az graph query -q "Resources | project id, name, type, resourceGroup, subscriptionId, location, tags, sku=sku.name | order by type asc" --output jsonResource drift
Resource drift is the gap between the intended Azure configuration in code, policy, or design and the resource state that actually exists after manual changes or unmanaged deployments.
Source: Microsoft Learn - Bicep deployment for Azure landing zones Reviewed 2026-05-22
- Exam trap
- Calling every difference bad drift without checking whether it was an approved emergency change waiting to be merged into code.
- Production check
- Run a Resource Graph inventory query and filter for missing Owner, Environment, or CostCenter tags.
Article details and learning context
- Aliases
- Azure resource drift, infrastructure drift, configuration drift, IaC drift, deployment drift
- Difficulty
- intermediate
- CLI mappings
- 5
- Last verified
- 2026-05-22
Understand the concept
In plain English
Resource drift is what happens when the Azure environment no longer matches the design, template, policy, or runbook that teams believe is true. Someone may change a firewall rule in the portal, create a resource outside the pipeline, remove a tag, resize a SKU, or leave behind a resource after migration. The workload may still run, but the source of truth is now unreliable. Drift is not always malicious. It is often the quiet result of urgent fixes, incomplete cleanup, or automation that was never reconciled.
Why it matters
Resource drift matters because trust in the platform depends on knowing what is actually deployed. A security team may believe public access is disabled while a manual exception exists. A FinOps team may forecast costs from templates while someone resized a database. A deployment may fail because a portal change introduced a dependency the template does not know about. Drift also weakens disaster recovery because rebuilding from code will not reproduce the live environment. The impact is slower troubleshooting, unreliable compliance, surprise costs, and risky releases. Treating drift as operational debt gives teams a practical way to reconcile urgent fixes with durable engineering controls.
Official wording and source
Microsoft Learn discusses drift through deployment stacks, what-if, policy, and resource inventory: compare declared infrastructure with resources that actually exist, identify resources created outside templates or manual changes, and choose whether unmanaged resources are detached or deleted during stack updates.
Technical context
In Azure architecture, resource drift appears across the control plane, governance layer, and operations model. It is detected with Azure Resource Graph, what-if deployments, deployment stacks, Azure Policy compliance, Activity Log, inventory exports, and service-specific configuration checks. Drift can affect tags, SKUs, networking rules, identity assignments, diagnostic settings, locks, private endpoints, and deployed resource counts. It is especially important for infrastructure-as-code platforms because templates may look correct while Azure state has changed. CLI gives operators repeatable discovery, comparison, and evidence export across subscriptions.
Exam context
Compare with
Where it is used
Where you see it
- In Azure Resource Graph exports, resources appear with unexpected SKUs, missing tags, public access settings, diagnostic gaps, or owner values that do not match the template.
- In deployment what-if output, resources show modify or delete actions that surprise the team because live Azure state changed after the last approved deployment during review.
- In Activity Log, manual portal changes, role assignment edits, or automation identity updates reveal when a resource diverged from the expected baseline during incident review.
Common situations
- Find manually created resources before a migration so landing-zone code does not miss hidden dependencies or preserve unmanaged cost.
- Detect public access, firewall, diagnostic, identity, or SKU changes that weaken security and reliability controls after emergency fixes.
- Reconcile what-if differences before redeployment so templates do not overwrite necessary hotfixes or keep outdated settings.
- Identify untagged, orphaned, or scaled-up resources that escaped FinOps ownership and now distort chargeback or forecast reports.
- Use deployment stacks, policy state, and Activity Log evidence to decide whether drift should be deleted, detached, remediated, or codified.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Maritime logistics finds a hidden firewall exception Scenario, objectives, solution, measured impact, and takeaway.
HarborLine operated shipment tracking APIs on Azure App Service and Azure SQL. A weekend hotfix added a public firewall exception that never made it back into infrastructure code.
- Detect security-sensitive drift before the next release.
- Identify who made the change and why it remained open.
- Restore the approved private-access baseline safely.
- Create a repeatable drift report for network exposure.
The platform team treated the firewall difference as resource drift rather than an isolated configuration mistake. Azure Resource Graph exported public network access and firewall-related fields for the workload. Azure CLI what-if showed the next Bicep deployment would remove the exception, while Activity Log identified the emergency service principal that created it. Engineers confirmed the original incident was resolved, updated the runbook, removed the exception through the next approved deployment, and added Azure Policy audit checks for public access. The drift report was scheduled weekly and reviewed with security operations.
- The public firewall exception was removed within one change window without breaking shipment APIs.
- Network drift detection expanded from one workload to 47 production resource groups.
- Security review time for firewall exceptions dropped from three hours to 40 minutes.
- The team found six additional stale exceptions before the next external audit.
Resource drift turns risky invisible changes into evidence-backed remediation work that can be reviewed, owned, and closed.
Scenario 02 Education nonprofit reconciles volunteer-built resources Scenario, objectives, solution, measured impact, and takeaway.
BrightPath Learning used Azure to host tutoring portals and reporting dashboards. Volunteers created storage accounts and app resources during a fundraising campaign, but the platform team had no matching code or owner records.
- Find resources created outside the deployment pipeline.
- Assign owners and cost centers before budget review.
- Move approved resources into infrastructure code.
- Retire unused campaign resources without disrupting students.
Operators ran Resource Graph inventory queries to compare live resources with the Bicep modules used for the tutoring platform. Untagged resources were grouped by creation time, resource group, SKU, and recent activity. Activity Log showed which volunteer accounts and service principals created them. The team classified each resource as adopt, retire, or investigate. Adopted resources were added to Bicep with approved names and tags. Retired resources were deleted only after application logs and storage metrics confirmed no recent student traffic. Azure Policy began auditing missing Owner and Campaign tags at the resource group scope.
- Thirty-two unmanaged resources were classified in two days instead of three weeks of interviews.
- Monthly Azure spend dropped by 18 percent after unused premium resources were retired.
- Four active campaign resources were safely adopted into code without downtime.
- Future volunteer deployments required tagged resource groups and platform review before launch.
Drift management is not just cleanup; it helps teams adopt useful emergency work while removing resources that no longer serve the mission.
Scenario 03 Insurance analytics restores deployment confidence Scenario, objectives, solution, measured impact, and takeaway.
Fennel Mutual ran actuarial models on Azure Databricks, storage, and private networking. Redeployments began showing unexpected what-if changes because manual SKU and diagnostic edits accumulated over several quarters.
- Explain why what-if output no longer matched approved templates.
- Protect necessary performance changes from being overwritten.
- Restore diagnostic and tag compliance across analytics resources.
- Reduce failed release reviews caused by surprising deployment differences.
The data platform team compared what-if output with live resource JSON exported through Azure CLI. They found three categories of drift: intentional SKU increases during model season, missing diagnostic settings after a workspace migration, and tags changed by a legacy automation job. Necessary SKU changes were added to parameter files, diagnostic settings were redeployed, and the old tag job was retired. Azure Policy monitored diagnostic compliance, while a monthly Resource Graph workbook highlighted SKU, tag, and private endpoint drift. Release reviewers received a drift summary before approving future deployments.
- Unexpected what-if changes fell from 64 items to nine after the reconciliation sprint.
- Diagnostic coverage returned to 98 percent across analytics resources.
- Release review meetings dropped from 90 minutes to 35 minutes.
- Two required performance upgrades were preserved in code instead of being rolled back accidentally.
Resource drift reviews keep infrastructure code honest by separating real design changes from accidental configuration noise.
Azure CLI
After ten years of Azure engineering work, I use Azure CLI for drift because drift is an estate-wide question. The portal shows one blade at a time, but CLI can export resources, tags, SKUs, identities, diagnostic settings, locks, and policy states across subscriptions. It also works in scheduled jobs, pull-request checks, and incident reviews. I can compare expected configuration with live output, run what-if before redeployment, and capture Activity Log evidence showing who changed what. For drift, speed and repeatability matter. A scriptable CLI check turns vague suspicion into a concrete list of differences owners can fix without portal guesswork.
Useful for
- Export live resource inventory and compare name, type, SKU, location, tags, and identity with the approved source of truth.
- Run what-if before redeployment to identify configuration changes that code would make against the current Azure state.
- List noncompliant policy states to find drift in required tags, locations, diagnostic settings, public access, or security configuration.
- Review Activity Log around a drift finding to identify the caller, timestamp, and management operation that changed the resource.
- Inspect a specific resource as JSON when portal views hide fields needed for automated drift comparison.
Before you run a command
- Confirm tenant, subscription set, management group scope, and whether the drift check covers one workload or the full landing zone.
- Use Reader access for discovery, then require explicit approval before remediation commands that modify, delete, resize, or retag resources.
- Know the intended source of truth: Bicep, Terraform, policy, deployment stack, runbook, or approved exception register.
- Choose output format carefully; JSON supports automated comparison, while table output helps humans triage high-risk differences quickly.
- Watch cost and outage risk before remediation because drift may represent a necessary hotfix that has not yet been codified.
What the output tells you
- Resource Graph output shows the current Azure state, including resource IDs, types, locations, tags, SKUs, and ownership signals used for comparison.
- What-if output shows what a deployment would create, modify, ignore, or delete, which highlights differences between code and live state.
- Policy state output identifies compliance drift against assigned rules but does not automatically prove who changed the resource or why.
- Activity Log output gives timestamps, callers, operations, and statuses that help reconstruct the change path behind a drift finding.
- A resource show payload provides the exact JSON fields automation should compare, especially for identities, SKUs, tags, and provider properties.
Mapped commands
Resource drift CLI Commands
directaz deployment group what-if --resource-group <resource-group> --template-file main.bicep --parameters @main.bicepparamaz policy state list --filter "ComplianceState eq 'NonCompliant'" --query "[].{resourceId:resourceId,policyAssignmentName:policyAssignmentName,complianceState:complianceState}" --output tableaz monitor activity-log list --resource-group <resource-group> --max-events 100 --query "[].{time:eventTimestamp,caller:caller,operation:operationName.value,status:status.value,resource:resourceId}" --output tableaz resource show --ids <resource-id> --query "{id:id,name:name,type:type,location:location,tags:tags,identity:identity,sku:sku}" --output jsonArchitecture context
A seasoned Azure architect treats drift management as part of the platform operating model, not as a one-time cleanup. The intended state may come from Bicep, Terraform, Azure Policy, deployment stacks, landing-zone modules, or approved design records. The actual state comes from Azure Resource Manager, service APIs, policy compliance, and logs. The architecture decision is how strict reconciliation should be. Some drift should be blocked by policy, some should be remediated automatically, and some emergency changes should be tagged, reviewed, and folded back into code. For production systems, drift reviews should focus on controls that change blast radius: public access, identity, SKU, redundancy, diagnostic coverage, locks, and private connectivity.
- Security
- Security impact is often direct. Drift can quietly reopen public network access, weaken TLS settings, remove diagnostic logs, add broad role assignments, disable Defender plans, or leave unmanaged keys and secrets. The danger is that diagrams, code, and policy dashboards may no longer describe the live attack surface. Drift does not always mean compromise, but it creates blind spots attackers and misconfigurations can exploit. Use Azure Policy, Resource Graph, Activity Log, Defender for Cloud, and CLI evidence to find security-sensitive differences. Emergency exceptions should have expiration, owner, and approval tags. Reconcile accepted changes into infrastructure code so the next deployment does not erase or preserve the wrong state.
- Cost
- Drift has an indirect but frequent cost impact. A manually scaled database, forgotten premium disk, untagged environment, extra private endpoint, orphaned public IP, or duplicate workspace can survive outside the cost model because the template or naming standard does not mention it. FinOps teams need drift reports that connect live resources to owners, environments, SKUs, and expected lifecycle. Drift can also hide savings opportunities when policy or code says a resource should be smaller than it is. The best cost control is not blind deletion; it is evidence-based reconciliation. Identify the difference, confirm business need, update the source of truth, or remove the resource through an approved cleanup path.
- Reliability
- Reliability impact is practical and sometimes severe. Drift can remove redundancy, resize capacity, change autoscale rules, alter firewall dependencies, break diagnostic settings, or leave orphaned resources that confuse failover runbooks. It also makes recovery uncertain because redeploying from code may not recreate the environment that was actually running. Reliable operations require a known source of truth and a process for reconciling live exceptions. What-if, deployment stacks, Activity Log, and scheduled inventory checks help identify differences before a change window. Do not automatically overwrite every drift finding; first decide whether it is a harmful mutation, a necessary emergency change, or a template update that was never captured.
- Performance
- Runtime performance can be affected when drift changes capacity, routing, caching, indexing, or network paths. A portal resize might improve one symptom while creating cost or reliability risk. A changed firewall or private endpoint can add latency or break dependency resolution. Operational performance is also affected because engineers spend longer reconciling reality with templates and diagrams. Drift detection improves troubleshooting speed by answering whether a recent manual change explains the incident. CLI exports and what-if output are especially useful during performance investigations because they reveal configuration differences before teams chase application code. The goal is faster diagnosis and fewer surprises during redeployment.
- Operations
- Operators handle resource drift by collecting inventory, comparing it against intended state, classifying differences, and assigning remediation owners. The work usually happens during governance reviews, release failures, incident retrospectives, cost cleanup, and migration preparation. CLI and Resource Graph are useful for exporting name, type, location, SKU, tags, locks, identity, and selected configuration fields. Azure Policy shows compliance state, while Activity Log helps explain who changed a resource and when. Good operations practice separates detection from action: first prove the difference, then decide whether to revert, update code, add an exception, or retire the resource. Otherwise drift cleanup becomes another source of outages.
Common mistakes
- Calling every difference bad drift without checking whether it was an approved emergency change waiting to be merged into code.
- Running automatic remediation that deletes or resizes resources before confirming dependencies, owners, rollback path, and business impact.
- Comparing only names and tags while missing security-sensitive drift in network access, diagnostics, identities, and lock configuration.
- Ignoring Activity Log context and blaming the wrong team for drift created by a service principal or platform automation job.
- Letting policy exemptions become permanent drift because nobody assigned an expiration date or reviewed the exception after the incident.