In the past, I have seen customers doing this manually and capturing the evidence in a very ad-hoc way. Since the policy resources are constantly evolving in any Azure environments, the test effort should be continuous to ensure (1) new or updated policies are working as expected, and (2) the existing policies are still effective after any policy changes.

The Policy Integration Test is a framework that I have spent over 8 months developing to address this challenge. It provides an automated way to test policy resources in a real environment, and programmatically capture the evidence using standard testing framework Pester. The test cases can be automatically triggered when a PR is raised in your Policy IaC repository, or manually executed on demand.

The Policy Integration Test is an important part of the AzPolicyFactory solution, it is in fact the value proposition of the solution. It provides a comprehensive set of tests and validations at different stages of the CI/CD pipelines to ensure the quality and correctness of the Azure Policy resources being deployed.

Today, I have finished the migration of the existing AzPolicyFactory solution to the new repository in the Azure GitHub organization, together with the addition of the Policy Integration Test framework. You can find the new repository at aka.ms/AzPolicyFactory. I have included very comprehensive documentation in the repository to help you get started with the Policy Integration Test framework.

The Policy Integration Test solution supports both Azure DevOps pipelines and GitHub Actions workflows.

It supports both Azure Bicep and Terraform in the test cases.

Here are some screenshots of the Policy Integration Test framework in action:

Azure DevOps:

GitHub Action Workflow:

You can find detailed documentation about Policy Integration Test or AzPolicyFactory solution as a whole in the GitHub repository.

P.S. Since the release of AzPolicyFactory solution last month, I have received a few requests for me to document the feature comparison between AzPolicyFactory and other popular open source solutions.

My focus has been and always will be building the AzPolicyFactory solution. I will not document such comparison. If you have any specific questions or are requesting that I produce detailed documentation on a specific topic related to AzPolicyFactory, please raise an issue in the GitHub repository.

You can also use your favourite AI model to summarize the differences for you as long as the solutions you want to compare are well-documented.

Hopefully as you can see, the focus on AzPolicyFactory is testing and validation. Deploying Azure Policy or any Azure resources is not hard, there are many ways to achieve this.

Looking back and seeing how much time I have spent on all the features in AzPolicyFactory (and the upcoming release of a brand new solution that I have planned), to me the policy resource deployment part of the solution is something I have spent maybe 5% of the entire time on.

Lastly, please feel free to raise issues in the GitHub repository if you have questions or run into issues.

Looking forward to seeing how the AzPolicyFactory solution can help you in managing Azure Policy at scale in your organization!

I have developed several Azure Policy-related solutions for various customers over the last 4-5 years. Some of these patterns have kept evolving over time.

I have decided to open source these solutions and share with the community. At the moment, there are at least 3 solutions that I have in mind.

This is considered the first installment of the series, which is a pattern I have developed for deploying Azure Policy with Infrastructure as Code (IaC) using Azure DevOps or GitHub Actions.

AzPolicyFactory is a pattern I started building around 2021 and has gone through many iterations based on the feedback from customers and the changes in Azure Policy itself. I believe it has reached a mature level and provides a safe and efficient way to manage Azure Policy at scale, especially in large organizations with complex environments.

The next 2 patterns I’m planning to open source will work well with this pattern, and I will share more details about them in the future. Stay tuned!

AzPolicyFactory Introduction

AzPolicyFactory provides a comprehensive set of IaC solutions for testing, deploying and managing Azure Policy resources at scale.

By leveraging these IaC templates and pipelines, organizations can automate the deployment and management of Azure Policy resources, ensuring consistent governance across their Azure environments while reducing manual effort and the risk of misconfigurations.

AzPolicyFactory ships with 4 separate but interconnected Azure DevOps pipelines and GitHub Actions workflows that cover the entire lifecycle of Azure Policy resources, including:

• Policy Definitions
• Policy Initiatives
• Policy Assignments
• Policy Exemptions

The solution automates the entire lifecycle of Azure Policy resources — from code commit through testing and validation to production deployment — ensuring quality and correctness at every stage.

The Azure Policy IaC solution in this repository includes the following key features:

• Supports both Azure DevOps pipelines and GitHub Actions workflows for maximum flexibility and compatibility with different CI/CD platforms.
• Comprehensive set of Bicep modules and templates for deploying Azure Policy resources, following best practices for modularity, reusability, and maintainability.
• Comprehensive set of tests and validation at different stages of the CI/CD pipelines to ensure the quality and correctness of the Azure Policy resources being deployed.
• Follows industry best practices for Azure Policy management, safe deployment, code scan, and PR validation to ensure that the Azure Policy resources are deployed in a secure and compliant manner.
• Unit tests for every policy resource being deployed.
• Policy Integration Test (coming soon) to validate the functionality and effectiveness of the deployed Azure Policy resources in enforcing the desired governance and compliance requirements.

Learn More

You can find the AzPolicyFactory solution in the following GitHub repository: AzPolicyFactory. I have included very comprehensive documentation in the repository to help you get started.

What’s Next?

Since I only joined Microsoft a little over a month ago, I am still finding my way around. My plan is to try to move this repository to the Azure GitHub organization. If I manage to do that, I will update this post with the new link. In the meantime, you can check out the repository in my personal GitHub account.

2026-04-05 Update: I have successfully moved the repository to the Azure GitHub organization. You can now find it at aka.ms/AzPolicyFactory. Unfortunately, it’s not move, but initialize a new repo and copy the code over. So the stars and forks are not moved. If you have already starred or forked the original repo, please update to the new one. I will archive the original repo soon.

Next, I’m planning to release a solution I spent over 8 months developing, which I completed about 18 months ago — a framework for Azure Policy integration testing. I’m in the process of finding a good place to release it within Microsoft. Hopefully it won’t be too long before I can share it with the community. Stay tuned!

I have decided to create a new GitHub account that better reflects my personal identity rather than continue using the old one. My new GitHub account is taoyangcloud. I have also created a new GitHub organization called TaoYang-Cloud to host my open-source projects going forward.

I have transferred all of the repositories from my old account tyconsulting to the new organization TaoYang-Cloud. If you have bookmarked or stared any of my repos in the past, the link should still work as GitHub automatically redirects to the new location. However, if it doesn’t work, please go look for the repos under the new organization.

Sadly I will lose all the followers and achievements associated with my old account, but I believe this is a necessary step to align with my new career path.

I have also updated the links in all my blog posts that referenced my old GitHub account to point to the new account and organization.

Feel free to follow my new GitHub account and organization to stay updated with my latest open-source projects and contributions!

12 years ago, after spending 4 years blogging and contributing to the Microsoft tech community, I started wondering where could this lead me. I started having this though in my head that “maybe I can become a Microsoft MVP one day just like the guys I looked up to. Maybe I can reach out to the MVPs I admire and ask them for advice on how to become a part of their elite group.” Funny enough, before I had the courage to reach out to them, one morning, I received an email from Microsoft informing me that I had been nominated by a MVP that I deeply admire. I felt extremely honoured and excited. long story short, after I completed the nomination process and waited for approx. 3 months, I got accepted! Since then, I have been re-awarded every year for 12 consecutive years.

Initially, I set a personal goal to maintain the MVP status for at least 5 years. then after 5 years, I made another goal to maintain in the program for as long as the MVP trophy itself has more space for the annual renewal discs.

Right now, I am proud to say that I have accomplished my goal and filled all the available space on this trophy.

During my time, I have had the privilege to contribute to the community in various ways, including speaking at conferences and user groups, writing articles, YouTube videos, books and providing feedback to product groups, etc.. The MVP program has provided me with a platform to share my knowledge and passion for technology, and I am grateful for the recognition and support from Microsoft.

I also enjoyed the opportunities to meet the fellow MVPs and Microsoft product groups in person during MVP summits. The wonderful time we had in Seattle would always be cherished memories.

Every journey has its end. Back in November last year, I have accepted a full-time employee position at Microsoft Australia. After the Christmas holidays, I started the new role at Microsoft this week.

As a full-time Microsoft employee, I am no longer eligible to be an MVP. Therefore, with a mix of emotions, I have notified the MVP support team that I will be retiring from the MVP program.

I want to take this opportunity to express my heartfelt gratitude to the entire MVP community. Thank you for the support, friendship, and inspiration over the years.

Last but not least, I am still going to be active in the tech community, just in a different capacity now. I look forward to continuing to contribute and give back to the community in new ways as a Microsoft employee.

Many customers have gone down the route of developing, publishing and sharing internally developed Azure IaC modules within the organization. The modules can be written in Bicep, or Terraform or other IaC languages.

The process is typically as follows:

1. Develop the module locally.
2. Publish a “beta” or preview version of the module into a registry.
3. Test the module in a staging environment before promoting it to production.
4. Bump the version number and publish the final module.

We have implemented internal Bicep module libraries leveraging existing now retired Azure CARML and it’s successor Azure Verified Modules (AVM) library for several customers over the last few years.

Some common questions asked by the customers include:

1. Module usage tracking - How do we know where the modules are being used? if we update or retire a module, we need to know who’s going to be impacted.
2. Module versioning control - How do we ensure only production-ready versions are being used in production environments? In another word, how do we prevent the use of beta or pre-release versions in production?

To answer these questions and address the concern, we have come up with a pattern that involves the use of hidden- tags in the Bicep modules.

As you may know, if you create a tag with the hidden- prefix, the Azure Portal hides the tag (but it is still viewable via the ARM REST API). For example, this Storage Account has 2 hidden tags as you can see in the resource JSON view

But they are hidden from the portal view:

We created two hidden tags for every resource module. The hidden-module_name tag indicates the name of the module and the hidden-module_version tag indicates the complete semantic version of the module (major.minor.patch). If the module consumers don’t look close enough, they won’t notice these tags because they are hidden from the portal view.

To implement this in the bicep modules, we added the following code to the module (using storage account as an example):

//tags parameter
@description('Optional. Tags of the resource.')
param tags object?

//external version.json file that stores the version number (as a common pattern in AVM and CARML)
var moduleVersion = loadJsonContent('./version.json').version

//combine the existing tags and hidden tags
var mergedTags = union(tags, {
    'hidden-module_name': 'storage/storage-account'
    'hidden-module_version': moduleVersion
  })

//pass the combined tags to the resource
resource storageAccount 'Microsoft.Storage/storageAccounts@2025-01-01' = {
  name: 'mystorageaccount'
  location: 'eastus'
  tags: mergedTags
  ...
  ...
}

Module Usage Tracking

After these hidden tags are embedded in each module, we can start tracking the usage of these modules across your organization using Azure Resource Graph.

Here are some sample queries you can use:

Get all module usage

resources
| where tags['hidden-module_name'] matches regex '.'
| extend module_name = tostring(tags['hidden-module_name'])
| extend module_version = tostring(tags['hidden-module_version'])
| summarize resource_count = count() by type, module_name, module_version

Note: repeat this query for other Azure Resource Graph tables because not everything is stored in the resources table. Refer to this article for the details on ARG tables.

List all storage accounts deployed by the storage module with module version, owner and environment tag values

resources
| where type =~ "microsoft.storage/storageAccounts"
| where tags['hidden-module_name'] contains 'storage'
| extend module_name = tostring(tags['hidden-module_name'])
| extend owner=tostring(tags['owner'])
| extend environment=tostring(tags['environment'])
| project name, tags, module_name, environment, owner
| mvexpand tags
| extend tagKey = tostring(bag_keys(tags)[0])
| extend tagValue = tostring(tags[tagKey])
| distinct name, tagKey, tagValue, module_name, owner, environment
| where tagKey =~ "hidden-module_version"
| project resourceName = name, module_name, module_version = tagValue, owner, environment

Module Versioning Control

If the AVM / CARML pattern is being used, we need to firstly understand how the module version numbers are constructed.

In AVM / CARML, each module has a version.json file in the same directory of the module bicep file which contains the major.minor version number.

The patch version is generated by the pipeline at the module publish time. The pipeline then combines the major.minor version from the version.json file with the patch number it generated. When a module is published from the main or master branches, the final version number is the one this combined version number.

When the module is published from another branch (i.e. a feature branch for adding new features or a bugfix branch for fixing a bug), the pipeline appends -prerelease to the version number.

The purpose of the -prerelease versions are for you to conduct integration testing in staging environments. These version have not gone through the code review and PR process, the code has not been merged to the main branch, therefore they are not production ready.

To block the use of -prerelease versions in production, We have created an Azure Policy definition and assigned it to the management group represents the top of the hierarchy for the production environment. The policy simply blocks any resources that has hidden-module_version tag with the value that matches the pattern *-prerelease:

{
  "name": "pol-restrict-prerelease-overlay-module-versions",
  "properties": {
    "displayName": "Restrict resources to be deployed using prerelease overlay module versions",
    "description": "Prerelease module versions are published for testing purposes only. They are not intended for production use and they have not gone through code review and validation. This policy restricts resources from being deployed using prerelease overlay module versions.",
    "metadata": {
      "category": "Code Vulnerability",
      "version": "1.0.0",
      "preview": false,
      "deprecated": false
    },
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "tags[hidden-module_version]",
            "exists": true
          },
          {
            "field": "tags[hidden-module_version]",
            "like": "*-prerelease"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}

Note: This policy works very well for the resources that support tags. Obviously, not all resources in Azure support tags, and this is a limitation.

Our hidden tag is important because Bicep modules can be consumed in two ways:

1. When a module is pulled from a registry (either public or private Azure Container Registry), the Bicep template compiles it as a “nested deployment” with all module contents embedded into the ARM payload. In this scenario the module’s version is not discoverable.

2. When a module is used as a TemplateSpec, the compiled template uses a linked reference that points to the TemplateSpec version. However, Azure Policy does not evaluate Microsoft.Resources/deployments resource used by nested or linked deployments. Azure Policy skips anything coming from the Microsoft.Resources resource provider (except for subscriptions and resource groups).

Because of both these issues, we decided to “mark” our modules by storing a hidden version tag in the ARM payload.

Update Module Pipelines

If you are using the CARML / AVM pipeline patterns for your internal Bicep modules, there is one update to the Pipeline code that you need to be aware of.

As I have shown above, the module version number is retrieved from the version.json file. However this file only contains the major.minor version numbers.

We need to update the pipeline to write back the full version number to this file before the module publish task.

This is what we have done:

Firstly updated the Get-ModulesToPublish.ps1 and added a new function and placed it before the Get-ModulesToPublish function::

function Set-ModuleVersionFile {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $TemplateFilePath,

        [Parameter(Mandatory)]
        [string] $Version
    )

    $ModuleFolder = Split-Path -Path $TemplateFilePath -Parent
    $VersionFilePath = Join-Path $ModuleFolder 'version.json'
    $VersionFileContent = Get-ChildItem -Path $VersionFilePath | Get-Content | ConvertFrom-Json
    $VersionFileContent.version = $Version
    $VersionFileContent | ConvertTo-Json | Set-Content $VersionFilePath
    Write-Verbose "Updated module '$($ModuleFolder.Replace('\','/').Split('modules')[-1])' version metadata content: `n$($VersionFileContent | Out-String)"-Verbose
}

Then added a step to call this function and update the version.json file before returning the $modulesToPublish variable in the Get-ModulesToPublish function at the end of the file:

foreach ($TemplateFileToPublish in $TemplateFilesToPublish) {
    $ModuleVersion = Get-NewModuleVersion -TemplateFilePath $TemplateFileToPublish.FullName -Verbose
    Set-ModuleVersionFile -TemplateFilePath $TemplateFileToPublish -Version $ModuleVersion -Verbose
}

Conclusion

Over time I’ve raised a feature request so that the AVM team might support similar functionality natively. It has been a while since I raised the request and the AVM team have not committed to implementing this.

Therefore I have decided to document this pattern so that if we fork the AVM or CARML modules for our internal use, we can “inject” our own hidden tags (both the module name and version) into the ARM payload.

Although the sample code above is specific to Bicep modules and our AVM/CARML fork, the same concept can be applied – for example, in Terraform modules when you need to track which version of a module was deployed.

New test to check if any referenced resource types are excluded from policy evaluation

Azure policy excludes several resource types when evaluating resources. these types are defined here:

• Resources that are exempt from policy evaluation
• Provider pass-through to non Azure Resource Manager resources

Added a new test to check if any referenced resource types are from the lists above (using regex)

Updated tests for Audit / Deny interchangeable effects to exclude auto-generated bypassed properties

Some properties are not available at resource creation time (not in the request payload). any policies targeting these properties cannot use Deny effect.(Optional or auto-generated resource property that bypasses policy evaluation)

• Updated the existing tests for Audit / Deny interchangeable effects to exclude policies that are referencing these properties (using regex)
• Added new test to ensure any policies that are referencing these properties do have Deny as one of the allowed values for the policy effect.

brew install powershell/tap/powershell

I also have VSCode and the PowerShell extension installed on all of them.

I noticed the other day that I wasn’t able to get vscode to format PowerShell script on one of the Mac computers. I then tried on the other two and none of them worked. Looks like it’s a common issue across all my Mac computers.

When I tried to format the script, I got the prompt to search and install a formatter.

To Troubleshoot this, I opened the integrated terminal in VSCode checked the output from PowerShell extension. I found the following error message:

It seems that VScode doesn’t know the path to the PowerShell executable.

To fix it, I found the location in a terminal window using the where command:

Then configured the powershell.powerShellAdditionalExePaths setting in VSCode as the error message suggested and pointed it to the location of the PowerShell executable. I also followed this instruction and added powershell.powerShellDefaultVersion setting in the settings.json file.

After this, I restarted VSCode and opened the PowerShell script again. This time, I was able to format the script without any issues. The output from the integrated terminal also showed that the PowerShell extension was able to find the PowerShell executable.

Since I also have to use Windows and Ubuntu (WSL) for work, I don’t want these settings to be sync’d to my Windows laptop because the PowerShell path would be different on Ubuntu and Windows. So I have configured the settings sync to ignore these settings in the settings.json file. I added the following lines to the settings.json file:

"settingsSync.ignoredSettings": [
  "powershell.powerShellAdditionalExePaths",
  "powershell.powerShellDefaultVersion"
],

• via Azure Resource Manager API (Azure PowerShell, Azure CLI, Bicep templates or Azure Portal)
• directly on the SQL MI instance using SSMS

If the database is created via the Azure Resource Manager API, any Azure Policies that you have assigned for the SQL MI databases will apply. However, if the database is created directly on the SQL MI instance using SSMS, the Azure Policies will not apply at all.

I have discovered this behaviour around 18 months ago and reported it to the Azure SQL product team and it was acknowledged. Unfortunately to date, this limitation has not been addressed.

To demonstrate this behaviour, I created two databases on a SQL MI instance, one via the Azure Portal and the other via SSMS. We can see the DB created via ARM API on the SSMS console and vice versa.

SSMS view:

Azure Portal view:

I have a DeployIfNotExists policy to configure Diagnostic Settings for SQL MI databases. As you can see, the policy is applied to the DB created via ARM API, but not the one created via SSMS.

This limitation applies to all policy effects, not just DeployIfNotExists policies. If you have any Deny policies targeting SQL MI databases, they will not apply to databases created via SSMS at creation time, since the database is then visiable via a GET request in ARM API, the compliance scan of Azure Policy will eventually pick it up and mark it as non-compliant.

This is a security and operational risk. If your organisation is using SQL MI and would use SSMS to create databases, you should be aware of this limitation and consider other methods to enforce your policies. In the past, I have created an Azure Function App to scan the SQL MI databases and enforce the policies. This is a workaround, not ideal, since if a Deny policy cannot be enforced at creation time, Policy compliance scan will not fix the non-compliant resources automatically.

P.S. The Azure Policy GitHub repo has a list of known issues documented here. This behaviour with SQL MI is not listed there.

When creating an action group, you can configure zero or more notifications as well as actions.

We need to make sure when alerts are triggered, The following controls should be put in place to prevent data exfiltration and enhance network transport security.

Emails are only sent to authorised email addresses.

Only email domains managed by your organisation should be used. Personal email addresses or emails of another organisation should be prohibited.

SMS messages are only sent to authorised mobile phone numbers. The phone numbers used to receive SMS messages should belong to appropriate personnel. Phone numbers external to your organisation or numbers of other countries should be restricted.

Actions that trigger another Azure resource (Azure Automation Runbook, Event Hub Namspace, Azure Function App and Azure Logic App) are only triggering resources within the same subscription or been explicitly added to the allowed list of targets.

When the organisation does not separate Azure environments into different Entra ID tenants, this will ensure we are not potentially sending production alert data to non-production environments.

It will also allow the organisation to control which azure resources can be used to receive alert data if they are indeed located in different subscriptions of the action group.

Only allowed Webhooks can be used to receive alert data

The Webhook URL can belong to anyone and located anywhere in the world. It should be controlled so only allowed Webhook URLs can be used in action groups.

Only allow Webhooks that use HTTPS

Unencrypted data using HTTP protocol should be prohibited.

Fortunately the Azure Policy aliases for these properties exist already. I was able to leverage them and created the following policies and placed them in my azure policy GitHub repo:

• Restrict Azure Monitor Action Group Send Email Notification to External Email Addresses
• Restrict Azure Monitor Action Group Send SMS Notification to Unauthorized Phone Numbers
• Restrict Azure Monitor Action Group Trigger Actions to Cross-Subscription Azure Automation or not on the Allowed List
• Restrict Azure Monitor Action Group Trigger Actions to Cross-Subscription Event Hubs or not on the Allowed List
• Restrict Azure Monitor Action Group Trigger Actions to Cross-Subscription Function Apps or not on the Allowed List
• Restrict Azure Monitor Action Group Trigger Actions to Cross-Subscription Logic Apps or not on the Allowed List
• Restrict Azure Monitor Action Group Trigger Actions to Webhooks that are not on the Allowed List
• Restrict Azure Monitor Action Group Trigger Actions to Webhooks that are not using HTTPS

With the policies for restricting cross-subscription function app, logic app, event hub and automation runbooks, the definitions provide an array parameter to allow a list of cross-subscription resources. You can use the allowedAutomationAccounts, allowedEventHubNamespaces, allowedFunctionApps and allowedLogicApps parameters in its respective policy to approve the use of any of these resources that are located in other subscriptions.

In the portal UI, you can also see the ITSM connection and Secure Webhook as available actions. I did not bother to develop policies for ITSM connections because according to the documentation, it is already deprecated.

With regards to Secure Webhook, the ARM JSON configuration is the same as normal webhook, the only difference is that you will need to specify an EntraID application’s object ID and set useAadAuth to true. Therefore the policies for the Webhook Actions also apply to Secure Webhooks.

There are many benefits of using this pattern:

• Log data, table retention can be centrally managed.
• Simply the management of AMPLS (Azure Monitor Private Link Scope).
• Simply the management of Log Analytics workspace access.
• Able to apply for discounted price via Commitment Tier (There is a minimum volume requirement for commitment tier, which small workspaces will not be able to qualify).
• Simplify the log access, monitor and alerting configurations since all the logs are in the same location.

However, one of the challenges of using a centralised Log Analytics workspace is how to calculate and charge back the data usage to different subscriptions. In most of the billing solutions, customers normally have nominated a common tag that’s associated to the internal cost centre which is used for consumption charge back.

Few days ago, I worked with my good friend Alex Verkinderen and came up with the following queries to calculate the total billable data per subscription. The queries are based on the assumption that the SolutionID tag is used to identify the cost centre for each subscription. The queries are designed to be used in any Log Analytics workspace and leverage the capability of cross querying Azure Resource Graph. By cross querying Azure Resource Graph, we can get the subscription name and any tags of interest from the Azure Resource Graph and join the data with the Log Analytics data.

Here are the 2 queries we have developed:

Total ingested volume over last month per subscription

arg("").ResourceContainers
| where type =~ 'microsoft.resources/subscriptions'
| project SubscriptionName = name, subscriptionId, SolutionId = tags['SolutionID']
| join kind=inner hint.remote=right (
    find where TimeGenerated between(startofday(ago(32d))..startofday(now())) project _BilledSize, _IsBillable,  _SubscriptionId
    | where _IsBillable == true
    | summarize BillableDataBytes = sum(_BilledSize) by _SubscriptionId
    | extend DataIngestedInGB = format_bytes(BillableDataBytes, 3, "GB")
    | extend subscriptionId = _SubscriptionId
) on subscriptionId
| sort by BillableDataBytes
| project SubscriptionName, subscriptionId, SolutionId, DataIngestedInGB

Daily ingestion volume over last month for a specific subscription

arg("").ResourceContainers
| where type =~ 'microsoft.resources/subscriptions'
| project SubscriptionName = name, subscriptionId, SolutionId = tags['SolutionID']
| join kind=inner hint.remote=right (
    find where TimeGenerated between(startofday(ago(32d))..startofday(now())) project _BilledSize, _IsBillable,  _SubscriptionId, TimeGenerated
    | where _IsBillable == true
    | summarize BillableDataBytes = sum(_BilledSize) by _SubscriptionId, bin(TimeGenerated, 1d)
    | extend DataIngestedInGB = format_bytes(BillableDataBytes, 3, "GB")
    | extend IngestionDate = bin(TimeGenerated, 1d)
    | extend subscriptionId = _SubscriptionId
) on subscriptionId
| where SubscriptionName =~ 'The-Big-MVP-Sub-2'
| sort by IngestionDate asc
| project SubscriptionName, subscriptionId, SolutionId, DataIngestedInGB, IngestionDate

The billable price can be then easily calculated based on the ingested volume and price per GB.