[BugFix] - Suspended Main Runbooks and Missing GR13 Compliance Results #392

Merged: 16 commits merged on Feb 10, 2025

Conversation

singhgss (Contributor) commented Feb 7, 2025

Bug Fix: Main Runbook TLS Deserialization and Query Optimization Issues

Overview/Summary

This pull request addresses multiple issues affecting the main runbook execution:

  • Deserialization Failure: The runbook was suspending actions due to a failure to deserialize the Storage Account TLS check. It retried twice before timing out, which prevented the completion of all GR13 controls.
  • Inefficient Queries: The Monitor-BreakGlassAccount query was inefficient because it loaded all sign-in logs into memory before filtering. Additionally, the Check-StorageAccountTLSversion module was using AZ modules rather than optimized Graph queries.

The updates ensure that the runbook now completes successfully and gathers compliance data for all 13 Guardrails.

This PR fixes/adds/changes/removes

fixes #389

  1. Fixes: The deserialization error in the Storage Account TLS check that was causing premature suspensions.
  2. Optimizes: The Monitor-BreakGlassAccount query by moving filtering logic to the query level, reducing memory usage.
  3. Rewrites: The Check-StorageAccountTLSversion module to use Graph queries instead of AZ modules for better performance.
  4. Updates: Module dependencies by adding Az.ResourceGraph (v1.1.0) and updating Az.Accounts (v4.0.2).

Breaking Changes

  1. Module Dependencies: The updated implementation requires:

    Users with older versions of these modules must update to avoid compatibility issues.

To Reproduce

  • The issue was observed in two client instances with a larger amount of resources than our standard test environments.

Expected Behavior

  • The main runbook should complete its run without suspensions, ensuring compliance data is collected for all 13 Guardrails.

Screenshots

Testing Evidence

  • Testing was conducted on client instances with an extensive resource base. The following results were observed:
    • The runbook now completes without suspensions following the Storage Account TLS check.
    • All GR13 controls are processed successfully with no warnings.
    • Optimized queries have reduced memory usage and improved performance.


As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant GitHub Issues
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.
  • Ensured PowerShell module versions have been updated (manually or with the ./tools/Update-ModuleVersions.ps1 script)
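
The query-level filtering described in this PR for the Storage Account TLS check, sketched as an added example (not code from this PR or the project). The function name, the `TLS1_2` threshold, and the projected columns are assumptions; it expects an existing `Connect-AzAccount` session and the Az.ResourceGraph module.

```powershell
#Requires -Modules Az.ResourceGraph

function Get-StorageAccountsBelowMinTls {
    [CmdletBinding()]
    param(
        # Assumed policy threshold; the PR does not state the required version.
        [ValidateSet('TLS1_1', 'TLS1_2')]
        [string] $RequiredTls = 'TLS1_2',

        # Search-AzGraph accepts at most 1000 rows per call.
        [ValidateRange(1, 1000)]
        [int] $PageSize = 500
    )

    # Every version strictly weaker than the threshold.
    $ordered = 'TLS1_0', 'TLS1_1', 'TLS1_2'
    $weaker  = @($ordered | Select-Object -First ([array]::IndexOf($ordered, $RequiredTls)))
    $inList  = ($weaker | ForEach-Object { "'$_'" }) -join ', '

    # The filter runs inside Resource Graph, so only non-compliant rows are
    # returned to the runbook. An unset minimumTlsVersion is treated as
    # non-compliant because such accounts accept TLS 1.0 and later.
    # 'id' must be projected for SkipToken paging to work.
    $query = @"
resources
| where type =~ 'microsoft.storage/storageaccounts'
| extend minTls = tostring(properties.minimumTlsVersion)
| where isempty(minTls) or minTls in~ ($inList)
| project id, name, resourceGroup, subscriptionId, minTls
| order by id asc
"@

    $results   = [System.Collections.Generic.List[object]]::new()
    $skipToken = $null
    do {
        # Fetch one bounded page at a time instead of loading every account.
        $params = @{ Query = $query; First = $PageSize }
        if ($skipToken) { $params.SkipToken = $skipToken }

        $page = Search-AzGraph @params
        foreach ($row in $page.Data) { $results.Add($row) }
        $skipToken = $page.SkipToken
    } while ($skipToken)

    return $results
}
```

An empty result means every storage account visible to the current context enforces at least the required TLS version.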

@singhgss singhgss changed the title from "Gsingh/out of memory error" to "[BugFix] - Suspended Main Runbooks and Missing GR13 Compliance Results" Feb 7, 2025
@singhgss singhgss requested a review from dutt0 February 10, 2025 16:20
@singhgss singhgss merged commit f253c2f into main Feb 10, 2025
4 checks passed
@singhgss singhgss deleted the gsingh/out-of-memory-error branch February 10, 2025 17:20
Development

Successfully merging this pull request may close these issues.

Suspended Main Runbooks and Missing GR13 Compliance Results
3 participants