diff --git a/docs/content/services/container/aks/_index.md b/docs/content/services/container/aks/_index.md
index 79033a5e0..e2e7ca041 100644
--- a/docs/content/services/container/aks/_index.md
+++ b/docs/content/services/container/aks/_index.md
@@ -36,7 +36,7 @@ The presented resiliency recommendations in this guidance include Aks and associ
 | [AKS-20 - Configure system nodepool count](#aks-20---configure-system-nodepool-count) | Availability | High | Preview | Yes |
 | [AKS-21 - Configure user nodepool count](#aks-21---configure-user-nodepool-count) | Availability | High | Preview | Yes |
 | [AKS-22 - Configure pod disruption budgets (PDBs)](#aks-22---configure-pod-disruption-budgets-pdbs) | Availability | Medium | Preview | No |
-| [AKS-23 - Nodepool subnet size needs to accommodate maximum auto-scale settings](#aks-23---nodepool-subnet-size-needs-to-accommodate-maximum-auto-scale-settings) | Availability | High | Preview | No |
+| [AKS-23 - Nodepool subnet size needs to accommodate maximum auto-scale settings](#aks-23---nodepool-subnet-size-needs-to-accommodate-maximum-auto-scale-settings) | Availability | High | Preview | Yes |
 | [AKS-24 - Enforce resource quotas at the namespace level](#aks-24---enforce-resource-quotas-at-the-namespace-level) | Availability | High | Preview | No |
 {{< /table >}}
diff --git a/docs/content/services/container/aks/code/aks-23/aks-23.kql b/docs/content/services/container/aks/code/aks-23/aks-23.kql
index fa5cad258..e45ed8c75 100644
--- a/docs/content/services/container/aks/code/aks-23/aks-23.kql
+++ b/docs/content/services/container/aks/code/aks-23/aks-23.kql
@@ -1 +1,25 @@
-// cannot-be-validated-with-arg
+// Azure Resource Graph Query
+// Returns each AKS cluster with nodepools that have user nodepools with a subnetmask that does not match autoscale configured max-nodes
+// Subtracting the network address, broadcast address, and default 3 addresses Azure reserves within each subnet
+
+resources
+| where type == "microsoft.containerservice/managedclusters"
+| extend nodePools = properties['agentPoolProfiles']
+| mv-expand nodePools = properties.agentPoolProfiles
+| where nodePools.enableAutoScaling == true
+| extend nodePoolName=nodePools.name, maxNodes = nodePools.maxCount, subnetId = tostring(nodePools.vnetSubnetID)
+| project clusterId = id, clusterName=name, nodePoolName=nodePools.name, toint(maxNodes), subnetId
+| join kind = leftouter (
+ resources
+ | where type == 'microsoft.network/virtualnetworks'
+ | extend subnets = properties.subnets
+ | mv-expand subnets
+ | project id = tostring(subnets.id), addressPrefix = tostring(subnets.properties['addressPrefix'])
+ | extend subnetmask = toint(substring(addressPrefix, indexof(addressPrefix, '/')+1, string_size(addressPrefix)))
+ | extend possibleMaxNodeCount = toint(exp2(32-subnetmask) - 5)
+) on $left.subnetId == $right.id
+| project-away id, subnetmask
+| where possibleMaxNodeCount <= maxNodes
+| extend param1 = strcat(nodePoolName, " autoscaler upper limit: ", maxNodes)
+| extend param2 = strcat("ip addresses on subnet: ", possibleMaxNodeCount)
+| project recommendationId="aks-23", name=clusterName, id=clusterId, param1, param2
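Review bot: The subnet lookup inside the join silently drops any subnet whose resource defines its range under `addressPrefixes` rather than `addressPrefix`: `tostring(subnets.properties['addressPrefix'])` is then empty, `subnetmask` and `possibleMaxNodeCount` become null, and the null comparison in `where possibleMaxNodeCount <= maxNodes` evaluates false, so those nodepools never surface in the results. Consider `addressPrefix = tostring(coalesce(subnets.properties.addressPrefix, subnets.properties.addressPrefixes[0]))` so at least the first prefix is evaluated instead of being skipped. The header comment says the query covers user nodepools, but nothing filters on `nodePools.mode`, so system pools are included as well; I would reword it to `// Returns each autoscaled AKS nodepool (system or user) whose maxCount exceeds the usable addresses in its subnet`. The `extend nodePools = properties['agentPoolProfiles']` line is redundant because the following `mv-expand` reassigns `nodePools` from the same property. Note also that the usable-address count only subtracts the five Azure-reserved addresses and not the per-node pod IPs that Azure CNI (non-overlay) allocates from the same subnet, so the check is likely optimistic for such clusters.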