An easy way to find unmanaged resources is to set up a tag policy, e.g. "managed-by":"terraform" and add that tag to all resources in your terraform manifests. Then manually created resources won't have that tag and you'll find them in the list of non-compliant resources. That assumes, that your users don't manually add that tag to trick you, of course.
Here's how to set up a tag policy in Azure and via the azurerm terraform provider.