When an Azure resource is determined to be non-compliant with a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:
- Compliance details
- Change history (Preview)
Compliance details
When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:
- Resource details such as name, type, location, and resource ID
- Compliance state and timestamp of the last evaluation for the current policy assignment
- A list of reasons for the resource non-compliance
Important
Because the compliance details for a Non-compliant resource show the current value of properties on that resource, the user must have the read operation for that resource type. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines, then the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.
To view the compliance details, follow these steps:
Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.
On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.
Under the Resource compliance tab of the Policy compliance page, select and hold (or right-click) or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.
The Compliance details pane displays information from the latest evaluation of the resource against the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.
For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.
Example partial deployIfNotExists definition:

```json
{
  "if": {
    "field": "type",
    "equals": "[parameters('resourceType')]"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Insights/metricAlerts",
      "existenceCondition": {
        "field": "name",
        "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
      },
      "existenceScope": "subscription",
      "deployment": { ... }
    }
  }
}
```
Note
To protect data, when a property value is a secret the current value displays asterisks.
These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant. For that information, see Change history (Preview) below.
Compliance reasons
Resource Manager modes and Resource Provider modes each have different reasons for non-compliance.
General Resource Manager mode compliance reasons
The following table maps each Resource Manager mode reason to the responsible condition in the policy definition:
Reason | Condition |
---|---|
Current value must contain the target value as a key. | containsKey or not notContainsKey |
Current value must contain the target value. | contains or not notContains |
Current value must be equal to the target value. | equals or not notEquals |
Current value must be less than the target value. | less or not greaterOrEquals |
Current value must be greater than or equal to the target value. | greaterOrEquals or not less |
Current value must be greater than the target value. | greater or not lessOrEquals |
Current value must be less than or equal to the target value. | lessOrEquals or not greater |
Current value must exist. | exists |
Current value must be in the target value. | in or not notIn |
Current value must be like the target value. | like or not notLike |
Current value must be a case-sensitive match to the target value. | match or not notMatch |
Current value must be a case-insensitive match to the target value. | matchInsensitively or not notMatchInsensitively |
Current value must not contain the target value as a key. | notContainsKey or not containsKey |
Current value must not contain the target value. | notContains or not contains |
Current value must not be equal to the target value. | notEquals or not equals |
Current value must not exist. | not exists |
Current value must not be in the target value. | notIn or not in |
Current value must not be like the target value. | notLike or not like |
Current value must not be a case-sensitive match to the target value. | notMatch or not match |
Current value must not be a case-insensitive match to the target value. | notMatchInsensitively or not matchInsensitively |
No related resources match the effect details in the policy definition. | A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist. |
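The following Python is an added example, not code from Azure Policy or from this article: a simplified evaluator that turns a failing condition into the reason phrases in the table above, reproducing the Microsoft.Sql/servers/version case from the compliance details walkthrough and the existenceCondition of the partial deployIfNotExists definition shown earlier. Operator semantics are simplified, the SQL server, resource group and alertNamePrefix values are constructed, and the concat() expression is hand-translated rather than parsed.

```python
import re

# Reason phrase (from the table above) reported when the named condition fails.
REASONS = {
    "equals": "Current value must be equal to the target value.",
    "notEquals": "Current value must not be equal to the target value.",
    "less": "Current value must be less than the target value.",
    "greaterOrEquals": "Current value must be greater than or equal to the target value.",
    "in": "Current value must be in the target value.",
    "notIn": "Current value must not be in the target value.",
    "like": "Current value must be like the target value.",
    "notLike": "Current value must not be like the target value.",
}
# A failing "not <cond>" is reported as the opposite condition (e.g. "not notEquals" -> equals).
OPPOSITE = {"equals": "notEquals", "notEquals": "equals", "less": "greaterOrEquals",
            "greaterOrEquals": "less", "in": "notIn", "notIn": "in", "like": "notLike",
            "notLike": "like"}

def _like(value: str, pattern: str) -> bool:
    # 'like' is a case-insensitive wildcard match where '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _holds(op: str, current, target) -> bool:
    """Simplified semantics: strings compare case-insensitively, numbers coerce to float."""
    if op == "equals":          return str(current).lower() == str(target).lower()
    if op == "notEquals":       return not _holds("equals", current, target)
    if op == "less":            return float(current) < float(target)
    if op == "greaterOrEquals": return not _holds("less", current, target)
    if op == "in":              return any(_holds("equals", current, t) for t in target)
    if op == "notIn":           return not _holds("in", current, target)
    if op == "like":            return _like(str(current), str(target))
    if op == "notLike":         return not _holds("like", current, target)
    raise ValueError(f"unsupported condition: {op}")

def non_compliance_reasons(condition: dict, resource: dict) -> list[str]:
    """Return the reason phrases for a field condition (optionally wrapped in 'not',
    or combined with 'allOf'). An empty list means the condition is satisfied."""
    if "allOf" in condition:   # every sub-condition that fails contributes its own reason
        return [r for c in condition["allOf"] for r in non_compliance_reasons(c, resource)]
    negated = "not" in condition
    cond = condition["not"] if negated else condition
    op = next(k for k in cond if k in REASONS)
    holds = _holds(op, resource.get(cond["field"]), cond[op])
    if negated:   # "not X" fails when X holds, and is reported as X's opposite
        return [REASONS[OPPOSITE[op]]] if holds else []
    return [] if holds else [REASONS[op]]

def related_resource_missing(details: dict, resource: dict, related: list[dict],
                             params: dict) -> list[str]:
    """Apply the existenceCondition of the deployIfNotExists definition above. Assumption:
    the ARM concat() is hand-translated, so the alert name is <prefix>-<resource group>-<name>."""
    expected = f"{params['alertNamePrefix']}-{resource['resourceGroup']}-{resource['name']}"
    for r in related:
        if r["type"].lower() == details["type"].lower() and \
           not non_compliance_reasons({"field": "name", "equals": expected}, r):
            return []
    return ["No related resources match the effect details in the policy definition."]

# Constructed sample input: the SQL server from the compliance-details walkthrough above.
SQL_SERVER = {"name": "sql01", "resourceGroup": "rg-prod", "type": "Microsoft.Sql/servers",
              "Microsoft.Sql/servers/version": "12.0"}
VERSION_RULE = {"field": "Microsoft.Sql/servers/version", "equals": "14.0"}
```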
Azure Policy Resource Provider mode compliance reasons
The following table maps each Microsoft.PolicyInsights Resource Provider mode reason code to its corresponding explanation:
Compliance reason code | Error message and explanation |
---|---|
NonModifiablePolicyAlias | NonModifiableAliasConflict: The alias '{alias}' is not modifiable in requests using API version '{apiVersion}'. This error happens when a request using an API version where the alias does not support the 'modify' effect or only supports the 'modify' effect with a different token type. |
AppendPoliciesNotApplicable | AppendPoliciesUnableToAppend: The aliases: '{ aliases }' are not modifiable in requests using API version: '{ apiVersion }'. This can happen in requests using API versions for which the aliases do not support the 'modify' effect, or support the 'modify' effect with a different token type. |
ConflictingAppendPolicies | ConflictingAppendPolicies: Found conflicting policy assignments that modify the '{notApplicableFields}' field. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policy assignments. |
AppendPoliciesFieldsExist | AppendPoliciesFieldsExistWithDifferentValues: Policy assignments attempted to append fields which already exist in the request with different values. Fields: '{existingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies. |
AppendPoliciesUndefinedFields | AppendPoliciesUndefinedFields: Found policy definition that refers to an undefined field property for API version '{apiVersion}'. Fields: '{nonExistingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies. |
MissingRegistrationForType | MissingRegistrationForResourceType: The subscription is not registered for the resource type '{ResourceType}'. Please check that the resource type exists and that the resource type is registered. |
AmbiguousPolicyEvaluationPaths | The request content has one or more ambiguous paths: '{0}' required by policies: '{1}'. |
InvalidResourceNameWildcardPosition | The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains the wildcard '?' character in an invalid position. Wildcards can only be located at the end of the name in a segment by themselves (ex. TopLevelResourceName/?). Please either fix the policy or remove the policy assignment to unblock. |
TooManyResourceNameSegments | The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains too many name segments. The number of name segments must be equal to or less than the number of type segments (excluding the resource provider namespace). Please either fix the policy definition or remove the policy assignment to unblock. |
InvalidPolicyFieldPath | The field path '{0}' within the policy definition is invalid. Field paths must contain no empty segments. They may contain only alphanumeric characters with the exception of the '.' character for splitting segments and the '[*]' character sequence to access array properties. |
AKS Resource Provider mode compliance reasons
The following table maps each Microsoft.Kubernetes.Data Resource Provider mode reason to the responsible state of the constraint template in the policy definition:
Reason | Constraint template reason description |
---|---|
Constraint/TemplateCreateFailed | The resource failed to create for a policy definition with a Constraint/Template that doesn't match an existing Constraint/Template on cluster by resource metadata name. |
Constraint/TemplateUpdateFailed | The Constraint/Template failed to update for a policy definition with a Constraint/Template that matches an existing Constraint/Template on cluster by resource metadata name. |
Constraint/TemplateInstallFailed | The Constraint/Template failed to build and was unable to be installed on cluster for either create or update operation. |
ConstraintTemplateConflicts | The Template has a conflict with one or more policy definitions using the same Template name with different source. |
ConstraintStatusStale | There is an existing 'Audit' status, but Gatekeeper has not performed an audit within the last hour. |
ConstraintNotProcessed | There is no status and Gatekeeper has not performed an audit within the last hour. |
InvalidConstraint/Template | The API Server has rejected the resource due to bad YAML. This reason can also be caused by a parameter type mismatch (example: a string provided for an integer). |
Note
For existing policy assignments and constraint templates already on the cluster, if that Constraint/Template fails, the cluster is protected by maintaining the existing Constraint/Template. The cluster reports as non-compliant until the failure is resolved on the policy assignment or the add-on self-heals. For more information about handling conflicts, see Constraint template conflicts.
Component details for Resource Provider modes
For assignments with a Resource Provider mode, select the Non-compliant resource to open a deeper view. Under the Component Compliance tab is additional information specific to the Resource Provider mode on the assigned policy, showing the Non-compliant Component and Component ID.
Compliance details for guest configuration
For policy definitions in the Guest Configuration category, there could be multiple settings evaluated inside the virtual machine, and you'll need to view per-setting details. For example, if you're auditing for a list of security settings and only one of them has status Non-compliant, you'll need to know which specific settings are out of compliance and why.
You also might not have access to sign in to the virtual machine directly, but you need to report on why the virtual machine is Non-compliant.
Azure portal
Begin by following the same steps in the section above for viewing policy compliance details.
In the Compliance details pane, select the link Last evaluated resource.
The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. In the Reason column, a phrase is shown describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.
View configuration assignment details at scale
The guest configuration feature can be used outside of Azure Policy assignments. For example, Azure AutoManage creates guest configuration assignments, or you might assign configurations when you deploy machines.
To view all guest configuration assignments across your tenant, open the Guest Assignments page in the Azure portal. To view detailed compliance information, select each assignment using the link in the Name column.
Change history (Preview)
As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when the Azure Resource Manager properties are added, removed, or altered.
Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.
On the Overview or Compliance page, select a policy in any compliance state.
Under the Resource compliance tab of the Policy compliance page, select a resource.
Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, is displayed.
Select one of the detected changes. The visual diff for the resource is presented on the Change history page.
The visual diff aids in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.
Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.
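As an added example (not code from this article or from Azure Resource Graph), the Python below classifies the property-level differences between two snapshots of a resource the way the visual diff reports them (added, removed, altered), and narrows them to the subtree a policy condition reads, which is how you would tell a change that explains the compliance state from one that merely happened around the same time. The SQL server snapshots and the properties.version path are constructed for the example.

```python
from typing import Any

def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested resource JSON into leaf paths such as 'properties.version'
    or 'properties.rules[0].name', so two snapshots can be compared key by key.
    Empty containers produce no leaves (a simplification of the real diff)."""
    leaves: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            leaves.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            leaves.update(flatten(value, f"{prefix}[{index}]"))
    else:
        leaves[prefix] = obj   # scalar leaf
    return leaves

def diff_snapshots(before: dict, after: dict) -> dict[str, list]:
    """Classify every differing leaf as added, removed or altered (path, old, new)."""
    old, new = flatten(before), flatten(after)
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "altered": sorted((p, old[p], new[p]) for p in new if p in old and new[p] != old[p]),
    }

def changes_touching(diff: dict[str, list], path_prefix: str) -> dict[str, list]:
    """Narrow a diff to the subtree a policy condition reads (e.g. 'properties.version');
    anything outside it changed the resource without bearing on that condition."""
    def keep(p: str) -> bool:
        return p == path_prefix or p.startswith(path_prefix + ".") or p.startswith(path_prefix + "[")
    return {"added": [p for p in diff["added"] if keep(p)],
            "removed": [p for p in diff["removed"] if keep(p)],
            "altered": [t for t in diff["altered"] if keep(t[0])]}

# Constructed sample snapshots of the SQL server from the compliance-details walkthrough:
# the version was downgraded, a TLS setting removed, and an unrelated tag added.
BEFORE = {"properties": {"version": "14.0", "minimalTlsVersion": "1.2",
                         "administrators": {"login": "dba"}}, "tags": {}}
AFTER = {"properties": {"version": "12.0",
                        "administrators": {"login": "dba", "sid": "00000000-0000-0000-0000-000000000000"}},
         "tags": {"env": "prod"}}
```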
Next steps
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review what a management group is with Organize your resources with Azure management groups.