Determine causes of non-compliance - Azure Policy (2023)

When an Azure resource is determined to be non-compliant to a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

  • Compliance details
  • Change history (Preview)

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource non-compliance

Important

As the compliance details for a Non-compliant resource show the current value of properties on that resource, the user must have the read operation for the type of resource. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines, then the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, select and hold (or right-click) or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.

  4. The Compliance details pane displays information from the latest evaluation of the resource to the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

    {
      "if": {
        "field": "type",
        "equals": "[parameters('resourceType')]"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/metricAlerts",
          "existenceCondition": {
            "field": "name",
            "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
          },
          "existenceScope": "subscription",
          "deployment": { ... }
        }
      }
    }

Note

To protect data, when a property value is a secret the current value displays asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant. For that information, see Change history (Preview) below.

Compliance reasons

Resource Manager modes and Resource Provider modes each have different reasons for non-compliance.

General Resource Manager mode compliance reasons

The following table maps each Resource Manager mode reason to the responsible condition in the policy definition:

Reason | Condition
--- | ---
Current value must contain the target value as a key. | containsKey or not notContainsKey
Current value must contain the target value. | contains or not notContains
Current value must be equal to the target value. | equals or not notEquals
Current value must be less than the target value. | less or not greaterOrEquals
Current value must be greater than or equal to the target value. | greaterOrEquals or not less
Current value must be greater than the target value. | greater or not lessOrEquals
Current value must be less than or equal to the target value. | lessOrEquals or not greater
Current value must exist. | exists
Current value must be in the target value. | in or not notIn
Current value must be like the target value. | like or not notLike
Current value must be case-sensitive match the target value. | match or not notMatch
Current value must be case-insensitive match the target value. | matchInsensitively or not notMatchInsensitively
Current value must not contain the target value as a key. | notContainsKey or not containsKey
Current value must not contain the target value. | notContains or not contains
Current value must not be equal to the target value. | notEquals or not equals
Current value must not exist. | not exists
Current value must not be in the target value. | notIn or not in
Current value must not be like the target value. | notLike or not like
Current value must not be case-sensitive match the target value. | notMatch or not match
Current value must not be case-insensitive match the target value. | notMatchInsensitively or not matchInsensitively
No related resources match the effect details in the policy definition. | A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist.
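The table above gives the reason wording only. To make concrete how a rule's operators turn into those "Current value must ..." lines, here is an added example (not code from the Azure Policy documentation or the service): a small Python evaluator that applies allOf/anyOf/not and the field operators from the table to a constructed resource snapshot. It assumes aliases are already resolved to plain keys on the resource dict, treats the type condition in the if block as applicability, and follows the audit/deny rule that a resource is non-compliant when the if block matches, so the conditions it must satisfy are the negation of that block (which is why "not less" reports the greaterOrEquals wording, as the table says). The sample SQL server (version 12.0 where 14.0 is expected) mirrors the article's screenshot; the rule, the tag name and the operator semantics beyond the table are assumptions.

```python
import fnmatch
import operator
import re

# Constructed sample resource: the article's SQL server example, with the alias
# stored as a plain key (the service resolves aliases against the ARM payload).
SAMPLE_RESOURCE = {"type": "Microsoft.Sql/servers", "name": "sql-prod-01",
                   "location": "westeurope", "tags": {"env": "prod"},
                   "Microsoft.Sql/servers/version": "12.0"}
# Constructed audit rule (assumption): SQL servers must be version 14.0 and carry an owner tag.
SAMPLE_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Sql/servers"},
    {"anyOf": [{"field": "Microsoft.Sql/servers/version", "notEquals": "14.0"},
               {"field": "tags['owner']", "exists": "false"}]}]},
    "then": {"effect": "audit"}}

def _cmp(c, t):  # numeric comparison when both sides parse, otherwise string comparison
    try:
        return float(c), float(t)
    except (TypeError, ValueError):
        return str(c), str(t)

def _match(cur, pattern, flags=0):  # 'match' wildcards: '#' digit, '?' letter, '.' any char
    regex = "".join({"#": r"\d", "?": "[A-Za-z]", ".": "."}.get(ch, re.escape(ch)) for ch in str(pattern))
    return re.fullmatch(regex, str(cur), flags) is not None

def _truthy(v):
    return str(v).lower() == "true"

# positive operator -> (wording from the compliance reasons table, predicate(current, target))
POSITIVE = {
    "equals": ("be equal to the target value", lambda c, t: str(c).lower() == str(t).lower()),
    "contains": ("contain the target value", lambda c, t: t in c if isinstance(c, list) else str(t).lower() in str(c).lower()),
    "containsKey": ("contain the target value as a key", lambda c, t: isinstance(c, dict) and t in c),
    "in": ("be in the target value", lambda c, t: str(c).lower() in [str(x).lower() for x in t]),
    "like": ("be like the target value", lambda c, t: fnmatch.fnmatchcase(str(c).lower(), str(t).lower())),
    "match": ("be case-sensitive match the target value", _match),
    "matchInsensitively": ("be case-insensitive match the target value", lambda c, t: _match(c, t, re.IGNORECASE)),
    "less": ("be less than the target value", lambda c, t: operator.lt(*_cmp(c, t))),
    "lessOrEquals": ("be less than or equal to the target value", lambda c, t: operator.le(*_cmp(c, t))),
    "greater": ("be greater than the target value", lambda c, t: operator.gt(*_cmp(c, t))),
    "greaterOrEquals": ("be greater than or equal to the target value", lambda c, t: operator.ge(*_cmp(c, t))),
}
# Complements used under 'not': the table reads 'not less' as greaterOrEquals, and so on.
COMPLEMENT = {"less": "greaterOrEquals", "greaterOrEquals": "less", "greater": "lessOrEquals", "lessOrEquals": "greater"}

def _field(resource, path):  # resolve a field path, including the tags['key'] form
    m = re.fullmatch(r"tags\['([^']+)'\]", path)
    return (resource.get("tags") or {}).get(m.group(1)) if m else resource.get(path)

def negate(cond):
    """Push a 'not' inward (De Morgan) until every leaf is a plain field condition."""
    if "allOf" in cond:
        return {"anyOf": [negate(c) for c in cond["allOf"]]}
    if "anyOf" in cond:
        return {"allOf": [negate(c) for c in cond["anyOf"]]}
    if "not" in cond:
        return cond["not"]
    op = next(k for k in cond if k != "field")
    if op == "exists":
        return {"field": cond["field"], "exists": not _truthy(cond["exists"])}
    if op in COMPLEMENT:
        return {"field": cond["field"], COMPLEMENT[op]: cond[op]}
    if op in POSITIVE:
        return {"field": cond["field"], "not" + op[0].upper() + op[1:]: cond[op]}
    return {"field": cond["field"], op[3].lower() + op[4:]: cond[op]}  # notX -> X

def evaluate(cond, resource):
    """Return (satisfied, reasons); reasons holds the table wording of every unsatisfied leaf."""
    if "allOf" in cond or "anyOf" in cond:
        results = [evaluate(c, resource) for c in cond.get("allOf", cond.get("anyOf"))]
        ok = all(r[0] for r in results) if "allOf" in cond else any(r[0] for r in results)
        return ok, [] if ok else [r for _, rs in results for r in rs]
    if "not" in cond:
        return evaluate(negate(cond["not"]), resource)
    op = next(k for k in cond if k != "field")
    current, target = _field(resource, cond["field"]), cond[op]
    if op == "exists":
        ok = (current is not None) == _truthy(target)
        wording = "exist" if _truthy(target) else "not exist"
    elif op in POSITIVE:
        wording, pred = POSITIVE[op]
        ok = current is not None and pred(current, target)
    elif op.startswith("not") and op[3].lower() + op[4:] in POSITIVE:
        base, pred = POSITIVE[op[3].lower() + op[4:]]
        wording, ok = "not " + base, current is None or not pred(current, target)
    else:
        raise ValueError(f"unsupported condition operator: {op}")
    return ok, [] if ok else [f"Current value must {wording}."]

def compliance_state(policy_rule, resource):
    """Audit/deny semantics, simplified: 'type' conditions in the if block decide applicability;
    the remaining conditions, negated, are what the resource must satisfy, and each unsatisfied
    leaf becomes one reason line on the compliance details pane."""
    cond = policy_rule["if"]
    parts = cond["allOf"] if "allOf" in cond else [cond]
    if not all(evaluate(c, resource)[0] for c in parts if c.get("field") == "type"):
        return "NotApplicable", []
    ok, reasons = evaluate(negate({"allOf": [c for c in parts if c.get("field") != "type"]}), resource)
    return ("Compliant" if ok else "NonCompliant"), reasons

if __name__ == "__main__":
    state, reasons = compliance_state(SAMPLE_RULE, SAMPLE_RESOURCE)
    print(state, *reasons, sep="\n  ")
```

Running it reports NonCompliant with two reason lines, one per unsatisfied leaf ("must be equal to the target value" for the version, "must exist" for the missing tag), which is the shape of the pane described in step 4 above. Changing the resource's type to anything other than Microsoft.Sql/servers yields NotApplicable, since the applicability condition no longer matches.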

Azure Policy Resource Provider mode compliance reasons

The following table maps each Microsoft.PolicyInsights Resource Provider mode reason code to its corresponding explanation:

Compliance reason code | Error message and explanation
--- | ---
NonModifiablePolicyAlias | NonModifiableAliasConflict: The alias '{alias}' is not modifiable in requests using API version '{apiVersion}'. This error happens when a request using an API version where the alias does not support the 'modify' effect or only supports the 'modify' effect with a different token type.
AppendPoliciesNotApplicable | AppendPoliciesUnableToAppend: The aliases: '{ aliases }' are not modifiable in requests using API version: '{ apiVersion }'. This can happen in requests using API versions for which the aliases do not support the 'modify' effect, or support the 'modify' effect with a different token type.
ConflictingAppendPolicies | ConflictingAppendPolicies: Found conflicting policy assignments that modify the '{notApplicableFields}' field. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policy assignments.
AppendPoliciesFieldsExist | AppendPoliciesFieldsExistWithDifferentValues: Policy assignments attempted to append fields which already exist in the request with different values. Fields: '{existingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies.
AppendPoliciesUndefinedFields | AppendPoliciesUndefinedFields: Found policy definition that refers to an undefined field property for API version '{apiVersion}'. Fields: '{nonExistingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies.
MissingRegistrationForType | MissingRegistrationForResourceType: The subscription is not registered for the resource type '{ResourceType}'. Please check that the resource type exists and that the resource type is registered.
AmbiguousPolicyEvaluationPaths | The request content has one or more ambiguous paths: '{0}' required by policies: '{1}'.
InvalidResourceNameWildcardPosition | The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains the wildcard '?' character in an invalid position. Wildcards can only be located at the end of the name in a segment by themselves (ex. TopLevelResourceName/?). Please either fix the policy or remove the policy assignment to unblock.
TooManyResourceNameSegments | The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains too many name segments. The number of name segments must be equal to or less than the number of type segments (excluding the resource provider namespace). Please either fix the policy definition or remove the policy assignment to unblock.
InvalidPolicyFieldPath | The field path '{0}' within the policy definition is invalid. Field paths must contain no empty segments. They may contain only alphanumeric characters with the exception of the '.' character for splitting segments and the '[*]' character sequence to access array properties.

AKS Resource Provider mode compliance reasons

The following table maps each Microsoft.Kubernetes.Data Resource Provider mode reason to the responsible state of the constraint template in the policy definition:

Reason | Constraint template reason description
--- | ---
Constraint/TemplateCreateFailed | The resource failed to create for a policy definition with a Constraint/Template that doesn't match an existing Constraint/Template on cluster by resource metadata name.
Constraint/TemplateUpdateFailed | The Constraint/Template failed to update for a policy definition with a Constraint/Template that matches an existing Constraint/Template on cluster by resource metadata name.
Constraint/TemplateInstallFailed | The Constraint/Template failed to build and was unable to be installed on cluster for either create or update operation.
ConstraintTemplateConflicts | The Template has a conflict with one or more policy definitions using the same Template name with different source.
ConstraintStatusStale | There is an existing 'Audit' status, but Gatekeeper has not performed an audit within the last hour.
ConstraintNotProcessed | There is no status and Gatekeeper has not performed an audit within the last hour.
InvalidConstraint/Template | API Server has rejected the resource due to a bad YAML. This reason can also be caused by a parameter type mismatch (example: string provided for an integer).

Note

For existing policy assignments and constraint templates already on the cluster, if that Constraint/Template fails, the cluster is protected by maintaining the existing Constraint/Template. The cluster reports as non-compliant until the failure is resolved on the policy assignment or the add-on self-heals. For more information about handling conflict, see Constraint template conflicts.

Component details for Resource Provider modes

For assignments with a Resource Provider mode, select the Non-compliant resource to open a deeper view. Under the Component Compliance tab is additional information specific to the Resource Provider mode on the assigned policy showing the Non-compliant Component and Component ID.

Compliance details for guest configuration

For policy definitions in the Guest Configuration category, there could be multiple settings evaluated inside the virtual machine and you'll need to view per-setting details. For example, if you're auditing for a list of security settings and only one of them has status Non-compliant, you'll need to know which specific settings are out of compliance and why.

You also might not have access to sign in to the virtual machine directly, but you need to report on why the virtual machine is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane view, select the link Last evaluated resource.

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. In the Reason column, a phrase is shown describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

View configuration assignment details at scale

The guest configuration feature can be used outside of Azure Policy assignments. For example, Azure Automanage creates guest configuration assignments, or you might assign configurations when you deploy machines.

To view all guest configuration assignments across your tenant, from the Azure portal open the Guest Assignments page. To view detailed compliance information, select each assignment using the link in the column "Name".

Change history (Preview)

As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when the Azure Resource Manager properties are added, removed, or altered.

  1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in any compliance state.

  3. Under the Resource compliance tab of the Policy compliance page, select a resource.

  4. Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, is displayed.

  5. Select one of the detected changes. The visual diff for the resource is presented on the Change history page.

The visual diff aids in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.

Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.
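To show what the visual diff conveys, and how a practitioner might answer the question this section raises (did a detected change actually touch a field the policy evaluates, or is it unrelated?), here is an added example, not code from the Azure documentation or from Azure Resource Graph: a property-level diff of two constructed snapshots of a storage account, followed by a filter that keeps only the changes under the property paths a hypothetical audit rule reads. The snapshots, the property paths in POLICY_FIELDS and the change-type labels Add/Remove/Update are constructed assumptions, not the service's schema.

```python
import json

# Constructed snapshots of one storage account, before and after a change was detected.
BEFORE = {
    "location": "westeurope",
    "tags": {"env": "prod"},
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
    },
}
AFTER = {
    "location": "westeurope",
    "tags": {"env": "prod", "owner": "platform-team"},
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {"defaultAction": "Allow"},
    },
}

# Constructed: property paths a hypothetical 'secure transfer required' audit rule evaluates.
POLICY_FIELDS = ["properties.supportsHttpsTrafficOnly"]

def diff_properties(before, after, prefix=""):
    """Walk both snapshots and record every added, removed or altered property.
    Dicts are descended into; lists and scalars are compared as whole values."""
    changes = []
    for key in sorted(set(before) | set(after)):
        path = f"{prefix}.{key}" if prefix else key
        if key not in before:
            changes.append({"path": path, "change": "Add", "before": None, "after": after[key]})
        elif key not in after:
            changes.append({"path": path, "change": "Remove", "before": before[key], "after": None})
        elif isinstance(before[key], dict) and isinstance(after[key], dict):
            changes.extend(diff_properties(before[key], after[key], path))
        elif json.dumps(before[key], sort_keys=True) != json.dumps(after[key], sort_keys=True):
            changes.append({"path": path, "change": "Update", "before": before[key], "after": after[key]})
    return changes

def relevant_changes(changes, evaluated_paths):
    """Keep only changes at or below a property path the policy rule evaluates; everything
    else is drift worth knowing about but cannot explain the current compliance state."""
    return [c for c in changes
            if any(c["path"] == p or c["path"].startswith(p + ".") for p in evaluated_paths)]

def render(changes):
    """Text form of the visual diff: '-' old value and '+' new value under each path."""
    lines = []
    for c in changes:
        lines.append(f"{c['change']:<6} {c['path']}")
        if c["change"] != "Add":
            lines.append(f"  - {json.dumps(c['before'])}")
        if c["change"] != "Remove":
            lines.append(f"  + {json.dumps(c['after'])}")
    return "\n".join(lines)

if __name__ == "__main__":
    all_changes = diff_properties(BEFORE, AFTER)
    print(render(all_changes))
    print("\nChanges touching the fields the policy evaluates:")
    print(render(relevant_changes(all_changes, POLICY_FIELDS)) or "  (none)")
```

On the constructed snapshots the full diff lists four changes (the network ACL default action, the removed IP rules, the HTTPS-only flag and the added owner tag), but only the HTTPS-only flip sits under a path the rule evaluates, which is the distinction the sentence above draws between detected changes and the compliance state.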

Next steps

  • Review examples at Azure Policy samples.
  • Review the Azure Policy definition structure.
  • Review Understanding policy effects.
  • Understand how to programmatically create policies.
  • Learn how to get compliance data.
  • Learn how to remediate non-compliant resources.
  • Review what a management group is with Organize your resources with Azure management groups.

FAQs

How do I check Azure compliance? ›

To see compliance data mapped as assessments in your dashboard, add a compliance standard to your management group or subscription from within the Security policy page. To learn more about Azure Policy and initiatives, see Working with security policies.

What is compliance in Azure policy? ›

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity.

How often does Azure Policy evaluate? ›

Once every 24 hours, assignments are automatically reevaluated. A large policy or initiative of many resources can take time, so there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

Which tool within Azure helps you track your compliance? ›

Which tool within Azure helps you to track your compliance with various international standards and government laws? Compliance Manager will track your own compliance with various standards and laws.

How long does it take for an Azure policy to take effect? ›

A new policy or initiative assignment takes about five minutes to be applied. New or updated resources within scope of an existing assignment become available in about 15 minutes. A standard compliance scan occurs every 24 hours.

How many compliance offerings does Azure have? ›

And, get more than 35 compliance offerings specific to the needs of key industries, including health, government, finance, education, manufacturing, and media.

Where can you go to see what standards Microsoft is in compliance with in Azure? ›

Sign in to the Azure portal. Navigate to Defender for Cloud > Regulatory compliance. The dashboard provides you with an overview of your compliance status and the set of supported compliance regulations.

What is the purpose of compliance manager Azure? ›

Compliance Manager helps simplify compliance and reduce risk by providing: Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs (available assessments depend on your licensing agreement; learn more).

Article information

Author: Eusebia Nader

Last Updated: 01/04/2023
