Get policy compliance data - Azure Policy (2023)


One of the largest benefits of Azure Policy is the insight and controls it provides over resources in a subscription or management group of subscriptions. This control can be used to prevent resources from being created in the wrong location, enforce common and consistent tag usage, or audit existing resources for appropriate configurations and settings. In all cases, data is generated by Azure Policy to enable you to understand the compliance state of your environment.

There are several ways to access the compliance information generated by your policy and initiative assignments:

  • Using the Azure portal
  • Through command line scripting

Before looking at the methods to report on compliance, let's look at when compliance information is updated and the frequency and events that trigger an evaluation cycle.

Warning

If compliance state is being reported as Not registered, verify that the Microsoft.PolicyInsights Resource Provider is registered and that the user has the appropriate Azure role-based access control (Azure RBAC) permissions as described in Azure RBAC permissions in Azure Policy.

Evaluation triggers

The results of a completed evaluation cycle are available in the Microsoft.PolicyInsights Resource Provider through PolicyStates and PolicyEvents operations. For more information about the operations of the Azure Policy Insights REST API, see Azure Policy Insights.

Evaluations of assigned policies and initiatives happen as the result of various events:

  • A policy or initiative is newly assigned to a scope. It takes around five minutes for the assignment to be applied to the defined scope, then the evaluation cycle begins for applicable resources against the newly assigned policy or initiative. Depending on the effects used, resources are marked as compliant, non-compliant, exempt, or unknown. A large policy or initiative evaluated against a large scope of resources can take time, so there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

  • A policy or initiative already assigned to a scope is updated. The evaluation cycle and timing for this scenario is the same as for a new assignment to a scope.

  • A resource is deployed to or updated within a scope with an assignment via Azure Resource Manager, REST API, or a supported SDK. In this scenario, the effect event (append, audit, deny, deploy) and compliant status information for the individual resource becomes available in the portal and SDKs around 15 minutes later. This event doesn't cause an evaluation of other resources.

  • A subscription (resource type Microsoft.Resources/subscriptions) is created or moved within a management group hierarchy with an assigned policy definition targeting the subscription resource type. Evaluation of the subscription supported effects (audit, auditIfNotExist, deployIfNotExists, modify), logging, and any remediation actions takes around 30 minutes.

  • A policy exemption is created, updated, or deleted. In this scenario, the corresponding assignment is evaluated for the defined exemption scope.

  • Standard compliance evaluation cycle. Once every 24 hours, assignments are automatically reevaluated. A large policy or initiative of many resources can take time, so there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

  • The machine configuration resource provider is updated with compliance details by a managed resource.

  • On-demand scan

Note

By design, Azure Policy exempts all resources under the Microsoft.Resources resource provider (RP) from policy evaluation with the exception of subscriptions and resource groups, which can be evaluated.


On-demand evaluation scan

An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. This scan is an asynchronous process.

Note

Not all Azure resource providers support on-demand evaluation scans. For example, Azure Virtual Network Manager (AVNM) currently doesn't support either manual triggers or the standard policy compliance evaluation cycle (daily scans).

On-demand evaluation scan - GitHub Action

Use the Azure Policy Compliance Scan action to trigger an on-demand evaluation scan from your GitHub workflow on one or multiple resources, resource groups, or subscriptions, and gate the workflow based on the compliance state of resources. You can also configure the workflow to run at a scheduled time so that you get the latest compliance status at a convenient time. Optionally, GitHub Actions can generate a report on the compliance state of scanned resources for further analysis or for archiving.

The following example runs a compliance scan for a subscription.

on:
  schedule:
    - cron: '0 8 * * *'  # runs every morning 8am

jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}

    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        scopes: |
          /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

For more information and workflow samples, see the GitHub Actions for Azure Policy Compliance Scan repo.

On-demand evaluation scan - Azure CLI

The compliance scan is started with the az policy state trigger-scan command.

By default, az policy state trigger-scan starts an evaluation for all resources in the current subscription. To start an evaluation on a specific resource group, use the --resource-group parameter. The following example starts a compliance scan in the current subscription for the MyRG resource group:

az policy state trigger-scan --resource-group "MyRG"

You can choose not to wait for the asynchronous process to complete before continuing by adding the --no-wait parameter.

On-demand evaluation scan - Azure PowerShell

The compliance scan is started with the Start-AzPolicyComplianceScan cmdlet.

By default, Start-AzPolicyComplianceScan starts an evaluation for all resources in the current subscription. To start an evaluation on a specific resource group, use the ResourceGroupName parameter. The following example starts a compliance scan in the current subscription for the MyRG resource group:

Start-AzPolicyComplianceScan -ResourceGroupName 'MyRG'

You can have PowerShell wait for the asynchronous call to complete before providing the results output, or have it run in the background as a job. To run the compliance scan in the background as a PowerShell job, use the AsJob parameter and assign the returned job object to a variable, such as $job in this example:

$job = Start-AzPolicyComplianceScan -AsJob

You can check on the status of the job by inspecting the $job object. The job is of the type Microsoft.Azure.Commands.Common.AzureLongRunningJob. Use Get-Member on the $job object to see available properties and methods.

While the compliance scan is running, checking the $job object outputs results such as these:

PS> $job

Id     Name               PSJobTypeName      State     HasMoreData  Location   Command
--     ----               -------------      -----     -----------  --------   -------
2      Long Running O...  AzureLongRunni...  Running   True         localhost  Start-AzPolicyCompliance...

When the compliance scan completes, the State property changes to Completed.

On-demand evaluation scan - REST

As an asynchronous process, the REST endpoint to start the scan doesn't wait until the scan is complete to respond. Instead, it provides a URI to query the status of the requested evaluation.

In each REST API URI, there are variables that you need to replace with your own values:

  • {YourRG} - Replace with the name of your resource group
  • {subscriptionId} - Replace with your subscription ID

The scan supports evaluation of resources in a subscription or in a resource group. Start a scan by scope with a REST API POST command using the following URI structures:

  • Subscription

    POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01
  • Resource group


    POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01

The call returns a 202 Accepted status. Included in the response header is a Location property with the following format:

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/asyncOperationResults/{ResourceContainerGUID}?api-version=2019-10-01

{ResourceContainerGUID} is statically generated for the scope requested. If a scope is already running an on-demand scan, a new scan isn't started. Instead, the new request is provided the same {ResourceContainerGUID} location URI for status. A REST API GET command to the Location URI returns a 202 Accepted while the evaluation is ongoing. When the evaluation scan has completed, it returns a 200 OK status. The body of a completed scan is a JSON response with the status:

{ "status": "Succeeded"}
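The trigger-and-poll exchange described above, written out as an added Python example; this is not code from the Azure Policy documentation or SDKs. It assumes a caller-supplied HTTP transport (the hypothetical `http` callable) and a bearer token obtained elsewhere (for instance with az account get-access-token); `run_scan`, `trigger_uri` and `make_fake_http` are this example's own names, and the fake transport is constructed so the flow runs offline.

```python
"""Trigger an on-demand Azure Policy compliance scan over the REST API and poll
the Location URI until the evaluation completes.

Added example, not code from the Azure Policy documentation or SDKs.
`http` is a caller-supplied transport: (method, url, headers) -> (status_code,
headers_dict, body_text). In a real run wrap requests/urllib and pass a token
from `az account get-access-token`. The fake transport is constructed test data."""
import json
import time

ARM = "https://management.azure.com"
API_VERSION = "2019-10-01"


def trigger_uri(subscription_id, resource_group=None):
    """triggerEvaluation URI for a subscription or resource-group scope."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return (f"{ARM}{scope}/providers/Microsoft.PolicyInsights/policyStates/latest"
            f"/triggerEvaluation?api-version={API_VERSION}")


def run_scan(http, token, subscription_id, resource_group=None,
             poll_seconds=30, max_polls=120, sleep=time.sleep):
    """POST the trigger, then GET the Location URI until it returns 200 OK.

    Returns the final status string (expected "Succeeded"). Raises RuntimeError
    on an unexpected HTTP code, a non-success status, or when the polling
    budget (max_polls * poll_seconds) is exhausted."""
    auth = {"Authorization": f"Bearer {token}"}
    code, resp_headers, body = http("POST", trigger_uri(subscription_id, resource_group), auth)
    if code != 202:
        raise RuntimeError(f"trigger failed: HTTP {code}: {body[:200]}")
    # Header names are case-insensitive; normalise before the lookup.
    location = {k.lower(): v for k, v in resp_headers.items()}.get("location")
    # Only follow a status URI on the ARM endpoint: the bearer token must never
    # be sent to whatever host a tampered or malformed Location header names.
    if not location or not location.startswith(ARM + "/"):
        raise RuntimeError(f"missing or untrusted Location header: {location!r}")
    for _ in range(max_polls):
        code, _, body = http("GET", location, auth)
        if code == 202:                      # evaluation still running
            sleep(poll_seconds)
            continue
        if code == 200:
            status = json.loads(body).get("status")
            if status != "Succeeded":
                raise RuntimeError(f"scan finished with status {status!r}")
            return status
        raise RuntimeError(f"unexpected HTTP {code} while polling: {body[:200]}")
    raise RuntimeError("scan did not complete within the polling budget")


def make_fake_http(pending_polls=2, final_status="Succeeded"):
    """Constructed transport mimicking the documented exchange: 202 + Location
    on the POST, `pending_polls` further 202s on GET, then 200 with a JSON body."""
    sub = "00000000-0000-0000-0000-000000000000"
    guid = "11111111-1111-1111-1111-111111111111"   # stands in for {ResourceContainerGUID}
    location = (f"{ARM}/subscriptions/{sub}/providers/Microsoft.PolicyInsights/"
                f"asyncOperationResults/{guid}?api-version={API_VERSION}")
    polls = {"n": 0}

    def http(method, url, headers):
        assert headers["Authorization"].startswith("Bearer ")
        if method == "POST":
            return 202, {"Location": location}, ""
        polls["n"] += 1
        if polls["n"] <= pending_polls:
            return 202, {}, ""
        return 200, {"Content-Type": "application/json"}, json.dumps({"status": final_status})
    return http


if __name__ == "__main__":
    print(run_scan(make_fake_http(), "fake-token",
                   "00000000-0000-0000-0000-000000000000", resource_group="MyRG",
                   sleep=lambda _: None))
```

The Location check matters because the same bearer token that triggered the scan is replayed on every poll; restricting polling to the management.azure.com origin keeps the token from leaking if the header is ever not what the page describes. The polling budget keeps a stalled evaluation from hanging a pipeline indefinitely.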

On-demand evaluation scan - Visual Studio Code

The Azure Policy extension for Visual Studio Code is capable of running an evaluation scan for a specific resource. This scan is a synchronous process, unlike the Azure PowerShell and REST methods. For details and steps, see On-demand evaluation with the VS Code extension.

How compliance works

When initiative or policy definitions are assigned and evaluated, resulting compliance states are determined based on conditions in the policy rule and resources' adherence to those requirements.

Azure Policy supports the following compliance states:

  • Non-compliant
  • Compliant
  • Conflict
  • Exempted
  • Unknown (preview)

Compliant and non-compliant states

In an assignment, a resource is non-compliant if it's applicable to the policy assignment and doesn't adhere to conditions in the policy rule. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state:

Resource State    Effect                                                          Policy Evaluation   Compliance State
New or Updated    Audit, Modify, AuditIfNotExist                                  True                Non-Compliant
New or Updated    Audit, Modify, AuditIfNotExist                                  False               Compliant
Exists            Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist  True                Non-Compliant
Exists            Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist  False               Compliant

Note

The DeployIfNotExist and AuditIfNotExist effects require the IF statement to be TRUE and the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources.

Example

For example, assume that you have a resource group, ContosoRG, with some storage accounts (highlighted in red) that are exposed to public networks.


Diagram showing images for five storage accounts in the Contoso R G resource group. Storage accounts one and three are blue, while storage accounts two, four, and five are red.

In this example, you need to be wary of security risks. Now that you've created a policy assignment, it's evaluated for all included and non-exempt storage accounts in the ContosoRG resource group. It audits the three non-compliant storage accounts, changing their states to Non-compliant.


Diagram showing images for five storage accounts in the Contoso R G resource group. Storage accounts one and three now have green checkmarks beneath them, while storage accounts two, four, and five now have red warning signs beneath them.

Understand non-compliance

When a resource is determined to be non-compliant, there are many possible reasons. To determine the reason a resource is non-compliant or to find the change responsible, see Determine non-compliance.

Other compliance states

Besides Compliant and Non-compliant, policies and resources have four other states:

  • Exempt: The resource is in scope of an assignment, but has a defined exemption.
  • Conflicting: Two or more policy definitions exist with conflicting rules. For example, twodefinitions append the same tag with different values.
  • Not started: The evaluation cycle hasn't started for the policy or resource.
  • Not registered: The Azure Policy Resource Provider hasn't been registered or the account logged in doesn't have permission to read compliance data.

Azure Policy relies on several factors to determine whether a resource is considered applicable, then to determine its compliance state.

The compliance percentage is determined by dividing Compliant, Exempt, and Unknown resources by total resources. Total resources include Compliant, Non-compliant, Exempt, and Conflicting resources. The overall compliance numbers are the sum of distinct resources that are Compliant, Exempt, and Unknown divided by the sum of all distinct resources. For example, with 20 distinct applicable resources of which only one is Non-compliant, the overall resource compliance is 95% (19 out of 20).


Note

Regulatory Compliance in Azure Policy is a Preview feature. Compliance properties from SDK and pages in portal are different for enabled initiatives. For more information, see Regulatory Compliance.


Compliance rollup

There are several ways to view aggregated compliance results:

Aggregate scope               Factors determining resulting compliance state
Initiative                    All policies within
Initiative group or control   All policies within
Policy                        All applicable resources
Resource                      All applicable policies

So how is the aggregate compliance state determined if multiple resources or policies have different compliance states themselves? This is done by ranking each compliance state so that one "wins" over another in this situation. The rank order is:

  1. Non-compliant
  2. Compliant
  3. Conflict
  4. Exempted
  5. Unknown (preview)

This means that if there are both non-compliant and compliant states, the rolled up aggregate would be non-compliant, and so on. Let's look at an example.

Assume an initiative contains 10 policies, and a resource is exempt from one policy but compliant to the remaining nine. Because a compliant state has a higher rank than an exempted state, the resource would register as compliant in the rolled-up summary of the initiative. So, a resource will only show as exempt for the entire initiative if it's exempt from, or has unknown compliance to, every other single applicable policy in that initiative. On the other extreme, if the resource is non-compliant to at least one applicable policy in the initiative, it will have an overall compliance state of non-compliant, regardless of the remaining applicable policies.
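The rank-based rollup and the compliance percentage from the two sections above, as an added Python example that is not code from the Azure Policy documentation or service. `rollup`, `compliance_percentage` and `initiative_summary` are this example's own names. One labelled assumption: Unknown resources are counted in the denominator as well as the numerator, so the percentage cannot exceed 100 (the page lists only four states for the total). The 20-resource matrix in `demo()` is constructed and reproduces the 95% figure and the 10-policy initiative case.

```python
"""Roll up Azure Policy compliance states using the documented rank order and
compute the overall compliance percentage.

Added example; not code from the Azure Policy documentation or service.
Assumption: Unknown resources are counted in the denominator too."""
from collections import Counter

# Rank order from the page: the lowest number wins when states are aggregated.
RANK = {"NonCompliant": 1, "Compliant": 2, "Conflict": 3, "Exempt": 4, "Unknown": 5}

# Numerator of the compliance percentage, per the page.
COUNTS_AS_COMPLIANT = {"Compliant", "Exempt", "Unknown"}
# Denominator: the page lists Compliant, Non-compliant, Exempt and Conflicting;
# Unknown is added here (assumption) so the ratio stays <= 100%.
COUNTS_IN_TOTAL = COUNTS_AS_COMPLIANT | {"NonCompliant", "Conflict"}


def rollup(states):
    """Aggregate state of several states: the best-ranked one wins. Applies to
    any aggregate scope on the page (initiative, group, policy, resource)."""
    states = list(states)
    if not states:
        raise ValueError("nothing applicable to aggregate")
    unexpected = set(states) - RANK.keys()
    if unexpected:
        raise ValueError(f"unexpected compliance state(s): {sorted(unexpected)}")
    return min(states, key=RANK.__getitem__)


def compliance_percentage(resource_states):
    """Distinct resources counted as compliant divided by total applicable
    resources, as a rounded integer percentage. None when nothing applies."""
    counts = Counter(resource_states)
    total = sum(n for s, n in counts.items() if s in COUNTS_IN_TOTAL)
    if total == 0:
        return None
    good = sum(n for s, n in counts.items() if s in COUNTS_AS_COMPLIANT)
    return round(100 * good / total)


def initiative_summary(matrix):
    """matrix: {resource_id: {policy_reference_id: state}} for one initiative
    assignment. Returns (per-resource rolled-up state, per-policy rolled-up
    state, overall compliance percentage over distinct resources)."""
    per_resource = {rid: rollup(p.values()) for rid, p in matrix.items()}
    by_policy = {}
    for p in matrix.values():
        for ref, state in p.items():
            by_policy.setdefault(ref, []).append(state)
    per_policy = {ref: rollup(v) for ref, v in by_policy.items()}
    return per_resource, per_policy, compliance_percentage(per_resource.values())


def demo():
    """Constructed data: 20 resources under an initiative of 10 policies; one
    resource is exempt from one policy, another fails one policy."""
    policies = [f"policy-{i}" for i in range(10)]
    matrix = {f"res-{r}": {p: "Compliant" for p in policies} for r in range(20)}
    matrix["res-0"]["policy-3"] = "Exempt"          # exempt from one, compliant on nine
    matrix["res-7"]["policy-5"] = "NonCompliant"    # fails a single policy
    return initiative_summary(matrix)


if __name__ == "__main__":
    per_resource, per_policy, pct = demo()
    print(per_resource["res-0"], per_resource["res-7"], pct)
```

Because `rollup` rejects unexpected state strings, a typo such as "Noncompliant" surfaces immediately instead of silently being ranked as something else; when consuming real Policy Insights output, normalise the `complianceState` casing first (the CLI examples later on this page return "NonCompliant" in some fields and "noncompliant" in others).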

Portal

The Azure portal showcases a graphical experience of visualizing and understanding the state of compliance in your environment. On the Policy page, the Overview option provides details for available scopes on the compliance of both policies and initiatives. Along with the compliance state and count per assignment, it contains a chart showing compliance over the last seven days. The Compliance page contains much of this same information (except the chart), but provides additional filtering and sorting options.


Since a policy or initiative can be assigned to different scopes, the table includes the scope for each assignment and the type of definition that was assigned. The number of non-compliant resources and non-compliant policies for each assignment are also provided. Selecting a policy or initiative in the table provides a deeper look at the compliance for that particular assignment.


The list of resources on the Resource compliance tab shows the evaluation status of existing resources for the current assignment. The tab defaults to Non-compliant, but can be filtered. Events (append, audit, deny, deploy, modify) triggered by the request to create a resource are shown under the Events tab.


For Resource Provider mode resources, on the Resource compliance tab, selecting the resource or right-clicking on the row and selecting View compliance details opens the component compliance details. This page also offers tabs to see the policies that are assigned to this resource, events, component events, and change history.


Back on the resource compliance page, select and hold (or right-click) on the row of the event you would like to gather more details on and select Show activity logs. The activity log page opens and is pre-filtered to the search showing details for the assignment and the events. The activity log provides more context and information about those events.


Note

Compliance results can be exported from the Portal through Azure Resource Graph queries.

Command line

The same information available in the portal can be retrieved with the REST API (including with ARMClient), Azure PowerShell, and Azure CLI. For full details on the REST API, see the Azure Policy reference. The REST API reference pages have a green 'Try It' button on each operation that allows you to try it right in the browser.

Use ARMClient or a similar tool to handle authentication to Azure for the REST API examples.


Summarize results

With the REST API, summarization can be performed by container, definition, or assignment. Here's an example of summarization at the subscription level using Azure Policy Insight's Summarize For Subscription:

POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/summarize?api-version=2019-10-01

The output summarizes the subscription. In the example output below, the summarized compliance counts are under value.results.nonCompliantResources and value.results.nonCompliantPolicies. This request provides further details, including each assignment that made up the non-compliant numbers and the definition information for each assignment. Each policy object in the hierarchy provides a queryResultsUri that can be used to get more detail at that level.

{
  "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary",
  "@odata.count": 1,
  "value": [{
    "@odata.id": null,
    "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary/$entity",
    "results": {
      "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant'",
      "nonCompliantResources": 15,
      "nonCompliantPolicies": 1
    },
    "policyAssignments": [{
      "policyAssignmentId": "/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77",
      "policySetDefinitionId": "",
      "results": {
        "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77'",
        "nonCompliantResources": 15,
        "nonCompliantPolicies": 1
      },
      "policyDefinitions": [{
        "policyDefinitionReferenceId": "",
        "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
        "effect": "deny",
        "results": {
          "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77' and PolicyDefinitionId eq '/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'",
          "nonCompliantResources": 15
        }
      }]
    }]
  }]
}

Query for resources

In the example above, value.policyAssignments.policyDefinitions.results.queryResultsUri provides a sample URI for all non-compliant resources for a specific policy definition. In the $filter value, ComplianceState is equal (eq) to 'NonCompliant', PolicyAssignmentId is specified for the policy definition, and then the PolicyDefinitionId itself. The reason for including the PolicyAssignmentId in the filter is because the PolicyDefinitionId could exist in several policy or initiative assignments with different scopes. By specifying both the PolicyAssignmentId and the PolicyDefinitionId, we can be explicit in the results we're looking for. Previously, for PolicyStates we used latest, which automatically sets a from and to time window of the last 24 hours.

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77' and PolicyDefinitionId eq '/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'

The example response below has been trimmed to a single non-compliant resource for brevity. The detailed response has several pieces of data about the resource, the policy or initiative, and the assignment. Notice that you can also see what assignment parameters were passed to the policy definition.

{
  "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest",
  "@odata.count": 15,
  "value": [{
    "@odata.id": null,
    "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "timestamp": "2018-05-19T04:41:09Z",
    "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Compute/virtualMachines/linux",
    "policyAssignmentId": "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
    "effectiveParameters": "",
    "ComplianceState": "NonCompliant",
    "subscriptionId": "{subscriptionId}",
    "resourceType": "/Microsoft.Compute/virtualMachines",
    "resourceLocation": "westus2",
    "resourceGroup": "RG-Tags",
    "resourceTags": "tbd",
    "policyAssignmentName": "37ce239ae4304622914f0c77",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "{\"tagName\":{\"value\":\"costCenter\"},\"tagValue\":{\"value\":\"Contoso-Test\"}}",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags",
    "policyDefinitionName": "1e30110a-5ceb-460c-a204-c1c3969c6d62",
    "policyDefinitionAction": "deny",
    "policyDefinitionCategory": "tbd",
    "policySetDefinitionId": "",
    "policySetDefinitionName": "",
    "policySetDefinitionOwner": "",
    "policySetDefinitionCategory": "",
    "policySetDefinitionParameters": "",
    "managementGroupIds": "",
    "policyDefinitionReferenceId": ""
  }]
}
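Assembling the $filter discussed in this section and walking the summarize response from the previous one, as an added Python example that is not code from the Azure Policy documentation. `build_filter`, `odata_literal`, `query_results_uri` and `noncompliant_definitions` are this example's own names; the payload in `sample_summary()` is a constructed, trimmed copy of the page's summarize shape with a second, fully compliant definition (a zero GUID) added so the filtering has something to skip.

```python
"""Build OData $filter expressions for Azure Policy Insights queryResults and
flatten a summarize response into per-definition non-compliance counts.

Added example; not code from the Azure Policy documentation. The summary in
sample_summary() is constructed test data."""
from urllib.parse import quote, urlencode

ARM = "https://management.azure.com"
API_VERSION = "2019-10-01"

# Fields this helper will put in a filter; anything else is rejected rather
# than passed through, so callers cannot smuggle arbitrary OData into the query.
FILTERABLE = {"ComplianceState", "PolicyAssignmentId", "PolicyDefinitionId",
              "PolicySetDefinitionId", "ResourceType", "ResourceLocation", "ResourceGroup"}


def odata_literal(value):
    """Quote a string literal for OData. Single quotes are doubled, so a value
    taken from untrusted input (a tag value, a resource name) cannot terminate
    the literal and append clauses of its own."""
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(**conditions):
    """AND together equality conditions in the order given, e.g.
    build_filter(ComplianceState="NonCompliant", PolicyAssignmentId=...)."""
    parts = []
    for field, value in conditions.items():
        if field not in FILTERABLE:
            raise ValueError(f"unsupported filter field: {field}")
        parts.append(f"{field} eq {odata_literal(value)}")
    return " and ".join(parts)


def query_results_uri(subscription_id, filter_expr, frm=None, to=None):
    """policyStates/latest/queryResults URI. Without $from/$to, `latest`
    covers the last 24 hours."""
    params = {"api-version": API_VERSION}
    if frm:
        params["$from"] = frm
    if to:
        params["$to"] = to
    params["$filter"] = filter_expr
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.PolicyInsights/"
            f"policyStates/latest/queryResults?{urlencode(params, quote_via=quote)}")


def noncompliant_definitions(summary):
    """Flatten summarize output to (assignmentId, definitionId, effect, count)
    rows for definitions with non-compliant resources, largest count first."""
    rows = []
    for entry in summary.get("value", []):
        for asg in entry.get("policyAssignments", []):
            for d in asg.get("policyDefinitions", []):
                n = d.get("results", {}).get("nonCompliantResources", 0)
                if n:
                    rows.append((asg["policyAssignmentId"], d["policyDefinitionId"],
                                 d.get("effect"), n))
    return sorted(rows, key=lambda r: -r[3])


def sample_summary():
    """Constructed summarize response (same shape as the page's example)."""
    asg = ("/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/"
           "microsoft.authorization/policyassignments/37ce239ae4304622914f0c77")
    return {"value": [{
        "results": {"nonCompliantResources": 15, "nonCompliantPolicies": 1},
        "policyAssignments": [{
            "policyAssignmentId": asg,
            "policySetDefinitionId": "",
            "results": {"nonCompliantResources": 15, "nonCompliantPolicies": 1},
            "policyDefinitions": [
                {"policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
                 "effect": "deny", "results": {"nonCompliantResources": 15}},
                # Constructed, fully compliant definition (placeholder GUID).
                {"policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/00000000-0000-0000-0000-000000000000",
                 "effect": "audit", "results": {"nonCompliantResources": 0}},
            ]}]}]}


if __name__ == "__main__":
    for asg_id, def_id, effect, count in noncompliant_definitions(sample_summary()):
        flt = build_filter(ComplianceState="NonCompliant",
                           PolicyAssignmentId=asg_id, PolicyDefinitionId=def_id)
        print(count, effect, query_results_uri("{subscriptionId}", flt))
```

The loop in the usage section reproduces the page's own workflow: take each definition the summary reports as non-compliant, pin both the assignment and the definition in the filter, and fetch the resource-level records with that URI. The quoting in `odata_literal` is what keeps a filter built from a user-supplied resource type or tag from turning into a broader query than intended.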

View events

When a resource is created or updated, a policy evaluation result is generated. Results are called policy events. Use the following URI to view recent policy events associated with the subscription.

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/default/queryResults?api-version=2019-10-01

Your results resemble the following example:

{
  "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/$metadata#default",
  "@odata.count": 1,
  "value": [{
    "@odata.id": null,
    "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/$metadata#default/$entity",
    "NumAuditEvents": 16
  }]
}

For more information about querying policy events, see the Azure Policy Events reference article.

Azure CLI

The Azure CLI command group for Azure Policy covers most operations that are available in REST or Azure PowerShell. For the full list of available commands, see Azure CLI - Azure Policy Overview.

Example: Getting the state summary for the topmost assigned policy with the highest number ofnon-compliant resources.

az policy state summarize --top 1

The top portion of the response looks like this example:

{
  "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary/$entity",
  "odataid": null,
  "policyAssignments": [{
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
    "policyDefinitions": [{
      "effect": "audit",
      "policyDefinitionGroupNames": [ "" ],
      "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
      "policyDefinitionReferenceId": "",
      "results": {
        "nonCompliantPolicies": null,
        "nonCompliantResources": 398,
        "policyDetails": [{ "complianceState": "noncompliant", "count": 1 }],
        "policyGroupDetails": [{ "complianceState": "noncompliant", "count": 1 }],
        "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2020-07-14 14:01:22Z&$to=2020-07-15 14:01:22Z and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8' and PolicyDefinitionId eq '/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a'",
        "resourceDetails": [
          { "complianceState": "noncompliant", "count": 398 },
          { "complianceState": "compliant", "count": 4 }
        ]
      }
    }],
    ...

Example: Getting the state record for the most recently evaluated resource (default is by timestampin descending order).

az policy state list --top 1
[
  {
    "complianceReasonCode": "",
    "complianceState": "Compliant",
    "effectiveParameters": "",
    "isCompliant": true,
    "managementGroupIds": "{managementgroupId}",
    "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataid": null,
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/securitycenterbuiltin",
    "policyAssignmentName": "SecurityCenterBuiltIn",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "auditifnotexists",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [ "" ],
    "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
    "policyDefinitionName": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
    "policyDefinitionReferenceId": "identityenablemfaforownerpermissionsmonitoring",
    "policyDefinitionVersion": "",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "security center",
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "policySetDefinitionName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "",
    "resourceGroup": "",
    "resourceId": "/subscriptions/{subscriptionId}",
    "resourceLocation": "",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.Resources/subscriptions",
    "subscriptionId": "{subscriptionId}",
    "timestamp": "2020-07-15T08:37:07.903433+00:00"
  }
]

Example: Getting the details for all virtual network resources. Note that this filter selects by resource type only; to return only non-compliant resources, add and ComplianceState eq 'NonCompliant' to the --filter value. The sample output shows one non-compliant virtual network.

az policy state list --filter "ResourceType eq 'Microsoft.Network/virtualNetworks'"
[
  {
    "complianceReasonCode": "",
    "complianceState": "NonCompliant",
    "effectiveParameters": "",
    "isCompliant": false,
    "managementGroupIds": "{managementgroupId}",
    "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataid": null,
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
    "policyAssignmentName": "e0704696df5e4c3c81c873e8",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "audit",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [ "" ],
    "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionName": "2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionReferenceId": "",
    "policyDefinitionVersion": "",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "",
    "policySetDefinitionId": "",
    "policySetDefinitionName": "",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "",
    "resourceGroup": "RG-Tags",
    "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet",
    "resourceLocation": "westus2",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.Network/virtualNetworks",
    "subscriptionId": "{subscriptionId}",
    "timestamp": "2020-07-15T08:37:07.901911+00:00"
  }
]

Example: Getting the compliance state records for virtual network resources evaluated after a specific date. The --from parameter sets the start of the query time window; as above, the filter selects by resource type only, and the sample output shows a non-compliant virtual network.

az policy state list --filter "ResourceType eq 'Microsoft.Network/virtualNetworks'" --from '2020-07-14T00:00:00Z'
[
  {
    "complianceReasonCode": "",
    "complianceState": "NonCompliant",
    "effectiveParameters": "",
    "isCompliant": false,
    "managementGroupIds": "{managementgroupId}",
    "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataid": null,
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
    "policyAssignmentName": "e0704696df5e4c3c81c873e8",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "audit",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [ "" ],
    "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionName": "2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionReferenceId": "",
    "policyDefinitionVersion": "",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "",
    "policySetDefinitionId": "",
    "policySetDefinitionName": "",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "",
    "resourceGroup": "RG-Tags",
    "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet",
    "resourceLocation": "westus2",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.Network/virtualNetworks",
    "subscriptionId": "{subscriptionId}",
    "timestamp": "2020-07-15T08:37:07.901911+00:00"
  }
]

Azure PowerShell

The Azure PowerShell module for Azure Policy is available on the PowerShell Gallery as Az.PolicyInsights. Using PowerShellGet, you can install the module with Install-Module -Name Az.PolicyInsights (make sure you have the latest Azure PowerShell installed):

# Install from PowerShell Gallery via PowerShellGet
Install-Module -Name Az.PolicyInsights

# Import the downloaded module
Import-Module Az.PolicyInsights

# Login with Connect-AzAccount if not using Cloud Shell
Connect-AzAccount

The module has the following cmdlets:

  • Get-AzPolicyStateSummary
  • Get-AzPolicyState
  • Get-AzPolicyEvent
  • Get-AzPolicyRemediation
  • Remove-AzPolicyRemediation
  • Start-AzPolicyRemediation
  • Stop-AzPolicyRemediation

Example: Getting the state summary for the topmost assigned policy with the highest number of non-compliant resources.

PS> Get-AzPolicyStateSummary -Top 1

NonCompliantResources : 15
NonCompliantPolicies  : 1
PolicyAssignments     : {/subscriptions/{subscriptionId}/resourcegroups/RG-Tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77}

Example: Getting the state record for the most recently evaluated resource (the default ordering is by timestamp in descending order).

PS> Get-AzPolicyState -Top 1

Timestamp                  : 5/22/2018 3:47:34 PM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/networkInterfaces/linux316
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/networkInterfaces
ResourceLocation           : westus2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd

Example: Getting the details for all non-compliant virtual network resources.

PS> Get-AzPolicyState -Filter "ResourceType eq '/Microsoft.Network/virtualNetworks'"

Timestamp                  : 5/22/2018 4:02:20 PM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/virtualNetworks
ResourceLocation           : westus2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd

Example: Getting events related to non-compliant virtual network resources that occurred after a specific date, converting them to CSV, and exporting to a file.

$policyEvents = Get-AzPolicyEvent -Filter "ResourceType eq '/Microsoft.Network/virtualNetworks'" -From '2020-09-19'
$policyEvents | ConvertTo-Csv | Out-File 'C:\temp\policyEvents.csv'

The output of the $policyEvents object looks like the following output:

Timestamp                  : 9/19/2020 5:18:53 AM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/virtualNetworks
ResourceLocation           : eastus
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd
TenantId                   : {tenantId}
PrincipalOid               : {principalOid}

The PrincipalOid field can be used to look up the specific user with the Azure PowerShell cmdlet Get-AzADUser. Replace {principalOid} with the value returned in the previous example.


PS> (Get-AzADUser -ObjectId {principalOid}).DisplayName
Trent Baker
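The script below is an added example, not code from the Azure Policy documentation or the Az.PolicyInsights module. It combines the pieces shown above into one report: it groups the latest non-compliant states by assignment, pulls the non-compliance events for a lookback window, and resolves each event's PrincipalOid to a display name. The lookback window, the output folder and the fallback to Get-AzADServicePrincipal for non-user identities are this example's own assumptions; it expects Az.PolicyInsights and Az.Resources to be installed and Connect-AzAccount to have been run.

```powershell
# Added example (not from the Azure Policy documentation): summarize the latest
# non-compliant policy states for the current subscription, then list the
# non-compliance events with the identity that caused each one.
param(
    [datetime]$Since  = (Get-Date).AddDays(-7),               # assumption: one-week lookback
    [string]  $OutDir = (Join-Path $env:TEMP 'policy-report')  # assumption: output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Latest state of every resource that currently fails a policy.
$states = Get-AzPolicyState -Filter "IsCompliant eq false"

# Group by assignment so the report shows which assignment drives the most drift.
$summary = $states |
    Group-Object -Property PolicyAssignmentName |
    ForEach-Object {
        [pscustomobject]@{
            PolicyAssignmentName  = $_.Name
            PolicyAssignmentScope = $_.Group[0].PolicyAssignmentScope
            Effect                = ($_.Group.PolicyDefinitionAction | Sort-Object -Unique) -join ';'
            NonCompliantResources = $_.Count
            ResourceTypes         = ($_.Group.ResourceType | Sort-Object -Unique) -join ';'
        }
    } |
    Sort-Object -Property NonCompliantResources -Descending

$summary | Export-Csv -Path (Join-Path $OutDir 'noncompliant-summary.csv') -NoTypeInformation

# 2. Non-compliance events since $Since, with the principal that triggered each one.
$events = Get-AzPolicyEvent -Filter "IsCompliant eq false" -From $Since

# Cache lookups: the same identity usually appears in many events.
$principalCache = @{}
function Resolve-PrincipalName {
    param([string]$ObjectId)
    if ([string]::IsNullOrEmpty($ObjectId)) { return '<none>' }
    if ($principalCache.ContainsKey($ObjectId)) { return $principalCache[$ObjectId] }

    # Users and service principals are different object types, so try both
    # (assumption: the caller may be a service principal rather than a user).
    # Ids that cannot be resolved (deleted objects, missing directory permission)
    # are kept as the raw id instead of aborting the whole report.
    $name = $null
    try { $name = (Get-AzADUser -ObjectId $ObjectId -ErrorAction Stop).DisplayName } catch {}
    if (-not $name) {
        try { $name = (Get-AzADServicePrincipal -ObjectId $ObjectId -ErrorAction Stop).DisplayName } catch {}
    }
    if (-not $name) { $name = "unresolved:$ObjectId" }
    $principalCache[$ObjectId] = $name
    return $name
}

$eventReport = $events | ForEach-Object {
    [pscustomobject]@{
        Timestamp            = $_.Timestamp
        Principal            = Resolve-PrincipalName -ObjectId $_.PrincipalOid
        PolicyAssignmentName = $_.PolicyAssignmentName
        Effect               = $_.PolicyDefinitionAction
        ResourceId           = $_.ResourceId
    }
} | Sort-Object -Property Timestamp -Descending

$eventReport | Export-Csv -Path (Join-Path $OutDir 'noncompliant-events.csv') -NoTypeInformation

$summary | Format-Table -AutoSize
```

Run it as a script (for example `.\Get-PolicyDriftReport.ps1 -Since (Get-Date).AddDays(-1)`). The two CSV files give a defender the two questions that matter after an evaluation cycle: which assignments have the most drift, and which identities keep creating or changing resources that fail a deny or audit policy.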

Azure Monitor logs

If you have a Log Analytics workspace with AzureActivity from the Activity Log Analytics solution tied to your subscription, you can also view non-compliance results from the evaluation of new and updated resources using simple Kusto queries against the AzureActivity table. With the details in Azure Monitor logs, alerts can be configured to watch for non-compliance.
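As an added example, not part of the original article, the script below runs such a Kusto query from PowerShell with Invoke-AzOperationalInsightsQuery (Az.OperationalInsights module) and summarizes policy audit and deny events by caller and policy. The workspace id and the lookback window are placeholders, and the way it parses the policies field out of the Properties column is this example's assumption about the AzureActivity record shape; the same query can be pasted into Log Analytics or used as the condition of a log alert rule.

```powershell
# Added example (not from the Azure Policy documentation): query AzureActivity in a
# Log Analytics workspace for policy audit/deny events and summarize them by caller.
# Assumes Az.OperationalInsights is installed and you are signed in with read access.
param(
    [Parameter(Mandatory)] [string]$WorkspaceId,   # placeholder: workspace (customer) id GUID
    [string]$Lookback = '1d'                        # assumption: Kusto timespan literal
)

# Policy evaluation writes to AzureActivity with Category "Policy"; the evaluated
# policies are carried as a JSON string inside the Properties column (assumed shape).
$query = @"
AzureActivity
| where TimeGenerated > ago($Lookback)
| where Category == "Policy"
| extend props = todynamic(Properties)
| extend policies = todynamic(tostring(props.policies))
| mv-expand policy = policies
| project TimeGenerated, Caller, OperationNameValue, ResourceId = _ResourceId,
          Effect = tostring(policy.policyDefinitionEffect),
          DefinitionName = tostring(policy.policyDefinitionName),
          AssignmentId = tostring(policy.policyAssignmentId)
| where Effect in~ ("audit", "deny")
| summarize Events = count(), LastSeen = max(TimeGenerated), SampleResource = take_any(ResourceId)
    by Caller, Effect, DefinitionName, AssignmentId
| order by Events desc
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query

# Results come back as objects with one property per projected column.
$rows = @($response.Results)
if ($rows.Count -eq 0) {
    Write-Host "No policy audit/deny activity in the last $Lookback."
    return
}

$rows | Format-Table -AutoSize

# A deny event is a blocked deployment; repeated denies from one caller usually
# point at a pipeline or template that needs fixing, so list those separately.
$rows | Where-Object { $_.Effect -eq 'deny' } |
    Select-Object Caller, DefinitionName, Events, LastSeen |
    Format-Table -AutoSize
```

Invoke it with `.\Get-PolicyActivity.ps1 -WorkspaceId <workspace-id> -Lookback 12h`. Because AzureActivity only records evaluations of new and updated resources, this view complements rather than replaces the Get-AzPolicyState output, which covers existing resources as well.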


Next steps

  • Review examples at Azure Policy samples.
  • Review the Azure Policy definition structure.
  • Review Understanding policy effects.
  • Understand how to programmatically create policies.
  • Learn how to remediate non-compliant resources.
  • Review what a management group is with Organize your resources with Azure management groups.

FAQs

Can Azure policy service be used to check the compliance of existing resources?

Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers. Azure Policy ensures that resource state is compliant to your business rules without concern for who made the change or who has permission to make a change.

How do I check Azure compliance?

To see compliance data mapped as assessments in your dashboard, add a compliance standard to your management group or subscription from within the Security policy page. To learn more about Azure Policy and initiatives, see Working with security policies.

How do I download Azure policy?

Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy. Select Definitions on the left side of the Azure Policy page. Use the Export definitions button or select the ellipsis on the row of a policy definition and then select Export definition.

Where can you go to see what standards Microsoft is in compliance with?

Sign in to the Azure portal. Navigate to Defender for Cloud > Regulatory compliance. The dashboard provides you with an overview of your compliance status and the set of supported compliance regulations.

Which tool within Azure helps you track your compliance?

Which tool within Azure helps you to track your compliance with various international standards and government laws? Compliance Manager will track your own compliance with various standards and laws.

Is it true that you can download a regulatory compliance report from Azure Security Center?

From Azure Security Center, you can download a Regulatory Compliance report.

What is Azure compliance documentation?

The Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure. Here you find compliance offerings across these categories: Global. US government. Financial services.

How do I find my CIS compliance in Azure?

To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the CIS Microsoft Azure Foundations Benchmark v1.3.0 Regulatory Compliance built-in initiative definition.

What is Azure compliance?

Azure Compliance Manager is a new service to help customers manage the compliance requirements of the workloads they deploy in the cloud, aligned with the concept of the cloud's shared responsibility model.

How do you identify compliance requirements?

Typical steps to achieve regulatory compliance include the following:
  1. Identify applicable regulations. Determine which laws and compliance regulations apply to the company's industry and operations. ...
  2. Determine requirements. ...
  3. Document compliance processes. ...
  4. Monitor changes, and determine whether they apply.

Where can you go to see all of the international standards compliance documents and audit results that Azure provides for itself?

You can access Azure audit reports and related documentation via the Service Trust Portal (STP). You must sign in to access audit reports on the STP. For more information, see Get started with Microsoft Service Trust Portal.

How many compliance offerings does Microsoft have for Azure?

Streamline compliance with Microsoft Azure, the cloud platform with over 90 compliance offerings.

What is a compliance tracker?

CB Compliance Tracker is a convenient online management tool that eliminates the administrative burden of managing paper records. Replaces manual/paper process with intuitive, efficient automation that reduces the security risk of sending via faxes, emails, etc.

Which two action types can be tracked by Microsoft Compliance Manager?

Compliance Manager tracks two types of actions:
  • Your improvement actions: Managed by your organization.
  • Microsoft actions: Managed by Microsoft.
Oct 3, 2022

How do I get Azure Monitor?

Start by opening the Log Search portal.
  1. In the Azure portal, click All services. In the list of resources, type Monitor. As you begin typing, the list filters based on your input. Select Monitor.
  2. On the Monitor navigation menu, select Log Analytics and then select a workspace.
Mar 30, 2022

Which two organization-level insights can you derive from the regulatory compliance dashboard of Microsoft Defender for Cloud?

Which two organization-level insights can you derive from the Regulatory Compliance dashboard of Azure Security Center? Enables you to assign, track, and record compliance and assessment-related activities. Provides a compliance score to help you track your progress and prioritize auditing.

Can you view the regulatory compliance of your Azure resources in Azure Security Center?

In the regulatory compliance dashboard, you get a single view of the status of all assessments within your environment, in the context of a particular standard or regulation. As you act on the recommendations and reduce risk factors in your environment, you can see your compliance posture improve.

How do I download Azure Security Center recommendations?

To download a CSV report of your recommendations:
  1. Sign in to the Azure portal.
  2. Navigate to Microsoft Defender for Cloud > Recommendations.
  3. Select Download CSV report.
Jan 12, 2023

What are the three types of compliance?

Let's take a look at what they are and what they mean.
  • Regulatory compliance. Regulatory compliance is when a business follows the local and international laws and regulations that are relevant to its operations. ...
  • HR compliance. ...
  • Data compliance. ...
  • Health and safety compliance.
May 18, 2022

What are the 3 phases of compliance?

The Three-Stage Preparation to Meet Compliance Requirements
  • Define and list down organization risks.
  • Continuous audit and compliance.
  • Best practices to Implement SOD.
Nov 14, 2019

Where can I find my CIS?

call HMRC's CIS Helpline - 0300 200 3210. use a third-party software package.
...
You (or your accountant) must provide the following information about your business as a contractor:
  • the name of your business or organisation.
  • your unique taxpayer reference (UTR)
  • your accounts office reference.
  • your employer reference.
Oct 19, 2021

How do I find my UDR in Azure?

Log in to the Azure Portal: https://portal.azure.com.
  1. Click New.
  2. In the New column, select enter route table in the search box and click Enter.
  3. In the Everything column, select Route table.
  4. Click Create.
  5. In the Route table column, configure the following settings: Name – Enter the route table name. ...
  6. Click Create.
Apr 25, 2018

What are the 2 types of compliance?

There are two main types of compliance that denote where the framework is coming from: corporate and regulatory. Both corporate and regulatory compliance consist of a framework of rules, regulations and practices to follow.

What are the four key compliance issues?

The 4 Most Common Compliance Risks and How to Avoid Them
  • Legal & Liability Concerns.
  • Data Security.
  • Business Reputation.
Aug 11, 2022

What are the 7 pillars of compliance?

However, 7 key elements exist in virtually all legally effective compliance programs:
  • Policies & Procedures.
  • Chief Compliance Officer/Compliance Committee.
  • Education & Training.
  • Reporting.
  • Monitoring & Auditing.
  • Enforcement.
  • Responding To Issues.

What five (5) factors must a compliance plan include?

The five elements are:
  • Leadership.
  • Risk Assessment.
  • Standards and Controls.
  • Training and Communications.
  • Oversight.
Dec 1, 2019

What are key compliance indicators?

Specifically, a key compliance indicator is a metric or measurement that provides a quantitative description of an organization's adherence to a stated compliance objective. While not necessary for understanding KCIs, those familiar with key performance indicators (KPIs) may see some parallels.

What is a compliance audit checklist?

What is a Compliance Audit Checklist? A compliance audit checklist is a tool used by auditors to ensure that an organization is following the rules and regulations that have been put in place. The checklist contains a list of items that need to be audited and the appropriate procedure for each item.

What are the 3 common methods of internal audit to determine compliance?

There are common methods of internal auditing that may be used to determine compliance:
  • System Audits.
  • Process Audits.
  • Product Audits.
May 14, 2022

Where can I find the auditor's report?

Locating the Auditor's Report

In these cases, auditor's reports can be found in annual reports immediately prior to the financial statements. In other cases, auditor's reports can be found either as a separate document or attached to the business's financial statements.

Does Azure policy apply to existing resources?

Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.

Which Azure feature enables organizations to manage the access policies and compliance of their resources in Azure across multiple subscriptions?

Resource groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions.

Which services are used to manage the resources in Azure?

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

Which service in Azure helps to have the right tools for being compliant?

Compliance Manager is a free workflow-based risk assessment tool that is designed to help organizations manage regulatory compliance within the shared responsibility model of the Azure cloud.

Article information

Author: Madonna Wisozk

Last Updated: 01/19/2023