In our previous blog post, we discussed how we can write custom Azure Policies in accordance with the organization’s strategic and compliance requirements. We also learned how to apply policies at different scope levels in Azure. While planning, writing and applying compliance requirements in the form of Azure Policies is important, it is equally important to audit existing resources for appropriate configurations and settings, evaluate the results and take certain actions. One needs to evaluate how many resources are compliant with the defined requirements, which resources are non-compliant, what corrective actions can be taken to bring them into compliance, and also remove any false positives.
In Azure, compliance data generated by Azure Policy can be accessed through all the usual channels: the Azure Portal, Azure CLI, Azure PowerShell and the Azure REST API.
Using Azure Portal for Viewing Compliance
The Azure Portal provides a graphical view of the compliance state for the Azure Resources. On the Policy page, the Overview option provides details for available scopes on the compliance of both policies and initiatives:
Along with the compliance state and count per assignment, it contains a chart showing compliance over the last seven days:
The Compliance page contains much of this same information (except the chart), but provides additional filtering and sorting options:
Clicking on a policy or initiative in the table provides a deeper look at the compliance for that particular assignment:
The list of resources on the Resource compliance tab shows the evaluation status of existing resources for the current assignment. The tab defaults to Non-compliant, but can be filtered:
Events (append, audit, deny, deploy) triggered by the request to create a resource are shown under the Events tab:
You can select a specific event to view more details about it:
Using Azure PowerShell for Viewing Compliance
The Azure PowerShell module for Azure Policy is available on the PowerShell Gallery as Az.PolicyInsights. It is installed by default with the latest Azure PowerShell (Az) module.
First, let’s see what cmdlets are offered by this module:
To get the overall compliance state, we can use the Get-AzPolicyStateSummary cmdlet:
We can see that we have 2 non-compliant policies and 3 resources flagged as non-compliant.
We can use Get-AzPolicyState to get the latest policy state records generated in the last day for all resources within the subscription in the current session context. We can also scope the results to a management group, subscription or resource group:
# Gets latest policy state records generated in the last day for all resources within the subscription in current session context
Get-AzPolicyState
# Gets latest policy state records generated in the last day for all resources within the specified management group.
Get-AzPolicyState -ManagementGroupName "myManagementGroup"
# Gets latest policy state records generated in the last day for all resources within the specified resource group (in the subscription in current session context)
Get-AzPolicyState -ResourceGroupName "myResourceGroup"
The results might be too large to parse at once, so you can narrow them down using the Select-Object and Where-Object cmdlets:
Get-AzPolicyState -SubscriptionId "mySubscriptionId" | Where-Object { $_.PolicyAssignmentName -eq "myPolicyAssignmentName" }
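The following script is an added example (not code from the original post) that ties the cmdlets above together into a small audit routine: it pulls the subscription summary, lists only the non-compliant records, groups them by policy definition so each control shows the resources it flags, exports one assignment's records for evidence, and lists recent policy events. It assumes Connect-AzAccount has already been run; the subscription id and assignment name are placeholders to replace.

```powershell
# Added example (not from the original post). Assumes an existing Az session.
$subscriptionId = "<subscription-id>"              # placeholder, replace with your own
$assignmentName = "<policy-assignment-name>"       # placeholder, replace with your own

# 1. High-level summary for the subscription: counts of non-compliant resources and policies
$summary = Get-AzPolicyStateSummary -SubscriptionId $subscriptionId
"Non-compliant resources: $($summary.Results.NonCompliantResources)"
"Non-compliant policies : $($summary.Results.NonCompliantPolicies)"

# 2. Latest state records, non-compliant only, using the server-side OData filter
$nonCompliant = Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "ComplianceState eq 'NonCompliant'"

# 3. Group by policy definition so each control lists the resources it flags
$nonCompliant |
    Group-Object -Property PolicyDefinitionName |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        "{0,4}  {1}" -f $_.Count, $_.Name
        $_.Group | ForEach-Object { "       - $($_.ResourceId)" }
    }

# 4. Export the records of a single assignment (client-side filter) as audit evidence
Get-AzPolicyState -SubscriptionId $subscriptionId |
    Where-Object { $_.PolicyAssignmentName -eq $assignmentName } |
    Select-Object Timestamp, ResourceId, PolicyDefinitionName, ComplianceState |
    Export-Csv -Path ".\policy-state-$assignmentName.csv" -NoTypeInformation

# 5. Policy events (audit, deny, append, deploy) from the last day for the same subscription
Get-AzPolicyEvent -SubscriptionId $subscriptionId |
    Select-Object Timestamp, PolicyDefinitionAction, ComplianceState, ResourceId |
    Format-Table -AutoSize
```

The -Filter parameter pushes the ComplianceState filter to the service, which is preferable to pulling every record and filtering with Where-Object when the subscription has many resources; the Where-Object form in step 4 is kept to show the client-side alternative used above.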
Azure Policy Evaluation Triggers
Evaluations of assigned policies and initiatives happen as the result of various events:
- A policy or initiative is assigned to a new scope. It takes about 30-60 mins for the assignment cycle to be applied.
- A policy or initiative already assigned to a scope is updated. It takes about 30-60 mins for the assignment cycle to be applied.
- A resource is deployed to a scope with an assignment via Resource Manager, REST, Azure CLI, or Azure PowerShell.
- Standard compliance evaluation cycle which happens every 24 hours
- On-demand scan
- The Guest Configuration resource provider is updated with compliance details by a managed resource.
On-demand evaluation scan
An evaluation scan for a subscription or a resource group can be started with a call to the REST API. This scan is an asynchronous process. As such, the REST endpoint to start the scan doesn’t wait until the scan is complete to respond. Instead, it provides a URI to query the status of the requested evaluation.
There is no other method available to trigger an on-demand scan as of now.
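As an added example (not part of the original post), the script below starts the on-demand evaluation described above through the REST API and polls the status URI until the scan completes, then pulls a fresh summary for the same scope. It assumes an existing Az session and the Invoke-AzRestMethod cmdlet from Az.Accounts; the subscription id is a placeholder, and the api-version is the one documented for the triggerEvaluation endpoint.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run
# and that Invoke-AzRestMethod (Az.Accounts) is available.
$subscriptionId = "<subscription-id>"   # placeholder, replace with your own
$resourceGroup  = ""                    # optional: set to scope the scan to one resource group

# Build the triggerEvaluation path at subscription or resource-group scope
$scope = "/subscriptions/$subscriptionId"
if ($resourceGroup) { $scope += "/resourceGroups/$resourceGroup" }
$path = "$scope/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"

# The endpoint answers 202 Accepted immediately; the Location header is the status URI
$start = Invoke-AzRestMethod -Path $path -Method POST
if ($start.StatusCode -ne 202) {
    throw "Trigger failed: HTTP $($start.StatusCode) $($start.Content)"
}
$statusUri = [string]$start.Headers.Location
"Scan requested, status URI: $statusUri"

# Poll the status URI: 202 while the evaluation is running, 200 once it has finished
do {
    Start-Sleep -Seconds 30
    $status = Invoke-AzRestMethod -Uri $statusUri -Method GET
    "Status: HTTP $($status.StatusCode)"
} while ($status.StatusCode -eq 202)

if ($status.StatusCode -ne 200) {
    throw "Evaluation did not complete: HTTP $($status.StatusCode) $($status.Content)"
}

# Evaluation finished; read the refreshed compliance summary for the same scope
if ($resourceGroup) {
    Get-AzPolicyStateSummary -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroup
} else {
    Get-AzPolicyStateSummary -SubscriptionId $subscriptionId
}
```

Because the scan is asynchronous, a script that queries Get-AzPolicyState immediately after the POST would still see the previous cycle's records; polling the Location header until it returns 200 is what guarantees the summary reflects the new evaluation.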
Summary and Notes
It is equally important to audit existing resources for appropriate configurations and settings, evaluate the results and take appropriate actions. Azure Policy generates this data automatically and makes it available through various channels. One can also integrate it with other tools using the REST APIs.
For further reading: Get Compliance Data – https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data
Create Guest configuration policies – https://docs.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create
In the next blog post, we’ll discuss how we can manage non-compliant resources and trigger remediation.