az policy attestation
Manage resource policy attestations.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy attestation create | Create a policy attestation. | Core | GA |
az policy attestation delete | Delete an existing policy attestation. | Core | GA |
az policy attestation list | List all attestations for a resource. | Core | GA |
az policy attestation show | Get a policy attestation. | Core | GA |
az policy attestation update | Update an existing policy attestation. | Core | GA |
az policy attestation create
Create a policy attestation.
az policy attestation create --attestation-name
--policy-assignment
[--assessment-date]
[--comments]
[--compliance-state {Compliant, NonCompliant, Unknown}]
[--definition-reference-id]
[--evidence]
[--expires-on]
[--metadata]
[--namespace]
[--owner]
[--parent]
[--resource]
[--resource-group]
[--resource-type]
Examples
Create an attestation at resource group scope for a policy assignment
az policy attestation create -g myRg -n myAttestation --policy-assignment eeb18edc813c42d0ad5a9eab
Create an attestation at resource group scope for a policy assignment using the policy assignment resource ID
az policy attestation create -g myRg -n myAttestation \
--policy-assignment "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa"
Create an attestation at subscription scope for a policy set assignment
az policy attestation create -n myAttestation \
--policy-assignment eeb18edc813c42d0ad5a9eab \
--definition-reference-id auditVMPolicyReference
Create an attestation for a specific resource using the resource ID
az policy attestation create \
--resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/myVm" \
-n myAttestation --policy-assignment eeb18edc813c42d0ad5a9eab
Create an attestation at resource group scope using all properties
az policy attestation create --attestation-name myAttestation -g myRg -a eeb18edc813c42d0ad5a9eab \
--compliance-state Compliant --assessment-date 2023-01-01T08:29:18Z \
--evidence source-uri=https://sampleuri.com description="Sample description for the sample uri" \
--evidence source-uri=https://sampleuri2.com description="Sample description 2 for the sample uri 2" \
--expires-on 2024-08-01T05:29:18Z --owner user@myOrg.com --metadata Location=NYC Dept=ACC \
--definition-reference-id auditVMPolicyReference
Required Parameters
--attestation-name: The name of the attestation.
--policy-assignment: The resource ID of the policy assignment that the attestation is setting the state for.
Optional Parameters
--assessment-date: The time the evidence was assessed.
--comments: Comments describing why this attestation was created.
--compliance-state: The compliance state that should be set on the resource.
--definition-reference-id: The policy definition reference ID from a policy set definition that the attestation is setting the state for. If the policy assignment assigns a policy set definition, the attestation can choose a definition within the set definition with this property or omit this and set the state for the entire set definition.
--evidence: The evidence supporting the compliance state set in this attestation.
--expires-on: The time the compliance state should expire.
--metadata: Additional metadata in space-separated key=value pairs for an attestation. This overwrites any existing metadata for the attestation.
--namespace: Provider namespace (Ex: Microsoft.Provider).
--owner: The person responsible for setting the state of the resource. This value is typically an Azure Active Directory object ID.
--parent: The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
--resource: Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-type: Resource type (Ex: resourceTypeC).
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy attestation delete
Delete an existing policy attestation.
az policy attestation delete --attestation-name
[--namespace]
[--parent]
[--resource]
[--resource-group]
[--resource-type]
Examples
Delete an attestation at resource group scope
az policy attestation delete -g myRg -n myAttestation
Required Parameters
--attestation-name: The name of the attestation.
Optional Parameters
--namespace: Provider namespace (Ex: Microsoft.Provider).
--parent: The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
--resource: Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-type: Resource type (Ex: resourceTypeC).
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy attestation list
List all attestations for a resource.
az policy attestation list [--filter]
[--resource]
[--resource-group]
[--top]
Examples
List all policy attestations at subscription scope
az policy attestation list
List the top two policy attestations at resource group scope
az policy attestation list -g myRg --top 2
List all attestations that have the policy assignment ID of myPolicyAssignment
az policy attestation list --filter "PolicyAssignmentId eq '/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5'"
Optional Parameters
--filter: OData filter expression.
--resource: Resource ID.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--top: Maximum number of records to return.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
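An audit pass over the output of az policy attestation list, added here as an example and not part of the Azure CLI documentation: it flags attestations that mark a resource Compliant without evidence or an expiry, that are past their --expires-on time, or that have no --owner. The JSON field names and the sample records are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `az policy attestation list -o json`.
# Assumption: output fields are the camelCase forms of the options on this page.
SAMPLE = json.loads("""[
 {"name": "attOk", "complianceState": "Compliant", "owner": "user@myOrg.com",
  "expiresOn": "2025-01-01T00:00:00Z",
  "evidence": [{"sourceUri": "https://sampleuri.com", "description": "Sample"}]},
 {"name": "attNoEvidence", "complianceState": "Compliant", "owner": "user@myOrg.com",
  "expiresOn": null, "evidence": null},
 {"name": "attStale", "complianceState": "Compliant", "owner": null,
  "expiresOn": "2024-08-01T05:29:18Z",
  "evidence": [{"sourceUri": "https://sampleuri2.com", "description": "Sample 2"}]},
 {"name": "attOpen", "complianceState": "NonCompliant", "owner": "user@myOrg.com",
  "expiresOn": null, "evidence": null}
]""")

def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing Z is normalised for older Pythons."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit(attestations, now):
    """Return {attestation name: [findings]} for entries that need review."""
    report = {}
    for att in attestations:
        findings = []
        compliant = att.get("complianceState") == "Compliant"
        expires = att.get("expiresOn")
        if compliant and not att.get("evidence"):
            findings.append("compliant-without-evidence")
        if compliant and not expires:
            findings.append("compliant-never-expires")
        if expires and parse_ts(expires) <= now:
            findings.append("expired")
        if not att.get("owner"):
            findings.append("no-owner")
        if findings:
            report[att.get("name", "<unnamed>")] = findings
    return report

NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

To run it against a live subscription, replace SAMPLE with the parsed output of az policy attestation list -o json and pass the current UTC time as now.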
az policy attestation show
Get a policy attestation.
az policy attestation show --attestation-name
[--namespace]
[--parent]
[--resource]
[--resource-group]
[--resource-type]
Examples
Show an attestation at subscription scope
az policy attestation show --attestation-name myAttestation
Required Parameters
--attestation-name: The name of the attestation.
Optional Parameters
--namespace: Provider namespace (Ex: Microsoft.Provider).
--parent: The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
--resource: Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-type: Resource type (Ex: resourceTypeC).
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy attestation update
Update an existing policy attestation.
az policy attestation update --attestation-name
[--assessment-date]
[--comments]
[--compliance-state {Compliant, NonCompliant, Unknown}]
[--definition-reference-id]
[--evidence]
[--expires-on]
[--metadata]
[--namespace]
[--owner]
[--parent]
[--policy-assignment]
[--resource]
[--resource-group]
[--resource-type]
Examples
Update an attestation at resource scope
az policy attestation update --attestation-name myAttestation \
--resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/myVm" \
--comments "Adding comments for this attestation"
Required Parameters
--attestation-name: The name of the attestation.
Optional Parameters
--assessment-date: The time the evidence was assessed.
--comments: Comments describing why this attestation was created.
--compliance-state: The compliance state that should be set on the resource.
--definition-reference-id: The policy definition reference ID from a policy set definition that the attestation is setting the state for. If the policy assignment assigns a policy set definition, the attestation can choose a definition within the set definition with this property or omit this and set the state for the entire set definition.
--evidence: The evidence supporting the compliance state set in this attestation.
--expires-on: The time the compliance state should expire.
--metadata: Additional metadata in space-separated key=value pairs for an attestation. This overwrites any existing metadata for the attestation.
--namespace: Provider namespace (Ex: Microsoft.Provider).
--owner: The person responsible for setting the state of the resource. This value is typically an Azure Active Directory object ID.
--parent: The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
--policy-assignment: The resource ID of the policy assignment that the attestation is setting the state for.
--resource: Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-type: Resource type (Ex: resourceTypeC).
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.