az policy state
Manage policy compliance states.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy state list | List policy compliance states. | Core | GA |
az policy state summarize | Summarize policy compliance states. | Core | GA |
az policy state trigger-scan | Trigger a policy compliance evaluation for a scope. | Core | GA |
az policy state list
List policy compliance states.
az policy state list [--all]
[--apply]
[--expand]
[--filter]
[--from]
[--management-group]
[--namespace]
[--order-by]
[--parent]
[--policy-assignment]
[--policy-definition]
[--policy-set-definition]
[--resource]
[--resource-group]
[--resource-type]
[--select]
[--to]
[--top]
Examples
Get latest policy states at current subscription scope.
az policy state list
Get all policy states at current subscription scope.
az policy state list --all
Get latest policy states at management group scope.
az policy state list -m "myMg"
Get latest policy states at resource group scope in current subscription.
az policy state list -g "myRg"
Get latest policy states for a resource using resource ID.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
Get latest policy states for a resource using resource name.
az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
Get latest policy states for a nested resource using resource name.
az policy state list --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
Get latest policy states for a policy set definition in current subscription.
az policy state list -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
Get latest policy states for a policy definition in current subscription.
az policy state list -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
Get latest policy states for a policy assignment in current subscription.
az policy state list -a "ddd8ef92e3714a5ea3d208c1"
Get latest policy states for a policy assignment in the specified resource group in current subscription.
az policy state list -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
Get top 5 latest policy states in current subscription, selecting a subset of properties and customizing ordering.
az policy state list --top 5 --order-by "timestamp desc, policyAssignmentName asc" --select "timestamp, resourceId, policyAssignmentId, policySetDefinitionId, policyDefinitionId"
Get latest policy states in current subscription during a custom time interval.
az policy state list --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
Get latest policy states in current subscription filtering results based on some property values.
az policy state list --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
Get number of latest policy states in current subscription.
az policy state list --apply "aggregate($count as numberOfRecords)"
Get latest policy states in current subscription aggregating results based on some properties.
az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numStates))"
Get latest policy states in current subscription grouping results based on some properties.
az policy state list --apply "groupby((policyAssignmentName, resourceId))"
Get latest policy states in current subscription aggregating results based on some properties specifying multiple groupings.
az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId, resourceId))/groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numNonCompliantResources))"
Get latest policy states for a resource including policy evaluation details.
az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup" --expand PolicyEvaluationDetails
Get latest component policy states for a resource (e.g. vault) and policy assignment referencing a resource provider mode policy definition.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"
Get latest component policy states for a resource (e.g. vault) and policy assignment referencing an initiative containing a resource provider mode policy definition.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa' and policyDefinitionReferenceId eq 'myResourceProviderModeDefinitionReferenceId'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"
Get latest component counts by compliance state for a resource (e.g. vault) and policy assignment referencing a resource provider mode policy definition.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant' or ComplianceState eq 'Conflict';$apply=groupby((complianceState),aggregate($count as count)))"
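The `--apply` and `--expand` examples above carry `$count`, `$filter` and `$apply` inside double quotes; a POSIX shell (sh, bash) expands those as variables before az receives the argument, so the OData expression arrives mangled. The following is an added example, not part of the original reference: helper functions (their names are hypothetical) that build these arguments with the `$` tokens intact and escape single quotes in values the OData way.

```shell
#!/bin/sh
# Added example: build OData arguments for `az policy state list` so that
# $count/$filter/$apply reach az literally and embedded values are escaped.

# Quote a value as an OData string literal: ' becomes '' inside '...'.
odata_str() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# What a POSIX shell hands to az when the page's --apply example is typed
# in double quotes: $count is expanded (unset here, so it becomes empty).
naive_apply() (
    unset count
    printf '%s' "aggregate($count as numberOfRecords)"
)

# The same expression in single quotes is passed through unchanged.
count_apply() {
    printf '%s' 'aggregate($count as numberOfRecords)'
}

# --filter value restricting results to one policy assignment ID.
assignment_filter() {
    printf 'policyAssignmentId eq %s' "$(odata_str "$1")"
}

# --expand value counting components per compliance state; the arguments
# are the states to include (e.g. NonCompliant Compliant Conflict).
components_expand() {
    states=''
    for state in "$@"; do
        if [ -n "$states" ]; then
            states="$states or "
        fi
        states="${states}ComplianceState eq $(odata_str "$state")"
    done
    printf 'Components($filter=%s;$apply=groupby((complianceState),aggregate($count as count)))' "$states"
}

# Usage (VAULT_ID and ASSIGNMENT_ID are placeholders you set yourself):
#   az policy state list --resource "$VAULT_ID" \
#     --filter "$(assignment_filter "$ASSIGNMENT_ID")" \
#     --expand "$(components_expand NonCompliant Compliant Conflict)"
```
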
Optional Parameters
--all: Within the specified time interval, get all policy states instead of the latest only.
--apply: Apply expression for aggregations using OData notation.
--expand: Expand expression using OData notation.
--filter: Filter expression using OData notation.
--from: ISO 8601 formatted timestamp specifying the start time of the interval to query.
--management-group -m: Name of management group.
--namespace: Provider namespace (Ex: Microsoft.Provider).
--order-by: Ordering expression using OData notation.
--parent: The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
--policy-assignment -a: Name of policy assignment.
--policy-definition -d: Name of policy definition.
--policy-set-definition -s: Name of policy set definition.
--resource: Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.
--resource-group -g: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-type: Resource type (Ex: resourceTypeC).
--select: Select expression using OData notation.
--to: ISO 8601 formatted timestamp specifying the end time of the interval to query.
--top: Maximum number of records to return.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help -h: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output -o: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy state summarize
Summarize policy compliance states.
az policy state summarize [--filter]
[--from]
[--management-group]
[--namespace]
[--parent]
[--policy-assignment]
[--policy-definition]
[--policy-set-definition]
[--resource]
[--resource-group]
[--resource-type]
[--to]
[--top]
Examples
Get latest non-compliant policy states summary at current subscription scope.
az policy state summarize
Get latest non-compliant policy states summary at management group scope.
az policy state summarize -m "myMg"
Get latest non-compliant policy states summary at resource group scope in current subscription.
az policy state summarize -g "myRg"
Get latest non-compliant policy states summary for a resource using resource ID.
az policy state summarize --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
Get latest non-compliant policy states summary for a resource using resource name.
az policy state summarize --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
Get latest non-compliant policy states summary for a nested resource using resource name.
az policy state summarize --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
Get latest non-compliant policy states summary for a policy set definition in current subscription.
az policy state summarize -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
Get latest non-compliant policy states summary for a policy definition in current subscription.
az policy state summarize -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
Get latest non-compliant policy states summary for a policy assignment in current subscription.
az policy state summarize -a "ddd8ef92e3714a5ea3d208c1"
Get latest non-compliant policy states summary for a policy assignment in the specified resource group in current subscription.
az policy state summarize -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
Get latest non-compliant policy states summary in current subscription, limiting the assignments summary to top 5.
az policy state summarize --top 5
Get latest non-compliant policy states summary in current subscription for a custom time interval.
az policy state summarize --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
Get latest non-compliant policy states summary in current subscription filtering results based on some property values.
az policy state summarize --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
Optional Parameters
--filter: Filter expression using OData notation.
--from: ISO 8601 formatted timestamp specifying the start time of the interval to query.
--management-group -m: Name of management group.
--namespace: Provider namespace (Ex: Microsoft.Provider).
--parent: The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
--policy-assignment -a: Name of policy assignment.
--policy-definition -d: Name of policy definition.
--policy-set-definition -s: Name of policy set definition.
--resource: Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.
--resource-group -g: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-type: Resource type (Ex: resourceTypeC).
--to: ISO 8601 formatted timestamp specifying the end time of the interval to query.
--top: Maximum number of records to return.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help -h: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output -o: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy state trigger-scan
Trigger a policy compliance evaluation for a scope.
az policy state trigger-scan [--no-wait]
[--resource-group]
Examples
Trigger a policy compliance evaluation at the current subscription scope.
az policy state trigger-scan
Trigger a policy compliance evaluation for a resource group.
az policy state trigger-scan -g "myRg"
Trigger a policy compliance evaluation for a resource group and do not wait for it to complete.
az policy state trigger-scan -g "myRg" --no-wait
Optional Parameters
--no-wait: Do not wait for the long-running operation to finish.
--resource-group -g: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help -h: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output -o: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.