Effect of editing custom Azure Policy definition on existing assignments?

Question

Effect of editing custom Azure Policy definition on existing assignments?

Mark Poole 20

I am trying to understand how editing a custom Azure policy definition affects existing assignments but can't find any info on this.

Our scenario: We have a custom policy definition for the deployment and configuration of the AMA client on Arc connected machines. The policy was assigned to an RG with Arc connected machines in it. The AMA client was installed and configured, and the machines showed as being compliant with the policy. Unfortunately, the policy definition has a typo in the proxy settings so the machines need updating with the correct value.

I updated the policy definition but clients still reported as being compliant with the policy even though the AMA client reported back the wrong proxy config.

I then tried removing the policy assignments and creating new policy assignments against the updated policy definition. The clients still report back as being compliant with the policy even though the AMA client is still reporting back the wrong proxy config. I have manually triggered a compliance scan to try and rule out the compliance date being stale.

I am expecting the clients to become non-compliant as their AMA config no longer matches the policy definition but this does not seem to be happening. Am I wrong in my expectations?

Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2024-10-30T12:49:49.9933333+00:00

Hii Mark Poole (7805)

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

When you changed the policy definition to fix the typo, the resources didn't become non-compliant right away. They stayed compliant because they were evaluated using the old definition.
https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/evaluate-impact

Even if you removed and reassigned the policy, the clients might still appear compliant because of when the evaluation happened, and old data being stored.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/compliance-states

The compliance status can stay outdated until a full check is done, which might need to be started manually or happen on a schedule in Azure Policy.
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data

After making changes and running scans, look in the Azure Portal for any updates on the policy results.

Set up alerts or logs to monitor changes in compliance over time. If you have related policies, group them into a policy initiative to manage them easily.

https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-group-with-initiative

If clients still seem compliant, check the resource settings to ensure they match the updated policy.

If you have any further queries, do let us know.

If the answer is helpful, please click "Accept Answer" and "Upvote it".
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2024-11-01T20:51:09.14+00:00

Hii Mark Poole (7805)
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2024-11-04T09:22:56.88+00:00

Hii Mark Poole (7805)
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Mark Poole 20 Reputation points

2024-11-04T11:54:22.2733333+00:00

@Pranay Reddy Madireddy Thanks for taking the time to replay to my post.

What you have detailed is indeed how I would expect things to work. However, it didn't. The resources simply would not evaluate against the updated policy definition and kept reporting as compliant, when the config wasn't.

The only way I managed to get this resolved was to remove the AMA client from the machines and create a new remediation task. The client was then redeployed with the correct settings.

Accepted answer

0 additional answers

Your answer

Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2024-10-30T12:49:49.9933333+00:00

Hii Mark Poole (7805)

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

When you changed the policy definition to fix the typo, the resources didn't become non-compliant right away. They stayed compliant because they were evaluated using the old definition.
https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/evaluate-impact

Even if you removed and reassigned the policy, the clients might still appear compliant because of when the evaluation happened, and old data being stored.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/compliance-states

The compliance status can stay outdated until a full check is done, which might need to be started manually or happen on a schedule in Azure Policy.
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data

After making changes and running scans, look in the Azure Portal for any updates on the policy results.

Set up alerts or logs to monitor changes in compliance over time. If you have related policies, group them into a policy initiative to manage them easily.

https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-group-with-initiative

If clients still seem compliant, check the resource settings to ensure they match the updated policy.

If you have any further queries, do let us know.

If the answer is helpful, please click "Accept Answer" and "Upvote it".
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2024-11-01T20:51:09.14+00:00

Hii Mark Poole (7805)
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2024-11-04T09:22:56.88+00:00

Hii Mark Poole (7805)
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Mark Poole 20 Reputation points

2024-11-04T11:54:22.2733333+00:00

@Pranay Reddy Madireddy Thanks for taking the time to replay to my post.

What you have detailed is indeed how I would expect things to work. However, it didn't. The resources simply would not evaluate against the updated policy definition and kept reporting as compliant, when the config wasn't.

The only way I managed to get this resolved was to remove the AMA client from the machines and create a new remediation task. The client was then redeployed with the correct settings.

Answer 1

Hi Mark Poole (7805)
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue:
Effect of editing custom Azure Policy definition on existing assignments?

Solution:
The only way I managed to get this resolved was to remove the AMA client from the machines and create a new remediation task. The client was then redeployed with the correct settings.

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Effect of editing custom Azure Policy definition on existing assignments?

0 additional answers

Your answer