Azure Policy - Remediation task not running on newly deployed resource

Question

Azure Policy - Remediation task not running on newly deployed resource

Inbal Silis 116 Microsoft Employee

Hi.

I created new policy that assign data collection EP to VM inside existing data collection rule.

I provided this policy to my customer.

The policy running on existing VMs in data collection rule, but when customer create new VM, the policy mark the VM as non compliance.

When customer create remediation task, the remediation task manages to assign data collection end point to the VMs and the policy working!

Any idea why the policy can work only in manual remediation mode?

This is the policy customer runing:

https://github.com/inbalsilis/Defender-Policy/blob/main/AMPLS/Policy/%5BAMPLS%20Custom%5D:%20Configure%20Ass%20to%20link%20Azure%20Arc%20to%20user-defined%20Microsoft%20Defender%20for%20Cloud%20Data%20Collection%20Rule%20and%20EP

2 answers

Your answer

Answer 1

AnuragSingh-MSFT 21,551 Moderator

@Inbal Silis , Please note that the deployment to new resource being created, does not happen through "remediation task". Remediation task is only used to remediate existing resources or such resources for which deployment could not be done through DeployIfNotExists effect, after they were marked non-compliant.

The deployment through Azure Policy's DeployIfNotExists depends on EvaluationDelay property. It is optional and in the absence of this property a delay of 10 minutes is considered for evaluation and deployment. One of the reasons for the deployment to not have taken in effect is that you are checking the resource right after creation. In the absence of EvaluationDelay property, it will take atleast 10 minutes (default) for the deployment to start.

Another case could be that the policy was saved/assigned at Management Group scope. In such a case, the identity associated with the deployment template does not get the correct permission associated with it OR that the permission could not be granted when the policy was being assigned (due to lack of permission of the policy assigner). The evaluation works but it would put the resources in non-compliant state and a manual remediation task is required to remedy them.

Please check if the scenario falls under either of the 2 criteria.

If the answer did not help, please add more context/follow-up question for it, and we will help you out, else please click Accept answer so that it can help others in the community looking for help on similar topics.

Inbal Silis 116 Reputation points Microsoft Employee

2023-03-27T14:40:58.5866667+00:00

Thanks for the detailed answer!!! The policy was set at resource group level, not on management level.

For the 10 minutes delay, customer was waiting for few days, so its cant be timing issue as well.
AnuragSingh-MSFT 21,551 Reputation points Moderator

2023-03-28T05:03:23.3+00:00

Inbal Silis, thank you for the reply. With the current information available, it might be possible that the role was not assigned properly when assigning the policy. You could check the Activity Logs in Azure Portal for any such evidence. For a successful "deployIfNotExists' affect after the resource creation, an entry is added to the activity log as below (ensure to select the correct filter - subsctiption, timespan, and event severity = ALL):

Hope this helps.
Somnath Kumar 76 Reputation points

2023-04-28T04:39:51.9166667+00:00

@AnuragSingh-MSFT When the policy definition or initiative is assigned to the management group, can't see the remediation task. Is there any solution to that?
Tushar Trivedi 0 Reputation points

2024-07-05T12:35:28.0833333+00:00

I have related problem. I have 5 VMs in once resource group. The policy with guest configuration is assigned to the resource group. After I change the configuration and updated policy accordingly, out of 5, 4 VMs have picked up the changed configuration but one VM is not picking up, even after remediating multiple times in 24 hours. When I check compliance at assignment level, it shows non-compliant, but when I go to that VM, it shows compliant. What could be the possible reasons?

Answer 2

Patchfox 4,176

Hi Inbal Silis, I hope I can help you with this question.

Remediation tasks are performed automatically only on newly created resources.

For already existing resources, the policy for the "DeployIfNotExists" effect always evaluates only the state but does not perform any remediation tasks automatically - unless it is explicitly specified when assigning the policy (but then also runs only once). The Remediation can be executed thereby purposefully with certain resources.

Generally, there are 3 options to perform a remediation.

1.) From the Remediation page

2.) From a non-compliant policy assignment

3.) during policy assignment (as already mentioned)

You can find more information on the following page:

https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal

If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.

Inbal Silis 116 Reputation points Microsoft Employee

2023-03-27T04:34:40.9733333+00:00

So I have newly created resources, marked by the policy as non compliance, but no auto remediation task created on them, and I wonder why?

When I create remediation task, its working.
Patchfox 4,176 Reputation points

2023-03-27T18:04:37.0333333+00:00

Okay, thanks for the info.

That means, there is no Remediation Task displayed on the scope you are looking at, not even one that is faulty.

Can you verify that no Remediation Task was created on another scope?
Patchfox 4,176 Reputation points

2023-03-31T19:39:14.9833333+00:00

Hi Inbal Silis , I quickly want to check, if my answer helped you or if you need further assistance.

Share via

Azure Policy - Remediation task not running on newly deployed resource

2 answers

Your answer