Unable to export the azure policies(Built-in) From initiative ASC_Default

Prateek Rana 60 Reputation points
2023-05-15T05:03:43.9966667+00:00

I am trying to fetch the policies (built-in) inside ASC_Default. For example, we have 211 policies in ASC_Default. I want to fetch all the policies with parameters like Definition-ID, Effect, Description, Assigned by.

I used the below code, but it is missing the required information I am looking for.

# List the policy definitions referenced by the initiative with the given display name
(Get-AzPolicySetDefinition | ?{$_.Properties.DisplayName -eq "NIST SP 800-171 Rev. 2"}).Properties.PolicyDefinitions

When I change the initiative to, let's say, "Azure security benchmark" or "ASC default", I am not getting any details; even the fetched file is totally blank, with no data in it.

Please help!!


2 answers

  1. Mohammed Altamash Khan 2,076 Reputation points
    2023-05-15T11:09:45.7033333+00:00

    Hi

    Does the same code work for fetching data of a normal Azure policy? ASC default policies are hectic and automatically created by Azure Security Center.

    And you need to delete the useless ones first. Analyzing and sorting this type of policy is the worst task you can give to a security admin; I just deleted everything and started new (just sharing my personal exp.).

    Regards


  2. tbgangav-MSFT 10,376 Reputation points
    2023-05-18T05:36:36.4033333+00:00

    Hi @Prateek Rana ,

    Firstly, there is no built-in initiative with the name "Azure security benchmark" or "ASC default".

    There is a policy assignment with a name starting with "ASC Default".

    In case you are looking for a command to get policy assignment details along with assigned-by information, then use the below command.

    # Fetch one policy assignment by its resource ID and project the fields of interest,
    # including the AssignedBy / CreatedBy / CreatedOn values stored in its metadata
    Get-AzPolicyAssignment -Id "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn" |
        Select-Object @{Name="DisplayName"; Expression={$_.Properties.DisplayName}},
            @{Name="Name"; Expression={$_.Name}},
            @{Name="ResourceId"; Expression={$_.ResourceId}},
            @{Name="Scope"; Expression={$_.Properties.Scope}},
            @{Name="EnforcementMode"; Expression={$_.Properties.EnforcementMode}},
            @{Name="AssignedBy"; Expression={$_.Properties.Metadata.AssignedBy}},
            @{Name="CreatedBy"; Expression={$_.Properties.Metadata.CreatedBy}},
            @{Name="CreatedOn"; Expression={$_.Properties.Metadata.CreatedOn}},
            @{Name="ExcludedOutOfTheBoxStandards"; Expression={$_.Properties.Metadata.excludedOutOfTheBoxStandards}},
            @{Name="Description"; Expression={$_.Properties.Description}}
    

    If that's not what you are looking for, and as explained here and here, if you are looking for the effect details of policies that are part of an initiative, then they are provided as part of the parameters property, as shown below. To fetch those details, you might have to come up with a script and then export the result to a CSV file.

    If you think fetching the effect details from the parameters property of the Get-AzPolicySetDefinition cmdlet is difficult, then you may fetch the same by calling the Get-AzPolicyDefinition cmdlet in a loop for each initiative, something like shown below.

    $arrResults = @()

    # Fetch every policy definition once and index it by ID, instead of calling
    # Get-AzPolicyDefinition again for every policy inside every initiative
    $PDById = @{}
    foreach ($PD in Get-AzPolicyDefinition) { $PDById[$PD.PolicyDefinitionId] = $PD }

    $GetPSDs = Get-AzPolicySetDefinition

    foreach ($GetPSD in $GetPSDs) {
        $GetPDIDs = $GetPSD.Properties.PolicyDefinitions.PolicyDefinitionId
        foreach ($GetPDID in $GetPDIDs) {
            # Look up the policy definition referenced by this initiative entry
            $GetPD = $PDById[$GetPDID]

            # One output row per (initiative, policy) pair
            $objResults = New-Object PSObject -Property @{
                PolicySetMetadata      = $GetPSD.Properties.Metadata;
                PolicySetDisplayName   = $GetPSD.Properties.DisplayName;
                PolicySetDescription   = $GetPSD.Properties.Description;
                PolicySetType          = $GetPSD.Properties.PolicyType;
                PolicySetDefinitionID  = $GetPSD.PolicySetDefinitionId;

                PolicyMetadata         = $GetPD.Properties.Metadata;
                PolicyDisplayName      = $GetPD.Properties.DisplayName;
                PolicyDescription      = $GetPD.Properties.Description;
                PolicyType             = $GetPD.Properties.PolicyType;
                PolicyDefinitionID     = $GetPD.PolicyDefinitionId;
                # Effects the policy definition itself allows (from its 'effect' parameter)
                AvailableEffects       = [string]$GetPD.Properties.Parameters.effect.allowedValues;
            }
            $arrResults += $objResults
        }
    }

    # Export all rows to CSV (the path is a placeholder to replace with your own)
    $arrResults | Export-Csv -Path "C:\xxxxxx\xxxxxxx\xxxxxxx\PSD_PD_Output.csv" -NoType
    

    Note that the execution time of the above script would depend on the number of policies inside an initiative and the number of initiatives in your environment. If the execution time is too long, then you may have to tweak the script to execute faster with the help of the Start-Job cmdlet, so that it starts an asynchronous job, or else try parallel processing using foreach parallel or any other approach which completes the execution faster.
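    As an added example (not part of the answer above and not a Microsoft script), the following function does the part the answer calls difficult: for every policy referenced by an initiative, it resolves the effect the initiative assigns by following the [parameters('...')] reference into the initiative's own parameters property. The initiative object is constructed inline to mimic the shape of a Get-AzPolicySetDefinition result; the parameter name effect-example and the policy IDs are made up.

```powershell
# Added example: resolve the effect each policy inside an initiative receives from the
# initiative's own parameters ($PolicySet is one Get-AzPolicySetDefinition result).
function Get-InitiativePolicyEffects {
    param([Parameter(Mandatory)] $PolicySet)
    $setParams = $PolicySet.Properties.Parameters
    foreach ($pd in $PolicySet.Properties.PolicyDefinitions) {
        # The initiative passes each policy's effect either as a literal value or as a
        # reference like [parameters('effect-xyz')] to one of its own parameters.
        $effectExpr = $pd.parameters.effect.value
        $default    = if ($null -eq $effectExpr) { '(policy default)' } else { $effectExpr }
        $allowed    = @()
        if ($effectExpr -match "^\[parameters\('([^']+)'\)\]$") {
            $p = $setParams.($Matches[1])          # look up the initiative parameter
            if ($null -ne $p) {
                $default = $p.defaultValue
                $allowed = @($p.allowedValues)
            }
        }
        [pscustomobject]@{
            ReferenceId        = $pd.policyDefinitionReferenceId
            PolicyDefinitionId = $pd.policyDefinitionId
            EffectExpression   = $effectExpr
            DefaultEffect      = $default
            AllowedEffects     = ($allowed -join ', ')
        }
    }
}

# Constructed sample initiative with the same shape as Get-AzPolicySetDefinition output;
# the parameter name and policy IDs are made up.
$sampleSet = [pscustomobject]@{ Properties = [pscustomobject]@{
    DisplayName = 'Sample initiative'
    Parameters  = [pscustomobject]@{
        'effect-example' = [pscustomobject]@{
            defaultValue = 'AuditIfNotExists'; allowedValues = @('AuditIfNotExists', 'Disabled') }
    }
    PolicyDefinitions = @(
        [pscustomobject]@{
            policyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/example-1'
            policyDefinitionReferenceId = 'ref-1'
            parameters = [pscustomobject]@{ effect = [pscustomobject]@{ value = "[parameters('effect-example')]" } } },
        [pscustomobject]@{
            policyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/example-2'
            policyDefinitionReferenceId = 'ref-2'
            parameters = [pscustomobject]@{} }   # no effect passed: policy's own default applies
    )
} }
Get-InitiativePolicyEffects -PolicySet $sampleSet | Format-Table -AutoSize
# Real use: Get-InitiativePolicyEffects -PolicySet (Get-AzPolicySetDefinition -Name '<initiative name>')
```

    Pipe the function's output to Export-Csv to get the per-policy effect column the question asks for; a row showing "(policy default)" means the initiative passes no effect and the value must come from the policy definition itself, as in the loop script above.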