Way to export Azure policy definitions that are part of initiatives

Maheswararaju P 11 Reputation points
2023-07-09T07:56:19.05+00:00

Hi All,

I would like to understand the solution for one of my below requirements.

In our organization, as part of governance, we created Azure policy definitions and assigned them as part of policy initiatives. Now I want to export all of these policy definitions that are part of assignments, because I want to understand how many of them were active policies that we had across all the landing zones.

I tried to extract this with ARG queries and REST APIs, but none of them had valid data results as part of their schema.

Can someone update me on the solution for this, if you have already worked on it?

Thank you.


2 answers

  1. Luke Murray 11,251 Reputation points MVP
    2023-07-09T21:26:24.27+00:00

    Hi, you should be able to do this with a script like the below:

    # The linked script sets these earlier; they are declared here so the excerpt runs on its own.
    # $tenantId is the name of the tenant root management group, $mgs the groups to export.
    $tenantId = (Get-AzContext).Tenant.Id
    $mgs = @('<management-group-name>')   # placeholder: replace with your management group names
    New-Item -ItemType Directory -Path "$PSScriptRoot/policyDefinitions" -Force | Out-Null

    foreach($g in $mgs){
        Write-Host "Exporting group: $g"

        $mg = Get-AzManagementGroup -GroupName $g -Expand

        if($mg.ParentName -ne $tenantId){
            $parentMg = $mg.ParentName
        }else{
            $parentMg = ""
        }

        # managementGroup parameter value
        $managementGroupParam = [ordered]@{
            name = $mg.Name
            parentName = $parentMg
            displayName = $mg.DisplayName
        }

        # subscriptions parameter value
        $subscriptionsParam = @()
        foreach($c in $mg.Children){
            if($c.Type -eq "/subscriptions"){
                $subscriptionsParam += $c.Name
            }
        }

        # policy definitions - API returns all of them, even though you ask for scope
        Write-Host "Get policy definitions for managementGroup: $g"
        $pds = Get-AzPolicyDefinition -Custom -ManagementGroupName $g
        $policyDefParam = @()
        foreach($pd in $pds){
            # see if this definition is actually deployed to this group since the API returns everything above it, if it is, add it to the list
            # (the trailing "/" stops a group named "corp" from also matching "corp-prod")
            if($pd.ResourceId -like "*Microsoft.Management/managementGroups/$g/*"){
                $policyDefParam += $pd.Name
                # Get PolicyDef JSON. Get-PolicyDefinitionObject is a helper defined earlier in the linked
                # script; if you run only this excerpt, $pd.Properties gives the raw definition body instead
                $json = Get-PolicyDefinitionObject $pd
                # Write parameter file
                $json | ConvertTo-Json -Depth 20 | Set-Content -Path "$PSScriptRoot/policyDefinitions/$($pd.Name).parameters.json"
            }
        }
    }


    Source: https://github.com/bmoore-msft/AzureRM-Samples/blob/9e8e862db578f35a93edde48d88cee5223b3c9dc/lz-lifecycle-mg/export-mg.ps1#L100


  2. tbgangav-MSFT 10,421 Reputation points
    2023-07-11T06:29:25.7+00:00

    Hi Maheswararaju P ,

    You may try the below script. It is taken from this recent question. This and this are a few other related questions. Take a look at them for more context. Thanks.

    $arrResults = @()

    # Fetch every policy definition once and index it by id, instead of re-listing all
    # definitions for every initiative member (hashtable keys are case-insensitive, like -eq)
    $allPDs = @{}
    foreach ($pd in Get-AzPolicyDefinition) { $allPDs[$pd.PolicyDefinitionId] = $pd }

    # Note: the .Properties.* shape below is what Az.Resources versions before 7.0 return
    $GetPSDs = Get-AzPolicySetDefinition

    foreach ($GetPSD in $GetPSDs) {
        $GetPDIDs = $GetPSD.Properties.PolicyDefinitions.PolicyDefinitionId
        foreach ($GetPDID in $GetPDIDs) {
            $GetPD = $allPDs[$GetPDID]
            if (-not $GetPD) { Write-Warning "Definition $GetPDID is not visible at this scope"; continue }

            # [ordered] keeps the CSV columns in this sequence; metadata is serialised so the
            # CSV cell holds the JSON rather than a .NET type name
            $objResults = [PSCustomObject][ordered]@{
                PolicySetMetadata     = $GetPSD.Properties.Metadata | ConvertTo-Json -Compress -Depth 5
                PolicySetDisplayName  = $GetPSD.Properties.DisplayName
                PolicySetDescription  = $GetPSD.Properties.Description
                PolicySetType         = $GetPSD.Properties.PolicyType
                PolicySetDefinitionID = $GetPSD.PolicySetDefinitionId

                PolicyMetadata        = $GetPD.Properties.Metadata | ConvertTo-Json -Compress -Depth 5
                PolicyDisplayName     = $GetPD.Properties.DisplayName
                PolicyDescription     = $GetPD.Properties.Description
                PolicyType            = $GetPD.Properties.PolicyType
                PolicyDefinitionID    = $GetPD.PolicyDefinitionId
                AvailableEffects      = [string]$GetPD.Properties.Parameters.effect.allowedValues
            }
            $arrResults += $objResults
        }
    }

    $arrResults | Export-Csv -Path "C:\xxxxxx\xxxxxxx\xxxxxxx\PSD_PD_Output.csv" -NoTypeInformation


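Both answers list the definitions that initiatives contain, but the question also asks how many are active. The script below is an added example, not code from either answer: it walks the policy assignments instead, follows initiatives down to their member definitions, resolves each policy's effective effect through the initiative and assignment parameters, and flags anything that resolves to Disabled as not active. It assumes a current Az login, PowerShell 5.1 or later, and the pre-7.0 Az.Resources object shape (`.Properties.*`) used by both answers; Az.Resources 7.0 and later flatten these properties.

```powershell
# Added example (not from the answers above). Assumes the Az.Resources < 7.0 object shape
# (.Properties.*) used in the answers; 7.0+ flattens these properties (e.g. $asg.Parameter).
$defCache = @{}
function Get-CachedPolicyDefinition([string]$Id) {
    if (-not $defCache.ContainsKey($Id)) { $defCache[$Id] = Get-AzPolicyDefinition -Id $Id }
    $defCache[$Id]
}

# If $Value is "[parameters('name')]", return the supplied override for 'name' when there is
# one, otherwise the declared default; a literal (Audit, Deny, Disabled, ...) passes through.
function Resolve-ParamRef($Value, $Overrides, $Declared) {
    if ($Value -is [string] -and $Value -match '^\[parameters\(''([^'']+)''\)\]$') {
        $name = $Matches[1]
        if ($null -ne $Overrides.$name) { return $Overrides.$name.value }
        return $Declared.$name.defaultValue
    }
    $Value
}

# Add -Scope "/providers/Microsoft.Management/managementGroups/<name>" to cover a landing-zone MG
$rows = foreach ($asg in Get-AzPolicyAssignment) {
    $targetId = $asg.Properties.PolicyDefinitionId
    if ($targetId -match '/policySetDefinitions/') {
        $set = Get-AzPolicySetDefinition -Id $targetId
        $members = $set.Properties.PolicyDefinitions   # each carries policyDefinitionId + parameters
    } else {
        $set = $null                                   # a single definition assigned directly
        $members = @([pscustomobject]@{ policyDefinitionId = $targetId; parameters = $asg.Properties.Parameters })
    }
    $initName = if ($set) { $set.Properties.DisplayName } else { '' }
    foreach ($m in $members) {
        $def = Get-CachedPolicyDefinition $m.policyDefinitionId
        # Precedence: the initiative member (or direct assignment) overrides the definition's own
        # parameter default; if that value references an initiative parameter, the assignment
        # value overrides the initiative's default.
        $effect = Resolve-ParamRef $def.Properties.PolicyRule.then.effect $m.parameters $def.Properties.Parameters
        if ($set) { $effect = Resolve-ParamRef $effect $asg.Properties.Parameters $set.Properties.Parameters }
        [pscustomobject]@{
            Assignment = $asg.Name
            Scope      = $asg.Properties.Scope
            Initiative = $initName
            Policy     = $def.Properties.DisplayName
            Effect     = $effect
            Active     = ($effect -ne 'Disabled')      # assigned but Disabled is not an active control
        }
    }
}
$rows | Export-Csv -Path "$PSScriptRoot/assigned-policies.csv" -NoTypeInformation
$rows | Group-Object Active | Select-Object Name, Count
```

Run it once per subscription or management group scope and combine the CSVs; an initiative can appear many times because each assignment of it produces its own rows with that assignment's parameter values.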