Azure Policy exemption creation using PowerShell

MrFlinstone 686 Reputation points
2024-01-15T17:25:59.07+00:00

Trying to create policy exemptions using code as opposed to manually creating them. According to the MS link, I have a policy initiative which consists of multiple sub-policies. The first issue is that I cannot seem to get the correct `-Name` passed to `New-AzPolicyExemption`. This doesn't work:


    $mgmtGroup = 'xxx'
    $policySetName = 'xxx'
    # Look up the custom initiative by its portal display name and show its internal Name
    Get-AzPolicySetDefinition -ManagementGroupName $mgmtGroup -Custom | Where-Object { $_.Properties.DisplayName -eq $policySetName } | Select-Object Name

I can see the display name in the portal, but I do not know what the internal name is. I believe this is stored within the `Properties` object when you run `Get-AzPolicySetDefinition`; how can one display all the values within the property object?

Going back to the main question:

Running the below fails because it cannot find the `Name` parameter.

    $ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
    # Select the initiative by display name, then assign it at resource group scope
    $initiative = Get-AzPolicySetDefinition | Where-Object { $_.Properties.DisplayName -eq 'Public' }
    New-AzPolicyAssignment -Name 'denyPolicies' -PolicySetDefinition $initiative -Scope $ResourceGroup.ResourceId

1 answer

SwathiDhanwada-MSFT 18,996 Reputation points Moderator
2024-01-16T04:44:12.5933333+00:00

MrFlinstone Thanks for reaching out. The process you are following is correct. However, I will share an example of how I retrieved the mentioned information in my environment for your reference.

In my example, I am retrieving the Policy Initiative "Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)".

    $mgmtGroup = "Non Production"
    $policySetName = "Audit Public Network Access"
    $definition = Get-AzPolicySetDefinition -ManagementGroupName $mgmtGroup | Where-Object { $_.Properties.DisplayName -eq $policySetName }

You can get the internal name of the policy set definition using the below command, which is what you have been using.

    Get-AzPolicySetDefinition -ManagementGroupName $mgmtGroup | Where-Object { $_.Properties.DisplayName -eq $policySetName } | Select-Object Name

To display all the values of the property object within the policy set definition, you can either follow the process shown in the above screenshot or execute the below command.

    (Get-AzPolicySetDefinition -ManagementGroupName $mgmtGroup | Where-Object { $_.Properties.DisplayName -eq $policySetName }).Properties

Regarding the second error, where you are prompted with "Name not found", kindly share further information on the error by adding the -Debug property to the command, as I wasn't able to reproduce the error you are facing even though I am using similar commands as you.

    $rg = Get-AzResourceGroup -Name "amkiyu"
    New-AzPolicyAssignment -Name "audit PNA" -Scope $rg.ResourceId -PolicySetDefinition $definition
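The question is about exemptions, but both posts stop at the assignment. The PowerShell below is an added example, not code from either poster or from Microsoft: it resolves the initiative by display name (refusing zero or several matches, since display names are not unique), creates the assignment, and then creates a time-boxed exemption for a single member policy. It assumes Az.Resources is loaded, `Connect-AzAccount` has already run, and `Get-AzPolicySetDefinition` returns the `.Properties` shape used in this thread; the resource group, storage account, reference id and change ticket are constructed placeholders.

```powershell
# Added example; not the poster's or Microsoft's code. Assumes Az.Resources is loaded,
# Connect-AzAccount has run, and Get-AzPolicySetDefinition returns the .Properties shape
# used in this thread. Values marked CONSTRUCTED are placeholders to replace.
function Resolve-PolicySetByDisplayName {
    param(
        [Parameter(Mandatory)] [string] $ManagementGroupName,
        [Parameter(Mandatory)] [string] $DisplayName
    )
    # Display names are not unique; the internal Name is. Use -ceq so a look-alike
    # initiative cannot be selected by accident, and fail on zero or several matches.
    $found = @(Get-AzPolicySetDefinition -ManagementGroupName $ManagementGroupName |
        Where-Object { $_.Properties.DisplayName -ceq $DisplayName })
    if ($found.Count -eq 0) { throw "No initiative '$DisplayName' at management group '$ManagementGroupName'." }
    if ($found.Count -gt 1) { throw "Ambiguous display name '$DisplayName'; internal names: $($found.Name -join ', ')" }
    return $found[0]
}

$mgmtGroup     = 'Non Production'               # from the answer above
$policySetName = 'Audit Public Network Access'  # from the answer above
$initiative = Resolve-PolicySetByDisplayName -ManagementGroupName $mgmtGroup -DisplayName $policySetName

# Internal name plus the reference ids of the member policies; an exemption can target
# a subset of the initiative only through these reference ids, not through display names.
"Internal name: $($initiative.Name)"
$initiative.Properties.PolicyDefinitions | Select-Object policyDefinitionReferenceId, policyDefinitionId

$rg = Get-AzResourceGroup -Name 'rg-example'    # CONSTRUCTED
$assignment = New-AzPolicyAssignment -Name 'audit-pna' -DisplayName $policySetName `
    -Scope $rg.ResourceId -PolicySetDefinition $initiative

# Exempt one member policy on one resource. Validate the reference id against the
# initiative first so a typo does not silently create an exemption that matches nothing.
$refId = 'StorageAccountPublicNetworkAccess'     # CONSTRUCTED; pick from the list printed above
$validRefIds = @($initiative.Properties.PolicyDefinitions.policyDefinitionReferenceId)
if ($refId -notin $validRefIds) { throw "'$refId' is not a member of '$policySetName'." }

# Waiver = accepted risk; Mitigated = controlled elsewhere. An expiry and a description
# keep the exemption reviewable instead of becoming a permanent hole in the guardrail.
$exemptionScope = "$($rg.ResourceId)/providers/Microsoft.Storage/storageAccounts/stexample"  # CONSTRUCTED
$exemption = New-AzPolicyExemption -Name 'pna-waiver-stexample' `
    -PolicyAssignment $assignment `
    -Scope $exemptionScope `
    -ExemptionCategory Waiver `
    -PolicyDefinitionReferenceId $refId `
    -ExpiresOn (Get-Date).AddDays(30).ToUniversalTime() `
    -Description 'CHG-0000 (CONSTRUCTED): vendor integration needs a public endpoint; review before expiry'
$exemption
```

Existing exemptions under the resource group can be reviewed with `Get-AzPolicyExemption -Scope $rg.ResourceId`, which is the list a periodic guardrail review should walk.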

