Understanding inconsistent data returned by the Azure PowerShell command Get-AzPolicyDefinition

Jaswanth G 20 Reputation points
2024-08-07T03:23:24.6333333+00:00

Hi, I'm encountering inconsistent data return for the Azure PowerShell command Get-AzPolicyDefinition.

I have a script that obtains compliance reports for Azure Policy Initiatives and I iterate over each compliance item to obtain more information. I'm using two Azure Policy PowerShell commands, Get-AzPolicyState and Get-AzPolicyDefinition. I'm running the script in two different environments (dev, prod), and the command Get-AzPolicyDefinition is returning different data in my dev and prod environments.

Here's a snippet from my script

$resourceComplianceData = Get-AzPolicyState -SubscriptionId "xxxxxxx-xxxx-xxxx-xxxx-fxxx041xxxx" -ResourceGroupName "RG-Test" -Filter "(PolicyAssignmentName eq 'fcc12exx3e61003c1860' or PolicyAssignmentName eq 'SecurityCenterBuiltIn')"

foreach($complianceData in $resourceComplianceData){
    $policyInfo = Get-AzPolicyDefinition -Id $($complianceData.PolicyDefinitionId)| Select-Object -ExpandProperty properties
    $PolicyName = $policyInfo.DisplayName
    Write-Host "$PolicyName" 
}

I need to use Select-Object -ExpandProperty properties in one and shouldn't in another environment. As in

For prod

$policyInfo = Get-AzPolicyDefinition -Id $($complianceData.PolicyDefinitionId)| Select-Object -ExpandProperty properties

For dev

$policyInfo = Get-AzPolicyDefinition -Id $($complianceData.PolicyDefinitionId)


  1. Prod and Dev are in different subscriptions. I tried running on a local machine in both the subscriptions, but the Select-Object is what was working in both on a local machine.
  2. The script is being run as a runbook in Automation Accounts (on a Hybrid worker), with Managed Identity to access and obtain Policy Data. Prod and Dev have separate resources (Automation Accounts, Hybrid Workers, Identities, etc.)

Can someone help me understand the issue here? I'm trying to keep my code same in both dev and prod environments, but it isn't working.

TIA


Accepted answer
  1. akinbade abiola 14,905 Reputation points
    2024-08-07T04:16:38.59+00:00

    Hello Jaswanth G,

    Thanks for your question.

    Based on the information above, it points to a difference in envs. There are a few things you could verify:

    • The inconsistency could be due to different versions of the Az PowerShell module installed in your dev and prod environments.
    • The Az PowerShell module might be using different API versions in your environments, which could lead to differences in the returned object structure.
    • Check if the policy definitions themselves are identical across both environments. Any differences in the policy definitions could lead to different outputs.

    Get-AzPolicyState -SubscriptionId "xxxxxxx-xxxx-xxxx-xxxx-fxxx041xxxx" -ResourceGroupName "RG-Test" -Filter "(PolicyAssignmentName eq 'fcc12exx3e61003c1860' or PolicyAssignmentName eq 'SecurityCenterBuiltIn')"

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola
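
One way to keep the runbook identical in dev and prod while the module versions are compared, as the answer suggests (added example, not code from the question or the answer). `Get-PolicyDefinitionField` is a hypothetical helper and the two sample objects are constructed to mimic the two shapes the question describes; on a worker, pass the output of `Get-AzPolicyDefinition` instead.

```powershell
Set-StrictMode -Version Latest

function Get-PolicyDefinitionField {
    # Hypothetical helper: reads a field from a policy definition object whether it
    # sits at the top level or inside a nested 'Properties' bag.
    param(
        [Parameter(Mandatory)] [psobject] $Definition,
        [Parameter(Mandatory)] [string]   $Name
    )
    # Shape 1: field exposed directly on the object (dev behaviour in the question).
    $top = $Definition.PSObject.Properties[$Name]
    if ($null -ne $top -and $null -ne $top.Value) { return $top.Value }

    # Shape 2: field nested under 'Properties' (prod behaviour in the question).
    $bag = $Definition.PSObject.Properties['Properties']
    if ($null -ne $bag -and $null -ne $bag.Value) {
        $inner = $bag.Value
        if ($inner -is [System.Collections.IDictionary]) {
            if ($inner.Contains($Name)) { return $inner[$Name] }
        } else {
            $nested = $inner.PSObject.Properties[$Name]
            if ($null -ne $nested) { return $nested.Value }
        }
    }
    # Fail loudly so a compliance report never silently contains blank policy names.
    throw "Field '$Name' not found on policy definition object (unexpected shape)."
}

# Constructed sample objects standing in for Get-AzPolicyDefinition output.
$nestedShape = [pscustomobject]@{
    Name       = 'sample-def-1'
    Properties = [pscustomobject]@{ DisplayName = 'Sample policy A' }
}
$flatShape = [pscustomobject]@{ Name = 'sample-def-2'; DisplayName = 'Sample policy B' }

foreach ($def in $nestedShape, $flatShape) {
    Get-PolicyDefinitionField -Definition $def -Name 'DisplayName'
}

# Run on each Hybrid Worker to compare the module versions the runbook can load.
# Get-AzPolicyDefinition ships in Az.Resources, Get-AzPolicyState in Az.PolicyInsights.
Get-Module -ListAvailable -Name Az.Resources, Az.PolicyInsights |
    Sort-Object Name, Version |
    Select-Object Name, Version, ModuleBase
```

If the version listing differs between the dev and prod workers, aligning the modules removes the need for the helper.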

