What is the preferred way to do ongoing Azure Policy remediations?

Eric Burgueño 20 Reputation points
2025-03-17T11:37:06.23+00:00

I know remediation tasks only run once, and one can create multiple tasks over time to bring resources back into compliance.

Is there any preferred pattern to automate this? The docs mention routing state changes to Azure Event Grid, but I wondered if that's a common approach.


Accepted answer

Stanislav Zhelyazkov 27,321 Reputation points MVP
2025-03-18T14:13:47.54+00:00

Hi,

In order to answer this question we need to mention that there are different effects that can be used in Azure Policy. Effects like audit, auditIfNotExists, deny, denyAction, disabled and manual do not have remediation capability. So if you have non-compliant resources via those you will need to remediate manually, without having the option to execute a task. Remediation tasks are available for deployIfNotExists and modify.

In general you might not need to use remediation for those effects at all. The reason for that is that these effects will apply when a resource is deployed, thus the actual action behind these policies will execute. That is the same action as when you create a remediation task. So in general you will have non-compliant resources for these policies only if the policies were deployed after the resource creation, the policy was not enforced, resources were exempted/excluded, or the policy had some bug and was not applied appropriately to all resources in its scope. The role of remediation tasks is to be able to remediate in any of those scenarios, rather than to run them on a regular basis, daily for example.

In any case, if you want to automate something around policies and their compliance state, you can choose to initiate such automation via Azure Event Grid, as you have already mentioned, or use Log Alerts. The Azure Policy compliance data is available in Resource Graph. Log Alerts can use data from ARG. You can even use other automation tools like Azure Automation Runbooks, Logic Apps, Azure Functions, etc. that query ARG data. In summary, you have many different methods that you can use to automate depending on your requirements.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

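One way to put the accepted answer's pattern into practice, as an added example that is not code from the question, the answer, or Microsoft: an Azure Automation runbook that reads compliance state from Azure Resource Graph, keeps only the effects a remediation task can act on (deployIfNotExists and modify), and creates one task per assignment that has non-compliant resources and no task already running. The module names, the Resource Graph table and property names, and the cmdlet parameters are ones I know exist; the required roles and the `$SubscriptionId` placeholder are assumptions stated in the comments.

```powershell
<#
  Added example, not code from the question or the accepted answer.
  Azure Automation runbook that implements the pattern from the answer:
  read Azure Policy compliance state from Azure Resource Graph (ARG), then
  create remediation tasks only for assignments whose effect can actually be
  remediated (deployIfNotExists / modify).

  Assumptions (not stated on the page):
    - Az.Accounts, Az.ResourceGraph and Az.PolicyInsights are imported into
      the Automation account.
    - The account's system-assigned managed identity holds Resource Policy
      Contributor on the subscription; each assignment's own managed identity
      still needs whatever role its deploy/modify action requires.
    - $SubscriptionId is a placeholder; pass the real one as a runbook parameter.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $SubscriptionId
)

$ErrorActionPreference = 'Stop'
Connect-AzAccount -Identity | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Compliance records live in the policyresources table. Only deployIfNotExists
# and modify produce remediable non-compliance, so the query drops the other
# effects instead of creating tasks that would do nothing.
$query = @"
policyresources
| where type == "microsoft.policyinsights/policystates"
| where properties.complianceState == "NonCompliant"
| extend effect = tolower(tostring(properties.policyDefinitionAction))
| where effect in ("deployifnotexists", "modify")
| summarize nonCompliant = count()
    by assignmentId = tostring(properties.policyAssignmentId),
       referenceId  = tostring(properties.policyDefinitionReferenceId)
"@

$targets = Search-AzGraph -Query $query -Subscription $SubscriptionId -First 1000
$scope   = "/subscriptions/$SubscriptionId"

# Tasks already Accepted/Running/Evaluating for an assignment are left alone so
# a scheduled run does not stack duplicate remediations on the same assignment.
$active = Get-AzPolicyRemediation -Scope $scope |
    Where-Object { $_.ProvisioningState -in @('Accepted', 'Running', 'Evaluating') }

foreach ($t in $targets) {
    $busy = $active | Where-Object {
        $_.PolicyAssignmentId -eq $t.assignmentId -and
        [string]$_.PolicyDefinitionReferenceId -eq [string]$t.referenceId
    }
    if ($busy) {
        Write-Output "Skipping $($t.assignmentId): remediation already in progress"
        continue
    }

    # Remediation names must be unique within the scope: derive one from the
    # assignment name plus a timestamp.
    $assignmentName = ($t.assignmentId -split '/')[-1]
    $taskName = "auto-$assignmentName-$(Get-Date -Format 'yyyyMMddHHmm')"

    $params = @{
        Name                  = $taskName
        Scope                 = $scope
        PolicyAssignmentId    = $t.assignmentId
        # ReEvaluateCompliance re-checks each resource before acting instead of
        # trusting the stored (possibly stale) compliance state.
        ResourceDiscoveryMode = 'ReEvaluateCompliance'
    }
    # Initiative (policy set) assignments need the reference ID of the
    # definition being remediated; single-definition assignments leave it empty.
    if ($t.referenceId) { $params.PolicyDefinitionReferenceId = $t.referenceId }

    Write-Output "Creating remediation '$taskName' for $($t.nonCompliant) resource(s) under $($t.assignmentId)"
    Start-AzPolicyRemediation @params | Out-Null
}
```

Attach the runbook to an Automation schedule if you want the periodic sweep the question asks about, or expose it through a webhook and trigger it from the Event Grid policy state change event or a Log Alert on ARG data, which is the event-driven route the answer describes. Two things to keep in mind: `Search-AzGraph` returns at most 1000 rows per call, so a large estate needs paging with `-Skip` or `-SkipToken`, and the per-assignment "already in progress" check is what keeps a daily schedule from piling up tasks on an assignment whose remediation takes longer than the schedule interval.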
