How do you debug Azure policies?

Gregory Suvalian 186 Reputation points

Say I have policy below. How do I exactly know why specific resources was compliant/non-compliant? Where do I actually see all the properties for resource which is used for evaluation for compliancy? Custom roles do not show up in Resources blade in portal, neither showing up in results of evaluation in Policy blade

Have to put image instead of code because this website is not allowing big code pastes looks like

I guess I'm saying there is no report why policy is "Compliant", only when policy is non-compliant where report is being shown as example below


Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
830 questions
0 comments No comments
{count} votes

Accepted answer
  1. DCtheGeek-MSFT 451 Reputation points Microsoft Employee

    The answer is in the very bottom of your screenshot of the "Reasons for non-compliance" page. It shows that alias Microsoft.Security/complianceResults/resourceStatus was expected to be either OffByPolicy or Healthy, but instead has value NotHealthy. Since the reason is "Current value must be in the target value.", we can tell from the table in this section in docs ( that the condition is either in or not notIn. That segment of the policy definition isn't in the screenshot, but you are on the right track for understanding why a resource is non-compliant.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Gregory Suvalian 186 Reputation points

    This was an example of I wanted to see from a different policy. My question is if my policy is compliant when it's not expected to be compliant, how do I know why it's compliant (which specific code path was evaluated to false for policy not to kick in). When policy is compliant it's not showing the same info like on screenshot why it's compliant.