Azure Policy Non-Compliant Message for Audit mode

asked 2021-05-04T14:34:23.967+00:00
Yasmin, Fitri 146 Reputation points

I'm currently implementing some policy related to tagging. The final goal is to assign tagging policy in Deny mode. But, in the meantime we only assigned the policy in Audit mode. So that we have time to notify resource owners to updates their tag before assigning the policy in Deny mode. I was looking on possible options to send notification to resource owners when Azure Policy has a new feature called "non-compliant message". I find this feature very helpful. But I think this message only displayed for policy assigned in Deny mode. Is there a way to used this for Audit effect as well?

If it's not possible, what option would you recommend to give alert about resource incompliancy for audit assigned policie?

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
506 questions
No comments
{count} votes

Accepted answer
  1. answered 2021-05-12T06:27:15.81+00:00
    olufemia-MSFT 2,781 Reputation points

    Welcome back, anonymous user , :)
    Kindly Review my response below and let me know if you have any follow-up questions.

    I'm currently implementing some policy related to tagging. The final goal is to assign tagging policy in Deny mode.
    [OL] Also suggest exploring the modify effect to evaluate your resources. Modify effect takes care of adding the missing tagName/Value when a non-compliant resource is evaluated This helps accelerate the remediation step.

    But, in the meantime we only assigned the policy in Audit mode. So that we have time to notify resource owners to updates their tag before assigning the policy in Deny mode.
    [OL] By "Audit mode" do you mean using the Audit effect? IMO modify effect is a more optimized way to achieve your scenario based on my understanding but happy to hear your thoughts or clarifications if I misunderstood your scenario..

    I was looking on possible options to send notification to resource owners when Azure Policy has a new feature called "non-compliant message". I find this feature very helpful. But I think this message only displayed for policy assigned in Deny mode. Is there a way to used this for Audit effect as well? If it's not possible, what option would you recommend to give alert about resource incompliancy for audit assigned policies?

    [OA] It is possible to create alerts based on Azure Policy activity log data.
    Once a policy evaluation cycle is complete, the compliance data is available in the Microsoft.PolicyInsights Resource Provider and accessible through PolicyStates & PolicyEvents REST Operations. The data is also accessible via the Portal or Azure PowerShell.
    If you have a Log Analytics workspace with AzureActivity from the Activity Log Analytics solution tied to your subscription, you can also view non-compliance results from the evaluation of new and updated resources using simple Kusto queries and the AzureActivity table. With details in Azure Monitor logs, alerts can be configured to watch for non-compliance. More information here

    No comments

1 additional answer

Sort by: Most helpful
  1. answered 2022-04-13T17:42:22.417+00:00
    Anonymous

    The suggested approach no longer works for existing resources. See this link: https://blog.tyang.org/2021/12/06/monitoring-azure-policy-compliance-states-2021-edition/

    No comments