Welcome back, anonymous user , :)
Kindly Review my response below and let me know if you have any follow-up questions.
I'm currently implementing some policy related to tagging. The final goal is to assign tagging policy in Deny mode.
[OL] Also suggest exploring the modify effect to evaluate your resources. Modify effect takes care of adding the missing tagName/Value when a non-compliant resource is evaluated This helps accelerate the remediation step.
But, in the meantime we only assigned the policy in Audit mode. So that we have time to notify resource owners to updates their tag before assigning the policy in Deny mode.
[OL] By "Audit mode" do you mean using the Audit effect? IMO modify effect is a more optimized way to achieve your scenario based on my understanding but happy to hear your thoughts or clarifications if I misunderstood your scenario..
I was looking on possible options to send notification to resource owners when Azure Policy has a new feature called "non-compliant message". I find this feature very helpful. But I think this message only displayed for policy assigned in Deny mode. Is there a way to used this for Audit effect as well? If it's not possible, what option would you recommend to give alert about resource incompliancy for audit assigned policies?
[OA] It is possible to create alerts based on Azure Policy activity log data.
Once a policy evaluation cycle is complete, the compliance data is available in the Microsoft.PolicyInsights Resource Provider and accessible through PolicyStates & PolicyEvents REST Operations. The data is also accessible via the Portal or Azure PowerShell.
If you have a Log Analytics workspace with AzureActivity from the Activity Log Analytics solution tied to your subscription, you can also view non-compliance results from the evaluation of new and updated resources using simple Kusto queries and the AzureActivity table. With details in Azure Monitor logs, alerts can be configured to watch for non-compliance. More information here