Azure policy notscope powershell

Question

Azure policy notscope powershell

McCarthy, Marc (IT Cyber Security, Group CIO) 21

Hi,
I'm investigating implementing Azure policy using powershell and can successfully do this, apart from adding exclusions. I can retrieve current existing exclusions, but not add them. I've read through the documentation, but don't seem to be able to locate any information about this, only doing a manual update via the portal?

I've tried using the -NotScope parameter with Set-AzPolicyAssignment with RG names I want to exclude, but get an error :

Set-AzPolicyAssignment : InvalidCreatePolicyAssignmentRequest : The policy assignment
'xxxxxxxxxxxxxxxxxx' not scopes 'testRG' must all be below the policy assignment's scope

Any point in the right direction would be greatly appreciated!

Thanks,
Marc

Monalla-MSFT 13,071 Reputation points Moderator

2021-10-27T13:57:01.16+00:00

@McCarthy, Marc (IT Cyber Security, Group CIO) - Did the below answer help resolve your issue, if not please revert back with any questions.
and if it did, please feel free to "accept as answer" so it can be beneficial to the community.
Olusina Ilori 21 Reputation points

2022-06-18T16:42:47.857+00:00

@McCarthy, Marc (IT Cyber Security, Group CIO) I am having the opposite problem of trying to retrieve Azure policy and/or policy assignment information that includes Policy Name, Policy Display Name, Scope and NotScope using PowerShell but I noticed that the Get-AzPolicyAssignment cmdlet does not include those information. Do you have any suggestion that can help thank you.

Accepted answer

0 additional answers

Your answer

Monalla-MSFT 13,071 Reputation points Moderator

2021-10-27T13:57:01.16+00:00

@McCarthy, Marc (IT Cyber Security, Group CIO) - Did the below answer help resolve your issue, if not please revert back with any questions.
and if it did, please feel free to "accept as answer" so it can be beneficial to the community.
Olusina Ilori 21 Reputation points

2022-06-18T16:42:47.857+00:00

@McCarthy, Marc (IT Cyber Security, Group CIO) I am having the opposite problem of trying to retrieve Azure policy and/or policy assignment information that includes Policy Name, Policy Display Name, Scope and NotScope using PowerShell but I noticed that the Get-AzPolicyAssignment cmdlet does not include those information. Do you have any suggestion that can help thank you.

Answer 1

Monalla-MSFT 13,071 Moderator

@McCarthy, Marc (IT Cyber Security, Group CIO) - Thanks for reaching out.

The error message you are receiving is correct. Whatever is defined with the -NotScope parameter must be within the Scope that is defined.

For example, if the policy is applied to a resource group, then exceptions can only be applied to resources within that resource group.

This is a service level limitation and not a limitation with Azure PowerShell. The same limitation applies to Azure CLI and the Azure portal.

Hope that helps.

If the above response helped, please feel free to "Accept as Answer" so it can be beneficial to the community.

McCarthy, Marc (IT Cyber Security, Group CIO) 21 Reputation points

2021-10-28T07:48:04.193+00:00

Hi @Monalla-MSFT thanks for the reply. Just to confirm I understand, am I correct that because the policy is applied to a whole management group, I have to have create the exclusion against the management group rather than picking out a specific resource group?
Monalla-MSFT 13,071 Reputation points Moderator

2021-10-28T15:43:15.273+00:00

@McCarthy, Marc (IT Cyber Security, Group CIO) - Yes that is correct.
McCarthy, Marc (IT Cyber Security, Group CIO) 21 Reputation points

2021-10-28T16:18:51.393+00:00

Thanks!

Share via

Azure policy notscope powershell

0 additional answers

Your answer