Azure Graph queries for Azure Policy non-compliance

Admin User 1 Reputation point
2022-05-21T16:47:20.743+00:00

I am trying to use Azure Graph queries to query Key Vault compliance, but I cannot figure out where the non-compliance data is stored.

I can query all the resources that are non-compliant, but cannot query why.

There seems to be a method, Microsoft.PolicyInsights/policyEvents, that can be called under the REST APIs, but that doesn't seem to appear in Azure Resource Graph.

According to this article it is not possible:

Note
Currently "reason for non-compliance" cannot be retrieved from Command line. We are working on mapping the reason code to the "reason for non-compliance" and at this point there is no ETA on this.

How can I report on this other than via REST APIs? Where else is it exposed?

Tags: Azure Key Vault, Microsoft Graph, Azure Policy

1 answer

  1. Udaiappa Ramachandran 726 Reputation points MVP
    2022-05-22T21:29:59.423+00:00

    The easiest way to run the non-compliant Key Vault query is to use the Microsoft Defender for Cloud blade. Navigate to

    Home > Microsoft Defender for Cloud > Security Posture > View Recommendations > Expand the Key Vault, then open in Resource Explorer

    Or you can use a query like this (copied from the same section); you can include an additional where clause:

    securityresources
    | where type == "microsoft.security/assessments"
    // Where the assessed resource lives: "azure", or a connected non-Azure machine
    | extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))
    // Resource ID: taken from the details for Azure resources, otherwise cut out of the assessment ID
    | extend resourceId = trim(' ', tolower(tostring(case(
        source =~ "azure", properties.resourceDetails.Id,
        extract('^(.+)/providers/Microsoft.Security/assessments/.+$', 1, id)
        ))))
    // Healthy / Unhealthy / NotApplicable, plus the cause code behind that status
    | extend status = trim(" ", tostring(properties.status.code))
    | extend cause = trim(" ", tostring(properties.status.cause))
    | extend assessmentKey = tostring(name)


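The question asks where the "why" behind a non-compliant result is exposed. The policyStates/policyEvents REST API mentioned in the question carries it as `policyEvaluationDetails.evaluatedExpressions`: one entry per evaluated condition, with the alias path, the value found on the resource, the target value from the policy rule and the operator. The script below is an added example for this thread, not code from the question or the answer. It consumes records in that API shape (the field names are assumed from the Microsoft.PolicyInsights policyStates schema), filters to non-compliant Key Vault states and reports the matched field conditions per resource. The records it runs on are constructed sample data, not output captured from any subscription.

```python
# Added example: summarise why resources are non-compliant from Azure Policy
# state records in the Microsoft.PolicyInsights policyStates shape (field names
# assumed from that API). Sample records below are constructed, not captured.
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
KV_ID = SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod"
SA_ID = SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001"
KV_TYPE = "Microsoft.KeyVault/vaults"


def _expr(result, expression, path, current, target, operator):
    """One evaluatedExpressions entry (helper that keeps the sample readable)."""
    return {"result": result, "expressionKind": "Field", "expression": expression,
            "path": path, "expressionValue": current, "targetValue": target,
            "operator": operator}


def _state(resource_id, resource_type, state, name, ref_id, effect, exprs):
    """One constructed policyStates record."""
    return {"resourceId": resource_id, "resourceType": resource_type,
            "complianceState": state, "policyDefinitionName": name,
            "policyDefinitionReferenceId": ref_id, "policyDefinitionAction": effect,
            "policyEvaluationDetails": {"evaluatedExpressions": exprs}}


TYPE_MATCH = _expr("True", "type", "type", KV_TYPE, KV_TYPE, "Equals")
SAMPLE_POLICY_STATES = [
    # soft delete is disabled: the field condition matched, so the audit fired
    _state(KV_ID, KV_TYPE, "NonCompliant", "Key vaults should have soft delete enabled",
           "kvSoftDelete", "audit", [TYPE_MATCH,
           _expr("True", "Microsoft.KeyVault/vaults/enableSoftDelete",
                 "properties.enableSoftDelete", False, True, "NotEquals")]),
    # purge protection never set: the property is absent (null) on the resource
    _state(KV_ID, KV_TYPE, "NonCompliant", "Key vaults should have purge protection enabled",
           "kvPurgeProtection", "deny", [TYPE_MATCH,
           _expr("True", "Microsoft.KeyVault/vaults/enablePurgeProtection",
                 "properties.enablePurgeProtection", None, True, "NotEquals")]),
    # compliant record: must not show up in the report
    _state(KV_ID, KV_TYPE, "Compliant", "Key vaults should use RBAC permission model",
           "kvRbac", "audit", [TYPE_MATCH,
           _expr("False", "Microsoft.KeyVault/vaults/enableRbacAuthorization",
                 "properties.enableRbacAuthorization", True, True, "NotEquals")]),
    # another resource type: dropped when the caller filters on Key Vault
    _state(SA_ID, "Microsoft.Storage/storageAccounts", "NonCompliant",
           "Secure transfer to storage accounts should be enabled", "saHttps", "audit",
           [_expr("True", "type", "type", "Microsoft.Storage/storageAccounts",
                  "Microsoft.Storage/storageAccounts", "Equals"),
            _expr("True", "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                  "properties.supportsHttpsTrafficOnly", False, True, "NotEquals")]),
]


def _matched(result):
    """The API serialises results as the strings "True"/"False"; accept bools too."""
    return result is True or str(result).lower() == "true"


def noncompliance_reasons(states, resource_type=None):
    """Return {resourceId: [finding, ...]} for the non-compliant states.

    A finding names the policy, reference ID and effect and lists the field
    expressions that matched (result True) other than the resource-type
    selector: for the common `allOf: [type equals X, <field condition>]` rule
    shape those are the conditions that made the `if` block true.
    """
    report = defaultdict(list)
    for st in states:
        if str(st.get("complianceState", "")).lower() != "noncompliant":
            continue
        if resource_type and str(st.get("resourceType", "")).lower() != resource_type.lower():
            continue
        details = st.get("policyEvaluationDetails") or {}
        reasons = [
            {"path": e.get("path"), "current": e.get("expressionValue"),
             "operator": e.get("operator"), "target": e.get("targetValue")}
            for e in details.get("evaluatedExpressions") or []
            if _matched(e.get("result")) and e.get("path") != "type"
        ]
        report[st["resourceId"]].append({
            "policy": st.get("policyDefinitionName"),
            "reference_id": st.get("policyDefinitionReferenceId"),
            "effect": st.get("policyDefinitionAction"),
            "reasons": reasons,
        })
    return dict(report)


def format_report(report):
    """Render the report as indented text, one resource per block."""
    lines = []
    for resource_id, findings in sorted(report.items()):
        lines.append(resource_id)
        for f in findings:
            lines.append(f"  [{f['effect']}] {f['policy']} ({f['reference_id']})")
            if not f["reasons"]:
                lines.append("    no field-level detail in policyEvaluationDetails")
            for r in f["reasons"]:
                lines.append(f"    {r['path']}: current={r['current']!r} "
                             f"{r['operator']} target={r['target']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(noncompliance_reasons(SAMPLE_POLICY_STATES, resource_type=KV_TYPE)))
```

The "matched field condition" heuristic fits audit/deny rules whose `if` block is `allOf: [type equals X, <field condition>]`. auditIfNotExists and deployIfNotExists policies derive compliance from an existenceCondition on a related resource instead, so for those the evaluated expressions of the `if` block do not by themselves explain the result; a finding with an empty reasons list is the signal to look at the related resource.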