AdminUser-8110 asked nhcloud answered

Azure Graph queries for Azure Policy non-compliance

I am trying to use Azure Graph queries to query Key Vault compliance, but I cannot figure out where the non-compliance data is stored.

I can query all the resources that are non-compliant, but cannot query why.

There seems to be a method Microsoft.PolicyInsights/policyEvents that can be called under REST APIs, but that doesn't seem to appear in Azure Resource Graph.

According to this article it is not possible:

Note
Currently "reason for non-compliance" cannot be retrieved from Command line. We are working on mapping the reason code to the "reason for non-compliance" and at this point there is no ETA on this.

How can I report on this other than via REST APIs? Where else is it exposed?


Tags: azure-key-vault, azure-policy, microsoft-graph-extensions

1 Answer

nhcloud answered

The easiest way to run the non-compliant key vault query is to use the Microsoft Defender for Cloud blade. Navigate to

Home > Microsoft Defender for Cloud > Security Posture > View Recommendations > Expand the Key Vault then open in Resource Explorer

Or you can use a query like this (copied from the same section); you can include an additional where clause:

securityresources
| where type == "microsoft.security/assessments"
// Normalise where the assessed resource lives (e.g. "azure")
| extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))
// Resource id: taken from resourceDetails for Azure resources, otherwise parsed out of the assessment id
| extend resourceId = trim(' ', tolower(tostring(case(
    source =~ "azure", properties.resourceDetails.Id,
    extract('^(.+)/providers/Microsoft.Security/assessments/.+$', 1, id)
  ))))
// Healthy / Unhealthy / NotApplicable, plus the cause code behind that status
| extend status = trim(" ", tostring(properties.status.code))
| extend cause = trim(" ", tostring(properties.status.cause))
| extend assessmentKey = tostring(name)
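As an added example (not part of this answer or of any Microsoft tooling), the same normalisation the query above performs, written in Python over a constructed set of assessment records shaped like the rows Azure Resource Graph returns, followed by the Key Vault filter and a count of the cause behind each unhealthy assessment. The subscription id, assessment keys and cause values are placeholders.

```python
import re
from collections import Counter

# Same regex the query's extract() uses to recover the assessed resource id.
ASSESSMENT_RE = re.compile(r"^(.+)/providers/Microsoft.Security/assessments/.+$")

def normalise(row):
    """Apply the query's extend clauses to one raw assessment record."""
    props = row.get("properties", {})
    details, status = props.get("resourceDetails", {}), props.get("status", {})
    source = str(details.get("Source", "")).strip().lower()
    if source == "azure":
        resource_id = str(details.get("Id", ""))
    else:  # fall back to parsing the assessment id, as the case() default does
        m = ASSESSMENT_RE.match(row.get("id", ""))
        resource_id = m.group(1) if m else ""
    return {"resourceId": resource_id.strip().lower(),
            "status": str(status.get("code", "")).strip(),
            "cause": str(status.get("cause", "")).strip(),
            "assessmentKey": row.get("name", "")}

def unhealthy_key_vaults(rows):
    """The extra where clause: unhealthy assessments on Key Vault resources only."""
    return [r for r in map(normalise, rows)
            if r["status"] == "Unhealthy"
            and "/providers/microsoft.keyvault/vaults/" in r["resourceId"]]

def causes_by_assessment(rows):
    """Count (assessmentKey, cause) pairs: the 'why' behind each non-compliant vault."""
    return Counter((r["assessmentKey"], r["cause"]) for r in unhealthy_key_vaults(rows))

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

def _row(resource, key, code, cause, source="Azure"):
    """Build one constructed record in the shape Resource Graph returns."""
    rid = f"/subscriptions/{SUB}/resourceGroups/rg1/providers/{resource}"
    return {"id": f"{rid}/providers/Microsoft.Security/assessments/{key}", "name": key,
            "type": "microsoft.security/assessments",
            "properties": {"resourceDetails": {"Source": source, "Id": rid},
                           "status": {"code": code, "cause": cause}}}

SAMPLE_ROWS = [  # constructed sample; real assessment keys are GUIDs
    _row("Microsoft.KeyVault/vaults/kv-a", "kv-purge-protection", "Unhealthy", "SettingMissing"),
    _row("Microsoft.KeyVault/vaults/kv-b", "kv-purge-protection", "Unhealthy", "SettingMissing", source=""),
    _row("Microsoft.KeyVault/vaults/kv-c", "kv-purge-protection", "Healthy", ""),
    _row("Microsoft.KeyVault/vaults/kv-a", "kv-soft-delete", "NotApplicable", "OffByPolicy"),
    _row("Microsoft.Storage/storageAccounts/sa1", "sa-https-only", "Unhealthy", "SettingMissing"),
]
```

Feeding the script the JSON rows exported from Resource Explorer (instead of SAMPLE_ROWS) gives the same grouping the portal shows, with the cause code next to each assessment key.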
