I am trying to use Azure Graph queries to query Key Vault compliance, but I cannot figure out where the non-compliance data is stored.
I can query all the resources that are non-compliant, but cannot query why.
There seems to be a method, Microsoft.PolicyInsights/policyEvents, that can be called under REST APIs, but that doesn't seem to appear in Azure Resource Graph.
According to this article it is not possible:
Currently "reason for non-compliance" cannot be retrieved from Command line. We are working on mapping the reason code to the "reason for non-compliance" and at this point there is no ETA on this.
How can I report on this other than via REST APIs? Where else is it exposed?