Quickstart: Create a policy assignment to identify non-compliant resources using Azure PowerShell
The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify non-compliant resources using Azure PowerShell. The policy is assigned to a resource group and audits virtual machines that don't use managed disks. After you create the policy assignment, you identify non-compliant virtual machines.
The Azure PowerShell modules can be used to manage Azure resources from the command line or in scripts. This article explains how to use Azure PowerShell to create a policy assignment.
When assigning a built-in policy or initiative definition, it's optional to reference a version. Policy assignments of built-in definitions default to the latest version and automatically inherit minor version changes unless otherwise specified.
Prerequisites
If you don't have an Azure account, create a free account before you begin.
Microsoft.PolicyInsights must be registered in your Azure subscription. To register a resource provider, you must have permission to register resource providers. That permission is included in the Contributor and Owner roles.
A resource group with at least one virtual machine that doesn't use managed disks.
Connect to Azure
From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands that set the context to your subscription. Replace <subscriptionID> with your Azure subscription ID.
Azure PowerShell
```powershell
Connect-AzAccount

# Run these commands if you have multiple subscriptions
Get-AzSubscription
Set-AzContext -Subscription <subscriptionID>
```
Register resource provider
When a resource provider is registered, it's available to use in your Azure subscription.
To verify whether Microsoft.PolicyInsights is registered, run Get-AzResourceProvider. The resource provider contains several resource types. If the result is NotRegistered, run Register-AzResourceProvider:
Use the following commands to create a new policy assignment for your resource group. This example uses an existing resource group that contains a virtual machine without managed disks. The resource group is the scope for the policy assignment. This example uses the built-in policy definition Audit VMs that do not use managed disks.
Run the following commands and replace <resourceGroupName> with your resource group name:
Azure PowerShell
```powershell
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'
$definition = Get-AzPolicyDefinition |
  Where-Object { $_.DisplayName -eq 'Audit VMs that do not use managed disks' }
```
The $rg variable stores properties for the resource group and the $definition variable stores the policy definition's properties. The properties are used in subsequent commands.
Run the following command to create the policy assignment:
Azure PowerShell
```powershell
$policyparms = @{
  Name             = 'audit-vm-managed-disks'
  DisplayName      = 'Audit VM managed disks'
  Scope            = $rg.ResourceId
  PolicyDefinition = $definition
  Description      = 'Az PowerShell policy assignment to resource group'
}

New-AzPolicyAssignment @policyparms
```
The $policyparms variable uses splatting to create parameter values and improve readability. The New-AzPolicyAssignment command uses the parameter values defined in the $policyparms variable.
Name creates the policy assignment name used in the assignment's ResourceId.
DisplayName is the name for the policy assignment and is visible in the Azure portal.
Scope uses the $rg.ResourceId property to assign the policy to the resource group.
PolicyDefinition assigns the policy definition stored in the $definition variable.
Description can be used to add context about the policy assignment.
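The following script is an added example, not code from the article: it ties the steps above together by checking the Microsoft.PolicyInsights registration, creating the same assignment, and then querying which virtual machines the assignment reports as non-compliant. It assumes Connect-AzAccount has already run, that the Az.Resources and Az.PolicyInsights modules are installed, and that <resourceGroupName> is replaced with your resource group; Start-AzPolicyComplianceScan and Get-AzPolicyState are standard Az.PolicyInsights cmdlets that the article itself does not show.

```powershell
# Added example (not from the article). Assumes a signed-in session with
# Az.Resources and Az.PolicyInsights available. Replace the placeholder.
$resourceGroupName = '<resourceGroupName>'

# 1. Register Microsoft.PolicyInsights if any of its resource types is not registered.
#    Get-AzResourceProvider returns one object per resource type in the namespace.
$provider = Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
if ($provider.RegistrationState -contains 'NotRegistered') {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' | Out-Null
    # Registration is asynchronous; poll until no resource type is still registering.
    do {
        Start-Sleep -Seconds 10
        $provider = Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
    } while ($provider.RegistrationState -contains 'Registering')
}

# 2. Resolve the scope and the built-in definition, then create the assignment.
$rg = Get-AzResourceGroup -Name $resourceGroupName
$definition = Get-AzPolicyDefinition |
    Where-Object { $_.DisplayName -eq 'Audit VMs that do not use managed disks' }

$policyparms = @{
    Name             = 'audit-vm-managed-disks'
    DisplayName      = 'Audit VM managed disks'
    Scope            = $rg.ResourceId
    PolicyDefinition = $definition
    Description      = 'Az PowerShell policy assignment to resource group'
}
$assignment = New-AzPolicyAssignment @policyparms

# 3. Compliance evaluation normally runs on a schedule; trigger an on-demand scan
#    for the resource group so results are available without waiting for it.
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName

# 4. List the resources that this assignment evaluated as non-compliant, which for
#    this definition are the VMs in the resource group without managed disks.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -PolicyAssignmentName $assignment.Name `
    -Filter 'IsCompliant eq false' |
    Select-Object ResourceId, ComplianceState, Timestamp
```

An empty result from the final query means either every VM in the group already uses managed disks or the scan has not yet completed.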
The results of the policy assignment resemble the following example: