Share via


az policy attestation

Manage resource policy attestations.

Commands

Name Description Type Status
az policy attestation create

Create a policy attestation.

Core GA
az policy attestation delete

Delete an existing policy attestation.

Core GA
az policy attestation list

List all attestations for a resource.

Core GA
az policy attestation show

Get a policy attestation.

Core GA
az policy attestation update

Update an existing policy attestation.

Core GA

az policy attestation create

Create a policy attestation.

az policy attestation create --attestation-name
                             --policy-assignment
                             [--assessment-date]
                             [--comments]
                             [--compliance-state {Compliant, NonCompliant, Unknown}]
                             [--definition-reference-id]
                             [--evidence]
                             [--expires-on]
                             [--metadata]
                             [--namespace]
                             [--owner]
                             [--parent]
                             [--resource]
                             [--resource-group]
                             [--resource-type]

Examples

Create an attestation at resource group scope for a policy assignment

az policy attestation create -g myRg -n myAttestation --policy-assignment eeb18edc813c42d0ad5a9eab

Create an attestation at resource group scope for a policy assignment using the policy assignment resource ID

az policy attestation create -g myRg -n myAttestation \
  --policy-assignment "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa"

Create an attestation at subscription scope for a policy set assignment

az policy attestation create -n myAttestation \
  --policy-assignment eeb18edc813c42d0ad5a9eab \
  --definition-reference-id auditVMPolicyReference

Create an attestation for a specific resource using the resource ID

az policy attestation create \
  --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/myVm" \
  -n myAttestation --policy-assignment eeb18edc813c42d0ad5a9eab

Create an attestation at resource group scope using all properties

az policy attestation create --attestation-name myAttestation -g myRg -a eeb18edc813c42d0ad5a9eab \
 --compliance-state Compliant --assessment-date 2023-01-01T08:29:18Z \
 --evidence source-uri=https://sampleuri.com description="Sample description for the sample uri" \
 --evidence source-uri=https://sampleuri2.com description="Sample description 2 for the sample uri 2" \
 --expires-on 2024-08-01T05:29:18Z --owner user@myOrg.com --metadata Location=NYC Dept=ACC \
 --definition-reference-id auditVMPolicyReference

Required Parameters

--attestation-name --name -n

The name of the attestation.

--policy-assignment --policy-assignment-id -a

The resource ID of the policy assignment that the attestation is setting the state for.

Optional Parameters

--assessment-date

The time the evidence was assessed.

--comments

Comments describing why this attestation was created.

--compliance-state

The compliance state that should be set on the resource.

Accepted values: Compliant, NonCompliant, Unknown
--definition-reference-id

The policy definition reference ID from a policy set definition that the attestation is setting the state for. If the policy assignment assigns a policy set definition the attestation can choose a definition within the set definition with this property or omit this and set the state for the entire set definition.

--evidence

The evidence supporting the compliance state set in this attestation.

--expires-on

The time the compliance state should expire.

--metadata

Additional metadata in space-separated key=value pairs for an attestation. This overwrites any existing metadata for the attestation.

--namespace

Provider namespace (Ex: Microsoft.Provider).

--owner

The person responsible for setting the state of the resource. This value is typically an Azure Active Directory object ID.

--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type

Resource type (Ex: resourceTypeC).

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy attestation delete

Delete an existing policy attestation.

az policy attestation delete --attestation-name
                             [--namespace]
                             [--parent]
                             [--resource]
                             [--resource-group]
                             [--resource-type]

Examples

Delete an attestation at resource group scope

az policy attestation delete -g myRg -n myAttestation

Required Parameters

--attestation-name --name -n

The name of the attestation.

Optional Parameters

--namespace

Provider namespace (Ex: Microsoft.Provider).

--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type

Resource type (Ex: resourceTypeC).

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy attestation list

List all attestations for a resource.

az policy attestation list [--filter]
                           [--resource]
                           [--resource-group]
                           [--top]

Examples

List all policy attestations at subscription scope

az policy attestation list

List the top two policy attestations at resource group scope

az policy attestation list -g myRg --top 2

List all attestations that has the policy assignment id of myPolicyAssignment

az policy attestation list --filter "PolicyAssignmentId eq '/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5'"

Optional Parameters

--filter

OData filter expression.

--resource --resource-id

Resource ID.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--top

Maximum number of records to return.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy attestation show

Get a policy attestation.

az policy attestation show --attestation-name
                           [--namespace]
                           [--parent]
                           [--resource]
                           [--resource-group]
                           [--resource-type]

Examples

Show an attestation at subscription.

az policy attestation show --attestation-name myAttestation

Required Parameters

--attestation-name --name -n

The name of the attestation.

Optional Parameters

--namespace

Provider namespace (Ex: Microsoft.Provider).

--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type

Resource type (Ex: resourceTypeC).

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy attestation update

Update an existing policy attestation.

az policy attestation update --attestation-name
                             [--assessment-date]
                             [--comments]
                             [--compliance-state {Compliant, NonCompliant, Unknown}]
                             [--definition-reference-id]
                             [--evidence]
                             [--expires-on]
                             [--metadata]
                             [--namespace]
                             [--owner]
                             [--parent]
                             [--policy-assignment]
                             [--resource]
                             [--resource-group]
                             [--resource-type]

Examples

Update an attestation at resource scope

az policy attestation update --attestation-name myAttestation \
  --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/myVm" \
  --comments "Adding comments for this attestation"

Required Parameters

--attestation-name --name -n

The name of the attestation.

Optional Parameters

--assessment-date

The time the evidence was assessed.

--comments

Comments describing why this attestation was created.

--compliance-state

The compliance state that should be set on the resource.

Accepted values: Compliant, NonCompliant, Unknown
--definition-reference-id

The policy definition reference ID from a policy set definition that the attestation is setting the state for. If the policy assignment assigns a policy set definition the attestation can choose a definition within the set definition with this property or omit this and set the state for the entire set definition.

--evidence

The evidence supporting the compliance state set in this attestation.

--expires-on

The time the compliance state should expire.

--metadata

Additional metadata in space-separated key=value pairs for an attestation. This overwrites any existing metadata for the attestation.

--namespace

Provider namespace (Ex: Microsoft.Provider).

--owner

The person responsible for setting the state of the resource. This value is typically an Azure Active Directory object ID.

--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--policy-assignment --policy-assignment-id -a

The resource ID of the policy assignment that the attestation is setting the state for.

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type

Resource type (Ex: resourceTypeC).

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.