az policy state

Manage policy compliance states.

Commands

Name                          Description                                          Type  Status
az policy state list          List policy compliance states.                       Core  GA
az policy state summarize     Summarize policy compliance states.                  Core  GA
az policy state trigger-scan  Trigger a policy compliance evaluation for a scope.  Core  GA

az policy state list

List policy compliance states.

az policy state list [--all]
                     [--apply]
                     [--expand]
                     [--filter]
                     [--from]
                     [--management-group]
                     [--namespace]
                     [--order-by]
                     [--parent]
                     [--policy-assignment]
                     [--policy-definition]
                     [--policy-set-definition]
                     [--resource]
                     [--resource-group]
                     [--resource-type]
                     [--select]
                     [--to]
                     [--top]

Examples

Get latest policy states at current subscription scope.

az policy state list

Get all policy states at current subscription scope.

az policy state list --all

Get latest policy states at management group scope.

az policy state list -m "myMg"

Get latest policy states at resource group scope in current subscription.

az policy state list -g "myRg"

Get latest policy states for a resource using resource ID.

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"

Get latest policy states for a resource using resource name.

az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"

Get latest policy states for a nested resource using resource name.

az policy state list --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"

Get latest policy states for a policy set definition in current subscription.

az policy state list -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"

Get latest policy states for a policy definition in current subscription.

az policy state list -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"

Get latest policy states for a policy assignment in current subscription.

az policy state list -a "ddd8ef92e3714a5ea3d208c1"

Get latest policy states for a policy assignment in the specified resource group in current subscription.

az policy state list -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"

Get top 5 latest policy states in current subscription, selecting a subset of properties and customizing ordering.

az policy state list --top 5 --order-by "timestamp desc, policyAssignmentName asc" --select "timestamp, resourceId, policyAssignmentId, policySetDefinitionId, policyDefinitionId"

Get latest policy states in current subscription during a custom time interval.

az policy state list --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"

Get latest policy states in current subscription filtering results based on some property values.

az policy state list --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"

Get number of latest policy states in current subscription.

az policy state list --apply "aggregate($count as numberOfRecords)"

Get latest policy states in current subscription aggregating results based on some properties.

az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numStates))"

Get latest policy states in current subscription grouping results based on some properties.

az policy state list --apply "groupby((policyAssignmentName, resourceId))"

Get latest policy states in current subscription aggregating results based on some properties specifying multiple groupings.

az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId, resourceId))/groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numNonCompliantResources))"

Get latest policy states for a resource including policy evaluation details.

az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup" --expand PolicyEvaluationDetails

Get latest component policy states for a resource (e.g. vault) and policy assignment referencing a resource provider mode policy definition.

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"

Get latest component policy states for a resource (e.g. vault) and policy assignment referencing an initiative containing a resource provider mode policy definition.

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa' and policyDefinitionReferenceId eq 'myResourceProviderModeDefinitionReferenceId'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"

Get latest component counts by compliance state for a resource (e.g. vault) and policy assignment referencing a resource provider mode policy definition.

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant' or ComplianceState eq 'Conflict';$apply=groupby((complianceState),aggregate($count as count)))"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--all

Within the specified time interval, get all policy states instead of the latest only.

Property Value
Default value: False
--apply

Apply expression for aggregations using OData notation.

Property Value
Parameter group: Query Option Arguments
--expand

Expand expression using OData notation.

Property Value
Parameter group: Query Option Arguments
--filter

Filter expression using OData notation.

Property Value
Parameter group: Query Option Arguments
--from

ISO 8601 formatted timestamp specifying the start time of the interval to query.

Property Value
Parameter group: Query Option Arguments
--management-group -m

Name of management group.

Property Value
Parameter group: Scope Arguments
--namespace

Provider namespace (Ex: Microsoft.Provider).

Property Value
Parameter group: Resource ID Arguments
--order-by

Ordering expression using OData notation.

Property Value
Parameter group: Query Option Arguments
--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

Property Value
Parameter group: Resource ID Arguments
--policy-assignment -a

Name of policy assignment.

Property Value
Parameter group: Scope Arguments
--policy-definition -d

Name of policy definition.

Property Value
Parameter group: Scope Arguments
--policy-set-definition -s

Name of policy set definition.

Property Value
Parameter group: Scope Arguments
--resource

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

Property Value
Parameter group: Resource ID Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Scope Arguments
--resource-type

Resource type (Ex: resourceTypeC).

Property Value
Parameter group: Resource ID Arguments
--select

Select expression using OData notation.

Property Value
Parameter group: Query Option Arguments
--to

ISO 8601 formatted timestamp specifying the end time of the interval to query.

Property Value
Parameter group: Query Option Arguments
--top

Maximum number of records to return.

Property Value
Parameter group: Query Option Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az policy state summarize

Summarize policy compliance states.

az policy state summarize [--filter]
                          [--from]
                          [--management-group]
                          [--namespace]
                          [--parent]
                          [--policy-assignment]
                          [--policy-definition]
                          [--policy-set-definition]
                          [--resource]
                          [--resource-group]
                          [--resource-type]
                          [--to]
                          [--top]

Examples

Get latest non-compliant policy states summary at current subscription scope.

az policy state summarize

Get latest non-compliant policy states summary at management group scope.

az policy state summarize -m "myMg"

Get latest non-compliant policy states summary at resource group scope in current subscription.

az policy state summarize -g "myRg"

Get latest non-compliant policy states summary for a resource using resource ID.

az policy state summarize --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"

Get latest non-compliant policy states summary for a resource using resource name.

az policy state summarize --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"

Get latest non-compliant policy states summary for a nested resource using resource name.

az policy state summarize --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"

Get latest non-compliant policy states summary for a policy set definition in current subscription.

az policy state summarize -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"

Get latest non-compliant policy states summary for a policy definition in current subscription.

az policy state summarize -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"

Get latest non-compliant policy states summary for a policy assignment in current subscription.

az policy state summarize -a "ddd8ef92e3714a5ea3d208c1"

Get latest non-compliant policy states summary for a policy assignment in the specified resource group in current subscription.

az policy state summarize -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"

Get latest non-compliant policy states summary in current subscription, limiting the assignments summary to top 5.

az policy state summarize --top 5

Get latest non-compliant policy states summary in current subscription for a custom time interval.

az policy state summarize --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"

Get latest non-compliant policy states summary in current subscription filtering results based on some property values.

az policy state summarize --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--filter

Filter expression using OData notation.

Property Value
Parameter group: Query Option Arguments
--from

ISO 8601 formatted timestamp specifying the start time of the interval to query.

Property Value
Parameter group: Query Option Arguments
--management-group -m

Name of management group.

Property Value
Parameter group: Scope Arguments
--namespace

Provider namespace (Ex: Microsoft.Provider).

Property Value
Parameter group: Resource ID Arguments
--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

Property Value
Parameter group: Resource ID Arguments
--policy-assignment -a

Name of policy assignment.

Property Value
Parameter group: Scope Arguments
--policy-definition -d

Name of policy definition.

Property Value
Parameter group: Scope Arguments
--policy-set-definition -s

Name of policy set definition.

Property Value
Parameter group: Scope Arguments
--resource

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

Property Value
Parameter group: Resource ID Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Scope Arguments
--resource-type

Resource type (Ex: resourceTypeC).

Property Value
Parameter group: Resource ID Arguments
--to

ISO 8601 formatted timestamp specifying the end time of the interval to query.

Property Value
Parameter group: Query Option Arguments
--top

Maximum number of records to return.

Property Value
Parameter group: Query Option Arguments

az policy state trigger-scan

Trigger a policy compliance evaluation for a scope.

az policy state trigger-scan [--no-wait]
                             [--resource-group]

Examples

Trigger a policy compliance evaluation at the current subscription scope.

az policy state trigger-scan

Trigger a policy compliance evaluation for a resource group.

az policy state trigger-scan -g "myRg"

Trigger a policy compliance evaluation for a resource group and do not wait for it to complete.

az policy state trigger-scan -g "myRg" --no-wait
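
A CI compliance gate that combines trigger-scan and list, as an added example that is not part of the Azure CLI documentation: it runs the scan without --no-wait so the evaluation finishes before states are read, then fails when non-compliant deny or audit states exist. The function names are hypothetical; it assumes a logged-in az on PATH and that complianceState can be used in --filter.

```shell
#!/bin/sh
# Added example, not from the Azure CLI documentation: a compliance gate for CI.
# Assumptions: a logged-in `az` on PATH; all function names are hypothetical.

# OData filter: non-compliant states whose policy effect is deny or audit.
# Assumption: complianceState is filterable like the properties shown above.
NONCOMPLIANT_FILTER="complianceState eq 'NonCompliant' and (policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit')"

# Print one tab-separated row per non-compliant state in resource group $1:
# resourceId, policyAssignmentName, policyDefinitionAction
list_noncompliant() {
  az policy state list -g "$1" \
    --filter "$NONCOMPLIANT_FILTER" \
    --query "[].[resourceId, policyAssignmentName, policyDefinitionAction]" \
    --output tsv
}

# Read rows on stdin and print how many have effect $1 in the third column.
count_action() {
  awk -F '\t' -v want="$1" 'tolower($3) == want { n++ } END { print n + 0 }'
}

# Return status: 0 = compliant, 1 = non-compliant states found, 2 = az failed.
compliance_gate() {
  # No --no-wait here: the scan must complete before the states are read,
  # otherwise the listing reflects the previous evaluation.
  az policy state trigger-scan -g "$1" >/dev/null || return 2
  gate_rows="$(list_noncompliant "$1")" || return 2
  [ -z "$gate_rows" ] && return 0
  # Report the offending rows and a per-effect count on stderr for the job log.
  printf '%s\n' "$gate_rows" >&2
  printf 'deny=%s audit=%s\n' \
    "$(printf '%s\n' "$gate_rows" | count_action deny)" \
    "$(printf '%s\n' "$gate_rows" | count_action audit)" >&2
  return 1
}
```

Call compliance_gate "myRg" as a pipeline step and fail the job on any non-zero status; status 2 means the CLI call itself failed, which should not be read as compliant.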

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--no-wait

Do not wait for the long-running operation to finish.

Property Value
Default value: False
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Scope Arguments