az policy state

Manage policy compliance states.

Commands

az policy state list	List policy compliance states.
az policy state summarize	Summarize policy compliance states.
az policy state trigger-scan	Trigger a policy compliance evaluation for a scope.

az policy state list

List policy compliance states.

az policy state list [--all]
                     [--apply]
                     [--expand]
                     [--filter]
                     [--from]
                     [--management-group]
                     [--namespace]
                     [--order-by]
                     [--parent]
                     [--policy-assignment]
                     [--policy-definition]
                     [--policy-set-definition]
                     [--resource]
                     [--resource-group]
                     [--resource-type]
                     [--select]
                     [--to]
                     [--top]

Examples

Get latest policy states at current subscription scope.

az policy state list

Get all policy states at current subscription scope.

az policy state list --all

Get latest policy states at management group scope.

az policy state list -m "myMg"

Get latest policy states at resource group scope in current subscription.

az policy state list -g "myRg"

Get latest policy states for a resource using resource ID.

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup /providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"

Get latest policy states for a resource using resource name.

az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"

Get latest policy states for a nested resource using resource name.

az policy state list --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"

Get latest policy states for a policy set definition in current subscription.

az policy state list -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"

Get latest policy states for a policy definition in current subscription.

az policy state list -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"

Get latest policy states for a policy assignment in current subscription.

az policy state list -a "ddd8ef92e3714a5ea3d208c1"

Get latest policy states for a policy assignment in the specified resource group in current subscription.

az policy state list -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"

Get top 5 latest policy states in current subscription, selecting a subset of properties and customizing ordering.

az policy state list --top 5 --order-by "timestamp desc, policyAssignmentName asc" --select "timestamp, resourceId, policyAssignmentId, policySetDefinitionId, policyDefinitionId"

Get latest policy states in current subscription during a custom time interval.

az policy state list --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"

Get latest policy states in current subscription filtering results based on some property values.

az policy state list --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"

Get number of latest policy states in current subscription.

az policy state list --apply "aggregate($count as numberOfRecords)"

Get latest policy states in current subscription aggregating results based on some properties.

az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numStates))"

Get latest policy states in current subscription grouping results based on some properties.

az policy state list --apply "groupby((policyAssignmentName, resourceId))"

Get latest policy states in current subscription aggregating results based on some properties specifying multiple groupings.

az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId, resourceId))/groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numNonCompliantResources))"

Get latest policy states for a resource including policy evaluation details.

az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup" --expand PolicyEvaluationDetails

Get latest component policy states for a resource (eg. vault) and policy assignment referencing a resource provider mode policy definition

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"

Get latest component policy states for a resource (eg. vault) and policy assignment referencing an initiative containing a resource provider mode policy definition

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa' and policyDefinitionReferenceId eq 'myResourceProviderModeDefinitionReferenceId'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"

Get latest component counts by compliance state for a resource (eg. vault) and policy assignment referencing a resource provider mode policy definition

az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components($filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant' or ComplianceState eq 'Conflict';$apply=groupby((complianceState),aggregate($count as count)))"

Optional Parameters

--all

Within the specified time interval, get all policy states instead of the latest only.

--apply

Apply expression for aggregations using OData notation.

--expand

Expand expression using OData notation.

--filter

Filter expression using OData notation.

--from

ISO 8601 formatted timestamp specifying the start time of the interval to query.

--management-group -m

Name of management group.

--namespace

Provider namespace (Ex: Microsoft.Provider).

--order-by

Ordering expression using OData notation.

--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--policy-assignment -a

Name of policy assignment.

--policy-definition -d

Name of policy definition.

--policy-set-definition -s

Name of policy set definition.

--resource

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type

Resource type (Ex: resourceTypeC).

--select

Select expression using OData notation.

--to

ISO 8601 formatted timestamp specifying the end time of the interval to query.

--top

Maximum number of records to return.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy state summarize

Summarize policy compliance states.

az policy state summarize [--filter]
                          [--from]
                          [--management-group]
                          [--namespace]
                          [--parent]
                          [--policy-assignment]
                          [--policy-definition]
                          [--policy-set-definition]
                          [--resource]
                          [--resource-group]
                          [--resource-type]
                          [--to]
                          [--top]

Examples

Get latest non-compliant policy states summary at current subscription scope.

az policy state summarize

Get latest non-compliant policy states summary at management group scope.

az policy state summarize -m "myMg"

Get latest non-compliant policy states summary at resource group scope in current subscription.

az policy state summarize -g "myRg"

Get latest non-compliant policy states summary for a resource using resource ID.

az policy state summarize --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup /providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"

Get latest non-compliant policy states summary for a resource using resource name.

az policy state summarize --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"

Get latest non-compliant policy states summary for a nested resource using resource name.

az policy state summarize --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"

Get latest non-compliant policy states summary for a policy set definition in current subscription.

az policy state summarize -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"

Get latest non-compliant policy states summary for a policy definition in current subscription.

az policy state summarize -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"

Get latest non-compliant policy states summary for a policy assignment in current subscription.

az policy state summarize -a "ddd8ef92e3714a5ea3d208c1"

Get latest non-compliant policy states summary for a policy assignment in the specified resource group in current subscription.

az policy state summarize -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"

Get latest non-compliant policy states summary in current subscription, limiting the assignments summary to top 5.

az policy state summarize --top 5

Get latest non-compliant policy states summary in current subscription for a custom time interval.

az policy state summarize --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"

Get latest non-compliant policy states summary in current subscription filtering results based on some property values.

az policy state summarize --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"

Optional Parameters

--filter

Filter expression using OData notation.

--from

ISO 8601 formatted timestamp specifying the start time of the interval to query.

--management-group -m

Name of management group.

--namespace

Provider namespace (Ex: Microsoft.Provider).

--parent

The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--policy-assignment -a

Name of policy assignment.

--policy-definition -d

Name of policy definition.

--policy-set-definition -s

Name of policy set definition.

--resource

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type

Resource type (Ex: resourceTypeC).

--to

ISO 8601 formatted timestamp specifying the end time of the interval to query.

--top

Maximum number of records to return.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy state trigger-scan

Trigger a policy compliance evaluation for a scope.

az policy state trigger-scan [--no-wait]
                             [--resource-group]

Examples

Trigger a policy compliance evaluation at the current subscription scope.

az policy state trigger-scan

Trigger a policy compliance evaluation for a resource group.

az policy state trigger-scan -g "myRg"

Trigger a policy compliance evaluation for a resource group and do not wait for it to complete.

az policy state trigger-scan -g "myRg" --no-wait

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.