az policy state
Manage policy compliance states.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy state list | List policy compliance states. | Core | GA |
az policy state summarize | Summarize policy compliance states. | Core | GA |
az policy state trigger-scan | Trigger a policy compliance evaluation for a scope. | Core | GA |
az policy state list
List policy compliance states.
az policy state list [--all]
[--apply]
[--expand]
[--filter]
[--from]
[--management-group]
[--namespace]
[--order-by]
[--parent]
[--policy-assignment]
[--policy-definition]
[--policy-set-definition]
[--resource]
[--resource-group]
[--resource-type]
[--select]
[--to]
[--top]
Examples
Get latest policy states at current subscription scope.
az policy state list
Get all policy states at current subscription scope.
az policy state list --all
Get latest policy states at management group scope.
az policy state list -m "myMg"
Get latest policy states at resource group scope in current subscription.
az policy state list -g "myRg"
Get latest policy states for a resource using resource ID.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
Get latest policy states for a resource using resource name.
az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
Get latest policy states for a nested resource using resource name.
az policy state list --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
Get latest policy states for a policy set definition in current subscription.
az policy state list -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
Get latest policy states for a policy definition in current subscription.
az policy state list -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
Get latest policy states for a policy assignment in current subscription.
az policy state list -a "ddd8ef92e3714a5ea3d208c1"
Get latest policy states for a policy assignment in the specified resource group in current subscription.
az policy state list -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
Get top 5 latest policy states in current subscription, selecting a subset of properties and customizing ordering.
az policy state list --top 5 --order-by "timestamp desc, policyAssignmentName asc" --select "timestamp, resourceId, policyAssignmentId, policySetDefinitionId, policyDefinitionId"
Get latest policy states in current subscription during a custom time interval.
az policy state list --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
Get latest policy states in current subscription filtering results based on some property values.
az policy state list --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
Get number of latest policy states in current subscription.
az policy state list --apply 'aggregate($count as numberOfRecords)'
Get latest policy states in current subscription aggregating results based on some properties.
az policy state list --apply 'groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numStates))'
Get latest policy states in current subscription grouping results based on some properties.
az policy state list --apply "groupby((policyAssignmentName, resourceId))"
Get latest policy states in current subscription aggregating results based on some properties specifying multiple groupings.
az policy state list --apply 'groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId, resourceId))/groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numNonCompliantResources))'
Get latest policy states for a resource including policy evaluation details.
az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup" --expand PolicyEvaluationDetails
Get latest component policy states for a resource (e.g. vault) and policy assignment referencing a resource provider mode policy definition.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components(\$filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"
Get latest component policy states for a resource (e.g. vault) and policy assignment referencing an initiative containing a resource provider mode policy definition.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa' and policyDefinitionReferenceId eq 'myResourceProviderModeDefinitionReferenceId'" --expand "Components(\$filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant')"
Get latest component counts by compliance state for a resource (e.g. vault) and policy assignment referencing a resource provider mode policy definition.
az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault" --filter "policyAssignmentId eq '/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa'" --expand "Components(\$filter=ComplianceState eq 'NonCompliant' or ComplianceState eq 'Compliant' or ComplianceState eq 'Conflict';\$apply=groupby((complianceState),aggregate(\$count as count)))"
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--all
Within the specified time interval, get all policy states instead of the latest only.
Property | Value |
---|---|
Default value: | False |
--apply
Apply expression for aggregations using OData notation.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--expand
Expand expression using OData notation.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--filter
Filter expression using OData notation.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--from
ISO 8601 formatted timestamp specifying the start time of the interval to query.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--management-group
Name of management group.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--namespace
Provider namespace (Ex: Microsoft.Provider).
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--order-by
Ordering expression using OData notation.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--parent
The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--policy-assignment
Name of policy assignment.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--policy-definition
Name of policy definition.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--policy-set-definition
Name of policy set definition.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--resource
Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource ID arguments.
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--resource-type
Resource type (Ex: resourceTypeC).
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--select
Select expression using OData notation.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--to
ISO 8601 formatted timestamp specifying the end time of the interval to query.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--top
Maximum number of records to return.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy state summarize
Summarize policy compliance states.
az policy state summarize [--filter]
[--from]
[--management-group]
[--namespace]
[--parent]
[--policy-assignment]
[--policy-definition]
[--policy-set-definition]
[--resource]
[--resource-group]
[--resource-type]
[--to]
[--top]
Examples
Get latest non-compliant policy states summary at current subscription scope.
az policy state summarize
Get latest non-compliant policy states summary at management group scope.
az policy state summarize -m "myMg"
Get latest non-compliant policy states summary at resource group scope in current subscription.
az policy state summarize -g "myRg"
Get latest non-compliant policy states summary for a resource using resource ID.
az policy state summarize --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup/providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
Get latest non-compliant policy states summary for a resource using resource name.
az policy state summarize --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
Get latest non-compliant policy states summary for a nested resource using resource name.
az policy state summarize --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
Get latest non-compliant policy states summary for a policy set definition in current subscription.
az policy state summarize -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
Get latest non-compliant policy states summary for a policy definition in current subscription.
az policy state summarize -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
Get latest non-compliant policy states summary for a policy assignment in current subscription.
az policy state summarize -a "ddd8ef92e3714a5ea3d208c1"
Get latest non-compliant policy states summary for a policy assignment in the specified resource group in current subscription.
az policy state summarize -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
Get latest non-compliant policy states summary in current subscription, limiting the assignments summary to top 5.
az policy state summarize --top 5
Get latest non-compliant policy states summary in current subscription for a custom time interval.
az policy state summarize --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
Get latest non-compliant policy states summary in current subscription filtering results based on some property values.
az policy state summarize --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--filter
Filter expression using OData notation.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--from
ISO 8601 formatted timestamp specifying the start time of the interval to query.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--management-group
Name of management group.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--namespace
Provider namespace (Ex: Microsoft.Provider).
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--parent
The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--policy-assignment
Name of policy assignment.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--policy-definition
Name of policy definition.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--policy-set-definition
Name of policy set definition.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--resource
Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource ID arguments.
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
--resource-type
Resource type (Ex: resourceTypeC).
Property | Value |
---|---|
Parameter group: | Resource ID Arguments |
--to
ISO 8601 formatted timestamp specifying the end time of the interval to query.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
--top
Maximum number of records to return.
Property | Value |
---|---|
Parameter group: | Query Option Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy state trigger-scan
Trigger a policy compliance evaluation for a scope.
az policy state trigger-scan [--no-wait]
[--resource-group]
Examples
Trigger a policy compliance evaluation at the current subscription scope.
az policy state trigger-scan
Trigger a policy compliance evaluation for a resource group.
az policy state trigger-scan -g "myRg"
Trigger a policy compliance evaluation for a resource group and do not wait for it to complete.
az policy state trigger-scan -g "myRg" --no-wait
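A compliance gate assembled from the commands on this page, as an added example that is not part of the original reference: it triggers a scan for a resource group, waits for it to finish, then counts the latest NonCompliant states for deny/audit policies. The function names, the exit codes, and the use of `complianceState` as a filter property on the top-level state record are assumptions made here.

```shell
# Added example: fail a pipeline step when a resource group has
# non-compliant policy states. Function names and exit codes are hypothetical.

# Print the number of latest NonCompliant states for deny/audit policies.
# Assumption: complianceState is filterable on the top-level state record.
# OData options that start with "$" (such as $count or $filter) must be
# single-quoted or escaped in a POSIX shell; --query/length(@) avoids them.
noncompliant_count() {
  az policy state list -g "$1" \
    --filter "complianceState eq 'NonCompliant' and (policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit')" \
    --query "length(@)" -o tsv
}

# Exit status: 0 = compliant, 1 = non-compliant states found, 2 = az error
# or unexpected output.
policy_gate() {
  rg="$1"
  # Without --no-wait the command blocks until the evaluation completes,
  # so the states read afterwards reflect the fresh scan.
  az policy state trigger-scan -g "$rg" || return 2
  count="$(noncompliant_count "$rg")" || return 2
  case "$count" in
    ''|*[!0-9]*)
      echo "unexpected count from az: '$count'" >&2
      return 2
      ;;
  esac
  if [ "$count" -gt 0 ]; then
    echo "$rg: $count non-compliant policy state(s)" >&2
    return 1
  fi
  echo "$rg: compliant"
}
```

Call `policy_gate "myRg"` from a deployment job and treat status 2 as a failure too, so an expired login or a malformed filter does not pass as compliant.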
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--no-wait
Do not wait for the long-running operation to finish.
Property | Value |
---|---|
Default value: | False |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Property | Value |
---|---|
Parameter group: | Scope Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |