Azure Policy definitions auditIfNotExists effect
The `auditIfNotExists` effect enables auditing of resources related to the resource that matches the `if` condition, but that don't have the properties specified in the `details` of the `then` condition.
AuditIfNotExists evaluation
`auditIfNotExists` runs after a Resource Provider has processed a create or update resource request and returned a success status code. The audit occurs if there are no related resources or if the resources defined by `existenceCondition` don't evaluate to true. For new and updated resources, Azure Policy adds a `Microsoft.Authorization/policies/audit/action` operation to the activity log and marks the resource as non-compliant. When triggered, the resource that satisfied the `if` condition is the resource that is marked as non-compliant.
AuditIfNotExists properties
The `details` property of the AuditIfNotExists effect has all the subproperties that define the related resources to match.
- `type` (required)
  - Specifies the type of the related resource to match.
  - If `type` is a resource type underneath the `if` condition resource, the policy queries for resources of this `type` within the scope of the evaluated resource. Otherwise, policy queries within the same resource group or subscription as the evaluated resource, depending on the `existenceScope`.
- `name` (optional)
  - Specifies the exact name of the resource to match and causes the policy to fetch one specific resource instead of all resources of the specified type.
  - When the condition values for `if.field.type` and `then.details.type` match, then `name` becomes required and must be `[field('name')]`, or `[field('fullName')]` for a child resource. However, an audit effect should be considered instead.
Note
`type` and `name` segments can be combined to generically retrieve nested resources.
To retrieve a specific resource, you can use `"type": "Microsoft.ExampleProvider/exampleParentType/exampleNestedType"` and `"name": "parentResourceName/nestedResourceName"`.
To retrieve a collection of nested resources, a wildcard character `?` can be provided in place of the last name segment. For example, `"type": "Microsoft.ExampleProvider/exampleParentType/exampleNestedType"` and `"name": "parentResourceName/?"`. This can be combined with field functions to access resources related to the evaluated resource, such as `"name": "[concat(field('name'), '/?')]"`.
- `resourceGroupName` (optional)
  - Allows the matching of the related resource to come from a different resource group.
  - Doesn't apply if `type` is a resource that would be underneath the `if` condition resource.
  - Default is the `if` condition resource's resource group.
- `existenceScope` (optional)
  - Allowed values are Subscription and ResourceGroup.
  - Sets the scope of where to fetch the related resource to match from.
  - Doesn't apply if `type` is a resource that would be underneath the `if` condition resource.
  - For ResourceGroup, would limit to the resource group in `resourceGroupName` if specified. If `resourceGroupName` isn't specified, would limit to the `if` condition resource's resource group, which is the default behavior.
  - For Subscription, queries the entire subscription for the related resource. Assignment scope should be set at subscription or higher for proper evaluation.
  - Default is ResourceGroup.
- `evaluationDelay` (optional)
  - Specifies when the existence of the related resources should be evaluated. The delay is only used for evaluations that are a result of a create or update resource request.
  - Allowed values are `AfterProvisioning`, `AfterProvisioningSuccess`, `AfterProvisioningFailure`, or an ISO 8601 duration between 0 and 360 minutes.
  - The AfterProvisioning values inspect the provisioning result of the resource that was evaluated in the policy rule's `if` condition. `AfterProvisioning` runs after provisioning is complete, regardless of outcome. Provisioning that takes more than six hours is treated as a failure when determining AfterProvisioning evaluation delays.
  - Default is `PT10M` (10 minutes).
  - Specifying a long evaluation delay might cause the recorded compliance state of the resource to not update until the next evaluation trigger.
- `existenceCondition` (optional)
  - If not specified, any related resource of `type` satisfies the effect and doesn't trigger the audit.
  - Uses the same language as the policy rule for the `if` condition, but is evaluated against each related resource individually.
  - If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the audit.
  - Can use `[field()]` to check equivalence with values in the `if` condition.
  - For example, could be used to validate that the parent resource (in the `if` condition) is in the same resource location as the matching related resource.
AuditIfNotExists example
Example: Evaluates Virtual Machines to determine whether the Antimalware extension exists, then audits when missing.
```json
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Compute/virtualMachines"
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.Azure.Security"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "equals": "IaaSAntimalware"
          }
        ]
      }
    }
  }
}
```
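To make the evaluation rules above concrete, here is an added simulator (not Azure Policy's engine, and not code from the page) that runs the example definition over a constructed inventory of VMs and extension child resources; the inventory, the `parent/child` naming of children, and the `condition_true`/`audit_if_not_exists` helpers are all assumptions of this illustration.

```python
# Added illustration (not Azure Policy's engine): a minimal simulator of the
# auditIfNotExists semantics above, run over a constructed resource inventory.
# Child resources are named "parent/child", mirroring the page's name convention.
RESOURCES = [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-a"},
    {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "vm-a/AntiMalware",
     "Microsoft.Compute/virtualMachines/extensions/publisher": "Microsoft.Azure.Security",
     "Microsoft.Compute/virtualMachines/extensions/type": "IaaSAntimalware"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-b"},
    {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "vm-b/CustomScript",
     "Microsoft.Compute/virtualMachines/extensions/publisher": "Microsoft.Azure.Extensions",
     "Microsoft.Compute/virtualMachines/extensions/type": "CustomScript"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-c"},  # no extensions at all
]

POLICY = {  # the page's example definition, as a Python dict
    "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    "then": {"effect": "auditIfNotExists", "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {"allOf": [
            {"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
             "equals": "Microsoft.Azure.Security"},
            {"field": "Microsoft.Compute/virtualMachines/extensions/type",
             "equals": "IaaSAntimalware"}]}}},
}

def condition_true(cond, resource):
    """Evaluate the subset of the policy language used here: field/equals, allOf, anyOf."""
    if "allOf" in cond:
        return all(condition_true(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_true(c, resource) for c in cond["anyOf"])
    return resource.get(cond["field"]) == cond["equals"]

def audit_if_not_exists(policy, resources):
    """Return names of resources that match `if` but would be marked non-compliant."""
    details = policy["then"]["details"]
    cond = details.get("existenceCondition")
    non_compliant = []
    for res in resources:
        if not condition_true(policy["if"], res):
            continue
        # `type` is underneath the if-resource type, so query only this resource's children.
        related = [r for r in resources
                   if r["type"] == details["type"] and r["name"].startswith(res["name"] + "/")]
        # Evaluated per related resource; any match (or no existenceCondition) satisfies it.
        if not any(cond is None or condition_true(cond, r) for r in related):
            non_compliant.append(res["name"])
    return non_compliant
```

Running `audit_if_not_exists(POLICY, RESOURCES)` flags `vm-b` (an extension exists, but the existenceCondition is false for it) and `vm-c` (no related resource at all), while `vm-a` stays compliant.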
Next steps
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.