Azure Policy attestation structure

Attestations are used by Azure Policy to set compliance states of resources or scopes targeted by manual policies. They also allow users to provide more metadata or link to evidence that accompanies the attested compliance state.

Note

Attestations can be created and managed only through Azure Policy Azure Resource Manager (ARM) API, PowerShell or Azure CLI.

Best practices

Attestations can be used to set the compliance state of an individual resource for a given manual policy. Each applicable resource requires one attestation per manual policy assignment. For ease of management, manual policies should be designed to target the scope that defines the boundary of resources whose compliance state needs to be attested.

For example, suppose an organization divides teams by resource group, and each team is required to attest to development of procedures for handling resources within that resource group. In this scenario, the conditions of the policy rule should specify that type equals Microsoft.Resources/resourceGroups. This way, one attestation is required for the resource group, rather than for each individual resource within. Similarly, if the organization divides teams by subscriptions, the policy rule should target Microsoft.Resources/subscriptions.

Typically, the provided evidence should correspond with relevant scopes of the organizational structure. This pattern prevents the need to duplicate evidence across many attestations. Such duplications would make manual policies difficult to manage, and indicate that the policy definition targets the wrong resources.

Example attestation

The following example creates a new attestation resource that sets the compliance state for a resource group targeted by a manual policy assignment:

PUT http://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/attestations/{name}?api-version=2019-10-01

Request body

The following code is a sample attestation resource JSON object:

"properties": {
  "policyAssignmentId": "/subscriptions/{subscriptionID}/providers/microsoft.authorization/policyassignments/{assignmentID}",
  "policyDefinitionReferenceId": "{definitionReferenceID}",
  "complianceState": "Compliant",
  "expiresOn": "2023-07-14T00:00:00Z",
  "owner": "{AADObjectID}",
  "comments": "This subscription has passed a security audit. See attached details for evidence",
  "evidence": [
    {
      "description": "The results of the security audit.",
      "sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"
    },
    {
      "description": "Description of the attached evidence document.",
      "sourceUri": "https://contoso.blob.core.windows.net/contoso-container/contoso_file.docx"
    },
  ],
  "assessmentDate": "2022-11-14T00:00:00Z",
  "metadata": {
    "departmentId": "{departmentID}"
  }
}
Property Description
policyAssignmentId Required assignment ID for which the state is being set.
policyDefinitionReferenceId Optional definition reference ID, if within a policy initiative.
complianceState Desired state of the resources. Allowed values are Compliant, NonCompliant, and Unknown.
expiresOn Optional date on which the compliance state should revert from the attested compliance state to the default state.
owner Optional Microsoft Entra ID object ID of responsible party.
comments Optional description of why state is being set.
evidence Optional array of links to attestation evidence.
assessmentDate Date at which the evidence was assessed.
metadata Optional additional information about the attestation.

Because attestations are a separate resource from policy assignments, they have their own lifecycle. You can PUT, GET, and DELETE attestations using the Azure Resource Manager API. Attestations are removed if the related manual policy assignment or policyDefinitionReferenceId are deleted, or if a resource unique to the attestation is deleted. For more information, go to Policy REST API Reference for more details.

Next steps