Where can you go to check the Regulatory Compliance of your organizations Azure environment?

Published date: 15 March, 2019

The new Azure Security Center regulatory compliance dashboard is in public preview. It helps streamline the process for meeting regulatory compliance requirements by providing insights into your compliance posture. The information provided is based on continuous assessments of your Azure environment.

To support your business needs and to provide compliance reports to auditors and executives, you can use the Download now link to generate a .pdf file which provides the overall status for each regulatory standard you select.

For more information, see Improve your regulatory compliance.


Get compliance data of Azure resources

  • Article
  • 08/16/2022
  • 18 minutes to read


One of the largest benefits of Azure Policy is the insight and controls it provides over resources in a subscription or management group of subscriptions. This control can be exercised in many different ways, such as preventing resources being created in the wrong location, enforcing common and consistent tag usage, or auditing existing resources for appropriate configurations and settings. In all cases, data is generated by Azure Policy to enable you to understand the compliance state of your environment.

There are several ways to access the compliance information generated by your policy and initiative assignments:

  • Using the Azure portal
  • Through command line scripting

Before looking at the methods to report on compliance, let's look at when compliance information is updated and the frequency and events that trigger an evaluation cycle.

Warning

If compliance state is being reported as Not registered, verify that the Microsoft.PolicyInsights Resource Provider is registered and that the user has the appropriate Azure role-based access control (Azure RBAC) permissions as described in Azure RBAC permissions in Azure Policy.

Evaluation triggers

The results of a completed evaluation cycle are available in the Microsoft.PolicyInsights Resource Provider through PolicyStates and PolicyEvents operations. For more information about the operations of the Azure Policy Insights REST API, see Azure Policy Insights.

Evaluations of assigned policies and initiatives happen as the result of various events:

  • A policy or initiative is newly assigned to a scope. It takes around 30 minutes for the assignment to be applied to the defined scope. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative and depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

  • A policy or initiative already assigned to a scope is updated. The evaluation cycle and timing for this scenario is the same as for a new assignment to a scope.

  • A resource is deployed to or updated within a scope with an assignment via Azure Resource Manager, REST API, or a supported SDK. In this scenario, the effect event (append, audit, deny, deploy) and compliant status information for the individual resource becomes available in the portal and SDKs around 15 minutes later. This event doesn't cause an evaluation of other resources.

  • A subscription (resource type Microsoft.Resources/subscriptions) is created or moved within a management group hierarchy with an assigned policy definition targeting the subscription resource type. Evaluation of the subscription-supported effects (audit, auditIfNotExist, deployIfNotExists, modify), logging, and any remediation actions takes around 30 minutes.

  • A policy exemption is created, updated, or deleted. In this scenario, the corresponding assignment is evaluated for the defined exemption scope.

  • Standard compliance evaluation cycle. Once every 24 hours, assignments are automatically reevaluated. A large policy or initiative of many resources can take time, so there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

  • The machine configuration resource provider is updated with compliance details by a managed resource.

  • On-demand scan

On-demand evaluation scan

An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. This scan is an asynchronous process.

Note

Not all Azure resource providers support on-demand evaluation scans. For example, Azure Virtual Network Manager (AVNM) currently doesn't support either manual triggers or the standard policy compliance evaluation cycle (daily scans).

On-demand evaluation scan - GitHub Action

Use the Azure Policy Compliance Scan action to trigger an on-demand evaluation scan from your GitHub workflow on one or multiple resources, resource groups, or subscriptions, and gate the workflow based on the compliance state of resources. You can also configure the workflow to run at a scheduled time so that you get the latest compliance status at a convenient time. Optionally, this GitHub Action can generate a report on the compliance state of scanned resources for further analysis or for archiving.

The following example runs a compliance scan for a subscription.

    on:
      schedule:
        - cron: '0 8 * * *'  # runs every morning 8am
    jobs:
      assess-policy-compliance:
        runs-on: ubuntu-latest
        steps:
          - name: Login to Azure
            uses: azure/login@v1
            with:
              creds: ${{secrets.AZURE_CREDENTIALS}}
          - name: Check for resource compliance
            uses: azure/policy-compliance-scan@v0
            with:
              scopes: |
                /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

For more information and workflow samples, see the GitHub Actions for Azure Policy Compliance Scan repo.

On-demand evaluation scan - Azure CLI

The compliance scan is started with the az policy state trigger-scan command.

By default, az policy state trigger-scan starts an evaluation for all resources in the current subscription. To start an evaluation on a specific resource group, use the --resource-group parameter. The following example starts a compliance scan in the current subscription for the MyRG resource group:

az policy state trigger-scan --resource-group "MyRG"

You can choose not to wait for the asynchronous process to complete before continuing by adding the --no-wait parameter.

On-demand evaluation scan - Azure PowerShell

The compliance scan is started with the Start-AzPolicyComplianceScan cmdlet.

By default, Start-AzPolicyComplianceScan starts an evaluation for all resources in the current subscription. To start an evaluation on a specific resource group, use the ResourceGroupName parameter. The following example starts a compliance scan in the current subscription for the MyRG resource group:

Start-AzPolicyComplianceScan -ResourceGroupName 'MyRG'

You can have PowerShell wait for the asynchronous call to complete before providing the results output or have it run in the background as a job. To use a PowerShell job to run the compliance scan in the background, use the AsJob parameter and set the value to an object, such as $job in this example:

$job = Start-AzPolicyComplianceScan -AsJob

You can check on the status of the job by checking on the $job object. The job is of the type Microsoft.Azure.Commands.Common.AzureLongRunningJob. Use Get-Member on the $job object to see available properties and methods.

While the compliance scan is running, checking the $job object outputs results such as these:

    $job

    Id     Name               PSJobTypeName      State     HasMoreData  Location   Command
    --     ----               -------------      -----     -----------  --------   -------
    2      Long Running O...  AzureLongRunni...  Running   True         localhost  Start-AzPolicyCompliance...

When the compliance scan completes, the State property changes to Completed.

On-demand evaluation scan - REST

As an asynchronous process, the REST endpoint to start the scan doesn't wait until the scan is complete to respond. Instead, it provides a URI to query the status of the requested evaluation.

Each REST API URI below contains placeholders that you need to replace with your own values:

  • {YourRG} - Replace with the name of your resource group
  • {subscriptionId} - Replace with your subscription ID

The scan supports evaluation of resources in a subscription or in a resource group. Start a scan by scope with a REST API POST command using the following URI structures:

  • Subscription

    POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01
  • Resource group

    POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01

The call returns a 202 Accepted status. Included in the response header is a Location property with the following format:

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/asyncOperationResults/{ResourceContainerGUID}?api-version=2019-10-01

{ResourceContainerGUID} is statically generated for the scope requested. If a scope is already running an on-demand scan, a new scan isn't started. Instead, the new request is provided the same {ResourceContainerGUID} location URI for status. A REST API GET command to the Location URI returns a 202 Accepted while the evaluation is ongoing. When the evaluation scan has completed, it returns a 200 OK status. The body of a completed scan is a JSON response with the status:

{ "status": "Succeeded" }
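The trigger-and-poll exchange described above, written out as an added Python example (this is not code from the Azure documentation or from the Azure SDK). The HTTP transport is injected as a hypothetical `send(method, uri)` callable so the flow can be exercised offline; `FakeArm` is a constructed stand-in for the management endpoint, and the subscription and operation GUIDs in it are placeholders. The example adds one check the page implies but does not spell out: any status code other than 202 or 200 is treated as a failure rather than silently retried.

```python
# Added example, not from the Azure docs: drive the asynchronous
# triggerEvaluation flow with an injectable HTTP function.  `send` is a
# hypothetical callable returning (status_code, headers, body_json); in
# production it would wrap urllib/requests with a bearer token for ARM.
import json

API_VERSION = "2019-10-01"
ARM = "https://management.azure.com"


def trigger_uri(subscription_id, resource_group=None):
    """Build the POST URI for a subscription- or resource-group-scoped scan."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return (f"{ARM}{scope}/providers/Microsoft.PolicyInsights/policyStates/latest"
            f"/triggerEvaluation?api-version={API_VERSION}")


def run_scan(send, subscription_id, resource_group=None, max_polls=50):
    """POST to start the scan, then GET the Location URI until it returns 200.

    Returns (final_status_string, number_of_polls).  Raises on any unexpected
    code so a caller never mistakes an errored scan for a finished one.
    """
    code, headers, _ = send("POST", trigger_uri(subscription_id, resource_group))
    if code != 202:
        raise RuntimeError(f"trigger returned HTTP {code}, expected 202 Accepted")
    location = headers.get("Location")
    if not location or "/asyncOperationResults/" not in location:
        raise RuntimeError("202 response lacked an asyncOperationResults Location header")
    for polls in range(1, max_polls + 1):
        code, _, body = send("GET", location)
        if code == 202:
            continue                      # evaluation still running
        if code == 200:
            return body.get("status"), polls
        raise RuntimeError(f"status poll returned HTTP {code}")
    raise TimeoutError(f"scan not finished after {max_polls} polls")


class FakeArm:
    """Constructed stand-in for the ARM endpoint: 202 on POST, then `pending`
    202 responses on GET before a final 200 with {"status": "Succeeded"}."""

    def __init__(self, pending=2):
        self.pending = pending
        self.calls = []
        # Placeholder GUID; a real response carries the scope's ResourceContainerGUID.
        self.location = (f"{ARM}/subscriptions/sub-placeholder/providers/"
                         f"Microsoft.PolicyInsights/asyncOperationResults/"
                         f"00000000-0000-0000-0000-000000000000?api-version={API_VERSION}")

    def __call__(self, method, uri):
        self.calls.append((method, uri))
        if method == "POST":
            return 202, {"Location": self.location}, None
        if self.pending > 0:
            self.pending -= 1
            return 202, {}, None
        return 200, {}, json.loads('{"status": "Succeeded"}')


if __name__ == "__main__":
    fake = FakeArm(pending=2)
    print(run_scan(fake, "sub-placeholder", "MyRG"))  # ('Succeeded', 3)
```

Against a real endpoint, `send` would also need to honour any Retry-After header and a sensible sleep between polls; the fake omits both because there is nothing to wait for.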

On-demand evaluation scan - Visual Studio Code

The Azure Policy extension for Visual Studio Code is capable of running an evaluation scan for a specific resource. This scan is a synchronous process, unlike the Azure PowerShell and REST methods. For details and steps, see On-demand evaluation with the VS Code extension.

How compliance works

In an assignment, a resource is Non-compliant if it doesn't follow policy or initiative rules and isn't exempt. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state:

    Resource State | Effect                                                              | Policy Evaluation | Compliance State
    ---------------|---------------------------------------------------------------------|-------------------|-----------------
    New or Updated | Audit, Modify, AuditIfNotExist                                      | True              | Non-Compliant
    New or Updated | Audit, Modify, AuditIfNotExist                                      | False             | Compliant
    Exists         | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist      | True              | Non-Compliant
    Exists         | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist      | False             | Compliant

Note

The DeployIfNotExist and AuditIfNotExist effects require the IF statement to be TRUE and the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources.

For example, assume that you have a resource group, ContosoRG, with some storage accounts (highlighted in red in the portal screenshot) that are exposed to public networks.


In this example, you need to be wary of security risks. Now that you've created a policy assignment, it's evaluated for all included and non-exempt storage accounts in the ContosoRG resource group. It audits the three non-compliant storage accounts, consequently changing their states to Non-compliant.


Besides Compliant and Non-compliant, policies and resources have four other states:

  • Exempt: The resource is in scope of an assignment, but has a defined exemption.
  • Conflicting: Two or more policy definitions exist with conflicting rules. For example, two definitions append the same tag with different values.
  • Not started: The evaluation cycle hasn't started for the policy or resource.
  • Not registered: The Azure Policy Resource Provider hasn't been registered or the account logged in doesn't have permission to read compliance data.

Azure Policy uses the type, name, or kind fields in the definition to determine whether a resource is a match. When the resource matches, it's considered applicable and has a status of either Compliant, Non-compliant, or Exempt. If either name or kind is the only property in the definition, then all included and non-exempt resources are considered applicable and are evaluated.

The compliance percentage is determined by dividing Compliant and Exempt resources by total resources. Total resources is defined as the sum of the Compliant, Non-compliant, Exempt, and Conflicting resources. The overall compliance numbers are the sum of distinct resources that are Compliant or Exempt divided by the sum of all distinct resources. In the image below, there are 20 distinct resources that are applicable and only one is Non-compliant. The overall resource compliance is 95% (19 out of 20).
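The state table, the note on the *IfNotExists effects, the ContosoRG storage-account walkthrough and the compliance-percentage formula above, modelled in an added Python example (this is not Azure Policy's own evaluation code; function names, and the constructed storage-account input, are this example's own). The model generalizes the table to any of the listed effects and treats exemptions and the existence condition the way the text describes.

```python
# Added example, not from the Azure docs: a small model of the compliance-state
# table and of the overall compliance percentage as the page defines it.
from collections import Counter

EXISTENCE_EFFECTS = {"deployifnotexists", "auditifnotexists"}
EVALUATED_EFFECTS = EXISTENCE_EFFECTS | {"deny", "audit", "append", "modify"}


def compliance_state(effect, if_matched, existence_matched=None, exempt=False):
    """Return 'Compliant', 'Non-compliant' or 'Exempt' for one resource under one
    policy definition.

    if_matched        -- result of the policy rule's IF condition
    existence_matched -- result of the existence condition; only consulted for
                         the *IfNotExists effects
    exempt            -- the resource is covered by a policy exemption
    """
    effect = effect.lower()
    if effect not in EVALUATED_EFFECTS:
        raise ValueError(f"unknown effect {effect!r}")
    if exempt:
        return "Exempt"
    if not if_matched:
        return "Compliant"            # IF condition false: the rule does not apply
    if effect in EXISTENCE_EFFECTS:
        if existence_matched is None:
            raise ValueError(f"{effect} needs an existence-condition result")
        # IF true and the related resource missing -> Non-compliant
        return "Compliant" if existence_matched else "Non-compliant"
    return "Non-compliant"


def audit_public_storage(accounts, exempt=()):
    """Model the ContosoRG example: an Audit policy whose IF condition matches
    storage accounts that allow public network access.  `accounts` maps an
    account name to its public-network flag (constructed input)."""
    return {name: compliance_state("Audit", if_matched=public, exempt=name in exempt)
            for name, public in accounts.items()}


def compliance_percentage(states):
    """Overall compliance: (Compliant + Exempt) / (Compliant + Non-compliant +
    Exempt + Conflicting).  'Not started' and 'Not registered' resources fall
    outside that total, exactly as the page defines it."""
    counts = Counter(states)
    total = sum(counts[s] for s in ("Compliant", "Non-compliant", "Exempt", "Conflicting"))
    if total == 0:
        return None                   # nothing evaluated yet; do not report 100%
    return round(100 * (counts["Compliant"] + counts["Exempt"]) / total, 2)


if __name__ == "__main__":
    # Constructed ContosoRG-style input: three public accounts, one private, one exempt.
    rg = audit_public_storage(
        {"sa1": True, "sa2": True, "sa3": True, "sa4": False, "sa5": True}, exempt=("sa5",))
    print(rg, compliance_percentage(rg.values()))
    # The page's 19-of-20 figure:
    print(compliance_percentage(["Compliant"] * 19 + ["Non-compliant"]))  # 95.0
```

Returning None for an empty total is a deliberate choice: a dashboard that shows 100% before the first evaluation cycle has run reports a compliance posture that does not exist yet.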


Note

Regulatory Compliance in Azure Policy is a preview feature. For enabled initiatives, the compliance properties returned by the SDK differ from those shown on the portal pages. For more information, see Regulatory Compliance.

Portal

The Azure portal provides a graphical experience for visualizing and understanding the state of compliance in your environment. On the Policy page, the Overview option provides details for available scopes on the compliance of both policies and initiatives. Along with the compliance state and count per assignment, it contains a chart showing compliance over the last seven days. The Compliance page contains much of this same information (except the chart), but provides additional filtering and sorting options.


Since a policy or initiative can be assigned to different scopes, the table includes the scope for each assignment and the type of definition that was assigned. The number of non-compliant resources and non-compliant policies for each assignment are also provided. Selecting a policy or initiative in the table provides a deeper look at the compliance for that particular assignment.


The list of resources on the Resource compliance tab shows the evaluation status of existing resources for the current assignment. The tab defaults to Non-compliant, but can be filtered. Events (append, audit, deny, deploy, modify) triggered by the request to create a resource are shown under the Events tab.

Note

For an AKS Engine policy, the resource shown is the resource group.


For Resource Provider mode resources, on the Resource compliance tab, selecting the resource or right-clicking on the row and selecting View compliance details opens the component compliance details. This page also offers tabs to see the policies that are assigned to this resource, events, component events, and change history.


Back on the resource compliance page, select and hold (or right-click) on the row of the event you would like to gather more details on and select Show activity logs. The activity log page opens and is pre-filtered to the search showing details for the assignment and the events. The activity log provides additional context and information about those events.


Understand non-compliance

When a resource is determined to be non-compliant, there are many possible reasons. To determine the reason a resource is non-compliant or to find the change responsible, see Determine non-compliance.

Command line

The same information available in the portal can be retrieved with the REST API (including with ARMClient), Azure PowerShell, and Azure CLI. For full details on the REST API, see the Azure Policy reference. The REST API reference pages have a green 'Try It' button on each operation that allows you to try it right in the browser.

Use ARMClient or a similar tool to handle authentication to Azure for the REST API examples.

Note

Currently, the "reason for non-compliance" can't be retrieved from the command line. Work on mapping the reason code to the "reason for non-compliance" is in progress, and there is no ETA for it at this point.

Summarize results

With the REST API, summarization can be performed by container, definition, or assignment. Here is an example of summarization at the subscription level using Azure Policy Insight's Summarize For Subscription:

POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/summarize?api-version=2019-10-01

The output summarizes the subscription. In the example output below, the summarized compliance results are under value.results.nonCompliantResources and value.results.nonCompliantPolicies. This request provides further details, including each assignment that made up the non-compliant numbers and the definition information for each assignment. Each policy object in the hierarchy provides a queryResultsUri that can be used to get additional detail at that level.

    {
      "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary",
      "@odata.count": 1,
      "value": [{
        "@odata.id": null,
        "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary/$entity",
        "results": {
          "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant'",
          "nonCompliantResources": 15,
          "nonCompliantPolicies": 1
        },
        "policyAssignments": [{
          "policyAssignmentId": "/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77",
          "policySetDefinitionId": "",
          "results": {
            "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77'",
            "nonCompliantResources": 15,
            "nonCompliantPolicies": 1
          },
          "policyDefinitions": [{
            "policyDefinitionReferenceId": "",
            "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
            "effect": "deny",
            "results": {
              "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77' and PolicyDefinitionId eq '/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'",
              "nonCompliantResources": 15
            }
          }]
        }]
      }]
    }

Query for resources

In the example above, value.policyAssignments.policyDefinitions.results.queryResultsUri provides a sample URI for all non-compliant resources for a specific policy definition. Looking at the $filter value, ComplianceState is equal (eq) to 'NonCompliant', PolicyAssignmentId is specified for the policy definition, and then the PolicyDefinitionId itself. The reason for including the PolicyAssignmentId in the filter is because the PolicyDefinitionId could exist in several policy or initiative assignments with different scopes. By specifying both the PolicyAssignmentId and the PolicyDefinitionId, we can be explicit in the results we're looking for. Previously, for PolicyStates we used latest, which automatically sets a from and to time window of the last 24-hours.

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77' and PolicyDefinitionId eq '/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'
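The summarize hierarchy and the explicit assignment-plus-definition $filter explained above, as an added Python example (not code from the Azure documentation or SDK). `SAMPLE_SUMMARY` is a constructed response that mirrors the structure shown on the page; its assignment and definition IDs are placeholders. The walker returns one row per (assignment, definition) pair, so a definition that is reused across several assignments is reported once per assignment rather than conflated.

```python
# Added example, not from the Azure docs: walk a Summarize For Subscription
# response and build the explicit $filter for policyStates/latest/queryResults.
import json
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2019-10-01"

# Constructed sample mirroring the page's response shape (placeholder IDs).
SAMPLE_SUMMARY = json.loads("""
{
  "value": [{
    "results": {"nonCompliantResources": 15, "nonCompliantPolicies": 1},
    "policyAssignments": [{
      "policyAssignmentId": "/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/assignment-placeholder",
      "policySetDefinitionId": "",
      "results": {"nonCompliantResources": 15, "nonCompliantPolicies": 1},
      "policyDefinitions": [{
        "policyDefinitionReferenceId": "",
        "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/definition-placeholder",
        "effect": "deny",
        "results": {"nonCompliantResources": 15}
      }]
    }]
  }]
}
""")


def noncompliance_filter(assignment_id, definition_id=None):
    """OData $filter that pins the assignment and, optionally, the definition,
    so a definition reused in several assignments is not conflated."""
    parts = ["ComplianceState eq 'NonCompliant'",
             f"PolicyAssignmentId eq '{assignment_id}'"]
    if definition_id:
        parts.append(f"PolicyDefinitionId eq '{definition_id}'")
    return " and ".join(parts)


def query_results_uri(subscription_id, odata_filter):
    """URI for policyStates/latest/queryResults.  `latest` implies the last
    24-hour window, so no $from/$to is added here; the filter is URL-encoded
    because the raw form contains spaces and quotes."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.PolicyInsights"
            f"/policyStates/latest/queryResults?api-version={API_VERSION}"
            f"&$filter={quote(odata_filter, safe='')}")


def flatten_summary(summary):
    """Return one row per (assignment, definition) with its non-compliant count,
    worst offenders first, plus a ready-made filter for drilling in."""
    rows = []
    for entry in summary.get("value", []):
        for assignment in entry.get("policyAssignments", []):
            a_id = assignment["policyAssignmentId"]
            for definition in assignment.get("policyDefinitions", []):
                d_id = definition["policyDefinitionId"]
                rows.append({
                    "assignment": a_id,
                    "definition": d_id,
                    "effect": definition.get("effect"),
                    "nonCompliantResources": definition["results"].get("nonCompliantResources", 0),
                    "filter": noncompliance_filter(a_id, d_id),
                })
    rows.sort(key=lambda r: r["nonCompliantResources"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in flatten_summary(SAMPLE_SUMMARY):
        print(row["nonCompliantResources"], row["effect"], row["definition"])
        print(query_results_uri("sub-placeholder", row["filter"]))
```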

The example response below has been trimmed to a single non-compliant resource for brevity. The detailed response has several pieces of data about the resource, the policy or initiative, and the assignment. Notice that you can also see what assignment parameters were passed to the policy definition.

    {
      "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest",
      "@odata.count": 15,
      "value": [{
        "@odata.id": null,
        "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
        "timestamp": "2018-05-19T04:41:09Z",
        "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Compute/virtualMachines/linux",
        "policyAssignmentId": "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
        "effectiveParameters": "",
        "ComplianceState": "NonCompliant",
        "subscriptionId": "{subscriptionId}",
        "resourceType": "/Microsoft.Compute/virtualMachines",
        "resourceLocation": "westus2",
        "resourceGroup": "RG-Tags",
        "resourceTags": "tbd",
        "policyAssignmentName": "37ce239ae4304622914f0c77",
        "policyAssignmentOwner": "tbd",
        "policyAssignmentParameters": "{\"tagName\":{\"value\":\"costCenter\"},\"tagValue\":{\"value\":\"Contoso-Test\"}}",
        "policyAssignmentScope": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags",
        "policyDefinitionName": "1e30110a-5ceb-460c-a204-c1c3969c6d62",
        "policyDefinitionAction": "deny",
        "policyDefinitionCategory": "tbd",
        "policySetDefinitionId": "",
        "policySetDefinitionName": "",
        "policySetDefinitionOwner": "",
        "policySetDefinitionCategory": "",
        "policySetDefinitionParameters": "",
        "managementGroupIds": "",
        "policyDefinitionReferenceId": ""
      }]
    }

View events

When a resource is created or updated, a policy evaluation result is generated. Results are called policy events. Use the following URI to view recent policy events associated with the subscription.

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/default/queryResults?api-version=2019-10-01

Your results resemble the following example:

    {
      "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/$metadata#default",
      "@odata.count": 1,
      "value": [{
        "@odata.id": null,
        "@odata.context": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/$metadata#default/$entity",
        "NumAuditEvents": 16
      }]
    }

For more information about querying policy events, see the Azure Policy Events reference article.

Azure CLI

The Azure CLI command group for Azure Policy covers most operations that are available in REST or Azure PowerShell. For the full list of available commands, see Azure CLI - Azure Policy Overview.

Example: Getting the state summary for the topmost assigned policy with the highest number of non-compliant resources.

az policy state summarize --top 1

The top portion of the response looks like this example:

    {
      "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary/$entity",
      "odataid": null,
      "policyAssignments": [{
        "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
        "policyDefinitions": [{
          "effect": "audit",
          "policyDefinitionGroupNames": [ "" ],
          "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
          "policyDefinitionReferenceId": "",
          "results": {
            "nonCompliantPolicies": null,
            "nonCompliantResources": 398,
            "policyDetails": [{ "complianceState": "noncompliant", "count": 1 }],
            "policyGroupDetails": [{ "complianceState": "noncompliant", "count": 1 }],
            "queryResultsUri": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2020-07-14 14:01:22Z&$to=2020-07-15 14:01:22Z and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8' and PolicyDefinitionId eq '/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a'",
            "resourceDetails": [
              { "complianceState": "noncompliant", "count": 398 },
              { "complianceState": "compliant", "count": 4 }
            ]
          }
        }],
        ...

Example: Getting the state record for the most recently evaluated resource (default is by timestamp in descending order).

    az policy state list --top 1

    [
      {
        "complianceReasonCode": "",
        "complianceState": "Compliant",
        "effectiveParameters": "",
        "isCompliant": true,
        "managementGroupIds": "{managementgroupId}",
        "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
        "odataid": null,
        "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/securitycenterbuiltin",
        "policyAssignmentName": "SecurityCenterBuiltIn",
        "policyAssignmentOwner": "tbd",
        "policyAssignmentParameters": "",
        "policyAssignmentScope": "/subscriptions/{subscriptionId}",
        "policyAssignmentVersion": "",
        "policyDefinitionAction": "auditifnotexists",
        "policyDefinitionCategory": "tbd",
        "policyDefinitionGroupNames": [ "" ],
        "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionName": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
        "policyDefinitionReferenceId": "identityenablemfaforownerpermissionsmonitoring",
        "policyDefinitionVersion": "",
        "policyEvaluationDetails": null,
        "policySetDefinitionCategory": "security center",
        "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "policySetDefinitionName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "policySetDefinitionOwner": "",
        "policySetDefinitionParameters": "",
        "policySetDefinitionVersion": "",
        "resourceGroup": "",
        "resourceId": "/subscriptions/{subscriptionId}",
        "resourceLocation": "",
        "resourceTags": "tbd",
        "resourceType": "Microsoft.Resources/subscriptions",
        "subscriptionId": "{subscriptionId}",
        "timestamp": "2020-07-15T08:37:07.903433+00:00"
      }
    ]

Example: Getting the details for all non-compliant virtual network resources.

    az policy state list --filter "ResourceType eq 'Microsoft.Network/virtualNetworks'"

    [
      {
        "complianceReasonCode": "",
        "complianceState": "NonCompliant",
        "effectiveParameters": "",
        "isCompliant": false,
        "managementGroupIds": "{managementgroupId}",
        "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
        "odataid": null,
        "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
        "policyAssignmentName": "e0704696df5e4c3c81c873e8",
        "policyAssignmentOwner": "tbd",
        "policyAssignmentParameters": "",
        "policyAssignmentScope": "/subscriptions/{subscriptionId}",
        "policyAssignmentVersion": "",
        "policyDefinitionAction": "audit",
        "policyDefinitionCategory": "tbd",
        "policyDefinitionGroupNames": [ "" ],
        "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
        "policyDefinitionName": "2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
        "policyDefinitionReferenceId": "",
        "policyDefinitionVersion": "",
        "policyEvaluationDetails": null,
        "policySetDefinitionCategory": "",
        "policySetDefinitionId": "",
        "policySetDefinitionName": "",
        "policySetDefinitionOwner": "",
        "policySetDefinitionParameters": "",
        "policySetDefinitionVersion": "",
        "resourceGroup": "RG-Tags",
        "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet",
        "resourceLocation": "westus2",
        "resourceTags": "tbd",
        "resourceType": "Microsoft.Network/virtualNetworks",
        "subscriptionId": "{subscriptionId}",
        "timestamp": "2020-07-15T08:37:07.901911+00:00"
      }
    ]

Example: Getting events related to non-compliant virtual network resources that occurred after a specific date.

    az policy state list --filter "ResourceType eq 'Microsoft.Network/virtualNetworks'" --from '2020-07-14T00:00:00Z'

    [
      {
        "complianceReasonCode": "",
        "complianceState": "NonCompliant",
        "effectiveParameters": "",
        "isCompliant": false,
        "managementGroupIds": "{managementgroupId}",
        "odatacontext": "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
        "odataid": null,
        "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
        "policyAssignmentName": "e0704696df5e4c3c81c873e8",
        "policyAssignmentOwner": "tbd",
        "policyAssignmentParameters": "",
        "policyAssignmentScope": "/subscriptions/{subscriptionId}",
        "policyAssignmentVersion": "",
        "policyDefinitionAction": "audit",
        "policyDefinitionCategory": "tbd",
        "policyDefinitionGroupNames": [ "" ],
        "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
        "policyDefinitionName": "2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
        "policyDefinitionReferenceId": "",
        "policyDefinitionVersion": "",
        "policyEvaluationDetails": null,
        "policySetDefinitionCategory": "",
        "policySetDefinitionId": "",
        "policySetDefinitionName": "",
        "policySetDefinitionOwner": "",
        "policySetDefinitionParameters": "",
        "policySetDefinitionVersion": "",
        "resourceGroup": "RG-Tags",
        "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet",
        "resourceLocation": "westus2",
        "resourceTags": "tbd",
        "resourceType": "Microsoft.Network/virtualNetworks",
        "subscriptionId": "{subscriptionId}",
        "timestamp": "2020-07-15T08:37:07.901911+00:00"
      }
    ]

Azure PowerShell

The Azure PowerShell module for Azure Policy is available on the PowerShell Gallery as Az.PolicyInsights. Using PowerShellGet, you can install the module using Install-Module -Name Az.PolicyInsights (make sure you have the latest Azure PowerShell installed):

    # Install from PowerShell Gallery via PowerShellGet
    Install-Module -Name Az.PolicyInsights

    # Import the downloaded module
    Import-Module Az.PolicyInsights

    # Login with Connect-AzAccount if not using Cloud Shell
    Connect-AzAccount

The module has the following cmdlets:

  • Get-AzPolicyStateSummary
  • Get-AzPolicyState
  • Get-AzPolicyEvent
  • Get-AzPolicyRemediation
  • Remove-AzPolicyRemediation
  • Start-AzPolicyRemediation
  • Stop-AzPolicyRemediation

Example: Getting the state summary for the topmost assigned policy with the highest number of non-compliant resources.

PS> Get-AzPolicyStateSummary -Top 1

NonCompliantResources : 15
NonCompliantPolicies  : 1
PolicyAssignments     : {/subscriptions/{subscriptionId}/resourcegroups/RG-Tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77}

Example: Getting the state record for the most recently evaluated resource (default is by timestamp in descending order).

PS> Get-AzPolicyState -Top 1

Timestamp                  : 5/22/2018 3:47:34 PM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/networkInterfaces/linux316
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/networkInterfaces
ResourceLocation           : westus2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd

Example: Getting the details for all non-compliant virtual network resources.

PS> Get-AzPolicyState -Filter "ResourceType eq '/Microsoft.Network/virtualNetworks'"

Timestamp                  : 5/22/2018 4:02:20 PM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/virtualNetworks
ResourceLocation           : westus2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd

Example: Getting events related to non-compliant virtual network resources that occurred after a specific date, converting to a CSV object, and exporting to a file.

$policyEvents = Get-AzPolicyEvent -Filter "ResourceType eq '/Microsoft.Network/virtualNetworks'" -From '2020-09-19'
$policyEvents | ConvertTo-Csv | Out-File 'C:\temp\policyEvents.csv'

The output of the $policyEvents object looks like the following output:

Timestamp                  : 9/19/2020 5:18:53 AM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/virtualNetworks
ResourceLocation           : eastus
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd
TenantId                   : {tenantId}
PrincipalOid               : {principalOid}

The PrincipalOid field identifies the security principal whose request produced the event. For a user, resolve it with the Azure PowerShell cmdlet Get-AzADUser; if the object ID belongs to a service principal or managed identity (common for pipelines and automation), use Get-AzADServicePrincipal -ObjectId instead. Replace {principalOid} with the value returned by the previous example.

PS> (Get-AzADUser -ObjectId {principalOid}).DisplayName
Trent Baker
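The event query and the PrincipalOid lookup above combine into a useful security report: who has been hitting 'deny' assignments, how often, and against which assignments. The following script is an added example, not code from the original page or from the Az.PolicyInsights module. It assumes Az.Accounts, Az.Resources and Az.PolicyInsights are installed, that Connect-AzAccount has already been run against the subscription of interest, and that the OData filter fields PolicyDefinitionAction and ComplianceState carry the same names as the properties shown in the event output; the script name Get-DeniedDeployments.ps1, the Resolve-Principal helper and the output path are assumptions for illustration.

```powershell
# Get-DeniedDeployments.ps1 (added example, not from the page)
# Summarise who triggered 'deny' policy events in the last N days, resolve each
# PrincipalOid to a display name, and export a per-principal report.
param(
    [int]$Days = 7,
    [string]$OutFile = 'C:\temp\denied-deployments.csv'   # assumed output path
)

$from = (Get-Date).ToUniversalTime().AddDays(-$Days)

# Events from 'deny' assignments are requests Resource Manager actually blocked.
# Filter field names are assumed to match the properties in the event output.
$denied = Get-AzPolicyEvent -From $from `
    -Filter "PolicyDefinitionAction eq 'deny' and ComplianceState eq 'NonCompliant'"

# PrincipalOid is not always a user: pipelines and automation usually deploy as a
# service principal or managed identity, so try both directory object types.
$principalCache = @{}
function Resolve-Principal {
    param([string]$ObjectId)
    if ([string]::IsNullOrEmpty($ObjectId)) { return '(no principal recorded)' }
    if (-not $principalCache.ContainsKey($ObjectId)) {
        $name = $null
        $user = Get-AzADUser -ObjectId $ObjectId -ErrorAction SilentlyContinue
        if ($user) {
            $name = "$($user.DisplayName) (user)"
        } else {
            $sp = Get-AzADServicePrincipal -ObjectId $ObjectId -ErrorAction SilentlyContinue
            if ($sp) { $name = "$($sp.DisplayName) (service principal)" }
        }
        # Fall back to the raw ID if the object was deleted or directory read is denied.
        $principalCache[$ObjectId] = if ($name) { $name } else { $ObjectId }
    }
    return $principalCache[$ObjectId]
}

$summary = $denied |
    Group-Object -Property PrincipalOid |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object -Property Timestamp)
        [pscustomobject]@{
            Principal      = Resolve-Principal -ObjectId $_.Name
            PrincipalOid   = $_.Name
            DeniedAttempts = $_.Count
            FirstSeen      = $sorted[0].Timestamp
            LastSeen       = $sorted[-1].Timestamp
            Assignments    = ($_.Group.PolicyAssignmentName | Sort-Object -Unique) -join ';'
            ResourceTypes  = ($_.Group.ResourceType | Sort-Object -Unique) -join ';'
        }
    } |
    Sort-Object -Property DeniedAttempts -Descending

$summary | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Format-Table -AutoSize
```

Run it as `.\Get-DeniedDeployments.ps1 -Days 30` to widen the window. A principal with a steadily rising DeniedAttempts count is either misconfigured automation or someone probing the guardrails; either way it deserves a look before the assignment is weakened. The directory lookups are cached because a busy pipeline identity can appear in hundreds of events.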

Azure Monitor logs

If you have a Log Analytics workspace with AzureActivity from the Activity Log Analytics solution tied to your subscription, you can also view non-compliance results from the evaluation of new and updated resources using simple Kusto queries and the AzureActivity table. With details in Azure Monitor logs, alerts can be configured to watch for non-compliance.


Next steps

  • Review examples at Azure Policy samples.
  • Review the Azure Policy definition structure.
  • Review Understanding policy effects.
  • Understand how to programmatically create policies.
  • Learn how to remediate non-compliant resources.
  • Review what a management group is with Organize your resources with Azure management groups.


Where can you go to check the Regulatory Compliance of your organization's Azure environment?

Go to the Regulatory Compliance dashboard in Azure Security Center and check its recommendations. The dashboard guides you through the actions needed to fix issues for each compliance standard, including those specific to identity and access management.

Where can you go to see what standards Microsoft is in compliance with?

Within the Microsoft Compliance center, you can view your organization's compliance score. The score starts from an initial value based on the Microsoft 365 data protection baseline, and additional points are added for the controls of each compliance standard you select, such as NIST CSF or ISO 27001.

What is Regulatory Compliance in Azure?

Regulatory compliance also provides compliance domains and security controls for Azure Arc-enabled resources, which helps those resources meet specific standards. Based on Defender for Cloud assessment data, you can access a high-level summary of compliance status for the selected standard.

How do you evaluate whether your company's Azure environment meets regulatory requirements?

Answer: Use the Security Center blade in the Azure portal. Regulatory Compliance lets you monitor your environment for risks based on compliance standards, and view a report that shows your compliance posture relative to each standard.