Reputation: 1585
If I run the command

```powershell
Get-AzPolicyState -PolicyAssignmentName "xxxxxxxxxxxxxxxxxxxxx" -Filter "ResourceType eq 'Microsoft.KeyVault/vaults'" # | where-object { $_.ComplianceState -eq "NonCompliant" }
```
I get an example response:
```
Timestamp : 22/04/2022 11:38:58
ResourceId : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/group_name/providers/microsoft.keyvault/vaults/resouce_name
PolicyAssignmentId : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/policyassignments/xxxxxxxxxxxxxxxxxx
PolicyDefinitionId : /providers/microsoft.authorization/policydefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
IsCompliant : False
SubscriptionId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ResourceType : Microsoft.KeyVault/vaults
ResourceLocation : northeurope
ResourceGroup : neu-rg-dev-bicep
ResourceTags : tbd
PolicyAssignmentName : xxxxxxxxxxxxxxxxxxxxxx
PolicyAssignmentOwner : tbd
PolicyAssignmentScope : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionName : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionAction : audit
PolicyDefinitionCategory : tbd
PolicySetDefinitionId : /providers/Microsoft.Authorization/policySetDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicySetDefinitionName : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicySetDefinitionCategory : security center
ManagementGroupIds : MSDN,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionReferenceId : keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect
ComplianceState : NonCompliant
AdditionalProperties : {[complianceReasonCode, ]}
```
The corresponding command with the Azure CLI is

```shell
az policy state list --filter "ResourceType eq 'Microsoft.KeyVault/vaults'" --query "[?complianceState=='NonCompliant']"
```
And the result:
```json
{
  "complianceReasonCode": "",
  "complianceState": "NonCompliant",
  "components": null,
  "effectiveParameters": "",
  "isCompliant": false,
  "managementGroupIds": "MSDN,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "odataContext": "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
  "odataId": null,
  "policyAssignmentId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/policyassignments/xxxxxxxxxxxxxxxxxx",
  "policyAssignmentName": "a26a6876d6c14a45b79d547f",
  "policyAssignmentOwner": "tbd",
  "policyAssignmentParameters": "",
  "policyAssignmentScope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "policyAssignmentVersion": "",
  "policyDefinitionAction": "audit",
  "policyDefinitionCategory": "tbd",
  "policyDefinitionGroupNames": [
    "azure_security_benchmark_v3.0_dp-8"
  ],
  "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "policyDefinitionName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "policyDefinitionReferenceId": "keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect",
  "policyDefinitionVersion": "2.0.0",
  "policyEvaluationDetails": null,
  "policySetDefinitionCategory": "security center",
  "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "policySetDefinitionName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "policySetDefinitionOwner": "",
  "policySetDefinitionParameters": "",
  "policySetDefinitionVersion": "47.0.0",
  "resourceGroup": "group_name",
  "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/group_name/providers/microsoft.keyvault/vaults/resource_name",
  "resourceLocation": "northeurope",
  "resourceTags": "tbd",
  "resourceType": "Microsoft.KeyVault/vaults",
  "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2022-04-22T11:38:58.831865+00:00"
}
```
As we can see, there is some information that is not in the PowerShell version. One of the properties with a big impact is `policyDefinitionGroupNames`.

Does anyone know a way to get that property using PowerShell?
Upvotes: 0
Views: 881
Reputation: 4883
> Does anyone know a way to get that property using powershell

As suggested by @Todd above, we have tried the same to get the property that you are looking for. Try to use the below cmdlets:

```powershell
$outVar = Get-AzPolicyState -PolicyAssignmentName "xxxxxxxxx0" -Filter "ResourceType eq 'Microsoft.KeyVault/vaults'" # | where-object { $_.ComplianceState -eq "NonCompliant" }
```
To check whether the property is available or not, use `$outVar | Get-Member`.

For more information, please refer to these MS docs: Get-AzPolicyState and Azure policy definition structure.
Upvotes: 1
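As an added example (my own script, not code from either poster), the following PowerShell pulls the non-compliant Key Vault states for one assignment and tries three places where `policyDefinitionGroupNames` could be found: the typed property (what `$outVar | Get-Member` would reveal), the `AdditionalProperties` dictionary the cmdlet fills with fields it does not model, and finally the Policy Insights REST API via `Invoke-AzRestMethod`, which is the same endpoint `az policy state list` calls and which returns the field in every record. It assumes `Az.Accounts` and `Az.PolicyInsights` are installed, `Connect-AzAccount` has been run, and that the assignment name is replaced with your own; `$assignmentName` and `$filter` are placeholder names I chose.

```powershell
# Added example, not from the question or the answer.
# Assumptions: Az.Accounts + Az.PolicyInsights installed, Connect-AzAccount already run,
# and $assignmentName replaced with the real policy assignment name.
$assignmentName = 'xxxxxxxxxxxxxxxxxxxxx'   # placeholder: your policy assignment name
$subscriptionId = (Get-AzContext).Subscription.Id
$filter = "ResourceType eq 'Microsoft.KeyVault/vaults' and ComplianceState eq 'NonCompliant'"

# --- 1 and 2: what the cmdlet itself gives you ---------------------------------
$states = Get-AzPolicyState -PolicyAssignmentName $assignmentName -Filter $filter

foreach ($state in $states) {
    # 1. Is there a typed property at all? (Null-safe equivalent of checking Get-Member output.)
    $typedProperty = $state.PSObject.Properties['PolicyDefinitionGroupNames']

    # 2. Fields the cmdlet does not model end up in AdditionalProperties (a dictionary);
    #    the question's output shows only complianceReasonCode there, so this may stay empty.
    $fromAdditional = $null
    if ($state.AdditionalProperties -and
        $state.AdditionalProperties.ContainsKey('policyDefinitionGroupNames')) {
        $fromAdditional = $state.AdditionalProperties['policyDefinitionGroupNames']
    }

    [pscustomobject]@{
        ResourceId          = $state.ResourceId
        DefinitionReference = $state.PolicyDefinitionReferenceId
        HasTypedProperty    = ($null -ne $typedProperty)
        GroupNamesFromDict  = $fromAdditional
    }
}

# --- 3: ask the Policy Insights REST API directly ------------------------------
# POST .../policyStates/latest/queryResults is the endpoint behind "az policy state list";
# its records carry policyDefinitionGroupNames regardless of what the cmdlet surfaces.
$path = "/subscriptions/$subscriptionId/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults" +
        "?api-version=2019-10-01&`$filter=" + [uri]::EscapeDataString($filter)

$response = Invoke-AzRestMethod -Method POST -Path $path
if ($response.StatusCode -ne 200) {
    throw "Policy Insights query failed: HTTP $($response.StatusCode) $($response.Content)"
}

# Filter client-side to the assignment of interest and flatten the group names,
# which is what you need to map a finding back to its benchmark control (e.g. dp-8).
($response.Content | ConvertFrom-Json).value |
    Where-Object { $_.policyAssignmentName -eq $assignmentName } |
    Select-Object resourceId, policyDefinitionReferenceId, complianceState,
                  @{ n = 'groupNames'; e = { $_.policyDefinitionGroupNames -join ',' } } |
    Format-Table -AutoSize
```

If step 3 is the only one that returns the group names, that confirms the gap is in the cmdlet's object model rather than in the data, and the REST fallback is a reasonable way to feed benchmark control IDs into a compliance report while still authenticating through the existing Az session.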