Raymondo

Reputation: 587

Get-AzPolicyExemption and -Match

I am trying to loop around all of our subscriptions and get Policy Exemptions, but only get the ones that we have created. The loop appears fine, but the Match element appears to bring back some Exemptions that don't meet the -Match criteria.

$allSubscriptions = Get-AzSubscription

$baseFolder = "C:\source\PowerShell Exemptions Dump\"

# loop subscriptions
foreach($sub in $allSubscriptions){
    $subName = $sub.Name

    # Get Exemptions at Sub level
    Set-AzContext -Subscription $subName

    # Write to File
    $exemptionsIn = Get-AzPolicyExemption|ConvertTo-Json
    $fileName = $baseFolder + $subName + ".json"
    $exemptionsOut = ''

    foreach($ex in $exemptionsIn|ConvertFrom-Json){
        if($ex.Properties.PolicyAssignmentId -Match "abc") {
            $exemptionsOut += $ex|ConvertTo-Json 
        }
    }

    if ($exemptionsOut -ne '') {
        $exemptionsOut | Out-File -filepath $fileName 
        $exemptionsOut = ''
    }
}

It does work to a certain extent, i.e. if a Subscription has a 0% match in everything it brings back, then it doesn't create a file, but it appears that if it finds one match, it then saves Exemptions to the file that don't match.

Here is some example Json that was saved to one of the files:

[
    {
        "Properties":  {
                           "PolicyAssignmentId":  "/providers/Microsoft.Management/managementGroups/abc-mg/providers/Microsoft.Authorization/policyAssignments/abc-mg",
                           "PolicyDefinitionReferenceIds":  "",
                           "ExemptionCategory":  "Waiver",
                           "DisplayName":  "abc - abc-mg Policy Assignment",
                           "Description":  "AIB Testing",
                           "ExpiresOn":  "\/Date(1662134400000)\/",
                           "Metadata":  ""
                       },
        "SystemData":  null,
        "Name":  "456",
        "ResourceId":  "/subscriptions/123/providers/Microsoft.Authorization/policyExemptions/789",
        "ResourceName":  "456",
        "ResourceGroupName":  null,
        "ResourceType":  "Microsoft.Authorization/policyExemptions",
        "SubscriptionId":  "123"
    },
    {
        "Properties":  {
                           "PolicyAssignmentId":  "/providers/Microsoft.Management/managementGroups/root-mg/providers/Microsoft.Authorization/policyAssignments/111",
                           "PolicyDefinitionReferenceIds":  "installEndpointProtection",
                           "ExemptionCategory":  "Waiver",
                           "DisplayName":  "root-mg - Azure Security Benchmark",
                           "Description":  "currently use sophos and not defender",
                           "ExpiresOn":  null,
                           "Metadata":  ""
                       },
        "SystemData":  null,
        "Name":  "345",
        "ResourceId":  "/providers/Microsoft.Management/managementGroups/root-mg/providers/Microsoft.Authorization/policyExemptions/345",
        "ResourceName":  "345",
        "ResourceGroupName":  null,
        "ResourceType":  "Microsoft.Authorization/policyExemptions",
        "SubscriptionId":  null
    }
]

Finally, I don't appear to get all Exemptions back in this loop, i.e. some are set at Resource Group or Resource level. Do I need to drill further beyond Set-AzContext?

Upvotes: 0

Views: 430

Answers (1)

SwethaKandikonda

Reputation: 8234

After reproducing the same code from my end, I was able to see the expected results. However, make sure you are checking the right file and the location to which you are sending your data.

Finally, I don't appear to get all Exemptions back in this loop i.e. some are set at Resource Group or Resource Level.

This might be due to the scope that you are looking into. After setting the scope to the required level I was able to get the expected results. Below is the code that worked for me.

$Resource = Get-AzResource -ResourceGroupName <YOUR_RESOURCEGROUP_NAME>
for($I=0;$I -lt $Resource.ResourceId.Count;$I++)
{
    # exemptions that exist at this resource's own scope
    $a=Get-AzPolicyExemption -Scope $Resource.ResourceId[$I]
    for($J=0;$J -lt $a.Count;$J++)
    {
        If($a.ResourceId[$J] -Match $Resource.ResourceId[$I])
        {
            $exemptionsIn = Get-AzPolicyExemption -Scope $Resource.ResourceId[$I] | ConvertTo-Json
            $fileName = "sample2" + ".json"
            $exemptionsOut = ''

            foreach($ex in $exemptionsIn|ConvertFrom-Json){
                # -Match takes a regex: "Swetha*" means "Sweth" followed by zero or more "a"
                if($ex.Properties.PolicyAssignmentId -Match "Swetha*") {
                    $exemptionsOut += $ex|ConvertTo-Json
                }
            }

            # Out-File without -Append overwrites sample2.json on every matching resource
            if ($exemptionsOut -ne '') {
                $exemptionsOut | Out-File -filepath $fileName
                $exemptionsOut = ''
            }
        }
    }
}

I have a few policy exemptions in my subscription, but the above script gave me the results at the Resource level which -Match with Swetha.

RESULTS: (screenshot of the output, not reproduced here)

Upvotes: 1
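One way to combine the filtering from the question with the wider scope walk from the answer in a single script (an added example, not code from the question or the answer). It assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has already been run, and that the installed Az.Resources exposes Get-AzPolicyExemption's -IncludeDescendent switch; Export-MatchingExemptions, $Pattern and $OutFolder are names chosen here.

```powershell
# Added example, not code from the question or the answer. Assumes Az.Accounts and
# Az.Resources are installed and Connect-AzAccount has been run with an account that
# can read policy exemptions. Export-MatchingExemptions, $Pattern, $OutFolder are
# names chosen for this example.
function Export-MatchingExemptions {
    param(
        [Parameter(Mandatory)] [string] $Pattern,      # literal text expected in PolicyAssignmentId
        [string] $OutFolder = 'C:\source\PowerShell Exemptions Dump'
    )

    # -Match is a regex operator: "abc*" means "ab followed by zero or more c" and "."
    # matches any character. Escape the literal so it is compared as plain text.
    $regex = [regex]::Escape($Pattern)

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        # -IncludeDescendent (assumed available in the installed Az.Resources) returns
        # exemptions created at resource-group and resource scope as well as the
        # subscription itself, so the lower scopes need not be walked by hand.
        $all = @(Get-AzPolicyExemption -IncludeDescendent -ErrorAction Stop)

        # Keep objects, not JSON text: appending "$ex | ConvertTo-Json" strings with +=
        # glues one object to the next, which is not a valid JSON document.
        $matched = @($all |
            Where-Object { $_.Properties.PolicyAssignmentId -match $regex } |
            Sort-Object -Property ResourceId -Unique)   # dedupe if a scope is seen twice

        if ($matched.Count -eq 0) { continue }           # nothing of ours here, no empty file

        # -InputObject keeps the array wrapper even when exactly one exemption matched;
        # piping a single object would emit a bare {...} instead of [ {...} ].
        $json = ConvertTo-Json -InputObject $matched -Depth 10

        # subscription names may contain characters that are not valid in file names
        $safeName = $sub.Name -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path $OutFolder ("{0}.json" -f $safeName)
        $json | Out-File -FilePath $file -Encoding utf8

        Write-Host ("{0}: {1} of {2} exemptions matched '{3}'" -f $sub.Name, $matched.Count, $all.Count, $Pattern)
    }
}

Export-MatchingExemptions -Pattern 'abc-mg'
```

If a wildcard is intended rather than a regex, use -like with a pattern such as '*abc-mg*' instead of -match.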
