Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify non-compliant resources using Azure CLI. The policy is assigned to a resource group and audits virtual machines that don't use managed disks. After you create the policy assignment, you identify non-compliant virtual machines.
Azure CLI is used to create and manage Azure resources from the command line or in scripts. This guide uses Azure CLI to create a policy assignment and to identify non-compliant resources in your Azure environment.
When assigning a built-in policy or initiative definition, it's optional to reference a version. Policy assignments of built-in definitions default to the latest version and automatically inherit minor version changes unless otherwise specified.
Prerequisites
- If you don't have an Azure account, create a trial account before you begin.
- Azure CLI.
- Visual Studio Code.
Microsoft.PolicyInsightsmust be registered in your Azure subscription. To register a resource provider, you must have permission to register resource providers. That permission is included in the Contributor and Owner roles.- A resource group with at least one virtual machine that doesn't use managed disks.
Connect to Azure
From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace <subscriptionID> with your Azure subscription ID.
az login
# Run these commands if you have multiple subscriptions
az account list --output table
az account set --subscription <subscriptionID>
Register resource provider
When a resource provider is registered, it's available to use in your Azure subscription.
To verify if Microsoft.PolicyInsights is registered, run Get-AzResourceProvider. The resource provider contains several resource types. If the result is NotRegistered run Register-AzResourceProvider:
az provider show \
--namespace Microsoft.PolicyInsights \
--query "{Provider:namespace,State:registrationState}" \
--output table
az provider register --namespace Microsoft.PolicyInsights
The Azure CLI commands use a backslash (\) for line continuation to improve readability. For more information, go to az provider.
Create policy assignment
Use the following commands to create a new policy assignment for your resource group. This example uses an existing resource group that contains a virtual machine without managed disks. The resource group is the scope for the policy assignment. This example uses the built-in policy definition Audit VMs that do not use managed disks.
Run the following commands and replace <resourceGroupName> with your resource group name:
rgid=$(az group show --resource-group <resourceGroupName> --query id --output tsv)
definition=$(az policy definition list \
--query "[?displayName=='Audit VMs that do not use managed disks']".name \
--output tsv)
The rgid variable stores the resource group ID. The definition variable stores the policy definition's name, which is a GUID.
Run the following command to create the policy assignment:
az policy assignment create \
--name 'audit-vm-managed-disks' \
--display-name 'Audit VM managed disks' \
--scope $rgid \
--policy $definition \
--description 'Azure CLI policy assignment to resource group'
namecreates the policy assignment name used in the assignment'sResourceId.display-nameis the name for the policy assignment and is visible in Azure portal.scopeuses the$rgidvariable to assign the policy to the resource group.policyassigns the policy definition stored in the$definitionvariable.descriptioncan be used to add context about the policy assignment.
The results of the policy assignment resemble the following example:
"description": "Azure CLI policy assignment to resource group",
"displayName": "Audit VM managed disks",
"enforcementMode": "Default",
"id": "/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks",
"identity": null,
"location": null,
"metadata": {
"createdBy": "11111111-1111-1111-1111-111111111111",
"createdOn": "2024-02-23T18:42:27.4780803Z",
"updatedBy": null,
"updatedOn": null
},
"name": "audit-vm-managed-disks",
If you want to redisplay the policy assignment information, run the following command:
az policy assignment show --name "audit-vm-managed-disks" --scope $rgid
For more information, go to az policy assignment.
Identify non-compliant resources
The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state.
Use the following command to identify resources that aren't compliant with the policy assignment you created:
policyid=$(az policy assignment show \
--name "audit-vm-managed-disks" \
--scope $rgid \
--query id \
--output tsv)
az policy state list --resource $policyid --filter "(isCompliant eq false)"
The policyid variable uses an expression to get the policy assignment's ID. The filter parameter limits the output to non-compliant resources.
The az policy state list output is verbose, but for this article the complianceState shows NonCompliant:
"complianceState": "NonCompliant",
"components": null,
"effectiveParameters": "",
"isCompliant": false,
For more information, go to az policy state.
Clean up resources
To remove the policy assignment, run the following command:
az policy assignment delete --name "audit-vm-managed-disks" --scope $rgid
To sign out of your Azure CLI session:
az logout
Next steps
In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment.
To learn more about how to assign policies that validate resource compliance, continue to the tutorial.