
Differences between Get-AzPolicyState from PowerShell and az policy state list from az cli

If I run the command

Get-AzPolicyState -PolicyAssignmentName "xxxxxxxxxxxxxxxxxxxxx" -Filter "ResourceType eq 'Microsoft.KeyVault/vaults'" # | where-object { $_.ComplianceState -eq "NonCompliant" }

I get an example response:

Timestamp                   : 22/04/2022 11:38:58
ResourceId                  : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/group_name/providers/microsoft.keyvault/vaults/resouce_name
PolicyAssignmentId          : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/policyassignments/xxxxxxxxxxxxxxxxxx
PolicyDefinitionId          : /providers/microsoft.authorization/policydefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
IsCompliant                 : False
SubscriptionId              : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ResourceType                : Microsoft.KeyVault/vaults
ResourceLocation            : northeurope
ResourceGroup               : neu-rg-dev-bicep
ResourceTags                : tbd
PolicyAssignmentName        : xxxxxxxxxxxxxxxxxxxxxx
PolicyAssignmentOwner       : tbd
PolicyAssignmentScope       : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionName        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionAction      : audit
PolicyDefinitionCategory    : tbd
PolicySetDefinitionId       : /providers/Microsoft.Authorization/policySetDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicySetDefinitionName     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicySetDefinitionCategory : security center
ManagementGroupIds          : MSDN,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionReferenceId : keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect
ComplianceState             : NonCompliant
AdditionalProperties        : {[complianceReasonCode, ]}

The corresponding command with Az CLI is

az policy state list --filter "ResourceType eq 'Microsoft.KeyVault/vaults'" --query "[?complianceState=='NonCompliant']"

And the result:

  {
    "complianceReasonCode": "",
    "complianceState": "NonCompliant",
    "components": null,
    "effectiveParameters": "",
    "isCompliant": false,
    "managementGroupIds": "MSDN,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "odataContext": "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataId": null,
    "policyAssignmentId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/policyassignments/xxxxxxxxxxxxxxxxxx",
    "policyAssignmentName": "a26a6876d6c14a45b79d547f",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "audit",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [
      "azure_security_benchmark_v3.0_dp-8"
    ],
    "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policyDefinitionName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policyDefinitionReferenceId": "keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect",
    "policyDefinitionVersion": "2.0.0",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "security center",
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policySetDefinitionName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "47.0.0",
    "resourceGroup": "group_name",
    "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/group_name/providers/microsoft.keyvault/vaults/resource_name",
    "resourceLocation": "northeurope",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.KeyVault/vaults",
    "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "timestamp": "2022-04-22T11:38:58.831865+00:00"
  }

As we can see, there is some information that is not in the PowerShell version. One of the properties with a big impact is policyDefinitionGroupNames.

Does anyone know a way to get that property using powershell?


As suggested by @Todd above, we have tried the same approach to get the property you are looking for.

Try the cmdlets below:

$outVar = Get-AzPolicyState -PolicyAssignmentName "xxxxxxxxx0" -Filter "ResourceType eq 'Microsoft.KeyVault/vaults'" # | where-object { $_.ComplianceState -eq "NonCompliant" }


To check whether the property is available or not, use $outVar | Get-Member


For more information, please refer to the MS docs: Get-AzPolicyState and Azure Policy definition structure.
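An added example (not from the question or the answer) that puts the Get-Member check into a script: it inspects the Get-AzPolicyState output for policyDefinitionGroupNames, and if the cmdlet does not surface it, queries the assignment-scoped Policy Insights REST endpoint (the data source the CLI reads) through Invoke-AzRestMethod, whose JSON does carry the field. The subscription ID and assignment name are placeholders.

```powershell
# Added example: find policyDefinitionGroupNames from PowerShell.
# Placeholders: replace the subscription ID and assignment name with your own.
$subscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # placeholder
$assignmentName = 'xxxxxxxxxxxxxxxxxxxxx'                  # placeholder
$filter         = "ResourceType eq 'Microsoft.KeyVault/vaults'"

# Step 1: what the cmdlet returns, and whether the property is exposed anywhere
# (top-level member or inside the AdditionalProperties dictionary).
$states = Get-AzPolicyState -PolicyAssignmentName $assignmentName -Filter $filter |
    Where-Object { $_.ComplianceState -eq 'NonCompliant' }
$first = $states | Select-Object -First 1
if (-not $first) { Write-Warning 'No non-compliant states returned'; return }

$hasTopLevel = $null -ne $first.PSObject.Properties['PolicyDefinitionGroupNames']
$hasExtra    = $first.AdditionalProperties -and
               $first.AdditionalProperties.ContainsKey('policyDefinitionGroupNames')

if ($hasTopLevel -or $hasExtra) {
    # Exposed by this Az.PolicyInsights build: read it from wherever it lives.
    $states | ForEach-Object {
        [pscustomobject]@{
            ResourceId = $_.ResourceId
            GroupNames = if ($hasTopLevel) { $_.PolicyDefinitionGroupNames }
                         else { $_.AdditionalProperties['policyDefinitionGroupNames'] }
        }
    }
    return
}

# Step 2: fallback. Call the assignment-scoped Policy Insights query endpoint
# directly; its JSON includes policyDefinitionGroupNames, as the CLI output shows.
# The $filter value must be URL-encoded. Only the first page is read here;
# follow '@odata.nextLink' in the response for large result sets.
$path = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization" +
        "/policyAssignments/$assignmentName/providers/Microsoft.PolicyInsights" +
        "/policyStates/latest/queryResults?api-version=2019-10-01" +
        '&$filter=' + [uri]::EscapeDataString($filter)

$resp = Invoke-AzRestMethod -Method POST -Path $path
if ($resp.StatusCode -ne 200) {
    throw "Policy Insights query failed: $($resp.StatusCode) $($resp.Content)"
}

($resp.Content | ConvertFrom-Json).value |
    Where-Object { $_.complianceState -eq 'NonCompliant' } |
    Select-Object resourceId, policyDefinitionReferenceId, policyDefinitionGroupNames
```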
