✅ Get Azure Policy Compliance State with PowerShell


💡 News category: Programming
🔗 Source: dev.to

Working with Azure Policy means that you will have to deal with non-compliant resources. You can see them by going to an Azure Policy assignment and clicking on “View Compliance”, or simply by going to the “Compliance” page in Azure Policy. This is a manual process; what if we could automate it a little?
To deal with non-compliant resources we need to use the Get-AzPolicyState cmdlet. With no parameters, you will get all resources evaluated by any policy in the current subscription for the last day. You can get resources from up to the last 90 days by using -From and -To.

$toToday = Get-Date
$90DaysBefore = $toToday.AddDays(-90)
Get-AzPolicyState -from $90DaysBefore -to $toToday

You can filter by subscription ID:

Get-AzPolicyState -from $90DaysBefore -to $toToday -SubscriptionId XXXX-XXXX-XXX

By policy assignment name:

Get-AzPolicyState -from $90DaysBefore -to $toToday -PolicyAssignmentName SecurityCenterBuiltIn

But be careful: -PolicyAssignmentName only works if the policy is assigned to a subscription. You will get no result if the assignment is at the management group level.

Or by a management group:

Get-AzPolicyState -from $90DaysBefore -to $toToday -ManagementGroupName rootomiossec

In this case, you will not be able to use the -PolicyAssignmentName parameter.

Now, imagine you need to get only non-compliant resources of a given type; for example, you want to list only non-compliant storage accounts. That is where you will need the -Filter parameter. This parameter uses OData notation to query the result from Get-AzPolicyState.

Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and ResourceType eq 'Microsoft.Storage/storageAccounts'"

With the -Filter parameter you can query the policy state by assignment name even if the assignment is at the management group scope.

Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and ResourceType eq 'Microsoft.Storage/storageAccounts' and PolicyAssignmentName eq 'ca4ce57bdb00420b8a34b759'"

You can restrict the output by using the -Select parameter, which works like the Select-Object cmdlet. The parameter accepts a list of fields you want to see in the result.

Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and ResourceType eq 'Microsoft.Storage/storageAccounts' and PolicyAssignmentName eq 'ca4ce57bdb00420b8a34b759'" -Select "ResourceId, ResourceLocation, ResourceGroup"

You can also apply aggregation functions to the result you get.
For example, you can get the number of affected resources:

Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and ResourceType eq 'Microsoft.Storage/storageAccounts' and PolicyAssignmentName eq 'ca4ce57bdb00420b8a34b759'" -Apply "aggregate(`$count as NumberOfResource)"

You will have something like:

AdditionalProperties : {[NumberOfResource, 16]}

You can also get the value directly:

(Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and ResourceType eq 'Microsoft.Storage/storageAccounts' and PolicyAssignmentName eq 'ca4ce57bdb00420b8a34b759'" -Apply "aggregate(`$count as NumberOfResource)").AdditionalProperties.NumberOfResource

The -Apply parameter uses OData notation to form the query. You can group results to perform further calculations.

Get-AzPolicyState -Filter "ResourceType eq 'Microsoft.Storage/storageAccounts' " -Apply "groupby((PolicyAssignmentName, ResourceId))/groupby((PolicyAssignmentName), aggregate(`$count as NumNonCompliantResources))"

Here, the cmdlet groups resources by policy assignment (PolicyAssignmentName), then counts the resources in each group with $count and returns the count as NumNonCompliantResources.

Get-AzPolicyState is less intuitive than other Azure cmdlets: you need to use OData to perform some calculations. Fortunately, if you are not familiar with OData, you can still use Where-Object with -FilterScript to obtain the same result. Also, remember that you will get no result if you try to use -PolicyAssignmentName when the assignment is at the management group level.
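The Where-Object route mentioned above can be sketched as follows. This is an added example, not code from the original post: it reproduces the non-compliant filter and the per-assignment count on the client side. The function name Get-NonCompliantSummary and the sample records are constructed for illustration; the property names are the ones used in the -Filter and -Select queries above.

```powershell
function Get-NonCompliantSummary {
    [CmdletBinding()]
    param(
        # Policy state records, e.g. the output of Get-AzPolicyState
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$PolicyState,

        # Resource type to report on (same value as the article's filter)
        [string]$ResourceType = 'Microsoft.Storage/storageAccounts'
    )
    begin   { $records = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($r in $PolicyState) { $records.Add($r) } }
    end {
        $records |
            Where-Object -FilterScript {
                $_.ComplianceState -eq 'NonCompliant' -and
                $_.ResourceType -eq $ResourceType
            } |
            Group-Object -Property PolicyAssignmentName |
            ForEach-Object {
                # One assignment can yield several records for the same resource
                # (one per policy definition), so count distinct resource IDs.
                $ids = @($_.Group.ResourceId | Sort-Object -Unique)
                [pscustomobject]@{
                    PolicyAssignmentName     = $_.Name
                    NumNonCompliantResources = $ids.Count
                    ResourceId               = $ids
                }
            } |
            Sort-Object -Property NumNonCompliantResources -Descending
    }
}

# Constructed sample records (not real tenant data), shaped like policy state output.
$sample = @'
PolicyAssignmentName,ComplianceState,ResourceType,ResourceId
SecurityCenterBuiltIn,NonCompliant,Microsoft.Storage/storageAccounts,/constructed/sa1
SecurityCenterBuiltIn,NonCompliant,Microsoft.Storage/storageAccounts,/constructed/sa1
SecurityCenterBuiltIn,NonCompliant,Microsoft.Storage/storageAccounts,/constructed/sa2
SecurityCenterBuiltIn,Compliant,Microsoft.Storage/storageAccounts,/constructed/sa3
SecurityCenterBuiltIn,NonCompliant,Microsoft.Compute/virtualMachines,/constructed/vm1
ca4ce57bdb00420b8a34b759,NonCompliant,Microsoft.Storage/storageAccounts,/constructed/sa1
'@ | ConvertFrom-Csv

$sample | Get-NonCompliantSummary |
    Format-Table PolicyAssignmentName, NumNonCompliantResources

# Against a live subscription (needs the Az.PolicyInsights module and a signed-in session):
# Get-AzPolicyState -From (Get-Date).AddDays(-90) -To (Get-Date) | Get-NonCompliantSummary
```

Filtering on the client pulls every record over the wire first, so on large scopes the server-side -Filter and -Apply queries remain the cheaper option.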

...
