Get The List of Non-Compliant Azure Resources With PowerShell


In this article, I will share with you how to get the list of non-compliant Azure resources to be remediated in all your Azure subscriptions with PowerShell.

A common theme in cloud environments today is to enforce organizational standards and adopt cloud governance from day one. This matters because governance gives you the ability to define policies, processes, and procedures: the policies dictate what can be done, and the tooling verifies that what already exists is correct. Azure Policy, a service from Microsoft, is a great way to make that happen.

Introduction

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by continuously evaluating your resources for non-compliance with assigned policies.

With Azure Policy, you can leverage automatic remediation through the “deployIfNotExists” effect, which lets you remediate newly deployed resources as well as existing resources in your environment. Note that the effect is applied automatically only to resources created or updated after the assignment; existing resources show up as non-compliant until a remediation task is started for them. To understand how a “DeployIfNotExists” policy definition is evaluated, please check the official documentation from Microsoft here.

I have recently come across a challenging scenario where I wanted to find all my non-compliant Azure resources that need remediation, so I could take corrective action and make sure that every resource is compliant with my policy.

This is of course a very simple task if you look at the ‘Compliance’ page of Azure Policy in the Azure Portal. But what if you have a lot of policies and resources, spread over many subscriptions, that you want to look at?

As you know, using the Azure Portal is not efficient to get this data. In this particular scenario, I want to get the list of all non-compliant Azure resources before I remediate them, so I can report back to the compliance and security department.

After some digging, I found that I can pull the non-compliant policy state for each of my Azure resources with PowerShell.

Get the list of non-compliant resources

Assuming you have the right permissions (at least Reader on the subscriptions, since policy states are read through the PolicyInsights resource provider) and the latest Az and Az.PolicyInsights PowerShell modules installed, log in with Connect-AzAccount if NOT using Cloud Shell and run the following script:

# Login with Connect-AzAccount if not using Cloud Shell
Connect-AzAccount

# Get all enabled Azure subscriptions (Set-AzContext fails on disabled ones)
$azSubs = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }

# Loop through all Azure subscriptions
foreach ($azSub in $azSubs) {
    Set-AzContext -SubscriptionId $azSub.Id | Out-Null

    # Start a fresh report for every subscription; otherwise entries from the
    # previous subscriptions accumulate and are written into every file
    $azPolicy = @()

    # Get-AzPolicyState returns the latest evaluation of each resource/policy pair in the
    # current subscription (add -All for historical states). Keep only non-compliant results
    # produced by deployIfNotExists policies; -eq is case-insensitive in PowerShell
    $nonCompliantResources = Get-AzPolicyState |
        Where-Object { $_.ComplianceState -eq "NonCompliant" -and $_.PolicyDefinitionAction -eq "deployIfNotExists" }

    # Loop through each non-compliant Azure resource to get the details
    foreach ($resource in $nonCompliantResources) {
        $resourceName     = $resource.ResourceId.Split('/')[-1]
        $resourceType     = $resource.ResourceType
        $complianceState  = $resource.ComplianceState
        $resourceGroup    = $resource.ResourceGroup
        $resourceLocation = $resource.ResourceLocation

        $azPolicy += @(("Resource Name: " + $resourceName), ("Resource Type: " + $resourceType), `
                       ("Compliance State: " + $complianceState), ("Resource Group: " + $resourceGroup), `
                       ("Resource Location: " + $resourceLocation), ("Subscription Name: " + $azSub.Name))
        $azPolicy += " "
    }

    # Save the non-compliant report for this subscription. Subscription names may contain
    # characters that are not valid in file names, so replace them before using the name as a path
    $azSubName = $azSub.Name -replace '[\\/:*?"<>|]', '_'
    $azPolicy | Set-Content -Path ".\$azSubName.txt"
}

From the example above, I am pulling the following information:

  • Resource Name
  • Resource Type
  • Compliance State
  • Resource Group Name
  • Resource Location (region)
  • Azure Subscription Name

One report per subscription is saved in the current working directory, named after the Azure Subscription.

In my example, the output looks like this.


That’s it, there you have it!
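A plain-text file per subscription is fine for a quick look, but the compliance and security department usually wants one table it can filter, and once the list has been reviewed the next step is to actually start the remediation. The following is an added example (not the script from the original post) that extends the same Get-AzPolicyState query in two ways: it writes a single CSV across all subscriptions, adding the policy assignment and definition so each row can be traced back to the policy that flagged it, and it can optionally create one remediation task per assignment with Start-AzPolicyRemediation. Assumptions: Az.Accounts and Az.PolicyInsights are installed, Connect-AzAccount has already been run, the file name $OutFile is a placeholder you can change, and remediation stays off unless you set $StartRemediation to $true, because listing must never change anything by itself.

```powershell
# Added example, not part of the original post.
# Assumes Connect-AzAccount has been run and Az.PolicyInsights is installed.
$OutFile          = ".\NonCompliant-DeployIfNotExists.csv"   # placeholder path
$StartRemediation = $false                                   # set to $true to create remediation tasks

$report = foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Latest evaluation only (default); -All would also return historical states
    Get-AzPolicyState |
        Where-Object { $_.ComplianceState -eq 'NonCompliant' -and $_.PolicyDefinitionAction -eq 'deployIfNotExists' } |
        ForEach-Object {
            [pscustomobject]@{
                SubscriptionName            = $sub.Name
                SubscriptionId              = $sub.Id
                ResourceGroup               = $_.ResourceGroup
                ResourceName                = ($_.ResourceId -split '/')[-1]
                ResourceType                = $_.ResourceType
                ResourceLocation            = $_.ResourceLocation
                PolicyAssignmentName        = $_.PolicyAssignmentName
                PolicyAssignmentId          = $_.PolicyAssignmentId
                PolicyDefinitionName        = $_.PolicyDefinitionName
                PolicyDefinitionReferenceId = $_.PolicyDefinitionReferenceId   # set only for initiatives
                Evaluated                   = $_.Timestamp
            }
        }
}

# One table for all subscriptions; -NoTypeInformation keeps the first line a real header
$report | Export-Csv -Path $OutFile -NoTypeInformation
"{0} non-compliant resource/policy pairs written to {1}" -f @($report).Count, $OutFile

if ($StartRemediation) {
    # Remediation tasks are created per policy assignment (and per definition reference inside an
    # initiative), not per resource: one task covers every non-compliant resource of that assignment
    $report | Group-Object SubscriptionId, PolicyAssignmentId, PolicyDefinitionReferenceId | ForEach-Object {
        $first = $_.Group[0]
        Set-AzContext -SubscriptionId $first.SubscriptionId | Out-Null   # task scope defaults to this subscription

        $params = @{
            Name               = "remediate-$(Get-Date -Format yyyyMMddHHmmss)-$($first.PolicyAssignmentName)"
            PolicyAssignmentId = $first.PolicyAssignmentId
        }
        if ($first.PolicyDefinitionReferenceId) {
            $params.PolicyDefinitionReferenceId = $first.PolicyDefinitionReferenceId
        }
        Start-AzPolicyRemediation @params
    }
}
```

Run it once with $StartRemediation left at $false, hand the CSV to whoever signs off, and only then rerun with remediation enabled. The managed identity of each policy assignment must hold the role the deployIfNotExists definition declares (for example Contributor or a resource-specific role), otherwise the remediation task is created but its deployments fail; you can follow each task with Get-AzPolicyRemediation.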

I am planning to improve this small tool in the future. If you have any feedback or changes that would benefit everyone, please feel free to share your thoughts in the comment section below.

Summary

In this article, I showed you how to get the list of non-compliant Azure resources to be remediated across all your Azure subscriptions with PowerShell.

To learn more on how to enable diagnostic settings using Azure Policy, please check the following guide.

To learn more on how to find diagnostic settings configuration for Azure resources, please check the following guide.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
