How To Export and Backup Azure Policy Definitions

| ,

Published on | Updated on January 24, 2021

3 Min. Read

In this article, I will share with you how to export and backup Azure Policy definitions with PowerShell.

Introduction

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by continuously evaluating your resources for non-compliance with assigned policies.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by continuously evaluating your resources for non-compliance with assigned policies.

In this article, I will share with you a PowerShell script that will help you to export Azure Policy (custom) definitions, and then upload them to an Azure storage account for backup. This comes in handy when working and updating many policies, so you can have a backup copy to revert back if needed, and this also helpful for auditing purposes. Please note that this approach is not perfect in any way, but I think it serves its purpose.

PowerShell script

Here is the script that will do the job for you. As a prerequisite, you need to have a storage account and one container with private access.

<#
.Synopsis
A script used to export and backup all Azure Policy custom definitions

.DESCRIPTION
A script used to get the list of all Azure Policy custom definitions in your Azure Subscription(s).
Finally, it will export the Policies into JSON files and then upload them to an Azure storage account.

.Notes
Created   : 2021-01-07
Version   : 1.0
Author    : Charbel Nemnom
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

# Define Variables
$date = Get-Date -Format "dd-MM-yyyy"
$storageAccountRG     = "rg-storage-backup"
$storageAccountName   = "storaccazpolicybackup01"
$storageContainerName = "azure-policies"

# Get Storage Account Key
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccountRG -AccountName $storageAccountName).Value[0]

# Set AzStorageContext
$destinationContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

# Generate SAS URI Token which is valid for 15 minutes ONLY
$containerSASURI = New-AzStorageContainerSASToken -Context $destinationContext -ExpiryTime(get-date).AddSeconds(900) -FullUri -Name $storageContainerName -Permission rw

# Export Azure Policy definitions
$policies = Get-AzPolicyDefinition | Where-Object {$_.Properties.PolicyType -eq "Custom"}
foreach ($policy in $policies) {
$policy.properties | ConvertTo-Json -Depth 12 | `
 Out-File "$($home)/clouddrive/Backup_$($policy.properties.DisplayName)_$date.json"
# Backup Azure Policy to Azure Storage
 azcopy cp "$($home)/clouddrive/Backup_$($policy.properties.DisplayName)_$date.json" $containerSASURI 
}

# Delete Azure Policies from the Azure Shell cloud drive
Remove-Item Backup* -Force

From the example above, I am performing the following steps:

  • Generate a temporary shared access signature (SAS) URI token for the container valid for 15 minutes with Read and Write permission.
  • Export all Azure Policy (custom) definitions as a JSON file.
  • Upload the Policies to a storage container using the AzCopy command-line.
  • Finally, delete the JSON files from the cloud shell drive.

Run the script

To run the script, you need to use the Azure Cloud Shell at (https://shell.azure.com), or you can use the Azure Cloud Shell Connector in Windows Terminal.

How To Export and Backup Azure Policy Definitions 1

The policies will be exported to the clouddrive path following the Policy Display name. In my example, I have 4 custom policies.

How To Export and Backup Azure Policy Definitions 2

Finally, switch to the storage account container and check the policies are uploaded as shown in the figure below.

How To Export and Backup Azure Policy Definitions 3

Please note that you can accomplish the same thing using Azure CLI, however, I prefer to use Azure PowerShell. Additionally, you can automate further and have it run on a scheduled basis.

Summary

In this article, I showed you how to export and backup Azure Policy definitions with PowerShell.

Azure Cloud Shell is so powerful, you don’t need to install Azure CLI or PowerShell modules locally on your machine to automate your tasks.

This is version 1.0 of this tool, do you want additional features? Please feel free to leave a comment below.

Hope this helps!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts

Previous

Export All NSG Rules from All Azure Subscriptions With PowerShell

Sync Between Azure File Share and Azure Blob Container

Next

Leave a comment below...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Charbel Nemnom’s Blog

Get the latest posts delivered right to your inbox

The content of this website is copyrighted from being plagiarized! You can copy from the 'Code Blocks' in Black.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!