On-demand Azure Policy Scan

2 minute read

When moving to a DevOps way of working it is important to have a good set of rules on how to work with software and infrastructure. When looking into Azure this rule set can be converted into Azure Policy and policies rules.

Azure policies enforce rules and effects over the resources, so those resources stay compliant with your standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain location in your platform. Once this policy is implemented, new and existing resources are evaluated for compliance. For more information look at the documentation here.

As mentioned policies govern your Azure Subscription. The compliance of the platform is checked via the Portal or command line scripting. But when does the platform check the compliance of the resources?

Compliance check

The evaluation of the policies take place on the following events:

  • New policy assignment. ( ~30 minutes).
  • Updated assignment of a existing policy. (~ 30 minutes)
  • Deployment of a resources. (~15 minutes)
  • Every 24 hours
  • Update of the resource provider
  • On-demand (~3 minutes)

As described on the above list it can take a while for the policies are checked. If you want the fasted possible feedback you will need to do an on-demand scan.

On-demand

Via the rest API a on-demand scan of the policies can be triggered. When using this method information about the compliance will be available in around 3 minutes. Triggering can be done on resource group or on a Azure subscription.

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview

Subscription (Post)

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{ResourceGroup}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview

Resource Group (Post)

PowerShell

These API calls can be added in a simple PowerShell script to trigger the evaluation. The below example is a script to trigger the evaluation on every subscription you have access to.

$account = Get-AzContext
if ($null -eq $account.Account) {
    Write-Output("Account Context not found, please login")
    Connect-AzAccount
}

$subscriptions = Get-AzSubscription

foreach($subscription in $subscriptions){
    Set-AzContext -Subscription $subscription

    $SubscriptionId = $subscription.Id

    $azContext = Get-AzContext
    $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
    $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
    $token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)

    $authHeader = @{
        'Content-Type'='application/json'
        'Authorization'='Bearer ' + $token.AccessToken
    }

    $restUri = "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview"