Trigger an on-demand Azure Policy evaluation scan at Management Group scope

If you are working with Azure Policy you must know about the on-demand Azure Policy evaluation scan that Azure allows you to trigger. Currently, you can only trigger the compliance evaluation at your current subscription context or for a resource group. If your policy is applied at the management group level that contains a lot of subscriptions, triggering the compliance scan for every subscription manually sounds painful.

In this article, let’s see how we can get a list of respective subscriptions under a management group and trigger Azure Policy compliance evaluation at a management group scope.

Triggering Azure Policy compliance evaluation is not new. When an on-demand evaluation scan is triggered, Azure Policy first determines all policies assigned to the scope of the trigger. It then performs a GET request on each resource in the scope and checks the compliance state of that resource based on the GET response.

There are several use cases for this. A very common one is when you deploy Azure resources in a CI/CD pipeline and want to use Azure Policy to verify resource compliance. Instead of waiting for the next scheduled evaluation, which can take 30-60 minutes or more, you need to trigger the evaluation immediately. Once you have the compliance state you can decide the next step for the resources (e.g. trigger remediation to bring the resource configuration to the expected compliant state).

Approach

To trigger on-demand evaluation, we first need to get the list of subscriptions under the target management group. The quickest way is to use Resource Graph Explorer below:

resourcecontainers 
| where type == 'microsoft.resources/subscriptions' 
| mv-expand mgAncestor = properties.managementGroupAncestorsChain 
| extend state = properties.state 
| where mgAncestor.name =~ 'enterprise-group' 
| where state == "Enabled" 
| summarize count() by subscriptionId

The query above lists all enabled subscriptions under the management group whose id is enterprise-group. The benefit of using a Resource Graph query is that you don't have to deal with multiple nested objects, as you would in PowerShell.

The managementGroupAncestorsChain property returned by the Resource Graph query contains the full chain of parent management groups, up to the root, for each subscription.

Now you can integrate the Resource Graph query into either an Azure CLI or a PowerShell script.

target_management_group="enterprise-group"
query="resourcecontainers | where type == 'microsoft.resources/subscriptions' | mv-expand mgAncestor = properties.managementGroupAncestorsChain | extend state = properties.state | where mgAncestor.name =~ '${target_management_group}' | where state == 'Enabled' | summarize count() by subscriptionId"

subscription_ids=$(az graph query -q "${query}" --query 'data[].subscriptionId' -o tsv)

Once you have the list of subscriptions you can simply loop over it and trigger the evaluation for each one using az policy state trigger-scan:

for subscription_id in ${subscription_ids}; do az policy state trigger-scan --subscription "${subscription_id}" --no-wait; done
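The same procedure as an added example (not the post's script and not the linked full script): a POSIX shell version that validates the management group id and the returned subscription ids before they are passed to az, de-duplicates the list, and reports how many scans were triggered. It assumes the Azure CLI resource-graph extension is installed and a logged-in session; AZ_CMD is a hypothetical hook for stubbing az, not an Azure CLI feature.

```shell
# Added example, not the post's script: trigger an on-demand Azure Policy
# evaluation for every enabled subscription under one management group.
# Assumes Azure CLI with the resource-graph extension and a logged-in session;
# AZ_CMD is a hypothetical hook for stubbing az in tests, not a CLI feature.
set -eu
AZ_CMD="${AZ_CMD:-az}"

# Management group ids use letters, digits, '-', '_', '.', '(' and ')'; reject
# anything else so the id cannot change the meaning of the KQL it is put into.
is_management_group_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.()-]+$'
}

# Subscription ids must be GUIDs; any other output line is never passed to az.
is_subscription_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Resource Graph query for the enabled subscriptions under the group.
build_query() {
  printf '%s' "resourcecontainers | where type == 'microsoft.resources/subscriptions' | mv-expand mgAncestor = properties.managementGroupAncestorsChain | where mgAncestor.name =~ '$1' | where properties.state == 'Enabled' | distinct subscriptionId"
}

# Print one subscription id per line, CR-stripped and de-duplicated.
list_subscriptions() {
  is_management_group_id "$1" || { echo "invalid management group id: $1" >&2; return 1; }
  "$AZ_CMD" graph query -q "$(build_query "$1")" \
    --query 'data[].subscriptionId' -o tsv | tr -d '\r' | sort -u
}

# Read ids from stdin, trigger a scan per valid id, print how many were sent.
trigger_scans() {
  n=0
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    if ! is_subscription_id "$id"; then
      echo "skipping malformed subscription id: $id" >&2
      continue
    fi
    "$AZ_CMD" policy state trigger-scan --subscription "$id" --no-wait
    n=$((n + 1))
  done
  echo "$n"
}

# Entry point, e.g. run_for_management_group enterprise-group
run_for_management_group() {
  list_subscriptions "$1" | trigger_scans
}
```

Source the file and call run_for_management_group with the management group id; the count it prints is the number of scans actually sent, so a CI step can fail fast when it is zero.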

You can find the full script here.

If you have any feedback, please feel free to leave a comment here in this blog post or create a new GitHub issue here.
