Azure Policy View Compliance Detail

Tengku Aiman 120 Reputation points

Hello, I want to ask whether it is possible to get this data from Azure Resource Graph

  1. This is the built-in policy from Azure
     
     {
       "properties": {
         "displayName": "Inherit a tag from the resource group",
         "policyType": "BuiltIn",
         "mode": "Indexed",
         "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
         "metadata": {
           "version": "1.0.0",
           "category": "Tags"
         },
         "version": "1.0.0",
         "parameters": {
           "tagName": {
             "type": "String",
             "metadata": {
               "displayName": "Tag Name",
               "description": "Name of the tag, such as 'environment'"
             }
           }
         },
         "policyRule": {
           "if": {
             "allOf": [
               {
                 "field": "[concat('tags[', parameters('tagName'), ']')]",
                 "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
               },
               {
                 "value": "[resourceGroup().tags[parameters('tagName')]]",
                 "notEquals": ""
               }
             ]
           },
           "then": {
             "effect": "modify",
             "details": {
               "roleDefinitionIds": [
                 "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
               ],
               "operations": [
                 {
                   "operation": "addOrReplace",
                   "field": "[concat('tags[', parameters('tagName'), ']')]",
                   "value": "[resourceGroup().tags[parameters('tagName')]]"
                 }
               ]
             }
           }
         }
       },
       "id": "/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54/versions/1.0.0",
       "type": "Microsoft.Authorization/policyDefinitions/versions",
       "name": "1.0.0"
     }
    
  2. This is the View Compliance Detail for the Assignments the policy is grouped at [screenshot redacted].
     The question is:
     1. Is it possible to pull this data using Azure Resource Graph?

Answer accepted by question author

Siva shunmugam Nadessin 10,895 Reputation points Microsoft External Staff Moderator

Hello Tengku Aiman

Thank you for reaching out to the Microsoft Q&A forum.

Upon investigation, you can absolutely pull policy-compliance data out of Azure Resource Graph – at least the high-level stuff (which resources are compliant vs. non-compliant, when they were last evaluated, which assignment/definition they belong to, etc.). What you can’t get via Resource Graph is the deep “Compliance details” pane (the per-setting or per-field “Current value” vs. “Target value” info). For that, you’d need to call the Policy Insights APIs (or use az policy state list / PowerShell) instead.

Here’s a quick sample ARG query to list all non-compliant resources for a given assignment:

// Replace with your real assignment ID:
let assignmentId = '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/InheritTagRG';
policyresources
| where properties.policyAssignmentId == assignmentId
      and properties.complianceState == 'NonCompliant'
| extend
    resourceId    = properties.resourceId,
    resourceType  = tostring(split(properties.resourceId, '/')[6])
                  + '/' + tostring(split(properties.resourceId, '/')[7]),
    location      = properties.resourceLocation,
    lastEvaluated = properties.timestamp
| project resourceId, resourceType, location, lastEvaluated

If you need the extra “Compliance reason” details (fields, current value, target value), switch over to the Policy Insights REST API or CLI:

# The assignment is passed with --policy-assignment (-a); the compliance reason is
# exposed as complianceReasonCode on each policy state record.
az policy state list \
  --policy-assignment '/subscriptions/…/providers/Microsoft.Authorization/policyAssignments/InheritTagRG' \
  --filter "complianceState eq 'NonCompliant'" \
  --query "[].{resource:resourceId, reason:complianceReasonCode, details:policyDefinitionAction}" \
  --output table

Let me know if you have any further queries; feel free to reach out!

References

Get compliance data in Portal & ARG samples: https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data

Export compliance with Azure Resource Graph: https://learn.microsoft.com/azure/governance/policy/samples/resource-graph-samples

Policy Insights REST API (detailed compliance): https://learn.microsoft.com/azure/governance/policy/concepts/policy-insights-rest-api

az policy state list docs: https://learn.microsoft.com/cli/azure/policy/state#az-policy-state-list

  1. Tengku Aiman 120 Reputation points

    Alright, thank you. Will try it.

  2. Siva shunmugam Nadessin 10,895 Reputation points Microsoft External Staff Moderator

    Tengku Aiman, if the assistance was helpful, kindly [screenshot removed]; this can be beneficial to other community members.

  3. Tengku Aiman 120 Reputation points

    Hello sir, this policy is being placed in Management Group scope, do I need to change from subscriptions to scope?

  4. Siva shunmugam Nadessin 10,895 Reputation points Microsoft External Staff Moderator

    Hello Tengku Aiman,

    Since the policy is assigned at the Management Group level, you don’t need to change the query logic itself. Azure Resource Graph already evaluates resources across all subscriptions under that management group.

    However, you must update the policyAssignmentId to use the Management Group–scoped format, for example:

    /providers/Microsoft.Management/managementGroups/{mgId}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}

    Once the correct assignment ID is used, the query will return results across the inherited scope.

  5. Tengku Aiman 120 Reputation points

    Using ARG, I can see the results, but the cmd returns empty, sir.
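An added example, not code from the thread or from Microsoft: it builds the assignment ID in the subscription-scoped or management-group-scoped format discussed in the follow-up, and flattens Policy Insights records (the shape of `az policy state list --expand PolicyEvaluationDetails -o json`) into the per-field current-vs-target rows the accepted answer says Resource Graph cannot return. Every ID, name and value below is a constructed placeholder.

```python
# Added example, not code from the original thread. Flattens Policy Insights
# records (shape of `az policy state list --expand PolicyEvaluationDetails -o json`)
# into the per-field current vs target rows that the answer says ARG cannot give.
# Every ID, name and value below is a constructed placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
MG_ASSIGNMENT = ("/providers/microsoft.management/managementgroups/mg-root"
                 "/providers/microsoft.authorization/policyassignments/inherittagrg")
SAMPLE_STATES = [
    {   # non-compliant: resource tag differs from the resource group's tag
        "resourceId": SUB + "/providers/Microsoft.Storage/storageAccounts/stexample",
        "policyAssignmentId": MG_ASSIGNMENT,  # service may return IDs in lower case
        "complianceState": "NonCompliant",
        "policyDefinitionAction": "modify",
        "policyEvaluationDetails": {"evaluatedExpressions": [
            {"result": "True", "path": "tags[environment]", "operator": "NotEquals",
             "expressionValue": "dev", "targetValue": "prod"}]},
    },
    {   # compliant: no evaluated expression fired
        "resourceId": SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-app",
        "policyAssignmentId": MG_ASSIGNMENT,
        "complianceState": "Compliant",
        "policyEvaluationDetails": {"evaluatedExpressions": []},
    },
]

def assignment_id(name, *, management_group=None, subscription=None):
    """Assignment ID in the scope-dependent format discussed in the thread."""
    if management_group:
        scope = f"/providers/Microsoft.Management/managementGroups/{management_group}"
    elif subscription:
        scope = f"/subscriptions/{subscription}"
    else:
        raise ValueError("a management group or a subscription is required")
    return f"{scope}/providers/Microsoft.Authorization/policyAssignments/{name}"

def drift_rows(states, wanted_assignment_id):
    """(resourceId, path, current, target) per fired expression on a non-compliant resource."""
    wanted = wanted_assignment_id.lower()  # ARM resource IDs are not case-sensitive
    rows = []
    for state in states:
        if state.get("policyAssignmentId", "").lower() != wanted:
            continue
        if state.get("complianceState") != "NonCompliant":
            continue
        details = state.get("policyEvaluationDetails") or {}
        for expr in details.get("evaluatedExpressions", []):
            if expr.get("result") == "True":  # this clause of the policy 'if' matched
                rows.append((state["resourceId"], expr.get("path"),
                             expr.get("expressionValue"), expr.get("targetValue")))
    return rows
```

Feed it the JSON from the CLI (json.load on the saved output) to get a table of which tag, on which resource, differs from the resource group's value.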


2 additional answers

  1. kholienchieh 0 Reputation points MVP

    Have you ever tried to connect the PowerBI tool with Microsoft Graph ?

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-power-bi

    1. Tengku Aiman 120 Reputation points

      Not yet sir

    2. kholienchieh 0 Reputation points MVP

      Let's have a try.
      Although it's still in the process of adding more connectors, it's a good start for more flexibility in reporting.

    3. Tengku Aiman 120 Reputation points

      Okay sir, I'll try to get the data first.

  2. AI answer

    Yes. Azure Policy compliance data, including per-assignment and per-resource compliance state, can be queried through Azure Resource Graph.

    Azure Policy continuously evaluates resources and produces compliance results. These results are exposed in several ways, one of which is Azure Resource Graph queries. The compliance information that appears in the View compliance details blade for a policy assignment is part of this same data set.

    To work with it at scale:

    1. Ensure policy evaluations have run so that compliance state is up to date (policy evaluation cycles are what populate the compliance data).
    2. Use Azure Resource Graph to query the policy compliance resources. From the documentation, Azure Policy compliance data is explicitly listed as one of the ways to access compliance information, alongside the Azure portal, command line, and Azure Monitor logs.

    This allows pulling the same compliance details shown in the portal (for example, which resources are compliant or non-compliant for the built-in policy Inherit a tag from the resource group) via Resource Graph queries.
