Identify the Azure Policy which is linked to a Policy Assignment

Question

Identify the Azure Policy which is linked to a Policy Assignment

Chris Pretorius 0

Hi

I am analysing a customer's Azure Policy and noticed that, in this case, there are 2x Policy Definitions, but 34x Policy Assignments.

When analysing each Policy Assignment (using the "View Definition" button at the top of the Assignment ribbon), the name is different (Assignment: "Require a tag on resource groups: "WorkloadName"", View Definition: "Require a tag on resource groups").

I thought each Assignment has a 1:1 relationship with a Definition, allowing the assignment of definitions to different scopes (MG, Sub, etc.).

How can I get an accurate (i.e., not different name, as above) view of the Policy within each Assignment?

Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator

2025-08-21T01:44:53.3433333+00:00

Hi Chris Pretorius
I have reached out to you in a private message

Thankyou

Naveena Patlolla 5,365 Microsoft External Staff Moderator

Hi Chris Pretorius
One Definition can have many Assignments.
Definition Name: Require a tag on resource groups

Assignment Display Name: Require a tag on resource groups: Workload Name

You are seeing different, because the person who assigned this has given different name in policy assignment.

Please find the below script to export all definitions associated with policy assignment.

 <#
.SYNOPSIS
    This script retrieves non-compliant resources from all Azure subscriptions.
.DESCRIPTION
    - Connects to Azure using Connect-AzAccount.
    - Retrieves a list of all Azure subscriptions.
    - Iterates through each subscription to fetch non-compliant resources.
    - Fetches associated policy details, including Policy Definition Name and Initiative Display Name.
    - Outputs results in a sorted format.
    - Saves the compliance report to a CSV file.
.NOTES
    - Requires Az PowerShell Module.
    - User must have appropriate permissions to retrieve policy compliance data.
#>
# Login with Connect-AzAccount if not using Cloud Shell
Connect-AzAccount
# Initialize an empty array for storing non-compliant resources
$vmArray = @()
# Get all Azure subscriptions
$azureSubscriptions = Get-AzSubscription
# Loop through each subscription
foreach ($subscription in $azureSubscriptions) {
    # Set the Azure context to the current subscription
    Set-AzContext -SubscriptionId $subscription.Id
    # Get non-compliant resources for the current subscription
    $nonCompliantResources = Get-AzPolicyState | Where-Object { $_.ComplianceState -eq "NonCompliant" }
    # Output the count of non-compliant resources for the current subscription
    Write-Host "Subscription: $($subscription.Name) - Non-Compliant Resources: $($nonCompliantResources.Count)"
    # Retrieve and process non-compliant resources
    foreach ($resource in $nonCompliantResources) {
        $resourceName = $resource.resourceId.Split('/')[-1]
        $resourceType = $resource.resourceType
        $complianceState = $resource.complianceState
        $resourceGroup = $resource.resourceGroup
        $resourceLocation = $resource.resourceLocation
        $policyDefinitionName = $resource.PolicyDefinitionReferenceId
        $PolicyAssignmentName = $resource.PolicyAssignmentName
        $InitiativeId = $resource.PolicySetDefinitionId  # Get Initiative ID
        $InitiativeName = $resource.PolicySetDefinitionName  # Short Initiative Name
        # Retrieve Initiative Display Name
        $InitiativeDisplayName = $null
        if ($InitiativeId) {
            $initiativeDetails = Get-AzPolicySetDefinition -Id $InitiativeId -ErrorAction SilentlyContinue
            if ($initiativeDetails) {
                $InitiativeDisplayName = $initiativeDetails.Properties.DisplayName
            }
        }
        # Store resource details in an object
        $vmArray += New-Object PSObject -Property @{
            PolicyDefinitionName  = $policyDefinitionName
            InitiativeDisplayName = $InitiativeDisplayName  # Adding the Display Name
            ComplianceState       = $complianceState
            SubscriptionName      = $subscription.Name
            ResourceGroup         = $resourceGroup
            ResourceName          = $resourceName
            ResourceType          = $resourceType
            ResourceLocation      = $resourceLocation
        }
    }
}
# Sort and Export the results to a CSV file
$vmArray | Sort-Object PolicyDefinitionName, InitiativeDisplayName, ComplianceState, SubscriptionName, ResourceGroup, ResourceName, ResourceType, ResourceLocation | Export-CSV -Path ".\compliance.csv" -NoTypeInformation
Write-Host "Compliance report exported to compliance.csv"

Please find the Output.

Yes, there is a 1:1 relationship between an assignment and a definition reference, but one definition can be assigned many times with different parameters.

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"

Chris Pretorius 0 Reputation points

2025-08-21T03:38:19.5766667+00:00

Hi Naveena, thank you for providing the code.

I've successfully run it and, looking at the generated csv file data, it displays Subscription-level information. Are you able to advise what I need to change to have this run at Management level? All the policies are assigned at MG level, so would need to set the scope here.

Regards,

Chris
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator

2025-08-25T07:50:10.4266667+00:00

Hello Chris Pretorius
Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator

2025-08-26T09:01:48.1866667+00:00

Hello Chris Pretorius
Have you had a chance to work on the script mentioned above?
Chris Pretorius 0 Reputation points

2025-08-26T21:17:19.7933333+00:00

Hi Naveena, apologies for the delay in getting back to you - busy few days!

This MG-level script worked perfectly, thanks so much for your assistance. Upvoted.

Regards,

Chris
Vinod Pittala 6,310 Reputation points Microsoft External Staff Moderator

2025-08-28T09:25:51.7666667+00:00

Hello Chris Pretorius,

I noticed that the provided solution has been helpful for you. I have converted the comment into an answer. If you could kindly accept answer and upvote it for the benefit of the community, it would be greatly appreciated and helpful to others.

Thanks

1 answer

Your answer

Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator

2025-08-21T01:44:53.3433333+00:00

Hi Chris Pretorius
I have reached out to you in a private message

Thankyou
Chris Pretorius 0 Reputation points

2025-08-21T03:38:19.5766667+00:00

Hi Naveena, thank you for providing the code.

I've successfully run it and, looking at the generated csv file data, it displays Subscription-level information. Are you able to advise what I need to change to have this run at Management level? All the policies are assigned at MG level, so would need to set the scope here.

Regards,

Chris
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator

2025-08-25T07:50:10.4266667+00:00

Hello Chris Pretorius
Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator

2025-08-26T09:01:48.1866667+00:00

Hello Chris Pretorius
Have you had a chance to work on the script mentioned above?
Chris Pretorius 0 Reputation points

2025-08-26T21:17:19.7933333+00:00

Hi Naveena, apologies for the delay in getting back to you - busy few days!

This MG-level script worked perfectly, thanks so much for your assistance. Upvoted.

Regards,

Chris
Vinod Pittala 6,310 Reputation points Microsoft External Staff Moderator

2025-08-28T09:25:51.7666667+00:00

Hello Chris Pretorius,

I noticed that the provided solution has been helpful for you. I have converted the comment into an answer. If you could kindly accept answer and upvote it for the benefit of the community, it would be greatly appreciated and helpful to others.

Thanks

Answer 1

Hello Chris Pretorius

Please use below updated script to get the policies list at management scope.

# Login if needed
Connect-AzAccount

# Initialize array
$vmArray = @()

# Get all management groups
$mgList = Get-AzManagementGroup

foreach ($mg in $mgList) {
    $mgName = $mg.Name
    Write-Host "Processing Management Group: $mgName"

    # Get non-compliant resources at MG level
    $nonCompliantResources = Get-AzPolicyState -ManagementGroupName $mgName | Where-Object { $_.ComplianceState -eq "NonCompliant" }

    Write-Host "Non-Compliant Resources in $mgName: $($nonCompliantResources.Count)"

    foreach ($resource in $nonCompliantResources) {
        $resourceName = $resource.resourceId.Split('/')[-1]
        $resourceType = $resource.resourceType
        $complianceState = $resource.complianceState
        $resourceGroup = $resource.resourceGroup
        $resourceLocation = $resource.resourceLocation
        $policyDefinitionName = $resource.PolicyDefinitionReferenceId
        $PolicyAssignmentName = $resource.PolicyAssignmentName
        $InitiativeId = $resource.PolicySetDefinitionId
        $InitiativeName = $resource.PolicySetDefinitionName
        $subscriptionId = $resource.SubscriptionId

        # Get Initiative Display Name
        $InitiativeDisplayName = $null
        if ($InitiativeId) {
            $initiativeDetails = Get-AzPolicySetDefinition -Id $InitiativeId -ErrorAction SilentlyContinue
            if ($initiativeDetails) {
                $InitiativeDisplayName = $initiativeDetails.Properties.DisplayName
            }
        }

        # Store details
        $vmArray += New-Object PSObject -Property @{
            ManagementGroupName   = $mgName
            PolicyDefinitionName  = $policyDefinitionName
            InitiativeDisplayName = $InitiativeDisplayName
            ComplianceState       = $complianceState
            SubscriptionId        = $subscriptionId
            ResourceGroup         = $resourceGroup
            ResourceName          = $resourceName
            ResourceType          = $resourceType
            ResourceLocation      = $resourceLocation
        }
    }
}

# Export to CSV
$vmArray | Sort-Object ManagementGroupName, PolicyDefinitionName, InitiativeDisplayName, ComplianceState, SubscriptionId, ResourceGroup, ResourceName, ResourceType, ResourceLocation | Export-CSV -Path ".\mg-compliance-all.csv" -NoTypeInformation

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"

Share via

Identify the Azure Policy which is linked to a Policy Assignment

1 answer

Your answer