Get compliance data of Azure resources

One of the largest benefits of Azure Policy is the insight and controls it provides over resources in a subscription or management group of subscriptions. This control can be exercised in many different ways, such as preventing resources being created in the wrong location, enforcing common and consistent tag usage, or auditing existing resources for appropriate configurations and settings. In all cases, data is generated by Azure Policy to enable you to understand the compliance state of your environment.

There are several ways to access the compliance information generated by your policy and initiative assignments:

Before looking at the methods to report on compliance, let's look at when compliance information is updated and the frequency and events that trigger an evaluation cycle.

Warning

If compliance state is being reported as Not registered, verify that the Microsoft.PolicyInsights Resource Provider is registered and that the user has the appropriate Azure role-based access control (Azure RBAC) permissions as described in Azure RBAC permissions in Azure Policy.

Evaluation triggers

The results of a completed evaluation cycle are available in the Microsoft.PolicyInsights Resource Provider through the PolicyStates and PolicyEvents operations. For more information about the operations of the Azure Policy Insights REST API, see Azure Policy Insights.

Evaluations of assigned policies and initiatives happen as the result of various events:

  • A policy or initiative is newly assigned to a scope. It takes around 30 minutes for the assignment to be applied to the defined scope. Once it's applied, the evaluation cycle begins for resources within that scope against the newly assigned policy or initiative, and depending on the effects used by the policy or initiative, resources are marked as compliant, non-compliant, or exempt. A large policy or initiative evaluated against a large scope of resources can take time. As such, there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

  • A policy or initiative already assigned to a scope is updated. The evaluation cycle and timing for this scenario are the same as for a new assignment to a scope.

  • A resource is deployed to or updated within a scope with an assignment via Azure Resource Manager, REST API, or a supported SDK. In this scenario, the effect event (append, audit, deny, deploy) and compliance state information for the individual resource become available in the portal and SDKs around 15 minutes later. This event doesn't cause an evaluation of other resources.

  • A policy exemption is created, updated, or deleted. In this scenario, the corresponding assignment is evaluated for the defined exemption scope.

  • Standard compliance evaluation cycle. Once every 24 hours, assignments are automatically reevaluated. A large policy or initiative of many resources can take time, so there's no pre-defined expectation of when the evaluation cycle completes. Once it completes, updated compliance results are available in the portal and SDKs.

  • The Guest Configuration resource provider is updated with compliance details by a managed resource.

  • On-demand scan

On-demand evaluation scan

An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure PowerShell, a call to the REST API, or by using the Azure Policy Compliance Scan GitHub Action. This scan is an asynchronous process.

On-demand evaluation scan - GitHub Action

Use the Azure Policy Compliance Scan action to trigger an on-demand evaluation scan from your GitHub workflow on one or multiple resources, resource groups, or subscriptions, and gate the workflow based on the compliance state of resources. You can also configure the workflow to run at a scheduled time so that you get the latest compliance status at a convenient time. Optionally, this GitHub action can generate a report on the compliance state of scanned resources for further analysis or for archiving.

The following example runs a compliance scan for a subscription.

on:
  schedule:
    - cron: '0 8 * * *'  # runs every morning 8am
jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}

    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        scopes: |
          /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

For more information and workflow samples, see the GitHub Action for Azure Policy Compliance Scan repo.

On-demand evaluation scan - Azure CLI

The compliance scan is started with the az policy state trigger-scan command.

By default, az policy state trigger-scan starts an evaluation for all resources in the current subscription. To start an evaluation on a specific resource group, use the resource-group parameter. The following example starts a compliance scan in the current subscription for the MyRG resource group:

az policy state trigger-scan --resource-group "MyRG"

You can choose not to wait for the asynchronous process to complete before continuing by using the no-wait parameter.

On-demand evaluation scan - Azure PowerShell

The compliance scan is started with the Start-AzPolicyComplianceScan cmdlet.

By default, Start-AzPolicyComplianceScan starts an evaluation for all resources in the current subscription. To start an evaluation on a specific resource group, use the ResourceGroupName parameter. The following example starts a compliance scan in the current subscription for the MyRG resource group:

Start-AzPolicyComplianceScan -ResourceGroupName 'MyRG'

You can have PowerShell wait for the asynchronous call to complete before providing the results output, or have it run in the background as a job. To use a PowerShell job to run the compliance scan in the background, use the AsJob parameter and assign the result to a variable, such as $job in this example:

$job = Start-AzPolicyComplianceScan -AsJob

You can check on the status of the job by inspecting the $job object. The job is of the type Microsoft.Azure.Commands.Common.AzureLongRunningJob. Use Get-Member on the $job object to see available properties and methods.

While the compliance scan is running, checking the $job object outputs results such as these:

$job

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
2      Long Running O… AzureLongRunni… Running       True            localhost            Start-AzPolicyCompliance…

When the compliance scan completes, the State property changes to Completed.

On-demand evaluation scan - REST

As an asynchronous process, the REST endpoint to start the scan doesn't wait until the scan is complete to respond. Instead, it provides a URI to query the status of the requested evaluation.

In each REST API URI, there are variables that you need to replace with your own values:

  • {YourRG} - Replace with the name of your resource group
  • {subscriptionId} - Replace with your subscription ID

The scan supports evaluation of resources in a subscription or in a resource group. Start a scan by scope with a REST API POST command using the following URI structures:

  • Subscription

    POST https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01

  • Resource group

    POST https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01

The call returns a 202 Accepted status. Included in the response header is a Location property with the following format:

https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/asyncOperationResults/{ResourceContainerGUID}?api-version=2019-10-01

{ResourceContainerGUID} is statically generated for the scope requested. If a scope is already running an on-demand scan, a new scan isn't started. Instead, the new request is provided the same {ResourceContainerGUID} location URI for status. A REST API GET command to the Location URI returns a 202 Accepted while the evaluation is ongoing. When the evaluation scan has completed, it returns a 200 OK status. The body of a completed scan is a JSON response with the status:

{
    "status": "Succeeded"
}
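The trigger-and-poll exchange described above, written out as an added Python example that is not part of the original article. It assumes the caller supplies a send(method, url) function wrapping a real HTTP client that adds the Bearer token for ARM; FakeArm is a constructed stand-in for the endpoint so the block runs offline.

```python
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple

ARM = "https://management.chinacloudapi.cn"   # endpoint used on this page
API_VERSION = "2019-10-01"

# send(method, url) -> (status_code, headers, body). Assumption: the caller wraps a real
# HTTP client here and adds the Authorization: Bearer header for ARM inside it.
Send = Callable[[str, str], Tuple[int, Dict[str, str], str]]


def scope_for(subscription_id: str, resource_group: Optional[str] = None) -> str:
    """Build the subscription or resource-group scope the page's URIs start with."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return scope


def trigger_evaluation(send: Send, subscription_id: str, resource_group: Optional[str] = None) -> str:
    """POST triggerEvaluation for the scope; returns the Location URI to poll.
    Anything other than 202 Accepted is treated as a failure."""
    url = (f"{ARM}{scope_for(subscription_id, resource_group)}"
           f"/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation"
           f"?api-version={API_VERSION}")
    status, headers, body = send("POST", url)
    if status != 202:
        raise RuntimeError(f"triggerEvaluation returned {status}: {body[:200]}")
    # Header names are case-insensitive; accept either spelling.
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise RuntimeError("202 response without a Location header")
    return location


def wait_for_evaluation(send: Send, location: str, interval: float = 15.0, max_polls: int = 240) -> str:
    """GET the Location URI while it answers 202; on 200 OK return the JSON 'status'
    field from the body (e.g. 'Succeeded'). Any other status code is an error."""
    for _ in range(max_polls):
        status, _, body = send("GET", location)
        if status == 202:
            time.sleep(interval)      # evaluation still running
            continue
        if status == 200:
            return json.loads(body)["status"]
        raise RuntimeError(f"unexpected {status} while polling: {body[:200]}")
    raise TimeoutError("evaluation did not finish within the polling budget")


def run_scan(send: Send, subscription_id: str, resource_group: Optional[str] = None,
             interval: float = 15.0) -> str:
    """Trigger a scan and block until it completes; returns the final status string."""
    return wait_for_evaluation(send, trigger_evaluation(send, subscription_id, resource_group), interval)


class FakeArm:
    """Constructed stand-in for the ARM endpoint so this example runs offline. It mimics
    the behaviour the page describes: 202 plus a Location header on POST, the same
    {ResourceContainerGUID} while a scan for that scope is still running, 202 on GET
    until the scan finishes, then 200 with {"status": "Succeeded"}."""

    def __init__(self, polls_until_done: int = 2) -> None:
        self.polls_until_done = polls_until_done
        self.running: Dict[str, str] = {}   # scope -> GUID of the in-flight scan
        self.polls: Dict[str, int] = {}     # GUID -> number of GETs so far

    def __call__(self, method: str, url: str) -> Tuple[int, Dict[str, str], str]:
        if method == "POST":
            scope = url.split("/providers/Microsoft.PolicyInsights/")[0][len(ARM):]
            guid = self.running.setdefault(scope, str(uuid.uuid4()))
            sub = scope.split("/")[2]
            loc = (f"{ARM}/subscriptions/{sub}/providers/Microsoft.PolicyInsights"
                   f"/asyncOperationResults/{guid}?api-version={API_VERSION}")
            return 202, {"Location": loc}, ""
        guid = url.split("/asyncOperationResults/")[1].split("?")[0]
        self.polls[guid] = self.polls.get(guid, 0) + 1
        if self.polls[guid] < self.polls_until_done:
            return 202, {}, ""
        # Scan finished: drop the in-flight GUID so the next POST starts a fresh scan.
        self.running = {s: g for s, g in self.running.items() if g != guid}
        return 200, {}, json.dumps({"status": "Succeeded"})


if __name__ == "__main__":
    # Placeholder subscription ID; replace with your own when wiring up a real client.
    print(run_scan(FakeArm(), "00000000-0000-0000-0000-000000000000", "MyRG", interval=0))
```

With the requests library, send can be `lambda m, u: (r := requests.request(m, u, headers=auth)).status_code, dict(r.headers), r.text` where auth carries the Bearer token.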

On-demand evaluation scan - Visual Studio Code

The Azure Policy extension for Visual Studio Code is capable of running an evaluation scan for a specific resource. This scan is a synchronous process, unlike the Azure PowerShell and REST methods. For details and steps, see On-demand evaluation with the VS Code extension.

How compliance works

In an assignment, a resource is Non-compliant if it doesn't follow policy or initiative rules and isn't exempt. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state:

Resource State    Effect                                                            Policy Evaluation    Compliance State
New or Updated    Audit, Modify, AuditIfNotExist                                    True                 Non-Compliant
New or Updated    Audit, Modify, AuditIfNotExist                                    False                Compliant
Exists            Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist    True                 Non-Compliant
Exists            Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist    False                Compliant

Note

The DeployIfNotExist and AuditIfNotExist effects require the IF statement to be TRUE and the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources.

For example, assume that you have a resource group, ContosoRG, with some storage accounts (highlighted in red) that are exposed to public networks.

Diagram of storage accounts in the Contoso R G resource group that are exposed to public networks.

Diagram showing images for five storage accounts in the Contoso R G resource group. Storage accounts one and three are blue, while storage accounts two, four, and five are red.

In this example, you need to be wary of security risks. Now that you've created a policy assignment, it's evaluated for all included and non-exempt storage accounts in the ContosoRG resource group. It audits the three non-compliant storage accounts, consequently changing their states to Non-compliant.

Diagram of the compliance of storage accounts in the Contoso R G resource group.

Diagram showing images for five storage accounts in the Contoso R G resource group. Storage accounts one and three now have green checkmarks beneath them, while storage accounts two, four, and five now have red warning signs beneath them.

Besides Compliant and Non-compliant, policies and resources have four other states:

  • Exempt: The resource is in scope of an assignment, but has a defined exemption.
  • Conflicting: Two or more policy definitions exist with conflicting rules. For example, two definitions append the same tag with different values.
  • Not started: The evaluation cycle hasn't started for the policy or resource.
  • Not registered: The Azure Policy Resource Provider hasn't been registered or the account logged in doesn't have permission to read compliance data.

Azure Policy uses the type, name, or kind fields in the definition to determine if a resource is a match. When the resource matches, it's considered applicable and has a status of either Compliant, Non-compliant, or Exempt. If type, name, or kind is the only property in the definition, then all included and non-exempt resources are considered applicable and are evaluated.

The compliance percentage is determined by dividing Compliant and Exempt resources by total resources. Total resources is defined as the sum of the Compliant, Non-compliant, Exempt, and Conflicting resources. The overall compliance numbers are the sum of distinct resources that are Compliant or Exempt divided by the sum of all distinct resources. In the image below, there are 20 distinct resources that are applicable and only one is Non-compliant. The overall resource compliance is 95% (19 out of 20).

Screenshot of policy compliance details on the Compliance page.
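A worked calculation of the compliance figures defined above, added here as an example and not code from the article. The records are constructed in the shape of the policyStates output shown later on this page (resourceId, complianceState, policyAssignmentId); the roll-up order for a resource that appears under several assignments is an assumption.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# The four states that Azure Policy counts toward "total resources".
COUNTED_STATES = ("Compliant", "NonCompliant", "Exempt", "Conflicting")
# Roll-up precedence across assignments for one resource. Assumption (not stated on the
# page): any NonCompliant record wins, then Conflicting, then Exempt, then Compliant.
PRECEDENCE = ("NonCompliant", "Conflicting", "Exempt", "Compliant")


def rollup_states(records: Iterable[dict]) -> Dict[str, str]:
    """Reduce per-assignment policyStates records to one state per distinct resource.

    Resource IDs are compared case-insensitively (ARM returns them with mixed casing,
    e.g. 'rg-tags' and 'RG-Tags' on this page). Records whose state is not one of the
    four counted states (for example a not-yet-started evaluation) are ignored.
    """
    states_by_resource: Dict[str, set] = defaultdict(set)
    for rec in records:
        state = rec["complianceState"]
        if state in COUNTED_STATES:
            states_by_resource[rec["resourceId"].lower()].add(state)
    return {rid: next(s for s in PRECEDENCE if s in states)
            for rid, states in states_by_resource.items()}


def overall_compliance(records: Iterable[dict]) -> Dict[str, float]:
    """Overall compliance as the page defines it: distinct Compliant or Exempt resources
    divided by all distinct counted resources, as a percentage rounded to one decimal."""
    per_resource = rollup_states(records)
    counts = {s: 0 for s in COUNTED_STATES}
    for state in per_resource.values():
        counts[state] += 1
    total = len(per_resource)
    passing = counts["Compliant"] + counts["Exempt"]
    # Assumption: with no applicable resources there is nothing non-compliant, so 100%.
    percentage = round(100.0 * passing / total, 1) if total else 100.0
    return {**counts, "total": total, "percentage": percentage}


def non_compliant_by_assignment(records: Iterable[dict]) -> Dict[str, int]:
    """Distinct non-compliant resources per policyAssignmentId, the figure the summarize
    endpoint reports as nonCompliantResources under each policyAssignments entry."""
    seen: Dict[str, set] = defaultdict(set)
    for rec in records:
        if rec["complianceState"] == "NonCompliant":
            seen[rec["policyAssignmentId"].lower()].add(rec["resourceId"].lower())
    return {aid: len(rids) for aid, rids in seen.items()}


def _rec(resource_id: str, state: str, assignment: str) -> dict:
    """Constructed record carrying only the three fields these helpers read."""
    return {"resourceId": resource_id, "complianceState": state, "policyAssignmentId": assignment}


# Constructed sample: 20 distinct VMs under two hypothetical assignments, mirroring the
# page's 19-of-20 example. vm02 is NonCompliant under the tag assignment but Compliant
# under the second one; it still counts once, as NonCompliant.
TAG_ASSIGNMENT = "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Authorization/policyAssignments/tags-demo"
SKU_ASSIGNMENT = "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/sku-demo"
SAMPLE_RECORDS: List[dict] = []
for n in range(1, 21):
    rid = f"/subscriptions/{{subscriptionId}}/resourceGroups/rg-tags/providers/Microsoft.Compute/virtualMachines/vm{n:02d}"
    state = "Exempt" if n in (5, 9, 13) else ("NonCompliant" if n == 2 else "Compliant")
    SAMPLE_RECORDS.append(_rec(rid, state, TAG_ASSIGNMENT))
    # The second assignment returns the same IDs with different casing and no exemptions.
    SAMPLE_RECORDS.append(_rec(rid.replace("rg-tags", "RG-Tags"), "Compliant", SKU_ASSIGNMENT))
# A resource whose evaluation has not started is outside the four counted states and is
# left out of the total ("NotStarted" is a constructed placeholder value here).
SAMPLE_RECORDS.append(_rec(
    "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Network/virtualNetworks/vnet-new",
    "NotStarted", SKU_ASSIGNMENT))

if __name__ == "__main__":
    print(overall_compliance(SAMPLE_RECORDS))
    print(non_compliant_by_assignment(SAMPLE_RECORDS))
```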

Portal

The Azure portal showcases a graphical experience for visualizing and understanding the state of compliance in your environment. On the Policy page, the Overview option provides details for available scopes on the compliance of both policies and initiatives. Along with the compliance state and count per assignment, it contains a chart showing compliance over the last seven days. The Compliance page contains much of this same information (except the chart), but provides additional filtering and sorting options.

Screenshot of the Compliance page, filtering options, and details.

Since a policy or initiative can be assigned to different scopes, the table includes the scope for each assignment and the type of definition that was assigned. The number of non-compliant resources and non-compliant policies for each assignment is also provided. Selecting a policy or initiative in the table provides a deeper look at the compliance for that particular assignment.

Screenshot of the Compliance details page, including counts and resource compliance details.

The list of resources on the Resource compliance tab shows the evaluation status of existing resources for the current assignment. The tab defaults to Non-compliant, but can be filtered. Events (append, audit, deny, deploy, modify) triggered by the request to create a resource are shown under the Events tab.

Screenshot of the Events tab on the Compliance details page.

For Resource Provider mode resources, on the Resource compliance tab, selecting the resource or right-clicking on the row and selecting View compliance details opens the component compliance details. This page also offers tabs to see the policies that are assigned to this resource, events, component events, and change history.

Screenshot of the Component compliance tab and compliance details for a Resource Provider mode assignment.

Back on the resource compliance page, right-click on the row of the event you would like to gather more details on and select Show activity logs. The activity log page opens and is pre-filtered to the search showing details for the assignment and the events. The activity log provides additional context and information about those events.

Screenshot of the activity log for Azure Policy activities and evaluations.

Understand non-compliance

When a resource is determined to be non-compliant, there are many possible reasons. To determine the reason a resource is non-compliant or to find the change responsible, see Determine non-compliance.

Command line

The same information available in the portal can be retrieved with the REST API (including with ARMClient), Azure PowerShell, and Azure CLI. For full details on the REST API, see the Azure Policy Insights reference. The REST API reference pages have a green 'Try It' button on each operation that allows you to try it right in the browser.

Use ARMClient or a similar tool to handle authentication to Azure for the REST API examples.

Summarize results

With the REST API, summarization can be performed by container, definition, or assignment. Here is an example of summarization at the subscription level using Azure Policy Insights' Summarize For Subscription operation:

POST https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/summarize?api-version=2018-04-04

The output summarizes the subscription. In the example output below, the summarized compliance is under value.results.nonCompliantResources and value.results.nonCompliantPolicies. This request provides further details, including each assignment that made up the non-compliant numbers and the definition information for each assignment. Each policy object in the hierarchy provides a queryResultsUri that can be used to get additional detail at that level.

{
    "@odata.context": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary",
    "@odata.count": 1,
    "value": [{
        "@odata.id": null,
        "@odata.context": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary/$entity",
        "results": {
            "queryResultsUri": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2018-04-04&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=IsCompliant eq false",
            "nonCompliantResources": 15,
            "nonCompliantPolicies": 1
        },
        "policyAssignments": [{
            "policyAssignmentId": "/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77",
            "policySetDefinitionId": "",
            "results": {
                "queryResultsUri": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2018-04-04&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=IsCompliant eq false and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77'",
                "nonCompliantResources": 15,
                "nonCompliantPolicies": 1
            },
            "policyDefinitions": [{
                "policyDefinitionReferenceId": "",
                "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
                "effect": "deny",
                "results": {
                    "queryResultsUri": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2018-04-04&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=IsCompliant eq false and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77' and PolicyDefinitionId eq '/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'",
                    "nonCompliantResources": 15
                }
            }]
        }]
    }]
}

Query for resources

In the example above, value.policyAssignments.policyDefinitions.results.queryResultsUri provides a sample URI for all non-compliant resources for a specific policy definition. Looking at the $filter value, ComplianceState is equal (eq) to 'NonCompliant', PolicyAssignmentId is specified for the policy definition, and then the PolicyDefinitionId itself. The reason for including the PolicyAssignmentId in the filter is that the PolicyDefinitionId could exist in several policy or initiative assignments with different scopes. By specifying both the PolicyAssignmentId and the PolicyDefinitionId, we can be explicit in the results we're looking for. Previously, for PolicyStates we used latest, which automatically sets a from and to time window of the last 24 hours.

https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2018-04-04&$from=2018-05-18 04:28:22Z&$to=2018-05-19 04:28:22Z&$filter=IsCompliant eq false and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/resourcegroups/rg-tags/providers/microsoft.authorization/policyassignments/37ce239ae4304622914f0c77' and PolicyDefinitionId eq '/providers/microsoft.authorization/policydefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'

The example response below has been trimmed to a single non-compliant resource for brevity. The detailed response has several pieces of data about the resource, the policy or initiative, and the assignment. Notice that you can also see what assignment parameters were passed to the policy definition.

{
    "@odata.context": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest",
    "@odata.count": 15,
    "value": [{
        "@odata.id": null,
        "@odata.context": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
        "timestamp": "2018-05-19T04:41:09Z",
        "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Compute/virtualMachines/linux",
        "policyAssignmentId": "/subscriptions/{subscriptionId}/resourceGroups/rg-tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
        "effectiveParameters": "",
        "ComplianceState": "NonCompliant",
        "subscriptionId": "{subscriptionId}",
        "resourceType": "/Microsoft.Compute/virtualMachines",
        "resourceLocation": "chinaeast2",
        "resourceGroup": "RG-Tags",
        "resourceTags": "tbd",
        "policyAssignmentName": "37ce239ae4304622914f0c77",
        "policyAssignmentOwner": "tbd",
        "policyAssignmentParameters": "{\"tagName\":{\"value\":\"costCenter\"},\"tagValue\":{\"value\":\"Contoso-Test\"}}",
        "policyAssignmentScope": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags",
        "policyDefinitionName": "1e30110a-5ceb-460c-a204-c1c3969c6d62",
        "policyDefinitionAction": "deny",
        "policyDefinitionCategory": "tbd",
        "policySetDefinitionId": "",
        "policySetDefinitionName": "",
        "policySetDefinitionOwner": "",
        "policySetDefinitionCategory": "",
        "policySetDefinitionParameters": "",
        "managementGroupIds": "",
        "policyDefinitionReferenceId": ""
    }]
}

View events

When a resource is created or updated, a policy evaluation result is generated. Results are called policy events. Use the following URI to view recent policy events associated with the subscription.

https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/default/queryResults?api-version=2018-04-04

Your results resemble the following example:

{
    "@odata.context": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/$metadata#default",
    "@odata.count": 1,
    "value": [{
        "@odata.id": null,
        "@odata.context": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyEvents/$metadata#default/$entity",
        "NumAuditEvents": 16
    }]
}

For more information about querying policy events, see the Azure Policy Events reference article.

Azure CLI

The Azure CLI command group for Azure Policy covers most operations that are available in REST or Azure PowerShell. For the full list of available commands, see Azure CLI - Azure Policy Overview.

Example: Getting the state summary for the topmost assigned policy with the highest number of non-compliant resources.

az policy state summarize --top 1

The top portion of the response looks like this example:

{
    "odatacontext": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#summary/$entity",
    "odataid": null,
    "policyAssignments": [{
            "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
            "policyDefinitions": [{
                "effect": "audit",
                "policyDefinitionGroupNames": [
                    ""
                ],
                "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
                "policyDefinitionReferenceId": "",
                "results": {
                    "nonCompliantPolicies": null,
                    "nonCompliantResources": 398,
                    "policyDetails": [{
                        "complianceState": "noncompliant",
                        "count": 1
                    }],
                    "policyGroupDetails": [{
                        "complianceState": "noncompliant",
                        "count": 1
                    }],
                    "queryResultsUri": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$from=2020-07-14 14:01:22Z&$to=2020-07-15 14:01:22Z and PolicyAssignmentId eq '/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8' and PolicyDefinitionId eq '/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a'",
                    "resourceDetails": [{
                            "complianceState": "noncompliant",
                            "count": 398
                        },
                        {
                            "complianceState": "compliant",
                            "count": 4
                        }
                    ]
                }
            }],
    ...

Example: Getting the state record for the most recently evaluated resource (default is by timestamp in descending order).

az policy state list --top 1
[
  {
    "complianceReasonCode": "",
    "complianceState": "Compliant",
    "effectiveParameters": "",
    "isCompliant": true,
    "managementGroupIds": "{managementgroupId}",
    "odatacontext": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataid": null,
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/securitycenterbuiltin",
    "policyAssignmentName": "SecurityCenterBuiltIn",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "auditifnotexists",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [
      ""
    ],
    "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
    "policyDefinitionName": "aa633080-8b72-40c4-a2d7-d00c03e80bed",
    "policyDefinitionReferenceId": "identityenablemfaforownerpermissionsmonitoring",
    "policyDefinitionVersion": "",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "security center",
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "policySetDefinitionName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "",
    "resourceGroup": "",
    "resourceId": "/subscriptions/{subscriptionId}",
    "resourceLocation": "",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.Resources/subscriptions",
    "subscriptionId": "{subscriptionId}",
    "timestamp": "2020-07-15T08:37:07.903433+00:00"
  }
]

Example: Getting the details for all non-compliant virtual network resources.

az policy state list --filter "ResourceType eq 'Microsoft.Network/virtualNetworks'"
[
  {
    "complianceReasonCode": "",
    "complianceState": "NonCompliant",
    "effectiveParameters": "",
    "isCompliant": false,
    "managementGroupIds": "{managementgroupId}",
    "odatacontext": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataid": null,
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
    "policyAssignmentName": "e0704696df5e4c3c81c873e8",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "audit",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [
      ""
    ],
    "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionName": "2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionReferenceId": "",
    "policyDefinitionVersion": "",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "",
    "policySetDefinitionId": "",
    "policySetDefinitionName": "",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "",
    "resourceGroup": "RG-Tags",
    "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet",
    "resourceLocation": "chinaeast2",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.Network/virtualNetworks",
    "subscriptionId": "{subscriptionId}",
    "timestamp": "2020-07-15T08:37:07.901911+00:00"
  }
]

Example: Getting events related to non-compliant virtual network resources that occurred after a specific date.

az policy state list --filter "ResourceType eq 'Microsoft.Network/virtualNetworks'" --from '2020-07-14T00:00:00Z'
[
  {
    "complianceReasonCode": "",
    "complianceState": "NonCompliant",
    "effectiveParameters": "",
    "isCompliant": false,
    "managementGroupIds": "{managementgroupId}",
    "odatacontext": "https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataid": null,
    "policyAssignmentId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8",
    "policyAssignmentName": "e0704696df5e4c3c81c873e8",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/{subscriptionId}",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "audit",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [
      ""
    ],
    "policyDefinitionId": "/subscriptions/{subscriptionId}/providers/microsoft.authorization/policydefinitions/2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionName": "2e3197b6-1f5b-4b01-920c-b2f0a7e9b18a",
    "policyDefinitionReferenceId": "",
    "policyDefinitionVersion": "",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "",
    "policySetDefinitionId": "",
    "policySetDefinitionName": "",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "",
    "resourceGroup": "RG-Tags",
    "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet",
    "resourceLocation": "chinaeast2",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.Network/virtualNetworks",
    "subscriptionId": "{subscriptionId}",
    "timestamp": "2020-07-15T08:37:07.901911+00:00"
  }
]
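As an added example (not code from the page or from the Azure tooling), the following Python post-processes `az policy state list -o json` output offline: it reproduces the per-assignment non-compliant count that the state summary reports, the `--from` cut-off, and picks out resources that are NonCompliant under a `deny` effect, which the PowerShell output above also shows. The records, the `rec` helper and the function names are constructed for this example; `{subscriptionId}` is kept as the page's placeholder.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records in the shape of `az policy state list -o json`; {subscriptionId} is the page's placeholder.
SUB = "/subscriptions/{subscriptionId}"
A_TAGS = SUB + "/resourceGroups/RG-Tags/providers/Microsoft.Authorization/policyAssignments/37ce239ae4304622914f0c77"
A_AUDIT = SUB + "/providers/microsoft.authorization/policyassignments/e0704696df5e4c3c81c873e8"
VNET = SUB + "/resourceGroups/RG-Tags/providers/Microsoft.Network/virtualNetworks/RG-Tags-vnet"
NIC = SUB + "/resourceGroups/RG-Tags/providers/Microsoft.Network/networkInterfaces/linux316"

def rec(resource, assignment, action, state, ts):
    return {"resourceId": resource, "policyAssignmentId": assignment,
            "policyDefinitionAction": action, "complianceState": state, "timestamp": ts}

SAMPLE_STATES = [
    rec(VNET, A_AUDIT, "audit", "NonCompliant", "2020-07-15T08:37:07.901911+00:00"),
    rec(SUB, SUB + "/providers/microsoft.authorization/policyassignments/securitycenterbuiltin",
        "auditifnotexists", "Compliant", "2020-07-15T08:37:07.903433+00:00"),
    rec(NIC, A_TAGS, "deny", "NonCompliant", "2020-07-13T15:47:34Z"),
    rec(VNET, A_TAGS, "deny", "NonCompliant", "2020-07-15T08:37:08Z"),
    # same NIC under the same assignment (a second initiative member): must not count twice
    rec(NIC, A_TAGS, "deny", "NonCompliant", "2020-07-13T15:47:34Z"),
]

def parse_ts(ts):
    """Parse CLI timestamps; accept a trailing 'Z' (as passed to --from) or '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def states_since(states, since):
    """Mirror --from: keep records evaluated at or after `since` (ISO 8601)."""
    cutoff = parse_ts(since)
    return [s for s in states if parse_ts(s["timestamp"]) >= cutoff]

def noncompliant_by_assignment(states):
    """Distinct non-compliant resources per assignment, as the state summary reports them."""
    seen = defaultdict(set)
    for s in states:
        if s["complianceState"].lower() == "noncompliant":
            seen[s["policyAssignmentId"]].add(s["resourceId"])
    return {a: len(r) for a, r in seen.items()}

def top_assignments(states, top=1):
    """Assignments ordered by non-compliant count, like Get-AzPolicyStateSummary -Top N."""
    counts = noncompliant_by_assignment(states)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

def deny_backlog(states):
    """NonCompliant under 'deny': deny blocks only new/updated requests, so these pre-date the assignment."""
    return sorted({s["resourceId"] for s in states if s["policyDefinitionAction"].lower() == "deny"
                   and s["complianceState"].lower() == "noncompliant"})
```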

Azure PowerShell

The Azure PowerShell module for Azure Policy is available on the PowerShell Gallery as Az.PolicyInsights. Using PowerShellGet, you can install the module with Install-Module -Name Az.PolicyInsights (make sure you have the latest Azure PowerShell installed):

# Install from PowerShell Gallery via PowerShellGet
Install-Module -Name Az.PolicyInsights

# Import the downloaded module
Import-Module Az.PolicyInsights

# Login with Connect-AzAccount if not using CLI
Connect-AzAccount -EnvironmentName AzureChinaCloud

The module has the following cmdlets:

  • Get-AzPolicyStateSummary
  • Get-AzPolicyState
  • Get-AzPolicyEvent
  • Get-AzPolicyRemediation
  • Remove-AzPolicyRemediation
  • Start-AzPolicyRemediation
  • Stop-AzPolicyRemediation

Example: Getting the state summary for the topmost assigned policy with the highest number of non-compliant resources.

PS> Get-AzPolicyStateSummary -Top 1

NonCompliantResources : 15
NonCompliantPolicies  : 1
PolicyAssignments     : {/subscriptions/{subscriptionId}/resourcegroups/RG-Tags/providers/micros
                        oft.authorization/policyassignments/37ce239ae4304622914f0c77}

Example: Getting the state record for the most recently evaluated resource (default is by timestamp in descending order).

PS> Get-AzPolicyState -Top 1

Timestamp                  : 5/22/2018 3:47:34 PM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Mi
                             crosoft.Network/networkInterfaces/linux316
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Mi
                             crosoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/networkInterfaces
ResourceLocation           : chinaeast2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd

Example: Getting the details for all non-compliant virtual network resources.

PS> Get-AzPolicyState -Filter "ResourceType eq '/Microsoft.Network/virtualNetworks'"

Timestamp                  : 5/22/2018 4:02:20 PM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Mi
                             crosoft.Network/virtualNetworks/RG-Tags-vnet
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Mi
                             crosoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/virtualNetworks
ResourceLocation           : chinaeast2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd

Example: Getting events related to non-compliant virtual network resources that occurred after a specific date, converting them to CSV, and exporting them to a file.

$policyEvents = Get-AzPolicyEvent -Filter "ResourceType eq '/Microsoft.Network/virtualNetworks'" -From '2020-09-19'
$policyEvents | ConvertTo-Csv | Out-File 'C:\temp\policyEvents.csv'

The output of the $policyEvents object looks like the following:

Timestamp                  : 9/19/2020 5:18:53 AM
ResourceId                 : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Mi
                             crosoft.Network/virtualNetworks/RG-Tags-vnet
PolicyAssignmentId         : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags/providers/Mi
                             crosoft.Authorization/policyAssignments/37ce239ae4304622914f0c77
PolicyDefinitionId         : /providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62
ComplianceState            : NonCompliant
SubscriptionId             : {subscriptionId}
ResourceType               : /Microsoft.Network/virtualNetworks
ResourceLocation           : chinaeast2
ResourceGroup              : RG-Tags
ResourceTags               : tbd
PolicyAssignmentName       : 37ce239ae4304622914f0c77
PolicyAssignmentOwner      : tbd
PolicyAssignmentParameters : {"tagName":{"value":"costCenter"},"tagValue":{"value":"Contoso-Test"}}
PolicyAssignmentScope      : /subscriptions/{subscriptionId}/resourceGroups/RG-Tags
PolicyDefinitionName       : 1e30110a-5ceb-460c-a204-c1c3969c6d62
PolicyDefinitionAction     : deny
PolicyDefinitionCategory   : tbd
TenantId                   : {tenantId}
PrincipalOid               : {principalOid}

The PrincipalOid field can be used to look up the specific user with the Azure PowerShell cmdlet Get-AzADUser. Replace {principalOid} with the value returned in the previous example.

PS> (Get-AzADUser -ObjectId {principalOid}).DisplayName
Trent Baker

Azure Monitor logs

If you have a Log Analytics workspace with AzureActivity from the Activity Log Analytics solution tied to your subscription, you can also view non-compliance results from the evaluation of new and updated resources using simple Kusto queries and the AzureActivity table. With those details in Azure Monitor logs, alerts can be configured to watch for non-compliance.

[Screenshot: Azure Monitor logs showing Azure Policy actions in the AzureActivity table.]

Next steps