Azure Resource Graph sample queries for Azure Policy

This page is a collection of Azure Resource Graph sample queries for Azure Policy.

Azure Policy

Compliance by policy assignment

Provides the compliance state, compliance percentage, and resource counts for each Azure Policy assignment.

PolicyResources
| where type =~ 'Microsoft.PolicyInsights/PolicyStates'
| extend complianceState = tostring(properties.complianceState)
| extend
  resourceId = tostring(properties.resourceId),
  policyAssignmentId = tostring(properties.policyAssignmentId),
  policyAssignmentScope = tostring(properties.policyAssignmentScope),
  policyAssignmentName = tostring(properties.policyAssignmentName),
  policyDefinitionId = tostring(properties.policyDefinitionId),
  policyDefinitionReferenceId = tostring(properties.policyDefinitionReferenceId),
  stateWeight = iff(complianceState == 'NonCompliant', int(300), iff(complianceState == 'Compliant', int(200), iff(complianceState == 'Conflict', int(100), iff(complianceState == 'Exempt', int(50), int(0)))))
| summarize max(stateWeight) by resourceId, policyAssignmentId, policyAssignmentScope, policyAssignmentName
| summarize counts = count() by policyAssignmentId, policyAssignmentScope, max_stateWeight, policyAssignmentName
| summarize overallStateWeight = max(max_stateWeight),
nonCompliantCount = sumif(counts, max_stateWeight == 300),
compliantCount = sumif(counts, max_stateWeight == 200),
conflictCount = sumif(counts, max_stateWeight == 100),
exemptCount = sumif(counts, max_stateWeight == 50) by policyAssignmentId, policyAssignmentScope, policyAssignmentName
| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)
| extend compliancePercentage = iff(totalResources == 0, todouble(100), 100 * todouble(compliantCount + exemptCount) / totalResources)
| project policyAssignmentName, scope = policyAssignmentScope,
complianceState = iff(overallStateWeight == 300, 'noncompliant', iff(overallStateWeight == 200, 'compliant', iff(overallStateWeight == 100, 'conflict', iff(overallStateWeight == 50, 'exempt', 'notstarted')))),
compliancePercentage,
compliantCount,
nonCompliantCount,
conflictCount,
exemptCount

az graph query -q "PolicyResources | where type =~ 'Microsoft.PolicyInsights/PolicyStates' | extend complianceState = tostring(properties.complianceState) | extend resourceId = tostring(properties.resourceId), policyAssignmentId = tostring(properties.policyAssignmentId), policyAssignmentScope = tostring(properties.policyAssignmentScope), policyAssignmentName = tostring(properties.policyAssignmentName), policyDefinitionId = tostring(properties.policyDefinitionId), policyDefinitionReferenceId = tostring(properties.policyDefinitionReferenceId), stateWeight = iff(complianceState == 'NonCompliant', int(300), iff(complianceState == 'Compliant', int(200), iff(complianceState == 'Conflict', int(100), iff(complianceState == 'Exempt', int(50), int(0))))) | summarize max(stateWeight) by resourceId, policyAssignmentId, policyAssignmentScope, policyAssignmentName | summarize counts = count() by policyAssignmentId, policyAssignmentScope, max_stateWeight, policyAssignmentName | summarize overallStateWeight = max(max_stateWeight), nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by policyAssignmentId, policyAssignmentScope, policyAssignmentName | extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount) | extend compliancePercentage = iff(totalResources == 0, todouble(100), 100 * todouble(compliantCount + exemptCount) / totalResources) | project policyAssignmentName, scope = policyAssignmentScope, complianceState = iff(overallStateWeight == 300, 'noncompliant', iff(overallStateWeight == 200, 'compliant', iff(overallStateWeight == 100, 'conflict', iff(overallStateWeight == 50, 'exempt', 'notstarted')))), compliancePercentage, compliantCount, nonCompliantCount, conflictCount, exemptCount"
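The roll-up this query performs, reimplemented in plain Python as an added example (not part of the Azure documentation) over constructed PolicyStates records with hypothetical assignment and resource IDs, so that the per-resource max-weight rule and the percentage formula can be checked without a tenant:

```python
from collections import defaultdict

# Same weights the KQL query assigns in stateWeight; the highest wins per resource.
STATE_WEIGHT = {"NonCompliant": 300, "Compliant": 200, "Conflict": 100, "Exempt": 50}
WEIGHT_LABEL = {300: "noncompliant", 200: "compliant", 100: "conflict", 50: "exempt"}


def summarize_by_assignment(states):
    """states: records shaped like the PolicyStates 'properties' fields used by the
    query. Returns {policyAssignmentId: summary} mirroring the query's projection."""
    # summarize max(stateWeight) by resourceId, policyAssignmentId
    max_weight = {}
    for s in states:
        key = (s["policyAssignmentId"], s["resourceId"])
        max_weight[key] = max(max_weight.get(key, 0), STATE_WEIGHT.get(s["complianceState"], 0))
    # summarize counts = count() by policyAssignmentId, max_stateWeight
    buckets = defaultdict(lambda: defaultdict(int))
    for (assignment, _resource), w in max_weight.items():
        buckets[assignment][w] += 1
    result = {}
    for assignment, counts in buckets.items():
        nc, c, cf, ex = (counts.get(w, 0) for w in (300, 200, 100, 50))
        total = float(nc + c + cf + ex)  # weight-0 ('notstarted') resources are not counted
        # Exempt resources count toward the compliance percentage, as in the query.
        pct = 100.0 if total == 0 else 100 * (c + ex) / total
        result[assignment] = {
            "complianceState": WEIGHT_LABEL.get(max(counts), "notstarted"),
            "compliancePercentage": pct, "compliantCount": c, "nonCompliantCount": nc,
            "conflictCount": cf, "exemptCount": ex,
        }
    return result


def sample_states():
    """Constructed PolicyStates rows (hypothetical IDs): vm1 is NonCompliant for one
    definition and Compliant for another, so it must roll up as noncompliant."""
    a, b = "/assign/a", "/assign/b"
    return [
        {"policyAssignmentId": a, "resourceId": "/vm1", "complianceState": "NonCompliant"},
        {"policyAssignmentId": a, "resourceId": "/vm1", "complianceState": "Compliant"},
        {"policyAssignmentId": a, "resourceId": "/vm2", "complianceState": "Compliant"},
        {"policyAssignmentId": a, "resourceId": "/vm3", "complianceState": "Exempt"},
        {"policyAssignmentId": b, "resourceId": "/sa1", "complianceState": "Compliant"},
    ]


if __name__ == "__main__":
    for name, row in summarize_by_assignment(sample_states()).items():
        print(name, row)
```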

Compliance by resource type

Provides the compliance state, compliance percentage, and resource counts for each resource type.

PolicyResources
| where type =~ 'Microsoft.PolicyInsights/PolicyStates'
| extend complianceState = tostring(properties.complianceState)
| extend
  resourceId = tostring(properties.resourceId),
  resourceType = tolower(tostring(properties.resourceType)),
  policyAssignmentId = tostring(properties.policyAssignmentId),
  policyDefinitionId = tostring(properties.policyDefinitionId),
  policyDefinitionReferenceId = tostring(properties.policyDefinitionReferenceId),
  stateWeight = iff(complianceState == 'NonCompliant', int(300), iff(complianceState == 'Compliant', int(200), iff(complianceState == 'Conflict', int(100), iff(complianceState == 'Exempt', int(50), int(0)))))
| summarize max(stateWeight) by resourceId, resourceType
| summarize counts = count() by resourceType, max_stateWeight
| summarize overallStateWeight = max(max_stateWeight),
nonCompliantCount = sumif(counts, max_stateWeight == 300),
compliantCount = sumif(counts, max_stateWeight == 200),
conflictCount = sumif(counts, max_stateWeight == 100),
exemptCount = sumif(counts, max_stateWeight == 50) by resourceType
| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)
| extend compliancePercentage = iff(totalResources == 0, todouble(100), 100 * todouble(compliantCount + exemptCount) / totalResources)
| project resourceType,
overAllComplianceState = iff(overallStateWeight == 300, 'noncompliant', iff(overallStateWeight == 200, 'compliant', iff(overallStateWeight == 100, 'conflict', iff(overallStateWeight == 50, 'exempt', 'notstarted')))),
compliancePercentage,
compliantCount,
nonCompliantCount,
conflictCount,
exemptCount

az graph query -q "PolicyResources | where type =~ 'Microsoft.PolicyInsights/PolicyStates' | extend complianceState = tostring(properties.complianceState) | extend resourceId = tostring(properties.resourceId), resourceType = tolower(tostring(properties.resourceType)), policyAssignmentId = tostring(properties.policyAssignmentId), policyDefinitionId = tostring(properties.policyDefinitionId), policyDefinitionReferenceId = tostring(properties.policyDefinitionReferenceId), stateWeight = iff(complianceState == 'NonCompliant', int(300), iff(complianceState == 'Compliant', int(200), iff(complianceState == 'Conflict', int(100), iff(complianceState == 'Exempt', int(50), int(0))))) | summarize max(stateWeight) by resourceId, resourceType | summarize counts = count() by resourceType, max_stateWeight | summarize overallStateWeight = max(max_stateWeight), nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by resourceType | extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount) | extend compliancePercentage = iff(totalResources == 0, todouble(100), 100 * todouble(compliantCount + exemptCount) / totalResources) | project resourceType, overAllComplianceState = iff(overallStateWeight == 300, 'noncompliant', iff(overallStateWeight == 200, 'compliant', iff(overallStateWeight == 100, 'conflict', iff(overallStateWeight == 50, 'exempt', 'notstarted')))), compliancePercentage, compliantCount, nonCompliantCount, conflictCount, exemptCount"

List all non-compliant resources

Provides a list of all resources, of any resource type, that are in the NonCompliant state.

PolicyResources
| where type == 'microsoft.policyinsights/policystates'
| where properties.complianceState == 'NonCompliant'
| extend NonCompliantResourceId = properties.resourceId, PolicyAssignmentName = properties.policyAssignmentName

az graph query -q "PolicyResources | where type == 'microsoft.policyinsights/policystates' | where properties.complianceState == 'NonCompliant' | extend NonCompliantResourceId = properties.resourceId, PolicyAssignmentName = properties.policyAssignmentName"

Summarize resource compliance by state

Details the count of resources in each compliance state.

PolicyResources
| where type == 'microsoft.policyinsights/policystates'
| extend complianceState = tostring(properties.complianceState)
| summarize count() by complianceState

az graph query -q "PolicyResources | where type == 'microsoft.policyinsights/policystates' | extend complianceState = tostring(properties.complianceState) | summarize count() by complianceState"

Summarize resource compliance by state per location

Details the count of resources in each compliance state, per location.

PolicyResources
| where type == 'microsoft.policyinsights/policystates'
| extend complianceState = tostring(properties.complianceState)
| extend resourceLocation = tostring(properties.resourceLocation)
| summarize count() by resourceLocation, complianceState

az graph query -q "PolicyResources | where type == 'microsoft.policyinsights/policystates' | extend complianceState = tostring(properties.complianceState) | extend resourceLocation = tostring(properties.resourceLocation) | summarize count() by resourceLocation, complianceState"

Compliance state of all policy assignments

This query gets the compliance state of all policies. It differs from "Compliance state by policy assignment" because it still shows results for policies that have no resources in the selected scope. Those policies are shown as "compliant".

Note

To simulate the UX behavior when a management group scope is selected, set the authorization scope filter to "atScopeAndAbove"; otherwise use "AtScopeAboveAndBelow". For more information, see "Understand the query language - Azure Resource Graph". The purpose is to limit the number of results returned when a management group scope is selected.

policyResources
    | where type =~ 'Microsoft.Authorization/PolicyAssignments'
    | project assignmentId = tolower(id), policyDefinitionId = tolower(properties.policyDefinitionId), policyAssignmentScope = tolower(properties.scope)
    | join kind = leftouter (
        policyresources
        | where type == 'microsoft.authorization/policysetdefinitions'
        | project policySetDefinitionId = tolower(id), policyDefinitions = properties.policyDefinitions
        | mv-expand policyDefinitions limit 2000
        // lower-case the member definition id so it matches the lower-cased ids used as join keys below
        | project policySetDefinitionId, policyDefinitionId = tolower(policyDefinitions.policyDefinitionId), policyDefinitionReferenceId = tolower(policyDefinitions.policyDefinitionReferenceId)
    ) on $left.policyDefinitionId == $right.policySetDefinitionId
    | project assignmentId, policyDefinitionId = coalesce(policyDefinitionId1, policyDefinitionId), policySetDefinitionId, policyDefinitionReferenceId
    | join kind = leftouter (
        policyResources
        | where type =~ 'Microsoft.PolicyInsights/PolicyStates'
        | project assignmentId = tolower(properties.policyAssignmentId),
            policyDefinitionId = tolower(properties.policyDefinitionId),
            policySetDefinitionId = tolower(properties.policySetDefinitionId),
            policyDefinitionReferenceId = tolower(properties.policyDefinitionReferenceId),
            stateWeight = toint(properties.stateWeight)
        | summarize max_stateWeight = max(stateWeight) by assignmentId, policyDefinitionId, policySetDefinitionId, policyDefinitionReferenceId
        | project assignmentId, policyDefinitionId, policySetDefinitionId, policyDefinitionReferenceId, complianceState = case(max_stateWeight == 300, 'noncompliant', max_stateWeight == 200, 'compliant', max_stateWeight == 150, 'error', max_stateWeight == 100, 'conflict', max_stateWeight == 50, 'exempt', max_stateWeight == 10, 'unknown', max_stateWeight == 0, 'notapplicable', 'notapplicable')
    ) on assignmentId and policySetDefinitionId and policyDefinitionId and policyDefinitionReferenceId
    | project complianceState = coalesce(complianceState, 'compliant')
    | summarize complianceCount = count() by complianceState

The logic of the query is:

  1. Get all assignments
  2. Left outer join the policy (policy set) assignments with their corresponding definitions. This is a left outer join so that every policy assignment is kept.
  3. Expand the initiatives so that there is one record for each policy in the initiative.
  4. Join the expanded records with the policy states

This gives a count of the compliance state of all assigned policies, even if a policy has no resources in scope or is part of an initiative.

To achieve a similar result with the API, call List Assignments (Policy Assignments - List - REST API (Azure Policy)) and List Policy Set Definitions (Policy Set Definitions - List - REST API (Azure Policy)) at the scope being queried and above. Then run logic similar to the query to combine this data with the results of a List Policy States call (Policy States - List Query Results For Subscription - REST API (Azure Policy)) for the scope being viewed.
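The four steps above, as an added Python example that is not part of the Azure documentation; the assignment, initiative and policy-state records are constructed with hypothetical IDs, and an empty string stands in for the null join keys of a direct (non-initiative) assignment:

```python
from collections import Counter

# Labels for max(stateWeight), as in the query's case() expression.
WEIGHT_LABEL = {300: "noncompliant", 200: "compliant", 150: "error", 100: "conflict",
                50: "exempt", 10: "unknown", 0: "notapplicable"}


def expand_assignments(assignments, policy_sets):
    """Steps 1-3: one (assignmentId, policyDefinitionId, policySetDefinitionId,
    policyDefinitionReferenceId) row per policy, expanding initiatives."""
    rows = []
    for a in assignments:
        members = policy_sets.get(a["definitionId"])
        if members is None:  # direct policy assignment survives the left outer join as-is
            rows.append((a["id"], a["definitionId"], "", ""))  # "" stands for the null join keys
        else:  # initiative assignment: mv-expand yields one row per member definition
            for m in members:
                rows.append((a["id"], m["policyDefinitionId"], a["definitionId"],
                             m["policyDefinitionReferenceId"]))
    return rows


def compliance_counts(assignments, policy_sets, states):
    """Step 4: join the expanded rows with max(stateWeight) per key; a row with no
    policy state is coalesced to 'compliant', exactly as the query does."""
    max_weight = {}
    for s in states:
        key = (s["assignmentId"], s["policyDefinitionId"],
               s["policySetDefinitionId"], s["policyDefinitionReferenceId"])
        max_weight[key] = max(max_weight.get(key, -1), s["stateWeight"])
    counts = Counter()
    for row in expand_assignments(assignments, policy_sets):
        label = WEIGHT_LABEL.get(max_weight[row], "notapplicable") if row in max_weight else "compliant"
        counts[label] += 1
    return dict(counts)


def sample_data():
    """Constructed records (hypothetical IDs): a direct assignment with a NonCompliant
    state, and an initiative whose second member policy has no resources in scope."""
    assignments = [{"id": "/assign/a1", "definitionId": "/def/p1"},
                   {"id": "/assign/a2", "definitionId": "/set/s1"}]
    policy_sets = {"/set/s1": [{"policyDefinitionId": "/def/p2", "policyDefinitionReferenceId": "ref-p2"},
                               {"policyDefinitionId": "/def/p3", "policyDefinitionReferenceId": "ref-p3"}]}
    states = [{"assignmentId": "/assign/a1", "policyDefinitionId": "/def/p1",
               "policySetDefinitionId": "", "policyDefinitionReferenceId": "", "stateWeight": 300},
              {"assignmentId": "/assign/a2", "policyDefinitionId": "/def/p2",
               "policySetDefinitionId": "/set/s1", "policyDefinitionReferenceId": "ref-p2", "stateWeight": 200}]
    return assignments, policy_sets, states
```

The member policy with no evaluated resources still appears in the count, as "compliant", which is the behaviour the section describes.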

Compliance state of all initiative assignments

This query gets the compliance state of all initiatives. It differs from "Compliance state by policy assignment" because it still shows results for initiatives that have no resources in the selected scope. Those initiatives are shown as "compliant".

Note

To simulate the UX behavior when a management group scope is selected, set the authorization scope filter to "atScopeAndAbove"; otherwise use "AtScopeAboveAndBelow". For more information, see "Understand the query language - Azure Resource Graph". The purpose is to limit the number of results returned when a management group scope is selected.

policyResources
    | where type =~ 'Microsoft.Authorization/PolicyAssignments'
    | project assignmentId = tolower(id), definitionId = tolower(properties.policyDefinitionId), policyAssignmentScope = tolower(properties.scope)
    | join kind = inner (
        policyresources
        | where type == 'microsoft.authorization/policysetdefinitions'
        | project definitionId = tolower(id)
    ) on $left.definitionId == $right.definitionId
    | project assignmentId
    | join kind = leftouter (
        policyResources
        | where type =~ 'Microsoft.PolicyInsights/PolicyStates'
        | where properties.policySetDefinitionId != ""
        | project assignmentId = tolower(properties.policyAssignmentId), stateWeight = toint(properties.stateWeight)
        | summarize max_stateWeight = max(stateWeight) by assignmentId
        | project assignmentId, complianceState = case(max_stateWeight == 300, 'noncompliant', max_stateWeight == 200, 'compliant', max_stateWeight == 150, 'error', max_stateWeight == 100, 'conflict', max_stateWeight == 50, 'exempt', max_stateWeight == 10, 'unknown', max_stateWeight == 0, 'notapplicable', 'notapplicable')
    ) on $left.assignmentId == $right.assignmentId
    | project complianceState = coalesce(complianceState, 'compliant')
    | summarize complianceCount = count() by complianceState

The logic of the query is:

  1. Get all assignments
  2. Inner join the initiative assignments with their definitions. This is an inner join so that the returned data is limited to initiative assignments.
  3. Join the initiative records with the policy states

This gives a count of the compliance state of all assigned initiatives, even if the policies in those initiatives have no resources in scope.

To achieve a similar result with the API, call List Assignments (Policy Assignments - List - REST API (Azure Policy) | Microsoft Learn) and List Policy Set Definitions (Policy Set Definitions - List - REST API (Azure Policy) | Microsoft Learn) at the scope being queried and above. Then run logic similar to the query to combine this data with the results of a List Policy States call (Policy States - List Query Results For Subscription - REST API (Azure Policy) | Microsoft Learn) for the scope you are currently viewing.

Azure Policy exemptions

Count of policy exemptions per assignment

Lists the count of exemptions per assignment.

PolicyResources
| where type == 'microsoft.authorization/policyexemptions'
| summarize count() by tostring(properties.policyAssignmentId)

The --management-groups argument is used with an Azure management group ID or a tenant ID. In this example, the tenantid variable stores the tenant ID.

tenantid="$(az account show --query tenantId --output tsv)"
az graph query -q "policyresources | where type == 'microsoft.authorization/policyexemptions' | summarize count() by tostring(properties.policyAssignmentId)" --management-groups $tenantid

Policy exemptions expiring within 90 days

Lists the name (exemption ID), display name, and expiration date.

PolicyResources
| where type == 'microsoft.authorization/policyexemptions'
| extend expiresOnC = todatetime(properties.expiresOn)
| where isnotnull(expiresOnC)
| where expiresOnC >= now() and expiresOnC < now(+90d)
| project name, properties.displayName, expiresOnC

az graph query -q "PolicyResources | where type == 'microsoft.authorization/policyexemptions' | extend expiresOnC = todatetime(properties.expiresOn) | where isnotnull(expiresOnC) | where expiresOnC >= now() and expiresOnC < now(+90d) | project name, properties.displayName, expiresOnC"

Next steps