Azure policy for auditing trial subscriptions

Sparsh Raj 20 Reputation points
2024-04-17T15:26:21.7566667+00:00

My team is trying to create an audit effect Azure policy to audit any trial subscriptions. The goal of our policy is to show all the trial subscriptions as non-compliant.

Below is the JSON template we were able to come up with. We are testing for "Enterprise Agreement" as we don't have any trial subscriptions present in our environment.

The policy definition is getting saved successfully but all of the "Enterprise Agreement" subscriptions are showing as non-compliant.

Can anyone help with what's wrong with our logic or is it even possible to create a policy for our use case?

{
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Subscription/SubscriptionDefinitions",
          "existenceCondition": {
            "field": "Microsoft.Subscription/SubscriptionDefinitions/offerType",
            "equals": "Enterprise Agreement"
          }
        }
      }
    },
    "parameters": {}
  }

Accepted answer
  1. Prashant Kumar 75 Reputation points Microsoft Employee
    2024-04-19T10:00:44.8766667+00:00

    Hi Sparsh

    Due to the unavailability of a policy alias, the policy cannot be applied to audit the subscription offer type.

    Since your goal is to list all Trial subscriptions, you can use Azure Resource Graph (https://learn.microsoft.com/en-us/azure/governance/resource-graph/overview) as an easy alternative to get the list of Trial subscriptions or any other type.

    Since using ARG, the REST API or other clients we can get only the Quota ID and not the offer type, we have used the filter on Quota ID in the query below. The Quota ID is unique for every offer name and number, so you can easily query them and match them with the offer details mentioned here: https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/understand-cost-mgt-data#supported-microsoft-azure-offers

    Category      | Offer Name  | Quota ID             | Offer Number | Data Available From
    Pay-as-you-go | Free Trial² | FreeTrial_2014-09-01 | MS-AZR-0044P | October 2, 2018

    Query:

    resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | where properties.subscriptionPolicies.quotaId contains "FreeTrial" // comment: remove this line if you want to fetch all the subscription details
    | project subscriptionId, id, name, tenantId, state = properties.state, Quota = properties.subscriptionPolicies.quotaId
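The accepted answer's approach, as an added example that is not part of this thread or of Microsoft's tooling: a small Python script that builds the same Azure Resource Graph query, applies the same `contains "FreeTrial"` filter offline to rows shaped like the query's projected output (so the logic can be checked without a login), and maps the quota ID to the offer name and number from the table above. The sample rows, the `run_query_with_az_cli` helper (which assumes the `az graph query` command from the resource-graph extension and JSON output with the rows under `data`), and the `build_query` / `find_trial_subscriptions` function names are my own; only the FreeTrial quota ID and offer number come from the thread.

```python
"""Added example (not from the Q&A thread): list trial subscriptions by quota ID.

Azure Policy has no alias for a subscription's offer type, so the accepted
answer queries Azure Resource Graph (ARG) instead, where
properties.subscriptionPolicies.quotaId identifies the offer.
"""
import json
import subprocess
from typing import Dict, List, Optional, Tuple

# Offer mapping taken from the thread's table (Supported Microsoft Azure offers).
QUOTA_TO_OFFER: Dict[str, Tuple[str, str]] = {
    "FreeTrial_2014-09-01": ("Free Trial", "MS-AZR-0044P"),
}

PROJECTION = ("subscriptionId, id, name, tenantId, "
              "state = properties.state, Quota = properties.subscriptionPolicies.quotaId")


def build_query(quota_filter: Optional[str] = "FreeTrial") -> str:
    """Return the ARG (KQL) query from the accepted answer; None drops the quota filter."""
    lines = ['resourcecontainers',
             '| where type == "microsoft.resources/subscriptions"']
    if quota_filter:
        # Escape the value so it stays a single KQL string literal.
        escaped = quota_filter.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'| where properties.subscriptionPolicies.quotaId contains "{escaped}"')
    lines.append(f"| project {PROJECTION}")
    return "\n".join(lines)


def is_trial(row: dict, needle: str = "FreeTrial") -> bool:
    """Mirror KQL `contains` (case-insensitive substring) on the projected Quota column.
    A subscription without subscriptionPolicies yields Quota = None and is not matched."""
    quota = row.get("Quota") or ""
    return needle.lower() in quota.lower()


def find_trial_subscriptions(rows: List[dict], needle: str = "FreeTrial") -> List[Tuple]:
    """Return (subscriptionId, name, quotaId, offerName, offerNumber) for each matching row.
    The offer lookup is exact, so a quota ID not in the table is reported as unknown."""
    report = []
    for row in rows:
        if is_trial(row, needle):
            offer_name, offer_number = QUOTA_TO_OFFER.get(
                row.get("Quota"), ("unknown offer", "unknown"))
            report.append((row["subscriptionId"], row["name"], row["Quota"],
                           offer_name, offer_number))
    return report


def run_query_with_az_cli(query: str) -> List[dict]:
    """Run the query with the Azure CLI (assumption: `az graph query` from the
    resource-graph extension is installed, the user is logged in, and the JSON
    output carries the rows under the "data" key). Not exercised offline."""
    out = subprocess.run(["az", "graph", "query", "-q", query, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["data"]


# Constructed sample rows in the shape the projected ARG query returns.
SAMPLE_ROWS = [
    {"subscriptionId": "00000000-0000-0000-0000-000000000001",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000001",
     "name": "lab-trial", "tenantId": "tenant-a", "state": "Enabled",
     "Quota": "FreeTrial_2014-09-01"},
    {"subscriptionId": "00000000-0000-0000-0000-000000000002",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000002",
     "name": "prod-ea", "tenantId": "tenant-a", "state": "Enabled",
     "Quota": "EnterpriseAgreement_2014-09-01"},  # constructed non-trial quota ID
    {"subscriptionId": "00000000-0000-0000-0000-000000000003",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000003",
     "name": "disabled-trial", "tenantId": "tenant-b", "state": "Disabled",
     "Quota": "freetrial_2014-09-01"},  # case differs: still matched by `contains`
    {"subscriptionId": "00000000-0000-0000-0000-000000000004",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000004",
     "name": "no-policies", "tenantId": "tenant-b", "state": "Enabled",
     "Quota": None},  # subscriptionPolicies missing
]

if __name__ == "__main__":
    print(build_query())
    for sub_id, name, quota, offer, number in find_trial_subscriptions(SAMPLE_ROWS):
        print(f"{sub_id}  {name:<16} {quota:<24} {offer} ({number})")
```

Running the module prints the query and then the two matching sample rows; replace `SAMPLE_ROWS` with `run_query_with_az_cli(build_query())` to run it against a real tenant. The `contains` filter is deliberately loose (it also catches a differently-cased quota ID), while the offer lookup is exact, so anything the table does not list shows up as "unknown offer" rather than being silently dropped.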

1 additional answer

  1. AnuragSingh-MSFT 19,936 Reputation points
    2024-04-18T09:23:32.85+00:00

    @Sparsh Raj Thank you for reaching out to Microsoft Q&A.

    Based on the error, the offerType for the subscriptions is definitely not a match. Could you check for more details of the non-compliance?

    1. In Azure portal --> Policy --> Compliance
    2. Select the not-compliance policy
    3. Click on Details in the "Compliance reason" column.
    4. At the bottom of the blade that appears, you should see the "target" and "current" value under the "Reason for non-compliance" section.

    This should give you an idea of the offerType to use instead. Furthermore, refer to the doc for the Subscription resource definition here - Microsoft.Subscription subscriptionDefinitions.

    According to this doc, the valid offerTypes are in fact the offerIds - for example, MS-AZR-0017P (EnterpriseAgreement) and MS-AZR-0148P (EnterpriseAgreement devTest).

    I would suggest checking the offerId that is available for your subscription using the steps below and use that value instead of "Enterprise Agreement":

    • Sign in to the Azure portal > Navigate to Subscriptions > Select the subscription.
    • That takes you to the subscription page for the selected subscription.
    • Look at the offer ID (offer number) code.

    For details on the offer codes, please see Supported Microsoft Azure offers.

    Hope this helps. Please let us know if you have any questions.
