Determine causes of non-compliance

04/26/2019
7 minutes to read

When an Azure resource is determined to be non-compliant to a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

Compliance details
Change history (Preview)

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

Resource details such as name, type, location, and resource ID
Compliance state and timestamp of the last evaluation for the current policy assignment
A list of reasons for the resource non-compliance

Important

As the compliance details for a Non-compliant resource shows the current value of properties on that resource, the user must have read operation to the type of resource. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines then the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.
On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.
Under the Resource compliance tab of the Policy compliance page, right-click or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.
The Compliance details pane displays information from the latest evaluation of the resource to the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

Example partial deployIfNotExists definition:
```
{
    "if": {
        "field": "type",
        "equals": "[parameters('resourceType')]"
    },
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": "Microsoft.Insights/metricAlerts",
            "existenceCondition": {
                "field": "name",
                "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
            },
            "existenceScope": "subscription",
            "deployment": {
                ...
            }
        }
    }
}
```

Note

To protect data, when a property value is a secret the current value displays asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant. For that information, see Change history (Preview) below.

Compliance reasons

The following matrix maps each possible reason to the responsible condition in the policy definition:

Reason	Condition
Current value must contain the target value as a key.	containsKey or not notContainsKey
Current value must contain the target value.	contains or not notContains
Current value must be equal to the target value.	equals or not notEquals
Current value must be less than the target value.	less or not greaterOrEquals
Current value must be greater than or equal to the target value.	greaterOrEquals or not less
Current value must be greater than the target value.	greater or not lessOrEquals
Current value must be less than or equal to the target value.	lessOrEquals or not greater
Current value must exist.	exists
Current value must be in the target value.	in or not notIn
Current value must be like the target value.	like or not notLike
Current value must case-sensitive match the target value.	match or not notMatch
Current value must case-insensitive match the target value.	matchInsensitively or not notMatchInsensitively
Current value must not contain the target value as a key.	notContainsKey or not containsKey
Current value must not contain the target value.	notContains or not contains
Current value must not be equal to the target value.	notEquals or not equals
Current value must not exist.	not exists
Current value must not be in the target value.	notIn or not in
Current value must not be like the target value.	notLike or not like
Current value must not case-sensitive match the target value.	notMatch or not match
Current value must not case-insensitive match the target value.	notMatchInsensitively or not matchInsensitively
No related resources match the effect details in the policy definition.	A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist.

Compliance details for Guest Configuration

For audit policies in the Guest Configuration category, there could be multiple settings evaluated inside the VM and you'll need to view per-setting details. For example, if you're auditing for a list of installed applications and the assignment status is Non-compliant, you'll need to know which specific applications are missing.

You also might not have access to sign in to the VM directly but you need to report on why the VM is Non-compliant. For example, you might audit that VMs are joined to the correct domain and include the current domain membership in the reporting details.

Azure portal

Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.
On the Overview or Compliance page, select a policy assignment for any initiative that contains a Guest Configuration policy definition that's Non-compliant.
Select an audit policy in the initiative that's Non-compliant.
On the Resource compliance tab, the following information is provided:
- Name - The name of the Guest Configuration Assignments.
- Parent Resource - The virtual machine in a Non-Compliant state for the selected Guest Configuration assignment.
- Resource Type - The guestConfigurationAssignments full name.
- Last Evaluated - The last time the Guest Configuration service notified Azure Policy about the state of the target virtual machine.
Select the Guest Configuration Assignment name in the Name column to open the Resource Compliance page.
Select the View Resource button at the top of the page to open the Guest Assignment page.

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the virtual machine. In the Reason column, a phrase describing why the Guest Assignment is Non-compliant is shown. For example, if you're auditing that VMs should be joined to a domain, the Reason column would display text including the current domain membership.

View compliance details

Azure PowerShell

You can also view compliance details from Azure PowerShell. First, make sure you have the Guest Configuration module installed.

Install-Module Az.GuestConfiguration

You can view the current status of all Guest Assignments for a VM using the following command:

Get-AzVMGuestPolicyReport -ResourceGroupName <resourcegroupname> -VMName <vmname>

PolicyDisplayName                                                         ComplianceReasons
-----------------                                                         -----------------
Audit that an application is installed inside Windows VMs                 {[InstalledApplication]bwhitelistedapp}
Audit that an application is not installed inside Windows VMs.            {[InstalledApplication]NotInstalledApplica...

To view only the reason phrase that describes why the VM is Non-compliant, return only the Reason child property.

Get-AzVMGuestPolicyReport -ResourceGroupName <resourcegroupname> -VMName <vmname> | % ComplianceReasons | % Reasons | % Reason

The following applications are not installed: '<name>'.

You can also output a compliance history for Guest Assignments in scope for the virtual machine. The output from this command includes the details of each report for the VM.

Note

The output may return a large volume of data. It's recommended to store the output in a variable.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname>
$guestHistory

PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
[Preview]: Audit that an application is installed inside Windows VMs      NonCompliant                       02/10/2019 12:00:38 PM 02/10/2019 12:00:41 PM VM01  ../17fg0...
<truncated>

To simplify this view, use the ShowChanged parameter. The output from this command only includes the reports that followed a change in compliance status.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname> -ShowChanged
$guestHistory

PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/10/2019 10:00:38 PM 02/10/2019 10:00:41 PM VM01  ../12ab0...
Audit that an application is installed inside Windows VMs.                Compliant                          02/09/2019 11:00:38 AM 02/09/2019 11:00:39 AM VM01  ../e3665...
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/09/2019 09:00:20 AM 02/09/2019 09:00:23 AM VM01  ../15ze1...

Change history (Preview)

As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when the Resource Manager properties are added, removed, or altered.

Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.
On the Overview or Compliance page, select a policy in any compliance state.
Under the Resource compliance tab of the Policy compliance page, select a resource.
Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, are displayed.
Select one of the detected changes. The visual diff for the resource is presented on the Change history page.

The visual diff aides in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.

Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.

Next steps

Review examples at Azure Policy samples.
Review the Azure Policy definition structure.
Review Understanding policy effects.
Understand how to programmatically create policies.
Learn how to get compliance data.
Learn how to remediate non-compliant resources.
Review what a management group is with Organize your resources with Azure management groups.