Export Azure Policy resources

This article provides information on how to export your existing Azure Policy resources. Exporting your resources is useful and recommended for backup, and it is also an important step toward cloud governance and managing your policies as code. Azure Policy resources can be exported through the Azure portal, Azure CLI, Azure PowerShell, and each of the supported SDKs.

Export with Azure portal

Note

Exporting Azure Policy resources from the Azure portal isn't available for Azure sovereign clouds.

To export a policy definition from Azure portal, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. Select Definitions on the left side of the Azure Policy page.

  3. Use the Export definitions button or select the ellipsis on the row of a policy definition and then select Export definition.

  4. Select the Sign in with GitHub button. If you haven't yet authenticated with GitHub to authorize Azure Policy to export the resource, review the access the GitHub Action needs in the new window that opens and select Authorize AzureGitHubActions to continue with the export process. Once complete, the new window self-closes.

  5. On the Basics tab, set the following options, then select the Policies tab or Next : Policies button at the bottom of the page.

    • Repository filter: Set to My repositories to see only repositories you own or All repositories to see all you granted the GitHub Action access to.
    • Repository: Set to the repository that you want to export the Azure Policy resources to.
    • Branch: Set the branch in the repository. Using a branch other than the default is a good way to validate your updates before merging further into your source code.
    • Directory: The root level folder to export the Azure Policy resources to. Subfolders under this directory are created based on what resources are exported.

  6. On the Policies tab, set the scope to search by selecting the ellipsis and picking a combination of management groups, subscriptions, or resource groups.

  7. Use the Add policy definition(s) button to search the scope for which objects to export. In the side window that opens, select each object to export. Filter the selection by the search box or the type. Once you've selected all objects to export, use the Add button at the bottom of the page.

  8. For each selected object, select the desired export options such as Only Definition or Definition and Assignment(s) for a policy definition. Then select the Review + Export tab or Next : Review + Export button at the bottom of the page.

    Note

    If the Definition and Assignment(s) option is chosen, only policy assignments within the scope set by the filter when the policy definition is added are exported.

  9. On the Review + Export tab, check the details match and then use the Export button at the bottom of the page.

  10. Check your GitHub repo, branch, and root level folder to see that the selected resources are now exported to your source control.

The Azure Policy resources are exported into the following structure within the selected GitHub repository and root level folder:

|
|- <root level folder>/  ________________ # Root level folder set by Directory property
|  |- policies/  ________________________ # Subfolder for policy objects
|     |- <displayName>_<name>____________ # Subfolder based on policy displayName and name properties
|        |- policy.json _________________ # Policy definition
|        |- assign.<displayName>_<name>__ # Each assignment (if selected) based on displayName and name properties
|

Export with Azure CLI

Azure Policy definitions, initiatives, and assignments can each be exported as JSON with Azure CLI. Each of these commands uses a name parameter to specify which object to get the JSON for. The name property is often a GUID and isn't the displayName of the object.

Here is an example of getting the JSON for a policy definition with name of VirtualMachineStorage:

az policy definition show --name 'VirtualMachineStorage'
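
For a backup of every custom definition rather than one object, the following added example (not part of the original article or Microsoft's tooling) takes the JSON array that `az policy definition list` returns and writes it into the `policies/<displayName>_<name>/policy.json` layout shown above. The helper names `safe_component` and `export_definitions`, the sample data, and the way display names are reduced to safe folder names are assumptions made for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample shaped like `az policy definition list` output (not real data).
SAMPLE = json.loads("""[
  {"name": "VirtualMachineStorage", "displayName": "VM storage: allowed SKUs",
   "policyType": "Custom", "mode": "All",
   "policyRule": {"if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                  "then": {"effect": "audit"}}},
  {"name": "0a1b2c3d-0000-0000-0000-000000000000", "displayName": "../../escape",
   "policyType": "Custom", "mode": "Indexed",
   "policyRule": {"if": {"field": "location", "notIn": ["westeurope"]},
                  "then": {"effect": "deny"}}},
  {"name": "builtin-example", "displayName": "Built-in example",
   "policyType": "BuiltIn", "mode": "All", "policyRule": {}}
]""")


def safe_component(text):
    """Reduce a value to one path component: no separators, no leading dots."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "-", text).strip("-.")
    return cleaned or "unnamed"


def export_definitions(definitions, root):
    """Write each custom definition to <root>/policies/<displayName>_<name>/policy.json."""
    base = (Path(root) / "policies").resolve()
    written = []
    for d in definitions:
        if d.get("policyType") != "Custom":
            continue  # built-in definitions are not yours to restore; skip them
        folder = f"{safe_component(d.get('displayName') or '')}_{safe_component(d['name'])}"
        target = (base / folder / "policy.json").resolve()
        if base not in target.parents:  # display names are user-controlled text
            raise ValueError(f"refusing to write outside {base}: {target}")
        target.parent.mkdir(parents=True, exist_ok=True)
        # Sorted keys and fixed indent keep the file stable, so git diffs show real changes.
        target.write_text(json.dumps(d, indent=2, sort_keys=True) + "\n", encoding="utf-8")
        written.append(target.relative_to(base.parent).as_posix())
    return sorted(written)


if __name__ == "__main__":
    # Real use: save `az policy definition list` output to a file and json.load it here.
    with tempfile.TemporaryDirectory() as tmp:
        for path in export_definitions(SAMPLE, tmp):
            print(path)
```
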

Export with Azure PowerShell

Azure Policy definitions, initiatives, and assignments can each be exported as JSON with Azure PowerShell. Each of these cmdlets uses a Name parameter to specify which object to get the JSON for. The Name property is often a GUID and isn't the displayName of the object.

Here is an example of getting the JSON for a policy definition with Name of VirtualMachineStorage:

Get-AzPolicyDefinition -Name 'VirtualMachineStorage' | ConvertTo-Json -Depth 10
