
Quickstart: Create a policy assignment to identify non-compliant resources using Azure PowerShell

The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify virtual machines that aren't using managed disks. When complete, you'll be able to identify the virtual machines that are non-compliant.

The Azure PowerShell module is used to manage Azure resources from the command line or in scripts. This guide explains how to use the Az module to create a policy assignment.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.

  • Before you start, make sure that the latest version of Azure PowerShell is installed. See Install Azure PowerShell module for detailed information.

  • Register the Azure Policy Insights resource provider using Azure PowerShell. Registering the resource provider makes sure that your subscription works with it. To register a resource provider, you must have permission for the register resource provider operation. This operation is included in the Contributor and Owner roles. Run the following command to register the resource provider:

    # Register the resource provider if it's not already registered
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

    For more information about registering and viewing resource providers, see Resource Providers and Types.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything in your local environment.

To start Azure Cloud Shell, use one of the following options:

  • Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.

  • Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.

  • Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

Create a policy assignment

In this quickstart, you create a policy assignment for the Audit VMs without managed disks definition. This policy definition identifies virtual machines that aren't using managed disks.

Run the following commands to create a new policy assignment:

# Get a reference to the resource group that is the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'

# Get a reference to the built-in policy definition to assign
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition

The preceding commands use the following information:

  • Name - The actual name of the assignment. For this example, audit-vm-manageddisks was used.
  • DisplayName - The display name for the policy assignment. In this case, you're using Audit VMs without managed disks Assignment.
  • Definition - The policy definition on which the assignment is based. In this case, it's the ID of the policy definition Audit VMs that do not use managed disks.
  • Scope - A scope determines which resources or grouping of resources the policy assignment is enforced on. It can range from a subscription down to a resource group. Be sure to replace <resourceGroupName> with the name of your resource group.

You're now ready to identify non-compliant resources to understand the compliance state of your environment.

Identify non-compliant resources

Use the following information to identify resources that aren't compliant with the policy assignment you created. Run the following command:

# Get the resources in your resource group that are non-compliant to the policy assignment
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'

For more information about getting policy state, see Get-AzPolicyState.
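The create and identify steps above are shown as separate one-liners. The following script is an added example, not part of the original article, that carries both steps through with the checks a practitioner would want: confirming the Microsoft.PolicyInsights provider is registered, insisting on exactly one definition match, creating the assignment only if it doesn't already exist, and requesting an on-demand compliance scan before reading state. It assumes you've already signed in with Connect-AzAccount; $ResourceGroupName is a parameter you supply.

```powershell
# Added example (not from the original article). Assumes an active Az session
# and an existing resource group passed as -ResourceGroupName.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $AssignmentName = 'audit-vm-manageddisks',
    [string] $DefinitionDisplayName = 'Audit VMs that do not use managed disks'
)
$ErrorActionPreference = 'Stop'

# 1. Policy state queries return nothing useful if Microsoft.PolicyInsights
#    isn't registered, so check the registration state before going further.
$provider = Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
if ($provider.RegistrationState -notcontains 'Registered') {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' | Out-Null
}

# 2. Resolve the built-in definition by display name and require exactly one
#    match, so a renamed or duplicated definition can't silently assign the wrong policy.
$definition = @(Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $DefinitionDisplayName })
if ($definition.Count -ne 1) {
    throw "Expected exactly one definition named '$DefinitionDisplayName', found $($definition.Count)."
}

# 3. Create the assignment only if it doesn't already exist (re-running is safe).
$rg = Get-AzResourceGroup -Name $ResourceGroupName
$assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $rg.ResourceId `
    -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name $AssignmentName `
        -DisplayName 'Audit VMs without managed disks Assignment' `
        -Scope $rg.ResourceId -PolicyDefinition $definition[0]
}

# 4. Evaluation runs on a schedule; request an on-demand scan so the results
#    reflect the assignment you just created rather than the last periodic run.
Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroupName | Out-Null

# 5. List the non-compliant resources and summarise them for a report.
$states = Get-AzPolicyState -ResourceGroupName $ResourceGroupName `
    -PolicyAssignmentName $AssignmentName -Filter 'IsCompliant eq false'
$states | Select-Object ResourceId, PolicyDefinitionAction, Timestamp | Format-Table -AutoSize
"Non-compliant resources: $(@($states).Count)"
```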

Your results resemble the following example:

Timestamp                   : 3/9/19 9:21:29 PM
ResourceId                  : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmId}
PolicyAssignmentId          : /subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/audit-vm-manageddisks
PolicyDefinitionId          : /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d
IsCompliant                 : False
SubscriptionId              : {subscriptionId}
ResourceType                : /Microsoft.Compute/virtualMachines
ResourceTags                : tbd
PolicyAssignmentName        : audit-vm-manageddisks
PolicyAssignmentOwner       : tbd
PolicyAssignmentScope       : /subscriptions/{subscriptionId}
PolicyDefinitionName        : 06a78e20-9358-41c9-923c-fb736d382a4d
PolicyDefinitionAction      : audit
PolicyDefinitionCategory    : Compute
ManagementGroupIds          : {managementGroupId}

The results match what you see in the Resource compliance tab of a policy assignment in the Azure portal view.

Clean up resources

To remove the assignment you created, use the following command:

# Removes the policy assignment
Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'

Next steps

In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: