
Determine causes of non-compliance

When an Azure resource is determined to be non-compliant with a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource non-compliance

Important

Because the compliance details for a Non-compliant resource show the current values of properties on that resource, the user must have the read operation for that resource type. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines, the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, right-click or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.

    View compliance details option

  4. The Compliance details pane displays information from the latest evaluation of the resource against the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    Compliance details pane and reasons for non-compliance

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

    {
        "if": {
            "field": "type",
            "equals": "[parameters('resourceType')]"
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Insights/metricAlerts",
                "existenceCondition": {
                    "field": "name",
                    "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
                },
                "existenceScope": "subscription",
                "deployment": {
                    ...
                }
            }
        }
    }
    

    Compliance details pane for *ifNotExists

Note

To protect data, when a property value is a secret, the current value displays asterisks.

These details explain why a resource is currently non-compliant, but they don't show when the change that caused the non-compliance was made to the resource. For that information, see Change history (Preview) below.

Compliance reasons

The following matrix maps each possible reason to the responsible condition in the policy definition:

Reason                                                                   Condition
------                                                                   ---------
Current value must contain the target value as a key.                    containsKey or not notContainsKey
Current value must contain the target value.                             contains or not notContains
Current value must be equal to the target value.                         equals or not notEquals
Current value must be less than the target value.                        less or not greaterOrEquals
Current value must be greater than or equal to the target value.         greaterOrEquals or not less
Current value must be greater than the target value.                     greater or not lessOrEquals
Current value must be less than or equal to the target value.            lessOrEquals or not greater
Current value must exist.                                                exists
Current value must be in the target value.                               in or not notIn
Current value must be like the target value.                             like or not notLike
Current value must case-sensitive match the target value.                match or not notMatch
Current value must case-insensitive match the target value.              matchInsensitively or not notMatchInsensitively
Current value must not contain the target value as a key.                notContainsKey or not containsKey
Current value must not contain the target value.                         notContains or not contains
Current value must not be equal to the target value.                     notEquals or not equals
Current value must not exist.                                            not exists
Current value must not be in the target value.                           notIn or not in
Current value must not be like the target value.                         notLike or not like
Current value must not case-sensitive match the target value.            notMatch or not match
Current value must not case-insensitive match the target value.          notMatchInsensitively or not matchInsensitively
No related resources match the effect details in the policy definition.  A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist.
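The matrix above can be turned into a small evaluator: given one condition block from a policy rule and the resource's current value, it reports whether the condition holds and, if not, the exact reason phrase the compliance details pane would show, including the complement rule that reports "not greaterOrEquals" as "must be less than". This is an added example, not Azure Policy's own engine; the wildcard rules for like ('*') and match ('#' digit, '?' letter, '.' any character), numeric comparison when both sides parse as numbers, and the sample conditions are assumptions made for the example.

```python
import re

# Reason phrase per positive operator, taken from the matrix above; "must not" forms are derived.
PHRASE = {
    "containsKey": "contain the target value as a key",
    "contains": "contain the target value",
    "equals": "be equal to the target value",
    "less": "be less than the target value",
    "lessOrEquals": "be less than or equal to the target value",
    "greater": "be greater than the target value",
    "greaterOrEquals": "be greater than or equal to the target value",
    "exists": "exist",
    "in": "be in the target value",
    "like": "be like the target value",
    "match": "case-sensitive match the target value",
    "matchInsensitively": "case-insensitive match the target value",
}
COMPLEMENT = {"less": "greaterOrEquals", "greaterOrEquals": "less", "greater": "lessOrEquals", "lessOrEquals": "greater"}

def _holds(op, current, target):
    if op == "exists":
        return current is not None
    if current is None:
        return False
    if op in ("containsKey", "contains", "in"):  # key / element membership
        return current in target if op == "in" else target in current
    if op == "like":  # assumed: 'like' supports only the '*' wildcard
        return re.fullmatch(".*".join(re.escape(s) for s in target.split("*")), str(current)) is not None
    if op in ("match", "matchInsensitively"):  # assumed: '#'=digit, '?'=letter, '.'=any char
        rx = "".join({"#": "[0-9]", "?": "[A-Za-z]", ".": "."}.get(c, re.escape(c)) for c in target)
        return re.fullmatch(rx, str(current), re.I if op == "matchInsensitively" else 0) is not None
    try:  # assumed: compare numerically when both sides parse as numbers, else as strings
        a, b = float(current), float(target)
    except (TypeError, ValueError):
        a, b = str(current), str(target)
    return {"equals": a == b, "less": a < b, "lessOrEquals": a <= b,
            "greater": a > b, "greaterOrEquals": a >= b}[op]

def evaluate(condition, current):
    """Evaluate one condition block against a resource's current value -> (compliant, reason)."""
    negated = False
    while "not" in condition:  # unwrap {"not": {...}} wrappers
        condition, negated = condition["not"], not negated
    op, target = next((k, v) for k, v in condition.items() if k != "field")
    if op.startswith("not") and op[3:4].isupper():  # notEquals, notIn, notLike, ...
        op, negated = op[3].lower() + op[4:], not negated
    if negated and op in COMPLEMENT:  # "not greaterOrEquals" is reported as "less", per the matrix
        op, negated = COMPLEMENT[op], False
    compliant = _holds(op, current, target) != negated
    return compliant, None if compliant else f"Current value must {'not ' if negated else ''}{PHRASE[op]}."
```

For the page's own example, evaluate({"field": "Microsoft.Sql/servers/version", "equals": "14.0"}, "12.0") returns the "must be equal to the target value" reason.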

Compliance details for Guest Configuration

For auditIfNotExists policies in the Guest Configuration category, there could be multiple settings evaluated inside the VM, and you'll need to view per-setting details. For example, if you're auditing for a list of password policies and only one of them has the status Non-compliant, you'll need to know which specific password policies are out of compliance and why.

You also might not have access to sign in to the VM directly, but you need to report on why the VM is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane view, click the Last evaluated resource link.

View auditIfNotExists definition details

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. In the Reason column, a phrase describing why the Guest Assignment is Non-compliant is shown. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

View compliance details.

Azure PowerShell

You can also view compliance details from Azure PowerShell. First, make sure you have the Guest Configuration module installed.

Install-Module Az.GuestConfiguration

You can view the current status of all Guest Assignments for a VM using the following command:

Get-AzVMGuestPolicyReport -ResourceGroupName <resourcegroupname> -VMName <vmname>
PolicyDisplayName                                                         ComplianceReasons
-----------------                                                         -----------------
Audit that an application is installed inside Windows VMs                 {[InstalledApplication]bwhitelistedapp}
Audit that an application is not installed inside Windows VMs.            {[InstalledApplication]NotInstalledApplica...

To view only the reason phrase that describes why the VM is Non-compliant, return only the Reason child property.

Get-AzVMGuestPolicyReport -ResourceGroupName <resourcegroupname> -VMName <vmname> | % ComplianceReasons | % Reasons | % Reason
The following applications are not installed: '<name>'.

You can also output a compliance history for Guest Assignments in scope for the machine. The output from this command includes the details of each report for the VM.

Note

The output may return a large volume of data. It's recommended to store the output in a variable.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname>
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
[Preview]: Audit that an application is installed inside Windows VMs      NonCompliant                       02/10/2019 12:00:38 PM 02/10/2019 12:00:41 PM VM01  ../17fg0...
<truncated>

To simplify this view, use the ShowChanged parameter. The output from this command only includes the reports that followed a change in compliance status.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname> -ShowChanged
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/10/2019 10:00:38 PM 02/10/2019 10:00:41 PM VM01  ../12ab0...
Audit that an application is installed inside Windows VMs.                Compliant                          02/09/2019 11:00:38 AM 02/09/2019 11:00:39 AM VM01  ../e3665...
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/09/2019 09:00:20 AM 02/09/2019 09:00:23 AM VM01  ../15ze1...

Change history (Preview)

As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when Resource Manager properties are added, removed, or altered.

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in any compliance state.

  3. Under the Resource compliance tab of the Policy compliance page, select a resource.

  4. Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, is displayed.

    Azure Policy change history tab on the Resource compliance page

  5. Select one of the detected changes. The visual diff for the resource is presented on the Change history page.

    Azure Policy change history visual diff on the Change history page

The visual diff aids in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.

Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.

Next steps