Determine causes of non-compliance

When an Azure resource is determined to be non-compliant with a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information: the compliance details of the resource, and its change history.

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource non-compliance

Important

Because the compliance details for a Non-compliant resource show the current value of properties on that resource, the user must have the read operation for that resource type. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines, the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, right-click or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.

    Screenshot: View compliance details option

  4. The Compliance details pane displays information from the latest evaluation of the resource against the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    Screenshot: Compliance details pane and non-compliance reasons

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

    {
        "if": {
            "field": "type",
            "equals": "[parameters('resourceType')]"
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Insights/metricAlerts",
                "existenceCondition": {
                    "field": "name",
                    "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
                },
                "existenceScope": "subscription",
                "deployment": {
                    ...
                }
            }
        }
    }
    

    Screenshot: Compliance details pane for *ifNotExists effects

Note

To protect data, when a property value is a secret the current value is displayed as asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant. For that information, see Change history (Preview) below.

Compliance reasons

The following matrix maps each possible reason to the responsible condition in the policy definition:

| Reason | Condition |
|---|---|
| Current value must contain the target value as a key. | containsKey or not notContainsKey |
| Current value must contain the target value. | contains or not notContains |
| Current value must be equal to the target value. | equals or not notEquals |
| Current value must be less than the target value. | less or not greaterOrEquals |
| Current value must be greater than or equal to the target value. | greaterOrEquals or not less |
| Current value must be greater than the target value. | greater or not lessOrEquals |
| Current value must be less than or equal to the target value. | lessOrEquals or not greater |
| Current value must exist. | exists |
| Current value must be in the target value. | in or not notIn |
| Current value must be like the target value. | like or not notLike |
| Current value must case-sensitive match the target value. | match or not notMatch |
| Current value must case-insensitive match the target value. | matchInsensitively or not notMatchInsensitively |
| Current value must not contain the target value as a key. | notContainsKey or not containsKey |
| Current value must not contain the target value. | notContains or not contains |
| Current value must not be equal to the target value. | notEquals or not equals |
| Current value must not exist. | not exists |
| Current value must not be in the target value. | notIn or not in |
| Current value must not be like the target value. | notLike or not like |
| Current value must not case-sensitive match the target value. | notMatch or not match |
| Current value must not case-insensitive match the target value. | notMatchInsensitively or not matchInsensitively |
| No related resources match the effect details in the policy definition. | A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist. |

Compliance details for Guest Configuration

For auditIfNotExists policies in the Guest Configuration category, multiple settings may be evaluated inside the VM, and you'll need to view per-setting details. For example, if you're auditing a list of password policies and only one of them has the status Non-compliant, you need to know which specific password policies are out of compliance and why.

You also might not have access to sign in to the VM directly, but you still need to report on why the VM is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane view, click the link Last evaluated resource.

Screenshot: View auditIfNotExists definition details

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. The Reason column shows a phrase describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

Screenshot: View compliance details

Azure PowerShell

You can also view compliance details from Azure PowerShell. First, make sure you have the Guest Configuration module installed.

Install-Module Az.GuestConfiguration

You can view the current status of all Guest Assignments for a VM using the following command:

Get-AzVMGuestPolicyStatus -ResourceGroupName <resourcegroupname> -VMName <vmname>
PolicyDisplayName                                                         ComplianceReasons
-----------------                                                         -----------------
Audit that an application is installed inside Windows VMs                 {[InstalledApplication]bwhitelistedapp}
Audit that an application is not installed inside Windows VMs.            {[InstalledApplication]NotInstalledApplica...

To view only the reason phrase that describes why the VM is Non-compliant, return only the Reason child property.

Get-AzVMGuestPolicyStatus -ResourceGroupName <resourcegroupname> -VMName <vmname> | % ComplianceReasons | % Reasons | % Reason
The following applications are not installed: '<name>'.

You can also output a compliance history for the Guest Assignments in scope for the machine. The output from this command includes the details of each report for the VM.

Note

The output may return a large volume of data. It's recommended to store the output in a variable.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname>
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
[Preview]: Audit that an application is installed inside Windows VMs      NonCompliant                       02/10/2019 12:00:38 PM 02/10/2019 12:00:41 PM VM01  ../17fg0...
<truncated>

To simplify this view, use the ShowChanged parameter. The output from this command only includes the reports that followed a change in compliance status.

$guestHistory = Get-AzVMGuestPolicyStatusHistory -ResourceGroupName <resourcegroupname> -VMName <vmname> -ShowChanged
$guestHistory
PolicyDisplayName                                                         ComplianceStatus ComplianceReasons StartTime              EndTime                VMName LatestRepor
                                                                                                                                                                  tId
-----------------                                                         ---------------- ----------------- ---------              -------                ------ -----------
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/10/2019 10:00:38 PM 02/10/2019 10:00:41 PM VM01  ../12ab0...
Audit that an application is installed inside Windows VMs.                Compliant                          02/09/2019 11:00:38 AM 02/09/2019 11:00:39 AM VM01  ../e3665...
Audit that an application is installed inside Windows VMs                 NonCompliant                       02/09/2019 09:00:20 AM 02/09/2019 09:00:23 AM VM01  ../15ze1...

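As an added example (not part of the original page or of the Az.GuestConfiguration module), the following Python reproduces what the ShowChanged parameter does over a constructed list of report rows patterned on the listing above, and answers the question the Compliance details pane cannot: when the machine last became Non-compliant. The three transition rows keep the policy name, statuses and times shown above; the rows between them and their timestamps are invented so the filter has something to remove.

```python
from datetime import datetime

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"   # the StartTime/EndTime layout in the cmdlet output above

def _when(report):
    return datetime.strptime(report["StartTime"], TIME_FMT)

# Constructed sample, oldest first (the intermediate hourly rows are invented for the example).
POLICY = "Audit that an application is installed inside Windows VMs"
REPORTS = [
    {"PolicyDisplayName": POLICY, "ComplianceStatus": "NonCompliant", "StartTime": "02/09/2019 09:00:20 AM", "EndTime": "02/09/2019 09:00:23 AM"},
    {"PolicyDisplayName": POLICY, "ComplianceStatus": "NonCompliant", "StartTime": "02/09/2019 10:00:19 AM", "EndTime": "02/09/2019 10:00:22 AM"},
    {"PolicyDisplayName": POLICY, "ComplianceStatus": "Compliant", "StartTime": "02/09/2019 11:00:38 AM", "EndTime": "02/09/2019 11:00:39 AM"},
    {"PolicyDisplayName": POLICY, "ComplianceStatus": "Compliant", "StartTime": "02/10/2019 09:00:40 PM", "EndTime": "02/10/2019 09:00:41 PM"},
    {"PolicyDisplayName": POLICY, "ComplianceStatus": "NonCompliant", "StartTime": "02/10/2019 10:00:38 PM", "EndTime": "02/10/2019 10:00:41 PM"},
    {"PolicyDisplayName": POLICY, "ComplianceStatus": "NonCompliant", "StartTime": "02/10/2019 11:00:37 PM", "EndTime": "02/10/2019 11:00:40 PM"},
]

def show_changed(reports):
    """Keep only the reports that recorded a change in compliance status (what -ShowChanged does):
    the first report per policy and every report whose status differs from the previous one.
    Returned newest first, matching the cmdlet's ordering."""
    last_status, kept = {}, []
    for r in sorted(reports, key=_when):
        policy = r["PolicyDisplayName"]
        if last_status.get(policy) != r["ComplianceStatus"]:
            kept.append(r)
        last_status[policy] = r["ComplianceStatus"]
    return sorted(kept, key=_when, reverse=True)

def noncompliant_since(reports, policy):
    """StartTime of the report that began the current NonCompliant run, or None when the
    latest report for the policy is Compliant (or the policy has no reports)."""
    changes = [r for r in show_changed(reports) if r["PolicyDisplayName"] == policy]
    if not changes or changes[0]["ComplianceStatus"] != "NonCompliant":
        return None
    return changes[0]["StartTime"]
```

On the sample data, show_changed collapses six hourly reports to the three transitions listed above, and noncompliant_since returns the StartTime of the 10:00:38 PM report on 02/10/2019, the evaluation in which the assignment flipped back to NonCompliant.
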
Change history (Preview)

As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when Azure Resource Manager properties are added, removed, or altered.

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in any compliance state.

  3. Under the Resource compliance tab of the Policy compliance page, select a resource.

  4. Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, is displayed.

    Screenshot: Azure Policy change history tab on the Resource compliance page

  5. Select one of the detected changes. The visual diff for the resource is presented on the Change history page.

    Screenshot: Azure Policy change history visual diff on the Change history page

The visual diff aids in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.

Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.

Next steps