Query Azure policy assignment with exclude
Handling exceptions is an essential part of every platform. When there is a new project, there is often a rush to deploy it quickly, and some resource needs to be excluded from the policy temporarily, with the intention to fix it later. However, these exceptions can be forgotten, and the resources can remain unprotected. In the best case, the audit will detect them and we will resolve them, or in the worst case, some malicious actor will exploit them. In this article, I will show you a solution, how we gather every policy assignment that has some outofscope settings.
Azure Resource Graph
The new Azure Resource Graph one of my new favorite tool in Azure. It is a powerful tool to query the resources in the Azure.
The query is the following:
1
2
3
4
5
6
7
8
9
10
policyResources
| where type =~'Microsoft.Authorization/PolicyAssignments'
| project policyAssignmentId = tolower(tostring(id)), policyAssignmentDisplayName = tostring(properties.displayName), policyAssignmentDefinitionId = tolower(properties.policyDefinitionId),
policyAssignmentExclude = properties.notScopes, updatedOn = todatetime(properties.metadata.updatedOn), createdOn = todatetime(properties.metadata.createdOn)
| join kind=leftouter(
policyResources
| where type =~'Microsoft.Authorization/PolicySetDefinitions' or type =~'Microsoft.Authorization/PolicyDefinitions'
| project definitionId = tolower(id), category = tostring(properties.metadata.category), definitionType = iff(type =~ 'Microsoft.Authorization/PolicysetDefinitions', 'initiative', 'policy')
) on $left.policyAssignmentDefinitionId == $right.definitionId
| where policyAssignmentExclude != "[]"
So we know which policy assignment have some exclude settings, now we should start to review them.