Do you use the latest version of Azure Policy definitions?
Azure Policy is a powerful tool for enforcing rules and managing resources in your Azure environment. It helps ensure that your resources comply with organizational standards and best practices. To maximize its effectiveness, it’s essential to keep your policy definitions up to date.
From a company and security perspective, it is critical to enforce the exact version of the policy definition you require. However, it is also important to periodically check if a newer version is available. I wrote a query to help you determine whether you’re using the latest version of a policy definition.
```kusto
// Assignments, with the definition version each one pins (properties.definitionVersion)
policyresources
| where type =~ 'Microsoft.Authorization/policyAssignments'
| extend policyAssignmentVersion = tostring(properties.definitionVersion)
| project policyAssignmentId = tolower(id), policyAssignmentName = name, policyAssignmentDefinitionId = tolower(tostring(properties.policyDefinitionId)), policyAssignmentVersion
// Definitions, with their current version (properties.metadata.version); join on the lower-cased definition id
| join kind=inner (
    policyresources
    | where type =~ 'Microsoft.Authorization/policyDefinitions'
    | extend policyDefinitionVersion = tostring(properties.metadata.version)
    | project policyDefinitionId = tolower(id), policyDefinitionName = name, policyDefinitionVersion
) on $left.policyAssignmentDefinitionId == $right.policyDefinitionId
// Compare major.minor.patch numerically. A part that is not a plain number (a '*' wildcard,
// an empty value, or a '0-preview' style suffix) becomes null, so that comparison is false
// and such rows are not reported.
| extend policyAssignmentVersionParts = split(policyAssignmentVersion, '.'), policyDefinitionVersionParts = split(policyDefinitionVersion, '.')
| extend policyAssignmentMajor = toint(policyAssignmentVersionParts[0]), policyAssignmentMinor = toint(policyAssignmentVersionParts[1]), policyAssignmentPatch = toint(policyAssignmentVersionParts[2])
| extend policyDefinitionMajor = toint(policyDefinitionVersionParts[0]), policyDefinitionMinor = toint(policyDefinitionVersionParts[1]), policyDefinitionPatch = toint(policyDefinitionVersionParts[2])
// Keep only assignments whose pinned version is older than the definition's current version
| where policyDefinitionMajor > policyAssignmentMajor or (policyDefinitionMajor == policyAssignmentMajor and policyDefinitionMinor > policyAssignmentMinor) or (policyDefinitionMajor == policyAssignmentMajor and policyDefinitionMinor == policyAssignmentMinor and policyDefinitionPatch > policyAssignmentPatch)
| project policyAssignmentId, policyAssignmentName, policyAssignmentVersion, policyDefinitionId, policyDefinitionName, policyDefinitionVersion
```
Then, if you are using an older version of the policy definition, you will see something like this:
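As an added example (not code from the original post), here is the same assignment-versus-definition comparison re-implemented offline in Python over constructed records, extended to cover two cases the query's toint() turns into nulls: wildcard assignment versions such as 2.*.* (which float and are never behind) and definition versions carrying a -preview or -deprecated suffix. The resource ids and versions below are placeholders.

```python
def parse_version(raw: str) -> tuple:
    """Split 'major.minor.patch[-suffix]' into ints; '*' or a missing part -> None.
    The suffix ('-preview', '-deprecated') is ignored, as the KQL toint() would null it."""
    core = raw.split('-', 1)[0]
    parts = (core.split('.') + ['*', '*', '*'])[:3]
    return tuple(None if p in ('*', '') else int(p) for p in parts)

def assignment_is_behind(assigned: str, latest: str) -> bool:
    """True when the definition is newer than the version the assignment pins.
    A wildcard component in the assignment (e.g. '1.*.*') floats, so it and all
    lower components never count as behind; the KQL query simply drops such rows."""
    for a, d in zip(parse_version(assigned), parse_version(latest)):
        if a is None or d is None:
            return False
        if d != a:
            return d > a
    return False

def find_outdated(assignments: list, definitions: list) -> list:
    """Join assignments to definitions on the lower-cased definition id (the query's
    tolower()) and keep assignments pinned below the definition's current version."""
    by_id = {d['id'].lower(): d for d in definitions}
    outdated = []
    for a in assignments:
        defn = by_id.get(a['policyDefinitionId'].lower())
        if defn is None or not a.get('definitionVersion'):
            continue  # unknown definition or no pinned version: nothing to compare
        if assignment_is_behind(a['definitionVersion'], defn['version']):
            outdated.append({'assignment': a['name'], 'assigned': a['definitionVersion'],
                             'definition': defn['name'], 'latest': defn['version']})
    return outdated

# Constructed sample records; the ids are placeholders, not real Azure resources.
DEF = '/providers/Microsoft.Authorization/policyDefinitions/'
DEFINITIONS = [
    {'id': DEF + 'def-a', 'name': 'def-a', 'version': '2.1.0'},
    {'id': DEF + 'def-b', 'name': 'def-b', 'version': '1.4.0-preview'},
]
ASSIGNMENTS = [
    {'name': 'pinned-old', 'policyDefinitionId': DEF.upper() + 'DEF-A', 'definitionVersion': '2.0.1'},
    {'name': 'floating', 'policyDefinitionId': DEF + 'def-a', 'definitionVersion': '2.*.*'},
    {'name': 'preview-behind', 'policyDefinitionId': DEF + 'def-b', 'definitionVersion': '1.2.0'},
    {'name': 'no-pin', 'policyDefinitionId': DEF + 'def-b'},
]

if __name__ == '__main__':
    for row in find_outdated(ASSIGNMENTS, DEFINITIONS):
        print(row)
```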
This post is licensed under CC BY 4.0 by the author.