azure-cli: az policy state - Trigger policy evaluation through CLI
Is your feature request related to a problem? Please describe.
As a policy admin, I’d like to trigger policy evaluation through CLI. This helps in troubleshooting and validating policy definitions faster.
Describe the solution you’d like
I would like another verb added to az policy state, such as az policy state evaluate --scope ...
The scope will define where the policies should be validated and would allow for management group, subscription and resource groups.
Given that evaluation is an async process, we’ll then need a way to monitor status. Example: az policy state status --scope ...
Describe alternatives you’ve considered
The only alternative for this is through a REST client and following instructions from https://docs.microsoft.com/en-us/azure/governance/policy/how-to/getting-compliance-data
Subscription
POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview
Resource Group
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview
About this issue
- State: closed
- Created 6 years ago
- Comments: 17 (7 by maintainers)
@calecarter Hi, here is another customer who also has similar requirements: #12718. May I ask how your progress is?
Documentation on this can be found here: https://docs.microsoft.com/en-us/cli/azure/policy/state?view=azure-cli-latest#az_policy_state_trigger_scan
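The REST alternative described in the issue, sketched as an added example (not code from the issue or from azure-cli): it builds the triggerEvaluation URL only for a validated subscription or resource-group scope, then polls for completion. It assumes the documented async behaviour of a 202 response with a Location header that returns 202 while the scan runs and 200 when it finishes; `send` is a hypothetical caller-supplied transport.

```python
import re
import time

API_VERSION = "2018-07-01-preview"  # version quoted in the issue
ARM = "https://management.azure.com"
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Only the two scopes the issue gives endpoints for: subscription, resource group.
_SCOPE = re.compile(
    rf"^/subscriptions/{_GUID}(?:/resourceGroups/[-\w.()]{{1,90}})?$")


def trigger_url(scope):
    """Build the triggerEvaluation URL, rejecting any other scope shape."""
    if not _SCOPE.match(scope):
        raise ValueError(f"unsupported scope: {scope!r}")
    return (f"{ARM}{scope}/providers/Microsoft.PolicyInsights"
            f"/policyStates/latest/triggerEvaluation?api-version={API_VERSION}")


def evaluate(scope, send, interval=30.0, timeout=1800.0, sleep=time.sleep):
    """POST the trigger, then poll the returned Location until the scan ends.

    send(method, url) -> (status_code, headers_dict) is a hypothetical
    transport, e.g. a thin wrapper around an authenticated HTTP session.
    Returns the seconds spent waiting between polls.
    """
    status, headers = send("POST", trigger_url(scope))
    if status != 202:
        raise RuntimeError(f"trigger rejected with HTTP {status}")
    location = headers.get("Location", "")
    # Poll only the ARM host so the bearer token is never sent elsewhere.
    if not location.startswith(ARM + "/"):
        raise RuntimeError("unexpected polling location")
    waited = 0.0
    while waited <= timeout:
        status, _ = send("GET", location)
        if status == 200:  # scan finished
            return waited
        if status != 202:  # anything but "still running" is a failure
            raise RuntimeError(f"scan failed with HTTP {status}")
        sleep(interval)
        waited += interval
    raise TimeoutError(f"scan still running after {timeout:.0f}s")
```

Rejecting malformed scopes before the request is built keeps query strings or extra path segments out of an authenticated management-plane call.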