Skip to content

policy-resources-exemption-query.md

Latest commit

 

History

History
77 lines (54 loc) · 4.81 KB

policy-resources-exemption-query.md

File metadata and controls

77 lines (54 loc) · 4.81 KB
ms.service resource-graph
ms.topic include
ms.date 05/30/2023
author jaspkaur28
ms.author jaspkaur

Policy exemptions per assignment

Lists the number of exemptions for each assignment.

PolicyResources
| where type == 'microsoft.authorization/policyexemptions'
| summarize count() by tostring(properties.policyAssignmentId)

For more information about using scopes with Azure CLI or Azure PowerShell, go to Count Azure resources.

Azure CLI

Use the --management-groups parameter with an Azure management group ID or tenant ID. In this example, the tenantid variable stores the tenant ID.

tenantid="$(az account show --query tenantId --output tsv)"
az graph query -q "policyresources | where type == 'microsoft.authorization/policyexemptions' | summarize count() by tostring(properties.policyAssignmentId)" --management-groups $tenantid

Azure PowerShell

By default, PowerShell get results for all subscriptions in your tenant but you can also include the -UseTenantScope parameter.

Search-AzGraph -Query "policyresources | where type == 'microsoft.authorization/policyexemptions' | summarize count() by tostring(properties.policyAssignmentId)" -UseTenantScope

Portal

Policy exemptions that expire within 90 days

Lists the name and expiration date.

PolicyResources
| where type == 'microsoft.authorization/policyexemptions'
| extend expiresOnC = todatetime(properties.expiresOn)
| where isnotnull(expiresOnC)
| where expiresOnC >= now() and expiresOnC < now(+90d)
| project name, expiresOnC

Azure CLI

az graph query -q "policyresources | where type == 'microsoft.authorization/policyexemptions' | extend expiresOnC = todatetime(properties.expiresOn) | where isnotnull(expiresOnC) | where expiresOnC >= now() and expiresOnC < now(+90d) | project name, expiresOnC"

Azure PowerShell

Search-AzGraph -Query "policyresources | where type == 'microsoft.authorization/policyexemptions' | extend expiresOnC = todatetime(properties.expiresOn) | where isnotnull(expiresOnC) | where expiresOnC >= now() and expiresOnC < now(+90d) | project name, expiresOnC"

Portal