Wilfried Woivré

Cloud Solution Architect - MVP Microsoft Azure

Azure Policy - Trigger policy scan

Categories: Azure, Policy


When you write your own Azure Policies, testing them can be tedious because the compliance evaluation is scheduled and triggered by Azure, not by you.

For some time now it has been possible to force an evaluation on the scope of a resource group or a subscription. In practice you will usually force it on a dedicated test resource group rather than on a whole subscription, so that your other policies are not affected.

To trigger an evaluation, you can use a PowerShell command like this:

# Subscription scope (the subscription of the current Az context)
Start-AzPolicyComplianceScan -AsJob

# Resource group scope ($rgName holds the name of the test resource group)
Start-AzPolicyComplianceScan -ResourceGroupName $rgName -AsJob

You can run it without a PowerShell job, but the operation takes a long time, which is why I recommend using a PowerShell job in a development scenario.
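As an added example (not part of the original post), here is the full development loop the cmdlet enables: start the scan on the test resource group as a job, wait for it with a timeout, then read back the non-compliant resources with Get-AzPolicyState so the new policy's effect can be checked right away. It assumes Connect-AzAccount has already been run, that the Az.PolicyInsights module is installed, and that the resource group name in $rgName is a placeholder for your own.

```powershell
# Added example, not code from the original post.
# Assumes Connect-AzAccount has been run and Az.PolicyInsights is installed.
# $rgName is an assumed placeholder for your test resource group.
$rgName = 'rg-policy-test'

# Start-AzPolicyComplianceScan blocks until the evaluation finishes, so run it
# as a background job and wait with a timeout instead of tying up the shell.
$job = Start-AzPolicyComplianceScan -ResourceGroupName $rgName -AsJob
$null = Wait-Job -Job $job -Timeout 1800   # stop waiting after 30 minutes

if ($job.State -ne 'Completed') {
    # Still running or failed: show what the job reported and keep it for inspection
    Write-Warning "Scan job ended in state '$($job.State)'"
    Receive-Job -Job $job -Keep | Out-String | Write-Warning
}
else {
    Remove-Job -Job $job
}

# Latest compliance records for the resource group. The OData filter keeps only
# the resources that failed evaluation, which is what matters for a new policy.
$nonCompliant = Get-AzPolicyState -ResourceGroupName $rgName `
    -Filter "ComplianceState eq 'NonCompliant'"

$nonCompliant |
    Select-Object ResourceId, PolicyDefinitionName, PolicyAssignmentName, Timestamp |
    Format-Table -AutoSize
```

If the table is empty after a scan you expected to flag something, check the assignment scope and the policy's mode before assuming the rule itself is wrong: a policy assigned at subscription level still applies to the test resource group, but one assigned to another resource group does not.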

It is also possible to do this with the REST API.

To do so, send a POST request to one of the following URLs:

Subscription: https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01

Resource Group: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01

# Bearer token for the current Az context (Connect-AzAccount must have been run)
$token = Get-AzAccessToken
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $token.Token
}

# Fill in your subscription id and the test resource group name
$subscriptionId = ""
$resourceGroup  = ""

# Same api-version as the URLs above; the request body is empty
$restUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"

Invoke-WebRequest -Uri $restUrl -Method POST -Headers $authHeader
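The REST call is asynchronous: it answers 202 Accepted straight away and returns a Location header that keeps answering 202 while the evaluation runs and 200 once it is done. As an added example (not code from the original post), the following script triggers the evaluation and polls that header until the scan completes. The subscription id and resource group name are placeholders, and it assumes Connect-AzAccount has already been run.

```powershell
# Added example, not code from the original post.
# Assumes Connect-AzAccount has been run; the two values below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-policy-test'

$token = Get-AzAccessToken
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $token.Token
}

$restUrl = "https://management.azure.com/subscriptions/$subscriptionId" +
           "/resourceGroups/$resourceGroup" +
           "/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation" +
           "?api-version=2019-10-01"

# Trigger the evaluation; anything other than 202 means the request was not queued
$response = Invoke-WebRequest -Uri $restUrl -Method POST -Headers $authHeader -UseBasicParsing
if ($response.StatusCode -ne 202) {
    throw "Unexpected status $($response.StatusCode) when triggering the evaluation"
}

# Location header: a string in Windows PowerShell, a string[] in PowerShell 7
$statusUrl = [string]$response.Headers['Location']

# Poll every 30 seconds; the status endpoint answers 202 until the scan is finished
do {
    Start-Sleep -Seconds 30
    $status = Invoke-WebRequest -Uri $statusUrl -Method GET -Headers $authHeader -UseBasicParsing
    Write-Host "Evaluation status: HTTP $($status.StatusCode)"
} while ($status.StatusCode -eq 202)

Write-Host "Evaluation finished for resource group '$resourceGroup'"
```

The access token from Get-AzAccessToken is only valid for a limited time, so a scan that runs for a very long time may need a fresh token before the next poll; the loop above does not refresh it.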

And you will find this trace in your Activity Log:

So there is no more excuse for a coffee break while waiting for the policy evaluation to be triggered.
