Policy waiver exemptions must expire

Operational Excellence · Policy · 2021_06

Configure policy waiver exemptions to expire.


Azure Policy waiver exemptions are intended to be a temporary acceptance of a non-compliant state. Use the Mitigated category when the issue intent has been met through another method.


Consider configuring an expiry for policy exemption waivers within the maximum threshold.


Azure templates

To deploy policy assignments that pass this rule:

  • Set the properties.expiresOn property to a valid date that is within the maximum number of days.

For example:

    {
        "comments": "An example exemption.",
        "name": "exemption-001",
        "type": "Microsoft.Authorization/policyExemptions",
        "apiVersion": "2020-07-01-preview",
        "properties": {
            "policyAssignmentId": "<assignment_id>",
            "policyDefinitionReferenceIds": [],
            "exemptionCategory": "Waiver",
            "expiresOn": "2021-04-27T14:00:00Z",
            "displayName": "Exemption 001",
            "description": "An example exemption.",
            "metadata": {
                "requestedBy": "Apps team",
                "approvedBy": "Security team",
                "createdBy": "DevOps pipeline"
            }
        }
    }


This rule fails:

  • When the exemption is configured not to expire.
  • When the exemption expiry date is greater than the maximum threshold.
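
The two failure conditions above, as an added Python example that is not part of the original page and not the rule's own implementation. It assumes the threshold is counted in days from the evaluation time; `check_waiver_expiry`, `max_days`, the sample resources and the 180-day value are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample template resources (not from the original page).
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"name": "exemption-001", "type": "Microsoft.Authorization/policyExemptions",
   "properties": {"exemptionCategory": "Waiver", "expiresOn": "2021-04-27T14:00:00Z"}},
  {"name": "exemption-002", "type": "Microsoft.Authorization/policyExemptions",
   "properties": {"exemptionCategory": "Waiver"}},
  {"name": "exemption-003", "type": "Microsoft.Authorization/policyExemptions",
   "properties": {"exemptionCategory": "Waiver", "expiresOn": "2023-01-01T00:00:00Z"}},
  {"name": "exemption-004", "type": "Microsoft.Authorization/policyExemptions",
   "properties": {"exemptionCategory": "Mitigated"}}
]}
""")

def check_waiver_expiry(template, max_days, now=None):
    """Return {exemption name: reason} for Waiver exemptions that would fail."""
    now = now or datetime.now(timezone.utc)
    limit = now + timedelta(days=max_days)  # Assumption: threshold counted from "now".
    failures = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.authorization/policyexemptions":
            continue
        props = res.get("properties", {})
        if props.get("exemptionCategory") != "Waiver":
            continue  # Assumption: only Waiver exemptions are in scope.
        expires = props.get("expiresOn")
        if not expires:
            failures[res.get("name")] = "no expiresOn set"
            continue
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            failures[res.get("name")] = "expiresOn is not a valid date"
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # Treat naive values as UTC.
        if when > limit:
            failures[res.get("name")] = "expiresOn is beyond the maximum threshold"
    return failures

if __name__ == "__main__":
    fixed_now = datetime(2021, 1, 1, tzinfo=timezone.utc)  # Constructed evaluation time.
    for name, reason in check_waiver_expiry(SAMPLE_TEMPLATE, 180, fixed_now).items():
        print(f"FAIL {name}: {reason}")
```
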

Configure AZURE_POLICY_WAIVER_MAX_EXPIRY to set the maximum expiry date threshold.

# YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option

Last update: 2021-08-20