Updating Exemptions
Exemptions are updated frequently because they are the mechanism for preventing enforcement of a policy on a scope while still requiring review, provided an expiration is set. This is generally desirable and is well received during an audit process.
Decision: JSON or CSV
In the past, CSV was the preferred format in EPAC. However, new ways of applying exemptions have shifted the recommendation to JSON. Regardless, the cmdlets provided will continue to output both, so consumers can use whichever format they prefer.
Updating exemptions manually
There are some use cases for manually updating the exemptions file. Generally, the decision comes down to which approach takes less effort.
Expiration Update
Rather than updating and exporting, a change to the date field can be made with nominal effort.
Manual Date Update
- Browse to the policyExemptions/[pacSelectorName] directory
- Open the json/jsonc/csv file used to manage Exemptions
- Update Content
  - Search for the policyAssignmentId, including the full assignment path
    - Example: "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/[ManagementGroupName]/providers/Microsoft.Authorization/policyAssignments/[PolicyAssignmentName]"
  - Modify the expiresOn field within the related block with the new timestamp
    - Format: "YYYY-MM-DDThh:mm:ssZ"
    - Example: "2025-01-01T01:00:00Z"
Assignment Relocation
Altering the target assignment is necessary if assignments are moved during the initial onboarding process, for instance from the Tenant Root to the Tenant Intermediate Root. However, doing so requires transitioning all of the exemptions promptly to avoid a change in enforcement behavior.
In these cases, find each entry for an affected assignment in the CSV/JSON file, duplicate it, and update the copy's assignment reference to the new location. This allows the exemptions to apply as soon as the new assignments are deployed while retaining the old exemptions until you are ready to remove the old assignment entirely.
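The duplicate-then-update step above, as an added example that is not part of EPAC's own tooling. It assumes the EPAC JSON layout with a top-level "exemptions" array and PowerShell 7 (whose ConvertFrom-Json tolerates the // comments in a .jsonc file); the file path and the management group names are placeholders.

```powershell
# Added example (not EPAC tooling): duplicate each exemption that targets an
# assignment under the old management group and re-point the copy at the new one.
# Assumes the EPAC JSON layout with a top-level "exemptions" array and PowerShell 7.
# The file path and management group names used below are placeholders.
function Copy-RelocatedExemptions {
    param(
        [Parameter(Mandatory)] [string] $ExemptionsFile,
        [Parameter(Mandatory)] [string] $OldAssignmentPrefix,
        [Parameter(Mandatory)] [string] $NewAssignmentPrefix
    )

    $document = Get-Content -Path $ExemptionsFile -Raw | ConvertFrom-Json
    $copies = @()

    foreach ($exemption in $document.exemptions) {
        $assignmentId = [string] $exemption.policyAssignmentId
        # Resource ids are case-insensitive, so compare them that way.
        if (-not $assignmentId.StartsWith($OldAssignmentPrefix, [StringComparison]::OrdinalIgnoreCase)) {
            continue
        }
        # An exemption with no expiry should not be carried over silently; flag it for review.
        if (-not $exemption.expiresOn) {
            Write-Warning "Exemption '$($exemption.name)' has no expiresOn; review before relocating."
        }
        # Deep copy so the original entry (still needed for the old assignment) stays untouched.
        $copy = $exemption | ConvertTo-Json -Depth 20 | ConvertFrom-Json
        $copy.policyAssignmentId = $NewAssignmentPrefix + $assignmentId.Substring($OldAssignmentPrefix.Length)
        # Exemption names must be unique per scope, so the copy needs its own name.
        $copy.name = "$($exemption.name)-relocated"
        $copies += $copy
    }

    $document.exemptions = @($document.exemptions) + $copies
    # ConvertTo-Json drops any // comments that were present in the .jsonc file.
    $document | ConvertTo-Json -Depth 20 | Set-Content -Path $ExemptionsFile
    return $copies.Count
}

$mgPath = "/providers/Microsoft.Management/managementGroups"
$added = Copy-RelocatedExemptions `
    -ExemptionsFile "./Definitions/policyExemptions/pacSelectorName/active-exemptions.jsonc" `
    -OldAssignmentPrefix "$mgPath/TenantRoot/providers/Microsoft.Authorization/policyAssignments/" `
    -NewAssignmentPrefix "$mgPath/TenantIntermediateRoot/providers/Microsoft.Authorization/policyAssignments/"
Write-Host "Added $added relocated exemption(s); remove the originals once the old assignments are deleted."
```

Review the diff of the exemptions file before committing it, since the originals remain in place until the old assignments are removed.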
Adding/updating exemptions with script
During this process we will export the current Exemptions and then add further exemptions to them. The first step is optional, as it is not desirable to allow other methods of updating Exemptions after moving to a desiredState "strategy": "full" configuration.
- Add new listing

```powershell
$pacSelector = "pacSelectorName"
$supportId = "SystemName-approvalIdForChange"
# Full resource id of the assignment being exempted (same form as in the exemptions file)
$policyAssignmentId = "/providers/Microsoft.Management/managementGroups/ManagementGroupName/providers/Microsoft.Authorization/policyAssignments/AssignmentName"
# Scope to exempt: subscription, resource group or individual resource (placeholder shown)
$scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ExcludedResourceGroup/ExcludedResource"
$name = "Exemption-$supportId"
$displayName = "Exemption $supportId"
$description = "EPAC $pacSelector - Exemption documented in $supportId"
$exemptionCategory = "Waiver"   # "Waiver" or "Mitigated"
$expiresOn = "YYYY-MM-DDThh:mm:ssZ"   # replace with a UTC timestamp, e.g. "2025-01-01T01:00:00Z"
Set-AzPolicyExemptionEpac -Scope $scope -Name $name -DisplayName $displayName -Description $description -ExemptionCategory $exemptionCategory -ExpiresOn $expiresOn -PolicyAssignmentId $policyAssignmentId
```

- Update Exemptions File
  - Export New Data
  - Copy New Data to Definitions Folder

```powershell
$pacSelector = "pacSelectorName"
$definitionsFolder = "./Definitions"
$outputFolder = "./Output"
# Export only the exemptions that are currently active for this PAC environment
Get-AzExemptions `
    -PacEnvironmentSelector $pacSelector `
    -DefinitionsRootFolder $definitionsFolder `
    -OutputFolder $outputFolder `
    -FileExtension jsonc `
    -ActiveExemptionsOnly
# Replace the managed exemptions file in the Definitions folder with the export
Copy-Item `
    $(Join-Path $outputFolder "policyExemptions" $pacSelector "active-exemptions.jsonc") `
    $(Join-Path $definitionsFolder "policyExemptions" $pacSelector "active-exemptions.jsonc") `
    -Force
```