Skip to content

Operational Scripts

The scripts are detailed in the reference page including syntax, descriptions and parameters.

Batch Creation of Remediation Tasks

The script New-AzRemediationTasks creates remediation tasks for all non-compliant resources for EPAC environments in the global-settings.jsonc file.

This script executes all remediation tasks in a Policy as Code environment specified with parameter PacEnvironmentSelector. The script will interactively prompt for the value if the parameter is not supplied. The script will recurse the Management Group structure and subscriptions from the defined starting point.

  • Find all Policy assignments with potential remediation capable resources
  • Query Policy Insights for non-complaint resources
  • Start remediation task for each Policy with non-compliant resources
  • Switch parameter -OnlyCheckManagedAssignments includes non-compliance data only for Policy assignments owned by this Policy as Code repo.

Documenting Policy

Build-PolicyDocumentation builds documentation from instructions in the policyDocumentations folder reading the deployed Policy Resources from the EPAC environment. It is also used to generate parameter/effect CSV files for Policy Assignment files. See usage documentation in Documenting Policy.

Policy Resources Exports

  • Export-AzPolicyResources exports Azure Policy resources in EPAC. See usage documentation in Extract existing Policy Resources.
  • Get-AzExemptions retrieves Policy Exemptions from an EPAC environment and saves them to files.
  • Get-AzPolicyAliasOutputCSV exports Policy Aliases to CSV format.

Hydration Kit

The Hydration Kit is a set of scripts that can be used to deploy an EPAC environment from scratch. The scripts are documented in the Hydration Kit page.

CI/CD Helpers

The scripts New-AzureDevOpsBug and New-GitHubIssue create a Bug or Issue when there are one or multiple failed Remediation Tasks.

Export from AzAdvertizer

The script Export-AzAdvertizerPolicy.ps1 creates for you the policyAssignments, policyDefinitions, and policySetDefinitions based on the provided URL in an Output folder under 'ALZ-Export'.

Parameters:

  • AzAdvertizerUrl: Mandatory url of the policy or policy set from AzAdvertizer.

  • OutputFolder: Output Folder. Defaults to the path 'Output'.

  • AutoCreateParameters: Automatically create parameters for Azure Policy Sets and Assignment Files.

  • UseBuiltIn: Default to using builtin policies rather than local versions.

  • Scope: Used to set scope value on each assignment file.

  • PacSelector: Used to set PacEnvironment for each assignment file.

  • OverwriteOutput: Used to Overwrite the contents of the output folder with each run. Helpful when running consecutively.

Non-compliance Reports

Export-NonComplianceReports exports non-compliance reports for EPAC environments . It outputs the reports in the $OutputFolders/non-compliance-reports folder.

  • summary-by-policy.csv contains the summary of the non-compliant resources by Policy definition. The columns contain the resource counts.
  • summary-by-resource.csv contains the summary of the non-compliant resources. The columns contain the number of Policies causing the non-compliance.
  • details-by-policy.csv contains the details of the non-compliant resources by Policy definition including the non-compliant resource ids. Assignments are combined by Policy definition.
  • details-by-resource.csv contains the details of the non-compliant resources sorted by Resource id. Assignments are combined by Resource id.
  • full-details-by-assignment.csv contains the details of the non-compliant resources sorted by Policy Assignment id.
  • full-details-by-resource.csv contains the details of the non-compliant resources sorted by Resource id including the Policy Assignment details.

Sample summary-by-policy.csv

Category Policy Name Policy Id Non Compliant Unknown Not Started Exempt Conflicting Error Assignment Ids Group Names
General Audit usage of custom RBAC roles /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 9 0 0 0 0 0 /providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-nist-800-53-r5,/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-asb azure_security_benchmark_v3.0_pa-7,nist_sp_800-53_r5_ac-6(7),nist_sp_800-53_r5_ac-2(7),nist_sp_800-53_r5_ac-6,nist_sp_800-53_r5_ac-2
Regulatory Compliance Control use of portable storage devices /providers/microsoft.authorization/policydefinitions/0a8a1a7d-16d3-4d8e-9f2c-6b8d9e1c7c1d 0 0 0 0 0 0 /providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-nist-800-53-r5,/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-asb azure_security_benchmark_v3.0_pa-7,nist_sp_800-53_r5_ac-6(7),nist_sp_800-53_r5_ac-2(7),nist_sp_800-53_r5_ac-6,nist_sp_800-53_r5_ac-2

Sample summary-by-resource.csv

Resource Id Subscription Id Subscription Name Resource Group Resource Type Resource Name Resource Qualifier Non Compliant Unknown Not Started Exempt Conflicting Error
/subscriptions/******** ******** PAC-DEV-001 subscriptions 25 481 0 0 0 0
/subscriptions/********/providers/microsoft.authorization/roledefinitions/0b00bc79-2207-410c-b9d5-d5d182ad514f ******** PAC-DEV-001 microsoft.authorization/roledefinitions 0b00bc79-2207-410c-b9d5-d5d182ad514f 0 0 0 0 0 0