Automating Azure Remediation for Policy Initiatives with Azure PowerShell
Introduction and Current Challenges:
Policy remediation is a critical aspect in Azure Policy, a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so they stay compliant with your corporate standards and service level agreements.
As part of testing policy initiative, you might encounter an inconvenience where you cannot create remediation tasks for all policies inside an initiative assignment with a single click. Instead, you need to manually select and remediate each policy, which could be time-consuming if you have multiple policies created inside the policy initiative. In this blog post, we aim to address this challenge and provide a method for automation to create remediation tasks that apply to all policies of an initiative.
Prerequisites:
Before we dive into the solution, ensure you have the following:
An active Azure Subscription.
Azure PowerShell installed. If not, you can get it from here: How to install Azure PowerShell | Microsoft Learn
A clear understanding of Azure Policy and Policy Remediation: Remediate non-compliant resources – Azure Policy | Microsoft Learn
Automating Remediation Tasks for a Policy Initiative:
To automate the creation of remediation tasks for a policy initiative, we will use an Azure PowerShell script. The script loops through each policy in the initiative assignment and creates a remediation task for every policy with a remediable effect (“deployIfNotExists” or “modify”) that has non-compliant resources.
Here is the step-by-step breakdown of the script:
Declare your initiative assignment name as a variable.
$InitiativeAssignmentName = "<myInitiativeAssignment>"
The script then retrieves all non-compliant policies that can be remediated within the initiative.
$RemediatablePolicies = Get-AzPolicyState |
    Where-Object { $_.PolicyAssignmentName -eq $InitiativeAssignmentName -and $_.ComplianceState -eq "NonCompliant" -and ($_.PolicyDefinitionAction -eq "deployIfNotExists" -or $_.PolicyDefinitionAction -eq "modify" -or $_.PolicyDefinitionAction -eq "append") } |
    Select-Object PolicyDefinitionReferenceId, PolicyAssignmentId -Unique
It then loops through each policy and creates individual remediation tasks.
foreach ($policy in $RemediatablePolicies) {
    $remediationName = "rem." + $policy.PolicyDefinitionReferenceId
    Start-AzPolicyRemediation -Name $remediationName -PolicyAssignmentId $policy.PolicyAssignmentId -PolicyDefinitionReferenceId $policy.PolicyDefinitionReferenceId -ResourceDiscoveryMode ReEvaluateCompliance
}
Detailed Explanation:
1. The variable $InitiativeAssignmentName should be assigned the actual name of your initiative assignment.
2. The $RemediatablePolicies line fetches the compliance records from Azure and keeps only those that can be remediated, based on the conditions in the Where-Object script block: the record belongs to the named initiative assignment, the resource is non-compliant, and the policy definition’s effect is one of “deployIfNotExists”, “modify”, or “append”. It then projects each record to its PolicyDefinitionReferenceId and PolicyAssignmentId; the -Unique switch removes duplicate rows, so each policy in the initiative appears once regardless of how many non-compliant resources it has.
3. The foreach loop then iterates through each of these policies. For each policy, a remediation task is created with a unique name by concatenating “rem.” with the policy’s PolicyDefinitionReferenceId. This remediation task is then started using the Start-AzPolicyRemediation cmdlet. This cmdlet uses the previously created unique name, the policy’s PolicyAssignmentId and PolicyDefinitionReferenceId, and a ResourceDiscoveryMode of ReEvaluateCompliance to start the remediation task.
The complete script is shown below:
Complete Script
#Requires -Modules Az.PolicyInsights
# Run Connect-AzAccount and select the target subscription before executing this script.

# Declare your initiative assignment name as a variable
$InitiativeAssignmentName = "<your initiative name>"

# Get all non-compliant policies that can be remediated
$RemediatablePolicies = Get-AzPolicyState |
    Where-Object { $_.PolicyAssignmentName -eq $InitiativeAssignmentName -and $_.ComplianceState -eq "NonCompliant" -and ($_.PolicyDefinitionAction -eq "deployIfNotExists" -or $_.PolicyDefinitionAction -eq "modify" -or $_.PolicyDefinitionAction -eq "append") } |
    Select-Object PolicyDefinitionReferenceId, PolicyAssignmentId -Unique

# Loop through each policy and create one remediation task per policy definition reference
foreach ($policy in $RemediatablePolicies) {
    $remediationName = "rem." + $policy.PolicyDefinitionReferenceId
    Start-AzPolicyRemediation -Name $remediationName -PolicyAssignmentId $policy.PolicyAssignmentId -PolicyDefinitionReferenceId $policy.PolicyDefinitionReferenceId -ResourceDiscoveryMode ReEvaluateCompliance
}
With this script, you can automate the process of creating remediation tasks for each policy in a policy initiative. You can customize this script as per your requirements, or use it as a starting point to build more complex automation workflows.
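One such customization, added here as an example and not part of the original post: the same loop wrapped in a function that supports -WhatIf for a dry run, skips a policy that already has a remediation task in flight, and timestamps task names so they do not collide with earlier tasks. It assumes you are already signed in to the target subscription and that the Az.PolicyInsights objects expose the ComplianceState, PolicyAssignmentId, PolicyDefinitionReferenceId and ProvisioningState properties used below.

```powershell
#Requires -Modules Az.PolicyInsights
function Start-InitiativeRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $InitiativeAssignmentName,
        # Effects a remediation task can act on (same list as the script above).
        [string[]] $RemediableEffects = @('deployIfNotExists', 'modify', 'append')
    )

    # Latest compliance records for this assignment, limited to remediable effects
    # and resources that are actually non-compliant, grouped per policy reference.
    $targets = Get-AzPolicyState |
        Where-Object {
            $_.PolicyAssignmentName -eq $InitiativeAssignmentName -and
            $_.ComplianceState -eq 'NonCompliant' -and
            $_.PolicyDefinitionAction -in $RemediableEffects
        } |
        Group-Object PolicyDefinitionReferenceId

    if (-not $targets) {
        Write-Warning "No remediable non-compliant resources for assignment '$InitiativeAssignmentName'."
        return
    }

    # Remediation tasks still running in this subscription (assumed ProvisioningState
    # values); used to avoid starting a duplicate task for the same policy reference.
    $active = Get-AzPolicyRemediation |
        Where-Object { $_.ProvisioningState -notin 'Succeeded', 'Failed', 'Canceled' }

    foreach ($group in $targets) {
        $refId        = $group.Name
        $assignmentId = $group.Group[0].PolicyAssignmentId
        if ($active | Where-Object { $_.PolicyAssignmentId -eq $assignmentId -and $_.PolicyDefinitionReferenceId -eq $refId }) {
            Write-Verbose "Skipping '$refId': a remediation task is already in progress."
            continue
        }
        # Timestamp keeps the name unique even if a task of the same name ran earlier.
        $name   = "rem.$refId.$(Get-Date -Format 'yyyyMMddHHmmss')"
        $action = "Start remediation '$name' for $($group.Count) non-compliant resource(s)"
        if ($PSCmdlet.ShouldProcess($assignmentId, $action)) {
            Start-AzPolicyRemediation -Name $name -PolicyAssignmentId $assignmentId `
                -PolicyDefinitionReferenceId $refId -ResourceDiscoveryMode ReEvaluateCompliance
        }
    }
}

# Dry run first, then the real thing:
# Start-InitiativeRemediation -InitiativeAssignmentName '<myInitiativeAssignment>' -WhatIf -Verbose
# Start-InitiativeRemediation -InitiativeAssignmentName '<myInitiativeAssignment>'
```

Remediation of deployIfNotExists and modify policies runs under the assignment’s managed identity, so the -WhatIf output is also a convenient place to confirm which assignment will be acting before any role assignments are exercised.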
Summary and Conclusion
In this blog post, we’ve highlighted a common challenge when dealing with policy remediation tasks for policy initiatives and presented a solution using Azure PowerShell to automate this process. The provided script offers a way to loop through all non-compliant policies and start remediation tasks for each, significantly simplifying the process and saving valuable time.
As always, we recommend testing this script in a controlled environment before deploying it in a production scenario. For further details on the remediation cmdlets, you can refer to the Azure PowerShell documentation.
I hope this post has been helpful. Stay tuned for more tips and tricks for managing your Azure subscriptions more effectively.
Disclaimer
The sample scripts are not supported by any Microsoft standard support program or service. The sample scripts are provided AS IS without a warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.