Introduction and Current Challenges:
Policy remediation is a critical aspect in Azure Policy, a service in Azure that you use to create, assign, and manage policies. These policies enforce differen...
Updated May 23, 2024
Version 1.0
Blog Post
This is not working. I have tried it on multiple "initiativeassignmentnames" and all of them return empty values. I even modified the command to this: Get-AzPolicyState | Where-Object PolicyAssignmentName -eq $InitiativeAssignmentName | select-object PolicyDefinitionReferenceId, PolicyAssignmentId -Unique and its still empty.
I can confirm the portal shows multiple remediations.
ka8080
This worked for me. I ran across this post while implementing AMBA and had a ton of new initiatives to remediate, and didn't want to by hand.You just need to put in a csv list of your
$InitiativeAssignmentDisplayNames
and your managementGroup... ID. That ones poorly named.$managementGroupName = ""
# List of initiative assignment display names to process $InitiativeAssignmentDisplayNames = @( ) $managementGroupName = "" foreach ($initiativeName in $InitiativeAssignmentDisplayNames) { Write-Output "Processing initiative assignment: $initiativeName" # Get the policy assignment object by display name $initiativeAssignment = Get-AzPolicyAssignment | Where-Object { $_.DisplayName -eq $initiativeName } if (-not $initiativeAssignment) { Write-Warning "Policy assignment with display name '$initiativeName' not found; skipping" continue } $policySetName = $initiativeAssignment.PolicyDefinitionId.Split('/')[-1] $policySetDefinition = Get-AzPolicySetDefinition -ManagementGroupName $managementGroupName -Name $policySetName if (-not $policySetDefinition) { Write-Warning "Policy set definition '$policySetName' not found for initiative '$initiativeName'; skipping" continue } $assignmentId = $initiativeAssignment.Id Write-Output "Filtering policy states for assignment ID: $assignmentId" $policyStates = Get-AzPolicyState | Where-Object { $_.PolicyAssignmentId -eq $assignmentId } Write-Output "Total policy states found: $($policyStates.Count)" $uniquePolicyRefs = $policyStates | Select-Object -ExpandProperty PolicyDefinitionReferenceId -Unique Write-Output "Unique policy reference IDs found: $($uniquePolicyRefs.Count)" foreach ($policyRefId in $uniquePolicyRefs) { $remediationName = "rem." + $policyRefId.ToLower() $existingRemediation = Get-AzPolicyRemediation -Name $remediationName -ErrorAction SilentlyContinue if ($existingRemediation) { $state = $existingRemediation.ProvisioningState if ($state -eq 'Accepted' -or $state -eq 'Running' -or $state -eq 'Evaluating') { Write-Output "Remediation '$remediationName' already active (state: $state). Skipping..." continue } elseif ($state -eq 'Succeeded') { Write-Output "Remediation '$remediationName' already succeeded. Skipping..." continue } else { Write-Output "Remediation '$remediationName' found with state '$state'. Skipping..." continue } } Write-Output "Starting remediation: $remediationName" Start-AzPolicyRemediation -Name $remediationName ` -PolicyAssignmentId $assignmentId ` -PolicyDefinitionReferenceId $policyRefId ` -ResourceDiscoveryMode ReEvaluateCompliance } }
