external help file | Module Name | online version | schema |
---|---|---|---|
Microsoft.Azure.PowerShell.Cmdlets.PolicyInsights.dll-Help.xml |
Az.PolicyInsights |
2.0.0 |
Creates a new policy attestation for a policy assignment.
New-AzPolicyAttestation -Name <String> [-Scope <String>] [-ResourceGroupName <String>]
-PolicyAssignmentId <String> [-ComplianceState <String>] [-PolicyDefinitionReferenceId <String>]
[-ExpiresOn <DateTime>] [-Owner <String>] [-Comment <String>] [-Evidence <PSAttestationEvidence[]>]
[-AssessmentDate <DateTime>] [-Metadata <String>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
[-Confirm] [<CommonParameters>]
New-AzPolicyAttestation -ResourceId <String> -PolicyAssignmentId <String> [-ComplianceState <String>]
[-PolicyDefinitionReferenceId <String>] [-ExpiresOn <DateTime>] [-Owner <String>] [-Comment <String>]
[-Evidence <PSAttestationEvidence[]>] [-AssessmentDate <DateTime>] [-Metadata <String>]
[-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
The New-AzPolicyAttestation cmdlet creates a policy attestation for a particular policy assignment. Attestations are used by Azure Policy to set compliance states of resources or scopes targeted by manual policies. They also allow users to provide additional metadata or link to evidence which accompanies the attested compliance state.
Set-AzContext -Subscription "d1acb22b-c876-44f7-b08e-3fcf9f6767f4"
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationsubassignment"
$attestationName = "attestation-subscription"
New-AzPolicyAttestation -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "Compliant"
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.policyinsights
/attestations/attestation-subscription
Name : attestation-subscription
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationsubassignment
PolicyDefinitionReferenceId :
ComplianceState : Compliant
ExpiresOn :
Owner :
Comment :
Evidence :
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:26:24 AM
AssessmentDate :
Metadata :
SystemData :
This command creates a new policy attestation at subscription 'd1acb22b-c876-44f7-b08e-3fcf9f6767f4' for the given policy assignment.
Note: This command creates an attestation for the subscription and not the resources underneath it. For ease of management, manual policies should be designed to target the scope which defines the boundary of resources whose compliance state needs to be attested. In this case, the manual policy should be targeting
Microsoft.Resources/subscriptions
. For more information, go to https://learn.microsoft.com/en-us/azure/governance/policy/concepts/attestation-structure to understand the best practices for creating attestations.
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationrgassignment"
$attestationName = "attestation-RG"
$rgName = "ps-attestation-test-rg"
New-AzPolicyAttestation -ResourceGroupName $RGName -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "Compliant"
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
-rg/providers/microsoft.policyinsights/attestations/attestation-rg
Name : attestation-RG
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationrgassignment
PolicyDefinitionReferenceId :
ComplianceState : Compliant
ExpiresOn :
Owner :
Comment :
Evidence :
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:35:28 AM
AssessmentDate :
Metadata :
SystemData :
This command creates a new policy attestation at the resource group 'ps-attestation-test-rg' for the given policy assignment.
Note: This command creates an attestation for the resource group and not the resources underneath it. For ease of management, manual policies should be designed to target the scope which defines the boundary of resources whose compliance state needs to be attested. In this case, the manual policy should be targeting
Microsoft.Resources/subscriptions/resourceGroups
. For more information, go to https://learn.microsoft.com/en-us/azure/governance/policy/concepts/attestation-structure to understand the best practices for creating attestations.
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationresourceassignment"
$attestationName = "attestation-resource"
$scope = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourceGroups/ps-attestation-test-rg/providers/Microsoft.Network/networkSecurityGroups/pstests0"
New-AzPolicyAttestation `
-PolicyAssignmentId $policyAssignmentId `
-Name $attestationName `
-Scope $scope `
-ComplianceState "NonCompliant"
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
-rg/providers/microsoft.network/networksecuritygroups/pstests0/providers/microsoft.pol
icyinsights/attestations/attestation-resource
Name : attestation-resource
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationresourceassignment
PolicyDefinitionReferenceId :
ComplianceState : NonCompliant
ExpiresOn :
Owner :
Comment :
Evidence :
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:38:17 AM
AssessmentDate :
Metadata :
SystemData :
This command creates an attestation for the resource 'pstests0' for the given policy assignment.
$attestationName = "attestationRGAllProps"
$policyInitiativeAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationinitiativergassignment"
$policyDefinitionReferenceId = "PSTestAttestationRG_1"
$RGName = "ps-attestation-test-rg"
$description = "This is a test description"
$sourceURI = "https://contoso.org/test.pdf"
$evidence = @{
"Description"=$description
"SourceUri"=$sourceURI
}
$policyEvidence = @($evidence)
$owner = "Test Owner"
$expiresOn = [datetime]::UtcNow.AddYears(1)
$metadata = '{"TestKey":"TestValue"}'
New-AzPolicyAttestation `
-Name $attestationName `
-ResourceGroupName $RGName `
-PolicyAssignmentId $policyInitiativeAssignmentId `
-PolicyDefinitionReferenceId $policyDefinitionReferenceId `
-ComplianceState $Compliant `
-Comment $comment `
-Evidence $policyEvidence `
-ExpiresOn $expiresOn `
-AssessmentDate $expiresOn.AddDays(-2) `
-Owner $owner `
-Metadata $metadata
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
-rg/providers/microsoft.policyinsights/attestations/attestationrgallprops
Name : attestationRGAllProps
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationinitiativergassignment
PolicyDefinitionReferenceId : pstestattestationrg_1
ComplianceState :
ExpiresOn : 1/27/2024 2:51:54 AM
Owner : Test Owner
Comment :
Evidence : {Microsoft.Azure.Commands.PolicyInsights.Models.Attestations.PSAttestationEvidence}
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:51:57 AM
AssessmentDate : 1/25/2024 2:51:54 AM
Metadata : {
"TestKey": "TestValue"
}
SystemData :
The time the evidence of an attestation was assessed.
Type: System.Nullable`1[System.DateTime]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Comments describing why this attestation was created.
Type: System.String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The Compliance State of the resource. E.g. 'Compliant', 'NonCompliant', 'Unknown'
Type: System.String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The credentials, account, tenant, and subscription used for communication with Azure.
Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Parameter Sets: (All)
Aliases: AzContext, AzureRmContext, AzureCredential
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
The evidence supporting the compliance state set in this attestation.
Type: Microsoft.Azure.Commands.PolicyInsights.Models.Attestations.PSAttestationEvidence[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The time the compliance state set in the attestation should expire.
Type: System.Nullable`1[System.DateTime]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Additional metadata for the attestation.
Type: System.String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Resource name.
Type: System.String
Parameter Sets: ByName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The person responsible for setting the state of the resource. This value is typically a Microsoft Entra object ID.
Type: System.String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Policy assignment ID. E.g. '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}'.
Type: System.String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The policy definition reference ID of the individual definition. Required when the policy assignment assigns a policy set definition.
Type: System.String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Resource group name.
Type: System.String
Parameter Sets: ByName
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Resource ID.
Type: System.String
Parameter Sets: ByResourceId
Aliases: Id
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Scope of the resource. E.g. '/subscriptions/{subscriptionId}/resourceGroups/{rgName}'.
Type: System.String
Parameter Sets: ByName
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Prompts you for confirmation before running the cmdlet.
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.