Merge pull request #266307 from davidsmatlak/ds-update-policy-powershell-qs-20240213

Update Azure Policy PowerShell quickstart

Author: Stacyrch140

articles/governance/policy/assign-policy-powershell.md

@@ -1,127 +1,166 @@
 ---
-title: "Quickstart: New policy assignment with PowerShell"
-description: In this quickstart, you use Azure PowerShell to create an Azure Policy assignment to identify non-compliant resources.
-ms.date: 08/17/2021
+title: "Quickstart: Create policy assignment using Azure PowerShell"
+description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using Azure PowerShell.
+ms.date: 02/15/2024
 ms.topic: quickstart
 ms.custom: devx-track-azurepowershell
 ---
+
 # Quickstart: Create a policy assignment to identify non-compliant resources using Azure PowerShell
 
-The first step in understanding compliance in Azure is to identify the status of your resources. In
-this quickstart, you create a policy assignment to identify virtual machines that aren't using
-managed disks. When complete, you'll identify virtual machines that are _non-compliant_.
+The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify non-compliant resources using Azure PowerShell. This example evaluates virtual machines that don't use managed disks. After you create the policy assignment, you identify non-compliant virtual machines.
 
-The Azure PowerShell module is used to manage Azure resources from the command line or in scripts.
-This guide explains how to use Az module to create a policy assignment.
+The Azure PowerShell modules can be used to manage Azure resources from the command line or in scripts. This article explains how to use Azure PowerShell to create a policy assignment.
 
 ## Prerequisites
 
-- If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/)
-  account before you begin.
+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- [Azure PowerShell](/powershell/azure/install-az-ps).
+- [Visual Studio Code](https://code.visualstudio.com/).
+- `Microsoft.PolicyInsights` must be [registered](../../azure-resource-manager/management/resource-providers-and-types.md) in your Azure subscription. To register a resource provider, you must have permission to register resource providers. That permission is included in the Contributor and Owner roles.
+- A resource group with at least one virtual machine that doesn't use managed disks.
+
+## Connect to Azure
+
+From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID.
+
+```azurepowershell
+Connect-AzAccount
+
+# Run these commands if you have multiple subscriptions
+Get-AzSubScription
+Set-AzContext -Subscription <subscriptionID>
+```
 
-- Before you start, make sure that the latest version of Azure PowerShell is installed. See
-  [Install Azure PowerShell module](/powershell/azure/install-azure-powershell) for detailed information.
+## Register resource provider
 
-- Register the Azure Policy Insights resource provider using Azure PowerShell. Registering the
-  resource provider makes sure that your subscription works with it. To register a resource
-  provider, you must have permission to the register resource provider operation. This operation is
-  included in the Contributor and Owner roles. Run the following command to register the resource
-  provider:
+When a resource provider is registered, it's available to use in your Azure subscription.
 
-  ```azurepowershell-interactive
-  # Register the resource provider if it's not already registered
-  Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
-  ```
+To verify if `Microsoft.PolicyInsights` is registered, run `Get-AzResourceProvider`. The resource provider contains several resource types. If the result is `NotRegistered` run `Register-AzResourceProvider`:
 
-  For more information about registering and viewing resource providers, see
-  [Resource Providers and Types](../../azure-resource-manager/management/resource-providers-and-types.md).
+```azurepowershell
+ Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' |
+   Select-Object -Property ResourceTypes, RegistrationState
 
-[!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)]
+Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
+```
 
-## Create a policy assignment
+## Create policy assignment
 
-In this quickstart, you create a policy assignment for the _Audit VMs without managed disks_
-definition. This policy definition identifies virtual machines not using managed disks.
+Use the following commands to create a new policy assignment for your resource group. This example uses an existing resource group that contains a virtual machine _without_ managed disks. The resource group is the scope for the policy assignment.
 
-Run the following commands to create a new policy assignment:
+Run the following commands and replace `<resourceGroupName>` with your resource group name:
 
-```azurepowershell-interactive
-# Get a reference to the resource group that is the scope of the assignment
+```azurepowershell
 $rg = Get-AzResourceGroup -Name '<resourceGroupName>'
 
-# Get a reference to the built-in policy definition to assign
-$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }
+$definition = Get-AzPolicyDefinition |
+  Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }
+```
+
+The `$rg` variable stores properties for the resource group and the `$definition` variable stores the policy definition's properties. The properties are used in subsequent commands.
+
+Run the following command to create the policy assignment:
 
-# Create the policy assignment with the built-in definition against your resource group
-New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition
+```azurepowershell
+$policyparms = @{
+Name = 'audit-vm-managed-disks'
+DisplayName = 'Audit VMs without managed disks Assignment'
+Scope = $rg.ResourceId
+PolicyDefinition = $definition
+Description = 'Az PowerShell policy assignment to resource group'
+}
+
+New-AzPolicyAssignment @policyparms
 ```
 
-The preceding commands use the following information:
+The `$policyparms` variable uses [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to create parameter values and improve readability. The `New-AzPolicyAssignment` command uses the parameter values defined in the `$policyparms` variable.
+
+- `Name` creates the policy assignment name used in the assignment's `ResourceId`.
+- `DisplayName` is the name for the policy assignment and is visible in Azure portal.
+- `Scope` uses the `$rg.ResourceId` property to assign the policy to the resource group.
+- `PolicyDefinition` assigns the policy definition stored in the `$definition` variable.
+- `Description` can be used to add context about the policy assignment.
+
+The results of the policy assignment resemble the following example:
 
-- **Name** - The actual name of the assignment. For this example, _audit-vm-manageddisks_ was used.
-- **DisplayName** - Display name for the policy assignment. In this case, you're using _Audit VMs
-  without managed disks Assignment_.
-- **Definition** - The policy definition, based on which you're using to create the assignment. In
-  this case, it's the ID of policy definition _Audit VMs that do not use managed disks_.
-- **Scope** - A scope determines what resources or grouping of resources the policy assignment gets
-  enforced on. It could range from a subscription to resource groups. Be sure to replace
-  &lt;scope&gt; with the name of your resource group.
+```output
+Name               : audit-vm-managed-disks
+ResourceId         : /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks
+ResourceName       : audit-vm-managed-disks
+ResourceGroupName  : {resourceGroupName}
+ResourceType       : Microsoft.Authorization/policyAssignments
+SubscriptionId     : {subscriptionId}
+PolicyAssignmentId : /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks
+Properties         : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicyAssignmentProperties
+```
 
-You're now ready to identify non-compliant resources to understand the compliance state of your
-environment.
+For more information, go to [New-AzPolicyAssignment](/powershell/module/az.resources/new-azpolicyassignment).
 
 ## Identify non-compliant resources
 
-Use the following information to identify resources that aren't compliant with the policy assignment
-you created. Run the following commands:
+The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state.
 
-```azurepowershell-interactive
-# Get the resources in your resource group that are non-compliant to the policy assignment
-Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'
+Use the following command to identify resources that aren't compliant with the policy assignment
+you created:
+
+```azurepowershell
+$complianceparms = @{
+ResourceGroupName = $rg.ResourceGroupName
+PolicyAssignmentName = 'audit-vm-managed-disks'
+Filter = 'IsCompliant eq false'
+}
+
+Get-AzPolicyState @complianceparms
 ```
 
-For more information about getting policy state, see
-[Get-AzPolicyState](/powershell/module/az.policyinsights/Get-AzPolicyState).
+The `$complianceparms` variable uses splatting to create parameter values used in the `Get-AzPolicyState` command.
+
+- `ResourceGroupName` gets the resource group name from the `$rg.ResourceGroupName` property.
+- `PolicyAssignmentName` specifies the name used when the policy assignment was created.
+- `Filter` uses an expression to find resources that aren't compliant with the policy assignment.
 
-Your results resemble the following example:
+For more information, go to [Get-AzPolicyState](/powershell/module/az.policyinsights/Get-AzPolicyState).
+
+Your results resemble the following example and `ComplianceState` shows `NonCompliant`:
 
 ```output
-Timestamp                   : 3/9/19 9:21:29 PM
-ResourceId                  : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmId}
-PolicyAssignmentId          : /subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/audit-vm-manageddisks
-PolicyDefinitionId          : /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d
-IsCompliant                 : False
-SubscriptionId              : {subscriptionId}
-ResourceType                : /Microsoft.Compute/virtualMachines
-ResourceTags                : tbd
-PolicyAssignmentName        : audit-vm-manageddisks
-PolicyAssignmentOwner       : tbd
-PolicyAssignmentScope       : /subscriptions/{subscriptionId}
-PolicyDefinitionName        : 06a78e20-9358-41c9-923c-fb736d382a4d
-PolicyDefinitionAction      : audit
-PolicyDefinitionCategory    : Compute
-ManagementGroupIds          : {managementGroupId}
+Timestamp                : 2/14/2024 18:25:37
+ResourceId               : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.compute/virtualmachines/{vmId}
+PolicyAssignmentId       : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.authorization/policyassignments/audit-vm-managed-disks
+PolicyDefinitionId       : /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d
+IsCompliant              : False
+SubscriptionId           : {subscriptionId}
+ResourceType             : Microsoft.Compute/virtualMachines
+ResourceLocation         : {location}
+ResourceGroup            : {resourceGroupName}
+ResourceTags             : tbd
+PolicyAssignmentName     : audit-vm-managed-disks
+PolicyAssignmentOwner    : tbd
+PolicyAssignmentScope    : /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}
+PolicyDefinitionName     : 06a78e20-9358-41c9-923c-fb736d382a4d
+PolicyDefinitionAction   : audit
+PolicyDefinitionCategory : tbd
+ManagementGroupIds       : {managementGroupId}
+ComplianceState          : NonCompliant
+AdditionalProperties     : {[complianceReasonCode, ]}
 ```
 
-The results match what you see in the **Resource compliance** tab of a policy assignment in the
-Azure portal view.
-
 ## Clean up resources
 
-To remove the assignment created, use the following command:
+To remove the policy assignment, use the following command:
 
-```azurepowershell-interactive
-# Removes the policy assignment
-Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'
+```azurepowershell
+Remove-AzPolicyAssignment -Name 'audit-vm-managed-disks' -Scope $rg.ResourceId
 ```
 
 ## Next steps
 
 In this quickstart, you assigned a policy definition to identify non-compliant resources in your
 Azure environment.
 
-To learn more about assigning policies to validate that new resources are compliant, continue to the
-tutorial for:
+To learn more how to assign policies that validate if new resources are compliant, continue to the
+tutorial.
 
 > [!div class="nextstepaction"]
-> [Creating and managing policies](./tutorials/create-and-manage.md)
+> [Tutorial: Create and manage policies to enforce compliance](./tutorials/create-and-manage.md)