Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzPolicyStateSummary does not return compliant resource count, only noncompliant ones #16286

Open evanrappe opened 3 years ago

evanrappe commented 3 years ago

Get-AzPolicyStateSummary does not return compliant resource count

Per the docs this is by design, but why?

For metric/KPI purposes it is required to know both compliant and noncompliant totals for a given assignment. The equivalent azcli command az policy state summarize returns both values, but PowerShell does not.

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @kenieva.

Issue Details
`Get-AzPolicyStateSummary` does not return compliant resource count Per the [docs](https://docs.microsoft.com/en-us/powershell/module/az.policyinsights/get-azpolicystatesummary?view=azps-6.5.0#description) this is by design, but why? For metric/KPI purposes it is required to know both compliant and noncompliant totals for a given assignment. The equivalent azcli command `az policy state summarize` returns both values, but PowerShell does not.
Author: bsod99
Assignees: -
Labels: `Policy Insights`, `Service Attention`, `question`, `customer-reported`
Milestone: -

dingmeng-xue commented 3 years ago

Policy Insights team, please look into this feature question.

kenieva commented 2 years ago

Investigating...

navba-MSFT commented 2 years ago

@evanrappe Apologies for the late reply. Could you please use the Get-AzPolicyState cmdlet and test if that serves your requirement?

Get-AzPolicyState -Filter "ComplianceState eq 'Compliant'"

Awaiting your reply.

evanrappe commented 2 years ago

@navba-MSFT I think with a bit of local filtering and counting I could get to where we needed for this, but it feels inefficient. It would be great if Get-AzPolicyStateSummary reported both compliant/noncompliant counts for a given assignment ID like az policy state summarize.

Am I missing something, are these two not supposed to be equivalent commands?

evanrappe commented 2 years ago

My apologies -- been a while since I worked on this one. I believe the reason I had originally decided to use the "Summary" commands to get what I needed was because Get-AzPolicyState only outputs 1000 results, thus making filtering and counting with this command unusable for this case.

https://github.com/MicrosoftDocs/azure-docs/issues/26325

kenieva commented 2 years ago

@evanrappe At what scope are you making this request? And it's just for one particular assignment ID? I want to see if I can reproduce the issue on my side.

evanrappe commented 2 years ago

@kenieva Yeah, it's just for one assignment ID, but I'm making this request on a management group above all subscriptions, so there's unfortunately far more than 1000 results.

kenieva commented 2 years ago

Can you post the full query you are using? (except for any MGNames, or other customer data).

evanrappe commented 2 years ago

To see that Get-AzPolicyState was capped at 1000 results, I used:

(Get-AzPolicyState -ManagementGroupName MGname -Filter "(policyAssignmentId eq '/providers/Microsoft.Management/managementGroups/MGname/providers/Microsoft.Authorization/policyAssignments/policyAssignmentID')").count

To see that `Get-AzPolicyStateSummary` isn't returning the noncompliant count like az policy state summarize does, I used:

get-azpolicystatesummary -managementgroupname "MGname" -filter "(policyAssignmentId eq '/providers/Microsoft.Management/managementGroups/MGname/providers/Microsoft.Authorization/policyAssignments/policyAssignmentID')"
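
One way to get both totals for a single assignment without paging through individual records is to have the service group and count by compliance state, using the `-Apply` parameter of `Get-AzPolicyState`. This is an added example, not code from the thread or from the Azure PowerShell project. `MGname` and `policyAssignmentID` are the thread's placeholders, `NumRecords` is a name chosen here, and it is an assumption that the aggregate value is surfaced in each row's `AdditionalProperties` and that one row per group stays under the 1000-result cap.

```powershell
# Added example (not from the thread). Placeholders as used in the thread.
$mg           = 'MGname'
$assignmentId = "/providers/Microsoft.Management/managementGroups/$mg" +
                "/providers/Microsoft.Authorization/policyAssignments/policyAssignmentID"

# Single quotes stop PowerShell from expanding $count inside the OData expression.
# 'NumRecords' is an alias chosen for this example.
$apply = 'groupby((ComplianceState), aggregate($count as NumRecords))'

# One row per compliance state is returned instead of one row per resource.
$rows = Get-AzPolicyState -ManagementGroupName $mg `
            -Filter "policyAssignmentId eq '$assignmentId'" `
            -Apply  $apply

# Start both KPI buckets at zero so a missing group still reports 0.
$summary = [ordered]@{ Compliant = 0; NonCompliant = 0 }

foreach ($row in $rows) {
    # Assumption: the aggregate alias appears in AdditionalProperties.
    $count = $row.AdditionalProperties['NumRecords']
    if ($null -eq $count) {
        Write-Warning "No NumRecords value on row for state '$($row.ComplianceState)'"
        continue
    }
    # Any other state the service reports is added as its own key.
    $summary[$row.ComplianceState] = [int]$count
}

[pscustomobject]$summary
```

The counts are policy state records, so for an initiative assignment a resource is counted once per policy definition it was evaluated against.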