While testing the Set-AzPolicyAssignment command with the latest version, we noticed the following behavior:
Policy Enforcement Mode and Non-Compliant Messages: These properties are maintained correctly when running the command.
Description and Display Name: These properties are lost when executing the command directly.
Issue script & Debug output
# Connect to Azure
# Note: Policy assignment is set to DoNotEnforce, for testing.
Get-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>"
# Set the subscription context
Set-AzContext -SubscriptionId "<SubscriptionId>"
# Assign a policy with the Set-AzPolicyAssignment command
Set-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>" -EnforcementMode Default
Environment data
Name Value
---- -----
PSVersion 7.4.2
PSEdition Core
GitCommitId 7.4.2
OS Microsoft Windows 10.0.22635
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
Get-InstalledModule -Name Az -AllVersions
Version Name Repository Description
------- ---- ---------- -----------
12.0.0 Az PSGallery Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatib…
Get-InstalledModule -Name Az.Resources -AllVersions
Version Name Repository Description
------- ---- ---------- -----------
7.1.0 Az.Resources PS
Error output
Example Output Before Changing Enforcement Mode:
Metadata : @{parameterScopes=; createdBy=<CreatedById>; createdOn=5/27/2024 7:36:55 PM; updatedBy=<UpdatedById>; updatedOn=6/24/2024 6:17:53 PM}
NonComplianceMessage :
NotScope :
Parameter : @{profileName=}
Description : This is a test
DisplayName : DiagOpenAI
EnforcementMode : DoNotEnforce
Id : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>
IdentityPrincipalId :
IdentityTenantId :
IdentityType :
IdentityUserAssignedIdentity : Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IdentityUserAssignedIdentities
Location :
Name : <PolicyAssignmentName>
Override : {}
PolicyDefinitionId : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyDefinitions/<PolicyDefinitionId>
ResourceSelector : {}
SystemDataCreatedAt : 5/27/2024 7:36:55 PM
SystemDataCreatedByType : User
SystemDataLastModifiedAt : 6/24/2024 6:17:53 PM
SystemDataLastModifiedByType : User
Type : Microsoft.Authorization/policyAssignments
Example Output After Changing Enforcement Mode:
Metadata : @{createdBy=<CreatedById>; createdOn=5/27/2024 7:36:55 PM; updatedBy=<UpdatedById>; updatedOn=6/24/2024 6:43:50 PM}
NonComplianceMessage :
NotScope :
Parameter : @{profileName=}
Description :
DisplayName :
EnforcementMode : Default
Id : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>
IdentityPrincipalId :
IdentityTenantId :
IdentityType :
IdentityUserAssignedIdentity : Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IdentityUserAssignedIdentities
Location :
Name : <PolicyAssignmentName>
Override :
PolicyDefinitionId : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyDefinitions/<PolicyDefinitionId>
ResourceSelector :
SystemDataCreatedAt : 5/27/2024 7:36:55 PM
SystemDataCreatedByType : User
SystemDataLastModifiedAt : 6/24/2024 6:43:50 PM
SystemDataLastModifiedByType : User
Type : Microsoft.Authorization/policyAssignments
Example of workaround:
Piping the output of Get to the Set:
Get-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>" | Set-AzPolicyAssignment
Nonetheless, documentation does not state this, so it could be somewhat confusing.
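One way to guard an automation script against the property loss reported above, as an added example that is not part of the original issue or the Az module's own code. The function name `Set-EnforcementModePreservingMetadata` is hypothetical, and the example assumes that passing `-DisplayName` and `-Description` explicitly keeps them on the assignment; it re-reads the assignment afterwards and fails loudly if either field changed.

```powershell
# Added example; the function name is hypothetical, not an Az cmdlet.
function Set-EnforcementModePreservingMetadata {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AssignmentId,
        [Parameter(Mandatory)] [ValidateSet('Default', 'DoNotEnforce')] [string] $EnforcementMode
    )

    # Snapshot the fields the issue reports as being blanked by the update.
    $before = Get-AzPolicyAssignment -Id $AssignmentId -ErrorAction Stop

    # Assumption: supplying DisplayName/Description explicitly preserves them.
    # Only pass values that were actually set before the update.
    $setArgs = @{ Id = $AssignmentId; EnforcementMode = $EnforcementMode }
    foreach ($name in 'DisplayName', 'Description') {
        if (-not [string]::IsNullOrEmpty($before.$name)) { $setArgs[$name] = $before.$name }
    }
    Set-AzPolicyAssignment @setArgs -ErrorAction Stop | Out-Null

    # Re-read from Azure and compare against the snapshot.
    $after = Get-AzPolicyAssignment -Id $AssignmentId -ErrorAction Stop
    $lost = foreach ($name in 'DisplayName', 'Description') {
        if ("$($before.$name)" -ne "$($after.$name)") { $name }
    }
    if ($lost) {
        throw "Properties changed unexpectedly on ${AssignmentId}: $($lost -join ', ')"
    }
    if ($after.EnforcementMode -ne $EnforcementMode) {
        throw "EnforcementMode is '$($after.EnforcementMode)', expected '$EnforcementMode'"
    }
    $after
}

# Placeholder ID in the same form as in the report; replace before running.
$id = "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>"
Set-EnforcementModePreservingMetadata -AssignmentId $id -EnforcementMode Default
```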