In our test environment we are currently busy replacing our current policy solution with EPAC :) and almost everything runs fine; the "almost" is that I can't get the exemptions to work.
I created an exemption file (all-exemptions.json) that, according to the documentation, is correct (I hope :)), and the plan deployment also sees that exemptions file, but the policy exemption count stays at 0 and no policy exemptions are added in Azure either. Help: what is going wrong, or what am I doing wrong?
all-exemptions.json content
```json
{
  "exemptions": [
    {
      "name": "Exempting DDOS Landingzone",
      "displayName": "o-LandingZones - Virtual networks should not be protected by Azure DDoS Network Protection",
      "description": "o-LandingZones - Virtual networks should not be protected by Azure DDoS Network Protection",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-landingzones",
      "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-landingzones/providers/microsoft.authorization/policyassignments/enable-ddos-vnet",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    },
    {
      "name": "Exempting DDOS Connectivity",
      "displayName": "o-Connectivity - Virtual networks should not be protected by Azure DDoS Network Protection",
      "description": "o-Connectivity - Virtual networks should not be protected by Azure DDoS Network Protection",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-Connectivity",
      "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/alz-Connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    },
    {
      "name": "Exempting IaaS-Antimalware Sandbox",
      "displayName": "o-Sandbox - Don't deploy default Microsoft IaaS-Antimalware extension for Windows Server.",
      "description": "o-Sandbox - Don't deploy default Microsoft IaaS-Antimalware extension for Windows Server.",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-Sandbox",
      "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-o/providers/microsoft.authorization/policyassignments/win-antimalware",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    }
  ]
}
```
And the pipeline output of the plan deployment
```
Processing Policy Exemption files in folder 'Definitions/policyExemptions/tenant1'
===================================================================================================
Number of Policy Exemption files = 1
Processing file '/home/vsts/work/1/s/Definitions/policyExemptions/tenant1/all-exemptions.json'
===================================================================================================
Summary
===================================================================================================
Policy counts:
    132 unchanged
    0 changes
Policy Set counts:
    12 unchanged
    0 changes
Policy Assignment counts:
    54 unchanged
    0 changes
Policy Exemption counts:
    0 unchanged
    0 changes
Role Assignment counts:
    0 changes
---------------------------------------------------------------------------------------------------
Output plan(s)
Skipping Policy deployment stage/step - no changes
Skipping Role Assignment stage/step - no changes
---------------------------------------------------------------------------------------------------
Finishing: Run Build
```