Closed DrCefas closed 1 year ago
This is likely something in the payload:
Hi,
Here is the information that was requested (I hope that this is the correct information), and we scope them on management groups.
- Can you send me the Exemption for the exemption with the displayName "Exempting DDOS Landingzone" (redact subscription ids).
{
  "name": "ExemptingDDOSLandingzone",
  "displayName": "Exempting DDOS Landingzone",
  "description": "o-LandingZones - Virtual networks should not be protected by Azure DDoS Network Protection",
  "exemptionCategory": "Waiver",
  "expiresOn": null,
  "status": "active",
  "expiresInDays": "n/a",
  "scope": "/providers/Microsoft.Management/managementGroups/alz-Landingzones",
  "policyAssignmentId": "/providers/Microsoft.Management/managementgroups/alz-Landingzones/providers/Microsoft.Authorization/policyAssignments/enable-ddos-vnet",
  "policyDefinitionReferenceIds": null,
  "metadata": {}
}
- Even better, send me the plan section with the two new exemptions (again with subscription id redacted).
And to get a clean test I even created two brand new exemptions, which gave the same error.
{
  "exemptions": [
    {
      "name": "Allow Kubernetes clusters",
      "displayName": "Allow Kubernetes clusters container privilege escalation",
      "description": "Allow Kubernetes clusters should not allow container privilege escalation",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-Landingzones",
      "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    },
    {
      "name": "Azure Defender SQL",
      "displayName": "Disable Azure Defender SQL",
      "description": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-Connectivity",
      "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-oanwb/providers/microsoft.authorization/policyassignments/deploy-mdfc-sqlatp",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    }
  ]
}
With the plan section of those two new exemptions
2023-09-01T14:13:49.8170851Z ##[section]Starting: Run Build
2023-09-01T14:13:49.8175615Z ==============================================================================
2023-09-01T14:13:49.8175744Z Task : Azure PowerShell
2023-09-01T14:13:49.8175814Z Description : Run a PowerShell script within an Azure environment
2023-09-01T14:13:49.8175911Z Version : 5.226.0
2023-09-01T14:13:49.8175988Z Author : Microsoft Corporation
2023-09-01T14:13:49.8176060Z Help : https://aka.ms/azurepowershelltroubleshooting
2023-09-01T14:13:49.8176146Z ==============================================================================
2023-09-01T14:13:50.1172387Z Generating script.
2023-09-01T14:13:50.1376292Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/<>.ps1'
2023-09-01T14:13:50.1376779Z File saved!
2023-09-01T14:13:51.3916438Z ##[command]Import-Module -Name /usr/share/az_9.3.0/Az.Accounts/2.12.5/Az.Accounts.psd1 -Global
2023-09-01T14:13:52.0170731Z ##[command]Clear-AzContext -Scope Process
2023-09-01T14:13:52.1509704Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-09-01T14:13:52.5897977Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant <> -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-09-01T14:13:53.9162078Z VERBOSE: Exporting function 'Build-DeploymentPlans'.
2023-09-01T14:13:53.9199219Z VERBOSE: Exporting function 'Build-PolicyDocumentation'.
2023-09-01T14:13:53.9243808Z VERBOSE: Exporting function 'Create-AzRemediationTasks'.
2023-09-01T14:13:53.9292652Z VERBOSE: Exporting function 'Deploy-PolicyPlan'.
2023-09-01T14:13:53.9315265Z VERBOSE: Exporting function 'Deploy-RolesPlan'.
2023-09-01T14:13:53.9376486Z VERBOSE: Exporting function 'Export-AzPolicyResources'.
2023-09-01T14:13:53.9495315Z VERBOSE: Exporting function 'Export-NonComplianceReports'.
2023-09-01T14:13:53.9507570Z VERBOSE: Exporting function 'Get-AzExemptions'.
2023-09-01T14:13:53.9529017Z VERBOSE: Exporting function 'Get-AzMissingTags'.
2023-09-01T14:13:53.9548694Z VERBOSE: Exporting function 'Get-AzPolicyAliasOutputCSV'.
2023-09-01T14:13:53.9573147Z VERBOSE: Exporting function 'Get-AzResourceTags'.
2023-09-01T14:13:53.9590484Z VERBOSE: Exporting function 'Get-AzStorageNetworkConfig'.
2023-09-01T14:13:53.9606376Z VERBOSE: Exporting function 'Get-AzUserRoleAssignments'.
2023-09-01T14:13:53.9630976Z VERBOSE: Exporting function 'New-AzPolicyReaderRole'.
2023-09-01T14:13:53.9640643Z VERBOSE: Exporting function 'New-EPACDefinitionFolder'.
2023-09-01T14:13:53.9654903Z VERBOSE: Exporting function 'New-EPACPolicyAssignmentDefinition'.
2023-09-01T14:13:53.9682965Z VERBOSE: Exporting function 'New-EPACPolicyDefinition'.
2023-09-01T14:13:53.9703530Z VERBOSE: Exporting function 'Sync-ALZPolicies'.
2023-09-01T14:13:53.9723530Z VERBOSE: Exporting function 'Sync-CAFPolicies'.
2023-09-01T14:13:54.0270794Z
2023-09-01T14:13:54.0271478Z ===================================================================================================
2023-09-01T14:13:54.0273508Z Read global settings from 'Definitions/global-settings.jsonc'.
2023-09-01T14:13:54.0275595Z ===================================================================================================
2023-09-01T14:13:54.0278468Z PowerShell Versions: 7.2.13
2023-09-01T14:13:54.1235931Z PAC Environments: tenant1
2023-09-01T14:13:54.1236333Z Definitions root folder: Definitions
2023-09-01T14:13:54.1236535Z Input folder: ./Output
2023-09-01T14:13:54.1239846Z Output folder: ./Output
2023-09-01T14:13:54.1243672Z
2023-09-01T14:13:54.1268366Z Environment Selected: tenant1
2023-09-01T14:13:54.1271771Z cloud = AzureCloud
2023-09-01T14:13:54.1275202Z tenant = <>
2023-09-01T14:13:54.1279167Z root scope = /providers/Microsoft.Management/managementGroups/alz-O
2023-09-01T14:13:54.1281982Z
2023-09-01T14:13:54.1977705Z Telemetry is disabled
2023-09-01T14:13:54.1978039Z
2023-09-01T14:13:54.2117802Z
2023-09-01T14:13:54.2118447Z ===================================================================================================
2023-09-01T14:13:54.2148217Z Get scope tree for EPAC environment 'tenant1' at root scope /managementGroups/alz-O
2023-09-01T14:13:54.2148681Z ===================================================================================================
2023-09-01T14:13:54.8185436Z Retrieved 30 resource containers
2023-09-01T14:13:54.8193144Z
2023-09-01T14:13:54.8204228Z Processing 30 resource containers:
2023-09-01T14:13:54.8625556Z Management groups = 13
2023-09-01T14:13:54.8626329Z Subscriptions = 3
2023-09-01T14:13:54.8700020Z Resource groups = 14
2023-09-01T14:13:54.9241674Z
2023-09-01T14:13:54.9247672Z ===================================================================================================
2023-09-01T14:13:54.9254458Z Get Policy Resources for EPAC environment 'tenant1' at root scope /managementGroups/alz-O
2023-09-01T14:13:54.9259579Z ===================================================================================================
2023-09-01T14:13:58.4718345Z Retrieved 2000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:05.9377056Z Retrieved 3820 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:06.6583840Z Processed 1000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:07.2370280Z Processed 2000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:07.8307009Z Processed 3000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:08.4071946Z Processed 3820 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:08.4089779Z
2023-09-01T14:14:08.8229546Z Retrieved 1 Policy Exemptions
2023-09-01T14:14:08.8319429Z Processed 1 Policy Exemptions
2023-09-01T14:14:08.8328788Z
2023-09-01T14:14:08.8335148Z Collecting Role assignments (this may take a while):
2023-09-01T14:14:08.8361579Z /subscriptions/
2023-09-01T14:14:11.6524483Z /subscriptions/
2023-09-01T14:14:13.1133113Z /subscriptions/
2023-09-01T14:14:14.5377514Z /providers/Microsoft.Management/managementGroups/alz-Production
2023-09-01T14:14:15.5462878Z /providers/Microsoft.Management/managementGroups/Alz-connectivity
2023-09-01T14:14:16.5007286Z /providers/Microsoft.Management/managementGroups/alz-Identity
2023-09-01T14:14:22.4507582Z /providers/Microsoft.Management/managementGroups/alz-Decommissioned
2023-09-01T14:14:23.4053973Z
2023-09-01T14:14:23.4054770Z ===================================================================================================
2023-09-01T14:14:23.4055538Z Policy Resources found for EPAC environment 'tenant1' at root scope /managementGroups/alz-O
2023-09-01T14:14:23.4055933Z ===================================================================================================
2023-09-01T14:14:23.4065468Z
2023-09-01T14:14:23.4066436Z Policy counts:
2023-09-01T14:14:23.4067337Z BuiltIn = 2984
2023-09-01T14:14:23.4070091Z Managed (132) by:
2023-09-01T14:14:23.4071030Z This PaC = 132
2023-09-01T14:14:23.4071938Z Other PaC = 0
2023-09-01T14:14:23.4072877Z Unknown = 0
2023-09-01T14:14:23.4082327Z Inherited = 0
2023-09-01T14:14:23.4091614Z Excluded = 0
2023-09-01T14:14:23.4093602Z
2023-09-01T14:14:23.4094521Z Policy Set counts:
2023-09-01T14:14:23.4095374Z BuiltIn = 106
2023-09-01T14:14:23.4096384Z Managed (12) by:
2023-09-01T14:14:23.4097300Z This PaC = 12
2023-09-01T14:14:23.4098339Z Other PaC = 0
2023-09-01T14:14:23.4099226Z Unknown = 0
2023-09-01T14:14:23.4100451Z Inherited = 0
2023-09-01T14:14:23.4101179Z Excluded = 0
2023-09-01T14:14:23.4103198Z
2023-09-01T14:14:23.4104007Z Policy Assignment counts:
2023-09-01T14:14:23.4104819Z Managed (74) by:
2023-09-01T14:14:23.4105685Z This PaC = 53
2023-09-01T14:14:23.4106686Z Other PaC = 3
2023-09-01T14:14:23.4107692Z Unknown = 18
2023-09-01T14:14:23.4134950Z With identity = 36
2023-09-01T14:14:23.4135249Z Excluded = 0
2023-09-01T14:14:23.4136092Z
2023-09-01T14:14:23.4136882Z Policy Exemptions:
2023-09-01T14:14:23.4137929Z Managed (0) by:
2023-09-01T14:14:23.4138869Z This PaC = 0
2023-09-01T14:14:23.4139869Z Other PaC = 0
2023-09-01T14:14:23.4140830Z Unknown = 0
2023-09-01T14:14:23.4150281Z Orphaned = 0
2023-09-01T14:14:23.4151115Z Excluded = 0
2023-09-01T14:14:23.4153099Z
2023-09-01T14:14:23.4162135Z Role Assignments:
2023-09-01T14:14:23.4163242Z Total principalIds = 36
2023-09-01T14:14:23.4164206Z Total Scopes = 10
2023-09-01T14:14:23.4165247Z Total Role Assignments = 92
2023-09-01T14:14:23.4363647Z ===================================================================================================
2023-09-01T14:14:23.4364941Z Processing Policy JSON files in folder 'Definitions/policyDefinitions'
2023-09-01T14:14:23.4365823Z ===================================================================================================
2023-09-01T14:14:29.7872472Z Number of Policy files = 132
2023-09-01T14:14:32.8755886Z Number of unchanged Policies = 132
2023-09-01T14:14:32.8756483Z
2023-09-01T14:14:32.8902633Z ===================================================================================================
2023-09-01T14:14:32.8903596Z Processing Policy Set JSON files in folder 'Definitions/policySetDefinitions'
2023-09-01T14:14:32.8948358Z ===================================================================================================
2023-09-01T14:14:33.5697019Z Number of Policy Set files = 12
2023-09-01T14:14:35.2505915Z Number of unchanged Policy SetPolicy Sets definition = 12
2023-09-01T14:14:35.2506518Z
2023-09-01T14:14:35.2636386Z ===================================================================================================
2023-09-01T14:14:35.2637426Z Processing Policy Assignments JSON files in folder 'Definitions/policyAssignments'
2023-09-01T14:14:35.2637940Z ===================================================================================================
2023-09-01T14:14:35.8693388Z Calculating effect parameters for 3116 Policies.
2023-09-01T14:14:42.5098409Z Calculating effect parameters for 118 Policy Sets.
2023-09-01T14:14:55.7307085Z Number of Policy Assignment files = 18
2023-09-01T14:14:57.7695967Z Desired State(unknownOwner,ownedOnly) - no delete 'ASC provisioning default LA agent Linux Arc' at /subscriptions/
2023-09-01T14:14:57.7704835Z Desired State(unknownOwner,ownedOnly) - no delete 'OpenSourceRelationalDatabasesProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7715108Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning AKS Security Profile' at /subscriptions/
2023-09-01T14:14:57.7726085Z Desired State(unknownOwner,ownedOnly) - no delete 'OpenSourceRelationalDatabasesProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7737004Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning AKS Security Profile' at /subscriptions/
2023-09-01T14:14:57.7748176Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Azure Policy Addon for Kub' at /subscriptions/
2023-09-01T14:14:57.7758933Z Desired State(otherPaC,ownedOnly) - no delete 'Deny-Public-IP-On-NIC' at /managementGroups/alz-Sandbox
2023-09-01T14:14:57.7781121Z Desired State(unknownOwner,ownedOnly) - no delete 'DataProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7781896Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning ARC k8s Enabled' at /subscriptions/
2023-09-01T14:14:57.7792126Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Policy extension for Arc-e' at /subscriptions/
2023-09-01T14:14:57.7802832Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Policy extension for Arc-e' at /subscriptions/
2023-09-01T14:14:57.7813684Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Policy extension for Arc-e' at /subscriptions/
2023-09-01T14:14:57.7824893Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning ARC k8s Enabled' at /subscriptions/
2023-09-01T14:14:57.7835533Z Desired State(unknownOwner,ownedOnly) - no delete 'DataProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7847055Z Desired State(unknownOwner,ownedOnly) - no delete 'DataProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7857823Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning ARC k8s Enabled' at /subscriptions/
2023-09-01T14:14:57.7909535Z Desired State(unknownOwner,ownedOnly) - no delete 'ASC provisioning default LA agent Windows Arc' at /subscriptions/
2023-09-01T14:14:57.7910614Z Desired State(unknownOwner,ownedOnly) - no delete 'OpenSourceRelationalDatabasesProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7913143Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning AKS Security Profile' at /subscriptions/
2023-09-01T14:14:57.7913587Z Desired State(otherPaC,ownedOnly) - no delete 'Deny-HybridNetworking' at /managementGroups/alz-Sandbox
2023-09-01T14:14:57.7913943Z Desired State(otherPaC,ownedOnly) - no delete 'Audit-PeDnsZones' at /managementGroups/alz-Sandbox
2023-09-01T14:14:57.7915569Z Number of unchanged Policy Assignments = 53
2023-09-01T14:14:57.7915659Z
2023-09-01T14:14:57.8083504Z ===================================================================================================
2023-09-01T14:14:57.8084636Z Processing Policy Exemption files in folder 'Definitions/policyExemptions/tenant1'
2023-09-01T14:14:57.8085295Z ===================================================================================================
2023-09-01T14:14:57.8149549Z Number of Policy Exemption files = 1
2023-09-01T14:14:57.8150332Z Processing file '/home/vsts/work/1/s/Definitions/policyExemptions/tenant1/new-exemptions.json'
2023-09-01T14:14:57.8161524Z
2023-09-01T14:14:57.8262782Z New 'Allow Kubernetes clusters', '/providers/Microsoft.Management/managementGroups/alz-Landingzones'
2023-09-01T14:14:57.8292687Z New 'Azure Defender SQL', '/providers/Microsoft.Management/managementGroups/alz-Connectivity'
2023-09-01T14:14:57.8293864Z
2023-09-01T14:14:57.8294365Z
2023-09-01T14:14:57.8316847Z ===================================================================================================
2023-09-01T14:14:57.8317316Z Summary
2023-09-01T14:14:57.8318527Z ===================================================================================================
2023-09-01T14:14:57.8319003Z Policy counts:
2023-09-01T14:14:57.8327741Z 132 unchanged
2023-09-01T14:14:57.8336782Z 0 changes
2023-09-01T14:14:57.8337808Z Policy Set counts:
2023-09-01T14:14:57.8338936Z 12 unchanged
2023-09-01T14:14:57.8339870Z 0 changes
2023-09-01T14:14:57.8341726Z Policy Assignment counts:
2023-09-01T14:14:57.8342085Z 53 unchanged
2023-09-01T14:14:57.8343501Z 0 changes
2023-09-01T14:14:57.8343851Z Policy Exemption counts:
2023-09-01T14:14:57.8344910Z 0 unchanged
2023-09-01T14:14:57.8353739Z 0 orphaned
2023-09-01T14:14:57.8362754Z 0 expired
2023-09-01T14:14:57.8363710Z 2 changes:
2023-09-01T14:14:57.8374144Z new = 2
2023-09-01T14:14:57.8384483Z update = 0
2023-09-01T14:14:57.8394147Z replace = 0
2023-09-01T14:14:57.8403880Z delete = 0
2023-09-01T14:14:57.8404824Z Role Assignment counts:
2023-09-01T14:14:57.8406223Z 0 changes
2023-09-01T14:14:57.8407801Z ---------------------------------------------------------------------------------------------------
2023-09-01T14:14:57.8408474Z Output plan(s)
2023-09-01T14:14:57.8423997Z Policy resource deployment required; writing Policy plan file './Output/plans-tenant1/policy-plan.json'
2023-09-01T14:14:57.8513819Z Skipping Role Assignment stage/step - no changes
2023-09-01T14:14:57.8514534Z ---------------------------------------------------------------------------------------------------
2023-09-01T14:14:57.8515121Z
2023-09-01T14:14:57.9716553Z ##[section]Finishing: Run Build
And deploy policies log (to be complete)
2023-09-01T14:15:42.7803242Z ##[section]Starting: Deploy Policies
2023-09-01T14:15:42.7808348Z ==============================================================================
2023-09-01T14:15:42.7808498Z Task : Azure PowerShell
2023-09-01T14:15:42.7808580Z Description : Run a PowerShell script within an Azure environment
2023-09-01T14:15:42.7808694Z Version : 5.226.0
2023-09-01T14:15:42.7808783Z Author : Microsoft Corporation
2023-09-01T14:15:42.7809022Z Help : https://aka.ms/azurepowershelltroubleshooting
2023-09-01T14:15:42.7809125Z ==============================================================================
2023-09-01T14:15:43.1689601Z Generating script.
2023-09-01T14:15:43.1798137Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/a88aa23e-f48b-4778-9489-96343aa70b6a.ps1'
2023-09-01T14:15:43.1798658Z File saved!
2023-09-01T14:15:43.8618290Z ##[command]Import-Module -Name /usr/share/az_9.3.0/Az.Accounts/2.12.5/Az.Accounts.psd1 -Global
2023-09-01T14:15:44.6175996Z ##[command]Clear-AzContext -Scope Process
2023-09-01T14:15:44.7754544Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-09-01T14:15:45.1485088Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant <> -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-09-01T14:15:46.4062357Z VERBOSE: Exporting function 'Build-DeploymentPlans'.
2023-09-01T14:15:46.4108276Z VERBOSE: Exporting function 'Build-PolicyDocumentation'.
2023-09-01T14:15:46.4162175Z VERBOSE: Exporting function 'Create-AzRemediationTasks'.
2023-09-01T14:15:46.4224853Z VERBOSE: Exporting function 'Deploy-PolicyPlan'.
2023-09-01T14:15:46.4255381Z VERBOSE: Exporting function 'Deploy-RolesPlan'.
2023-09-01T14:15:46.4330343Z VERBOSE: Exporting function 'Export-AzPolicyResources'.
2023-09-01T14:15:46.4492309Z VERBOSE: Exporting function 'Export-NonComplianceReports'.
2023-09-01T14:15:46.4506049Z VERBOSE: Exporting function 'Get-AzExemptions'.
2023-09-01T14:15:46.4533080Z VERBOSE: Exporting function 'Get-AzMissingTags'.
2023-09-01T14:15:46.4557315Z VERBOSE: Exporting function 'Get-AzPolicyAliasOutputCSV'.
2023-09-01T14:15:46.4589779Z VERBOSE: Exporting function 'Get-AzResourceTags'.
2023-09-01T14:15:46.4611476Z VERBOSE: Exporting function 'Get-AzStorageNetworkConfig'.
2023-09-01T14:15:46.4634764Z VERBOSE: Exporting function 'Get-AzUserRoleAssignments'.
2023-09-01T14:15:46.4664306Z VERBOSE: Exporting function 'New-AzPolicyReaderRole'.
2023-09-01T14:15:46.4676822Z VERBOSE: Exporting function 'New-EPACDefinitionFolder'.
2023-09-01T14:15:46.4698558Z VERBOSE: Exporting function 'New-EPACPolicyAssignmentDefinition'.
2023-09-01T14:15:46.4764161Z VERBOSE: Exporting function 'New-EPACPolicyDefinition'.
2023-09-01T14:15:46.4796618Z VERBOSE: Exporting function 'Sync-ALZPolicies'.
2023-09-01T14:15:46.4831872Z VERBOSE: Exporting function 'Sync-CAFPolicies'.
2023-09-01T14:15:46.5912949Z
2023-09-01T14:15:46.5918818Z ===================================================================================================
2023-09-01T14:15:46.5923027Z Read global settings from 'Definitions/global-settings.jsonc'.
2023-09-01T14:15:46.5928562Z ===================================================================================================
2023-09-01T14:15:46.5929020Z PowerShell Versions: 7.2.13
2023-09-01T14:15:46.6978112Z PAC Environments: tenant1
2023-09-01T14:15:46.6978966Z Definitions root folder: Definitions
2023-09-01T14:15:46.6986112Z Input folder: /home/vsts/work/1/policy-plan-tenant1
2023-09-01T14:15:46.6991594Z Output folder: ./Output
2023-09-01T14:15:46.6996951Z
2023-09-01T14:15:46.7028657Z Environment Selected: tenant1
2023-09-01T14:15:46.7033732Z cloud = AzureCloud
2023-09-01T14:15:46.7038461Z tenant = <>
2023-09-01T14:15:46.7044044Z root scope = /providers/Microsoft.Management/managementGroups/alz-O
2023-09-01T14:15:46.7044355Z
2023-09-01T14:15:46.7606580Z Telemetry is disabled
2023-09-01T14:15:46.7613351Z
2023-09-01T14:15:46.7719301Z ***************************************************************************************************
2023-09-01T14:15:46.7724801Z Deploy Policy resources from plan in file '/home/vsts/work/1/policy-plan-tenant1/plans-tenant1/policy-plan.json'
2023-09-01T14:15:46.7731333Z Plan created on 2023-09-01 14:14:57Z.
2023-09-01T14:15:46.7734950Z ***************************************************************************************************
2023-09-01T14:15:46.8075014Z
2023-09-01T14:15:46.8081642Z ===================================================================================================
2023-09-01T14:15:46.8087509Z Create new Exemptions (2)
2023-09-01T14:15:46.8088276Z ---------------------------------------------------------------------------------------------------
2023-09-01T14:15:46.8170794Z Disable Azure Defender SQL
2023-09-01T14:15:47.2310628Z Write-Error: /home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/8.1.0/functions/Deploy-PolicyPlan.ps1:318
2023-09-01T14:15:47.2311091Z Line |
2023-09-01T14:15:47.2311845Z  318 |  … $null = Set-AzPolicyExemptionRestMethod -ExemptionObj $exemption
2023-09-01T14:15:47.2312396Z      |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2023-09-01T14:15:47.2312750Z      | Policy Exemption error 404 --
2023-09-01T14:15:47.2313140Z      | {"error":{"code":"MissingSubscription","message":"The request did not
2023-09-01T14:15:47.2313513Z      | have a subscription or a valid tenant level resource provider."}}
2023-09-01T14:15:47.2313768Z
2023-09-01T14:15:47.3374080Z ##[error]PowerShell exited with code '1'.
2023-09-01T14:15:47.3429634Z ##[section]Finishing: Deploy Policies
I found the problem. Fix will be out shortly. Thank you for all your testing.
Hi,
After the merge of #342 I did some extensive testing and it seems to run a lot better; some strange warnings about exemptions being duplicated etc. are gone :) Unfortunately, the error reported in #341 is still there in Deploy Policies. I already tried it with a JSON and a CSV exemptions file, but both files still give the same error.