Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
956 questions
Azure Resource Graph (ARG) Query to List All Failed Policy Deployments
Adin Ermie
0
Reputation points
When using Azure Policy, in particular a policy with Deploy If Not Exist (DINE), naturally the policy will try to remediate anything that doesn't align to the policy definition.
However, if there is something that prevents the Policy Deployment from executing properly, the Resource Group's Deployments will show a Status of Failed.
This is different than an error when actually remediating, or something being non-compliant.
I want to create an Azure Resource Graph (ARG) query that will list all of the Resource Groups that have any "Failed" deployments, where Deployment Name contains PolicyDeployment_.
I've used something like the following, but this doesn't seem to find the actual failed policy deployments. I tried cross-referencing for similar ways to use Azure Activity Logs as well.
resourcecontainers
| where type == "microsoft.resources/subscriptions/resourcegroups"
| project subscriptionId, resourceGroup=name, location, tostring(properties['provisioningState'])
Any ideas would be appreciated.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 47%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Rahul Podila 1,730 Reputation points Microsoft Vendor2025-02-11T05:58:56.7033333+00:00 Hi @Adin Ermie
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
To create an Azure Resource Graph (ARG) query that lists all Resource Groups with failed deployments where the Deployment Name contains
PolicyDeployment_, you can modify your existing query to include a join with thedeploymentsresource type.Here's an example of how you might structure your query:
resourcecontainers | where type == "microsoft.resources/subscriptions/resourcegroups" | join kind=inner ( deployments | where properties.provisioningState == "Failed" | where name contains "PolicyDeployment_" ) on $left.id == $right.resourceGroup | project subscriptionId, resourceGroup=name, location, deploymentName=name, deploymentStatus=properties.provisioningStateThis query first filters the
resourcecontainersfor resource groups and then joins it with thedeploymentsto find those with a provisioning state of "Failed" and a name that containsPolicyDeployment_. The final projection includes the relevant details.If you have any concerns, please go through this link: -
If you have any further queries, do let us know
If the answer is helpful, please click "Upvote it"
-
Rahul Podila 1,730 Reputation points Microsoft Vendor
2025-02-12T01:44:19.3433333+00:00 Hi @Adin Ermie
Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.
If the comment is helpful, please click "Upvote it"
Thankyou
Sign in to comment
Sign in to answer