Modifier

Partager via


New-AzPolicyExemption

Creates or updates a policy exemption.

Syntax

New-AzPolicyExemption
   -Name <String>
   -ExemptionCategory <String>
   -PolicyAssignment <PSObject>
   [-Scope <String>]
   [-PolicyDefinitionReferenceId <String[]>]
   [-AssignmentScopeValidation <String>]
   [-DisplayName <String>]
   [-Description <String>]
   [-ExpiresOn <DateTime>]
   [-Metadata <String>]
   [-ResourceSelector <IResourceSelector[]>]
   [-BackwardCompatible]
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzPolicyExemption cmdlet creates a policy exemption with the given scope and name.

Examples

Example 1: Policy exemption at subscription level

$Subscription = Get-AzSubscription -SubscriptionName 'Subscription01'
$Assignment = Get-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment'
New-AzPolicyExemption -Name 'VirtualMachinePolicyExemption' -PolicyAssignment $Assignment -Scope "/subscriptions/$($Subscription.Id)" -ExemptionCategory Waiver

The first command gets a subscription named Subscription01 by using the Get-AzSubscription cmdlet and stores it in the $Subscription variable. The second command gets the policy assignment named VirtualMachinePolicyAssignment by using the Get-AzPolicyAssignment cmdlet and stores it in the $Assignment variable. The final command exempts the policy assignment in $Assignment at the level of the subscription identified by the subscription scope string.

Example 2: Policy exemption at resource group level

$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
$Assignment = Get-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment'
New-AzPolicyExemption -Name 'VirtualMachinePolicyAssignment' -PolicyAssignment $Assignment -Scope $ResourceGroup.ResourceId -ExemptionCategory Mitigated

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the policy assignment named VirtualMachinePolicyAssignment by using the Get-AzPolicyAssignment cmdlet and stores it in the $Assignment variable. The final command exempts the policy assignment in $Assignment at the level of the resource group identified by the ResourceId property of $ResourceGroup.

Example 3: Policy exemption at management group level

$ManagementGroup = Get-AzManagementGroup -GroupName 'AManagementGroup'
$Assignment = Get-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment'
New-AzPolicyExemption -Name 'VirtualMachinePolicyAssignment' -PolicyAssignment $Assignment -Scope $ManagementGroup.Id -ExemptionCategory Mitigated

The first command gets a management group named AManagementGroup by using the Get-AzManagementGroup cmdlet and stores it in the $ManagementGroup variable. The second command gets the policy assignment named VirtualMachinePolicyAssignment by using the Get-AzPolicyAssignment cmdlet and stores it in the $Assignment variable. The final command exempts the policy assignment in $Assignment at the level of the management group identified by the Id property of $ManagementGroup.

Example 4: Policy exemption at resource level

$VM = Get-AzVM -Name 'SpecialVM'
$Assignment = Get-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment'
New-AzPolicyExemption -Name 'VirtualMachinePolicyAssignment' -PolicyAssignment $Assignment -Scope $SpecialVM.Id -ExemptionCategory Waiver

The first command gets a VM named SpecialVM by using the Get-AzVM cmdlet and stores it in the $VM variable. The second command gets the policy assignment named VirtualMachinePolicyAssignment by using the Get-AzPolicyAssignment cmdlet and stores it in the $Assignment variable. The final command exempts the resource identified by the Id property of $VM from the policy assignment in $Assignment.

Example 5: Policy exemption with resource selector

$Assignment = Get-AzPolicyAssignment -Name 'VirtualMachineAssignment'
$ResourceSelector = @{Name = "MyLocationSelector"; Selector = @(@{Kind = "resourceLocation"; In = @("eastus", "eastus2")})}
New-AzPolicyExemption -Name 'VirtualMachinePolicyExemption' -PolicyAssignment $Assignment -ResourceSelector $ResourceSelector

The first command gets the policy assignment named VirtualMachineAssignment by using the Get-AzPolicyAssignment cmdlet and stores it in the $Assignment variable. The second command creates a resource selector object that will be used to specify the exemption should only apply to resources located in East US or East US 2 and stores it in the $ResourceSelector variable. The final command creates a policy exemption for the assignment $Assignment with the resource selector specified by $ResourceSelector.

Parameters

-AssignmentScopeValidation

Whether to validate the exemption is at or under the assignment scope.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-BackwardCompatible

Causes cmdlet to return artifacts using legacy format placing policy-specific properties in a property bag object.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.

Type:PSObject
Aliases:AzureRMContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

This message will be part of response in case of policy violation.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DisplayName

The display name of the policy assignment.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ExemptionCategory

The policy exemption category

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ExpiresOn

The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.

Type:Nullable<T>[DateTime]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Metadata

The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Name

The name of the policy exemption.

Type:String
Aliases:PolicyExemptionName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-PolicyAssignment

The policy assignment id filter.

Type:PSObject
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-PolicyDefinitionReferenceId

The policy definition reference ID list when the associated policy assignment is for a policy set (initiative).

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ResourceSelector

The resource selector list to filter policies by resource properties.

Type:IResourceSelector[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Scope

The scope of the policy exemption. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSObject

Nullable<T>[[System.DateTime, System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

String

String[]

Outputs

IPolicyExemption