Editar

Partilhar via


Enable Insights for Azure Local at scale using Azure policies

Applies to: Azure Local, versions 23H2 and 22H2

This document describes how to enable Insights for Azure Local systems at scale using Azure policies. To enable Insights for a single Azure Local system, see Monitor a single Azure Local system with Insights.

For an overview of Azure Policy, see What is Azure Policy?

About using Azure policies to enable Insights at scale

To monitor multiple Azure Local systems with Insights, you need to enable Insights for each system individually. To simplify this process, you can use Azure policies to automatically enable Insights at the subscription or resource group level. These policies check the compliance of resources within their scope based on the defined rules. If any non-compliant resources are found after assigning the policies, you can remediate them through remediation tasks.

This section describes the Azure policies to use to enable Insights at scale. For each policy, it also provides policy definition template in JSON that you can use as-is to create policy definitions, or as a starting point for further customization.

Policy to repair AMA

For Azure Local systems registered before Nov 2023, you need to repair cluster registration and Azure Monitor Agent (AMA) before configuring Insights again. For details, see Troubleshoot clusters registered before November 2023.

The policy to repair AMA performs the following function:

  • Removes the registry key, if present, which determines the resource ID for which AMA collects data.

Before applying this policy, keep in mind the following things:

  • This policy is applicable only to Azure Local, version 22H2 systems. Apply it before any other policies to ensure AMA picks up the correct resource ID.
  • Uninstall AMA before applying this policy to set the correct resource ID. If AMA isn't uninstalled first, data might not appear. For more information, see Uninstall AMA.

Here's the policy definition in JSON:

{
  "mode": "INDEXED",
  "policyRule": {
   "then": { 
        "effect": "deployIfNotExists", 
        "details": { 
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments", 
          "existenceCondition": { 
            "allOf": [ 
              { 
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus", 
                "equals": "Compliant" 
              }, 
              { 
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash", 
                "equals": "[base64(concat('[RepairClusterAMA]RepairClusterAMAInstanceName;Path', '=', parameters('Path'), ',', '[RepairClusterAMA]RepairClusterAMAInstanceName;Content', '=', parameters('Content')))]" 
              } 
            ] 
          }, 
          "roleDefinitionIds": [ 
            "/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31" 
          ], 
          "deployment": { 
            "properties": { 
              "parameters": { 
                "type": { 
                  "value": "[field('type')]" 
                }, 
                "location": { 
                  "value": "[field('location')]" 
                }, 
                "vmName": { 
                  "value": "[field('name')]" 
                }, 
                "assignmentName": { 
                  "value": "[concat('RepairClusterAMA$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]" 
                }, 
                "Content": { 
                  "value": "[parameters('Content')]" 
                }, 
                "Path": { 
                  "value": "[parameters('Path')]" 
                } 
              }, 
              "mode": "incremental", 
              "template": { 
                "parameters": { 
                  "type": { 
                    "type": "string" 
                  }, 
                  "location": { 
                    "type": "string" 
                  }, 
                  "vmName": { 
                    "type": "string" 
                  }, 
                  "assignmentName": { 
                    "type": "string" 
                  }, 
                  "Content": { 
                    "type": "string" 
                  }, 
                  "Path": { 
                    "type": "string" 
                  } 
                }, 
                "contentVersion": "1.0.0.0", 
                "resources": [ 
                  { 
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments", 
                    "properties": { 
                      "guestConfiguration": { 
                        "version": "1.0.0", 
                        "name": "RepairClusterAMA", 
                        "configurationParameter": [ 
                          { 
                            "value": "[parameters('Path')]", 
                            "name": "[RepairClusterAMA]RepairClusterAMAInstanceName;Path" 
                          }, 
                          { 
                            "value": "[parameters('Content')]", 
                            "name": "[RepairClusterAMA]RepairClusterAMAInstanceName;Content" 
                          } 
                        ], 
                        "contentHash": "7EA99B10AE79EA5C1456A134441270BC48F5208F3521BFBFDCAE5EF7B6A9D9BD", 
                        "contentUri": "https://guestconfiguration4.blob.core.windows.net/guestconfiguration/RepairClusterAMA.zip", 
                        "contentType": "Custom", 
                        "assignmentType": "ApplyAndAutoCorrect" 
                      } 
                    }, 
                    "location": "[parameters('location')]", 
                    "apiVersion": "2018-11-20", 
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('assignmentName'))]", 
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]" 
                  }, 
                  { 
                    "type": "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments", 
                    "properties": { 
                      "guestConfiguration": { 
                        "version": "1.0.0", 
                        "name": "RepairClusterAMA", 
                        "configurationParameter": [ 
                          { 
                            "value": "[parameters('Path')]", 
                            "name": "[RepairClusterAMA]RepairClusterAMAInstanceName;Path" 
                          }, 
                          { 
                            "value": "[parameters('Content')]", 
                            "name": "[RepairClusterAMA]RepairClusterAMAInstanceName;Content" 
                          } 
                        ], 
                        "contentHash": "7EA99B10AE79EA5C1456A134441270BC48F5208F3521BFBFDCAE5EF7B6A9D9BD", 
                        "contentUri": "https://guestconfiguration4.blob.core.windows.net/guestconfiguration/RepairClusterAMA.zip", 
                        "contentType": "Custom", 
                        "assignmentType": "ApplyAndAutoCorrect" 
                      } 
                    }, 
                    "location": "[parameters('location')]", 
                    "apiVersion": "2018-11-20", 
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('assignmentName'))]", 
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.HybridCompute/machines'))]" 
                  }, 
                  { 
                    "type": "Microsoft.Compute/virtualMachineScaleSets/providers/guestConfigurationAssignments", 
                    "properties": { 
                      "guestConfiguration": { 
                        "version": "1.0.0", 
                        "name": "RepairClusterAMA", 
                        "configurationParameter": [ 
                          { 
                            "value": "[parameters('Path')]", 
                            "name": "[RepairClusterAMA]RepairClusterAMAInstanceName;Path" 
                          }, 
                          { 
                            "value": "[parameters('Content')]", 
                            "name": "[RepairClusterAMA]RepairClusterAMAInstanceName;Content" 
                          } 
                        ], 
                        "contentHash": "7EA99B10AE79EA5C1456A134441270BC48F5208F3521BFBFDCAE5EF7B6A9D9BD", 
                        "contentUri": "https://guestconfiguration4.blob.core.windows.net/guestconfiguration/RepairClusterAMA.zip", 
                        "contentType": "Custom", 
                        "assignmentType": "ApplyAndAutoCorrect" 
                      } 
                    }, 
                    "location": "[parameters('location')]", 
                    "apiVersion": "2018-11-20", 
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('assignmentName'))]", 
                    "condition": "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachineScaleSets'))]" 
                  } 
                ], 
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" 
              } 
            } 
          }, 
          "name": "[concat('RepairClusterAMA$pid', uniqueString(policy().assignmentId, policy().definitionReferenceId))]" 
        } 
      }, 
      "if": { 
        "anyOf": [ 
          { 
            "allOf": [ 
              { 
                "anyOf": [ 
                  { 
                    "field": "type", 
                    "equals": "Microsoft.Compute/virtualMachines" 
                  }, 
                  { 
                    "field": "type", 
                    "equals": "Microsoft.Compute/virtualMachineScaleSets" 
                  } 
                ] 
              }, 
              { 
                "field": "tags['aks-managed-orchestrator']", 
                "exists": "false" 
              }, 
              { 
                "field": "tags['aks-managed-poolName']", 
                "exists": "false" 
              }, 
              { 
                "anyOf": [ 
                  { 
                    "field": "Microsoft.Compute/imagePublisher", 
                    "in": [ 
                      "esri", 
                      "incredibuild", 
                      "MicrosoftDynamicsAX", 
                      "MicrosoftSharepoint", 
                      "MicrosoftVisualStudio", 
                      "MicrosoftWindowsDesktop", 
                      "MicrosoftWindowsServerHPCPack" 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "MicrosoftWindowsServer" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageSKU", 
                        "notLike": "2008*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "MicrosoftSQLServer" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "notLike": "SQL2008*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "microsoft-dsvm" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "like": "dsvm-win*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "microsoft-ads" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "in": [ 
                          "standard-data-science-vm", 
                          "windows-data-science-vm" 
                        ] 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "batch" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "equals": "rendering-windows2016" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "center-for-internet-security-inc" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "like": "cis-windows-server-201*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "pivotal" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "like": "bosh-windows-server*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "Microsoft.Compute/imagePublisher", 
                        "equals": "cloud-infrastructure-services" 
                      }, 
                      { 
                        "field": "Microsoft.Compute/imageOffer", 
                        "like": "ad*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "anyOf": [ 
                          { 
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration", 
                            "exists": true 
                          }, 
                          { 
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", 
                            "like": "Windows*" 
                          }, 
                          { 
                            "field": "Microsoft.Compute/VirtualMachineScaleSets/osProfile.windowsConfiguration", 
                            "exists": true 
                          }, 
                          { 
                            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", 
                            "like": "Windows*" 
                          } 
                        ] 
                      }, 
                      { 
                        "anyOf": [ 
                          { 
                            "field": "Microsoft.Compute/imageSKU", 
                            "exists": false 
                          }, 
                          { 
                            "allOf": [ 
                              { 
                                "field": "Microsoft.Compute/imageOffer", 
                                "notLike": "SQL2008*" 
                              }, 
                              { 
                                "field": "Microsoft.Compute/imageSKU", 
                                "notLike": "2008*" 
                              } 
                            ] 
                          } 
                        ] 
                      } 
                    ] 
                  } 
                ] 
              } 
            ] 
          }, 
          { 
            "allOf": [ 
              { 
                "equals": true, 
                "value": "[parameters('IncludeArcMachines')]" 
              }, 
              { 
                "anyOf": [ 
                  { 
                    "allOf": [ 
                      { 
                        "field": "type", 
                        "equals": "Microsoft.HybridCompute/machines" 
                      }, 
                      { 
                        "field": "Microsoft.HybridCompute/imageOffer", 
                        "like": "windows*" 
                      } 
                    ] 
                  }, 
                  { 
                    "allOf": [ 
                      { 
                        "field": "type", 
                        "equals": "Microsoft.ConnectedVMwarevSphere/virtualMachines" 
                      }, 
                      { 
                        "field": "Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType", 
                        "like": "windows*" 
                      } 
                    ] 
                  } 
                ] 
              } 
            ] 
          } 
        ] 
      }
  },
  "parameters": {
 "IncludeArcMachines": { 
        "allowedValues": [ 
          "true", 
          "false" 
        ], 
        "defaultValue": "false", 
        "metadata": { 
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", 
          "displayName": "Include Arc connected machines", 
          "portalReview": true
        }, 
        "type": "String"
      }, 
      "Content": {  
        "defaultValue": "File content XYZ", 
        "metadata": { 
          "description": "File content", 
          "displayName": "Content" 
        }, 
        "type": "String"
      }, 
      "Path": { 
        "defaultValue": "C:\\DSC\\CreateFileXYZ.txt", 
        "metadata": { 
          "description": "Path including file name and extension", 
          "displayName": "Path" 
        }, 
        "type": "String" 
      }
  }
}

Policy to install AMA

The policy to install AMA performs the following functions:

  • Evaluates if Azure Local systems have the AzureMonitoringAgent extension installed.

  • Installs AMA on systems that aren't compliant with the policy through a remediation task.

Here's the policy definition in JSON:

{
  "mode": "Indexed",
  "policyRule": {
     "if": {
          "field": "type",
          "equals": "Microsoft.AzureStackHCI/clusters"
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.AzureStackHCI/clusters/arcSettings/extensions",
            "name": "[concat(field('name'), '/default/AzureMonitorWindowsAgent')]",
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "existenceCondition": {
              "field": "Microsoft.AzureStackHCI/clusters/arcSettings/extensions/extensionParameters.type",
              "equals": "AzureMonitorWindowsAgent"
            },
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "clusterName": {
                      "type": "string",
                      "metadata": {
                        "description": "The name of Cluster."
                      }
                    }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.AzureStackHCI/clusters/arcSettings/extensions",
                      "apiVersion": "2023-08-01",
                      "name": "[concat(parameters('clusterName'), '/default/AzureMonitorWindowsAgent')]",
                      "properties": {
                        "extensionParameters": {
                          "publisher": "Microsoft.Azure.Monitor",
                          "type": "AzureMonitorWindowsAgent",
                          "autoUpgradeMinorVersion": false,
                          "enableAutomaticUpgrade": false
                        }
                      }
                    }
                  ]
                },
                "parameters": {
                  "clusterName": {
                    "value": "[field('Name')]"
                  }
                }
              }
            }
          }
        }
  },
  "parameters": {
   "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": [
            "DeployIfNotExists",
            "Disabled"
          ],
          "defaultValue": "DeployIfNotExists"
        }
  }
}

Policy to configure DCR association

This policy is applied to each node in the Azure Local system and performs the following function:

  • Takes the dataCollectionResourceId as input and associates the Data Collection Rule (DCR) with each node.

    Note

    This policy doesn’t create Data Collection Endpoint (DCE). If you're using private links, you must create DCE to ensure there's data available in Insights. For more information, see Enable network isolation for Azure Monitor Agent by using Private Link.

Here's the policy definition in JSON:

{
  "mode": "INDEXED",
  "policyRule": {
     "if": {
          "field": "type",
          "equals": "Microsoft.HybridCompute/machines"
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Insights/dataCollectionRuleAssociations",
            "name": "[concat(field('name'), '-dataCollectionRuleAssociations')]",
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "machineName": {
                      "type": "string",
                      "metadata": {
                        "description": "The name of the machine."
                      }
                    },
                    "dataCollectionResourceId": {
                      "type": "string",
                      "metadata": {
                        "description": "Resource Id of the DCR"
                      }
                    }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.Insights/dataCollectionRuleAssociations",
                      "apiVersion": "2022-06-01",
                      "name": "[concat(parameters('machineName'), '-dataCollectionRuleAssociations')]",
                      "scope": "[format('Microsoft.HybridCompute/machines/{0}', parameters('machineName'))]",
                      "properties": {
                        "description": "Association of data collection rule. Deleting this association will break the data collection for this machine",
                        "dataCollectionRuleId": "[parameters('dataCollectionResourceId')]"
                      }
                    }
                  ]
                },
                "parameters": {
                  "machineName": {
                    "value": "[field('Name')]"
                  },
                  "dataCollectionResourceId": {
                    "value": "[parameters('dcrResourceId')]"
                  }
                }
              }
            }
          }
        }
  },
  "parameters": { "effect": {
        "type": "String",
        "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
    },
    "dcrResourceId": {
        "type": "String",
        "metadata": {
        "displayName": "dcrResourceId",
        "description": "Resource Id of the DCR"
        }
    }

  }
}

Enable Insights at scale using Azure policies

This section describes how to enable Insights for Azure Local at scale using Azure policies.

Prerequisites

Before you enable Insights for Azure Local at scale using Azure policies, complete the following prerequisites:

  • You must have access to deployed and registered Azure Local systems on which you will enable Insights.
  • You must have the managed identity for the Azure resources enabled. For more information, see Enabled enhanced management.
  • You must have the Guest Configuration Resource Contributor role in your Azure subscription.
  • (For Azure Local, version 22H2 systems only) You must uninstall AMA before start applying the Azure policies.

Order of policy application

To enable Insights at scale for Azure Local systems, apply the Azure policies in the following order:

  1. Repair AMA (for Azure Local, version 22H2 systems only):

    • If you're using Azure Local, version 22H2 systems, start by applying the policy to repair AMA. This step isn't required for Azure Local, version 23H2 systems.
    • For policy definition template, see Policy to repair AMA.
  2. Install AMA:

  3. Configure DCR association.

Workflow to apply policies to enable Insights at scale

Follow these steps for each policy to enable Insights at scale:

  1. Create a policy definition. Define the rules and conditions for compliance using the policy definition template. See Create a policy definition.
  2. Create a policy assignment. Define the scope of the policy, exclusions if any, and parameters for enforcement. Use the policy definition defined in the previous step. See Create a policy assignment.
  3. View compliance status. Monitor the compliance status of the policy assignment. Check for any non-compliant resources. See View compliance status.
  4. Remediate non-compliant resources. Create remediation tasks to remediate non-compliant resources. See Remediate non-compliant resources.

Create a policy definition

To create a policy definition, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.

  2. Under the Authoring section, select Definitions.

  3. Select + Policy definition to create a new policy definition.

  4. On the Policy definition page, specify the following values:

    Field Action
    Definition location Select the ellipsis (...) to specify where the policy resource is located. On the Definition location pane, select the Azure subscription and then select Select.
    Name Specify a friendly name for the policy definition. You can optionally specify a description and category.
    POLICY RULE The JSON edit box is prepopulated with a policy definition template. Replace this template with the policy definition template you want to apply. For the definition templates for Insights policies in JSON format, see the About using Azure policies to enable Insights at scale section.
    Role definitions This field is displayed after you copy and paste the policy definition into the POLICY RULE field. Select the Guest Configuration Resource Contributor role from the list.

    Screenshot of the Policy definition page to create a new policy definition.

  5. Select Save.

    You get a notification that the policy definition creation was successful and the policy definition page is displayed. You can now proceed to create the policy assignment.

Create a policy assignment

Next, you create a policy assignment and assign the policy definition at the subscription or resource group level. For more information on policy assignment, see Azure Policy assignment structure.

To create a policy assignment, follow these steps:

  1. On the Policy | Definitions page for the policy definition you created in the previous step, select Assign policy.

    Screenshot of the Policy Definitions page for the new policy definition.

  2. On the Assign policy page > Basic tab, specify the following values:

    Field Action
    Scope This field is prepopulated with the scope that you defined during policy definition creation. If you want to change the scope for policy assignment, you can use the ellipsis (...) and then select a subscription and optionally a resource group. Then select Select to apply the scope.
    Exclusions Optional. Use the ellipsis (...) to select the resources to exclude from the policy assignment.
    Policy definition This field is prepopulated with the policy definition name created in the Create a policy definition step.
    Assignment name This field is prepopulated with the name of the selected policy definition. You can change it if necessary.
    Policy enforcement Defaults to Enabled. For more information, see enforcement mode.

    Screenshot of the Assign policy page to assign the policy definition.

  3. Select Next to view the Parameters tab. If the policy definition you selected on the Basics tab included parameters, they show up on the Parameters tab.

    For example, the policy to repair AMA shows the Include Arc connected machines parameter. Select True to include Arc connected machines in the policy assignment.

    Screenshot of the Parameters tab on Assign policy page to define or modify parameters.

  4. Select Next to view the Remediation tab. No action is needed on this tab. The policy definition templates support the deployIfNotExists effect, so the resources that aren't compliant with the policy rule get automatically remediated. Additionally, notice that the Create a Managed Identity parameter is selected by default since the policy definition templates use the deployIfNotExists effect.

    Screenshot of the Remediation tab on the Assign policy page to define remediation task if necessary.

  5. Select Review + create to review the assignment.

  6. Select Create to create the assignment.

    You get notifications that the role assignment and policy assignment creations were successful. Once the assignment is created, the Azure Policy engine identifies all Azure Local systems located within the scope and applies the policy configuration to each system. Typically, it takes 5 to 15 minutes for the policy assignment to take effect.

View compliance status

After you've created the policy assignment, you can monitor compliance of resources under Compliance and remediation status under Remediation on the Azure Policy home page. The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state.

To view the compliance status of the policy, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.

  2. Select Compliance.

  3. Filter the results for the name of the policy assignment that you created in the Create a policy assignment step. The Compliance state column displays the compliance state as Compliant or Non-compliant.

    Screenshot of the Policy Compliance page showing the compliance status.

  4. Select the policy assignment name to view the Resource Compliance status. For example, the compliance report for the repair AMA policy shows the nodes that need to be repaired:

    Screenshot of the Policy Compliance status page showing the compliance status.

  5. Once you know which resources are non-compliant, you can create the remediation task to bring them into compliance.

Remediate non-compliant resources

To remediate non-compliant resources and track remediation task progress, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.

  2. Select Remediation.

  3. The Remediation page displays the list of assigned policies that have non-compliant resources. Filter the results for the name of the policy assignment that you created in the Create a policy assignment step.

  4. Select the Policy Definition link.

    Screenshot of the Policy Remediation page showing the policies to remediate.

  5. The New remediation task page displays the resources that need remediation. Select the Re-evaluate resource compliance before remediating checkbox and then select Remediate.

    Screenshot of New remediation task page.

  6. You get a notification that a remediation task is created, and you are directed to the Remediation tasks tab. This tab shows the status of different remediation tasks. The one you created might be in the Evaluating or In Progress state.

    Screenshot of the Policy Remediation tab showing the status of the remediation task.

    Once the remediation is complete, the state changes to Complete.

    For more information about remediation, see Remediate non-compliant resources with Azure Policy.

Next steps