Determine causes of non-compliance - Azure Policy (2023)

When an Azure resource is determined to be non-compliant to a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

  • Compliance details
  • Change history (Preview)

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource non-compliance

Important

Because the compliance details for a Non-compliant resource show the current value of properties on that resource, the user must have the read operation for that type of resource. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines then the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.
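
The access requirement above can be checked before a reviewer opens the pane. This added example (not part of the original article) derives the required read operation from a resource type and tests it against role definitions shaped like `az role definition list` output; the three roles are constructed samples, and deny assignments are not modeled.

```python
import re

def required_read_operation(resource_type):
    """Operation a user needs to see compliance details for this resource type."""
    return resource_type.strip("/") + "/read"

def matches_action(pattern, operation):
    """Azure RBAC action patterns are case-insensitive and may contain '*'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def role_grants(role, operation):
    """A role grants an operation if one permission block allows it (actions)
    and the same block does not subtract it again (notActions)."""
    for perm in role.get("permissions", []):
        allowed = any(matches_action(p, operation) for p in perm.get("actions", []))
        removed = any(matches_action(p, operation) for p in perm.get("notActions", []))
        if allowed and not removed:
            return True
    return False

def roles_allowing_details(assigned_roles, resource_type):
    """Return (required operation, names of assigned roles that grant it).
    Role assignments are additive, so one granting role is enough."""
    operation = required_read_operation(resource_type)
    granting = [r["roleName"] for r in assigned_roles if role_grants(r, operation)]
    return operation, granting

# Constructed role definitions (hypothetical names, not built-in roles).
POLICY_ONLY = {
    "roleName": "Policy only (constructed)",
    "permissions": [{
        "actions": ["Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.PolicyInsights/*"],
        "notActions": [],
    }],
}
READ_EXCEPT_COMPUTE = {
    "roleName": "Read except compute (constructed)",
    "permissions": [{"actions": ["*/read"], "notActions": ["Microsoft.Compute/*"]}],
}
VM_READER = {
    "roleName": "VM reader (constructed)",
    "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read"],
                     "notActions": []}],
}

if __name__ == "__main__":
    reviewer_roles = [POLICY_ONLY, READ_EXCEPT_COMPUTE]
    for rtype in ("Microsoft.Compute/virtualMachines", "Microsoft.Sql/servers"):
        operation, granting = roles_allowing_details(reviewer_roles, rtype)
        verdict = "granted by " + ", ".join(granting) if granting else "access error expected"
        print(f"{operation}: {verdict}")
```

A reviewer who can read policy state but holds no role granting the resource type's read operation gets the access error described above, so the least-privilege fix is a read grant scoped to the affected resource types.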

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, select and hold (or right-click) or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.

  4. The Compliance details pane displays information from the latest evaluation of the resource to the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

    {
        "if": {
            "field": "type",
            "equals": "[parameters('resourceType')]"
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Insights/metricAlerts",
                "existenceCondition": {
                    "field": "name",
                    "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
                },
                "existenceScope": "subscription",
                "deployment": { ... }
            }
        }
    }
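
How the partial definition above arrives at a result, as an added example that is not part of the original article: it selects related resources of details.type inside existenceScope and applies the existenceCondition to their names. The subscription ID, inventory and parameter values are constructed, the template expression is hard-coded rather than parsed, and the state labels other than the quoted reason are this example's own wording.

```python
# Reason text quoted from the Resource Manager mode reasons table on this page.
REASON_NO_RELATED = "No related resources match the effect details in the policy definition."

def scope_of(resource_id, existence_scope):
    """Prefix of an ARM ID that identifies its subscription or resource group."""
    parts = resource_id.strip("/").split("/")  # subscriptions/<sub>/resourceGroups/<rg>/...
    depth = 2 if existence_scope.lower() == "subscription" else 4
    return "/".join(parts[:depth]).lower()

def expected_alert_name(prefix, resource_id, resource_name):
    """concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))"""
    resource_group = resource_id.strip("/").split("/")[3]
    return f"{prefix}-{resource_group}-{resource_name}"

def evaluate(resource, inventory, details, parameters):
    # "if": the rule only selects resources of the parameterized type.
    if resource["type"].lower() != parameters["resourceType"].lower():
        return {"state": "if-not-matched"}
    existence_scope = details.get("existenceScope", "resourceGroup")
    scope = scope_of(resource["id"], existence_scope)
    related = [r for r in inventory
               if r["type"].lower() == details["type"].lower()
               and scope_of(r["id"], existence_scope) == scope]
    target = expected_alert_name(parameters["alertNamePrefix"], resource["id"], resource["name"])
    if not related:
        return {"state": "NonCompliant", "reason": REASON_NO_RELATED, "target": target}
    # existenceCondition: "field": "name" equals the computed target (case-insensitive).
    matched = [r["name"] for r in related if r["name"].lower() == target.lower()]
    if matched:
        return {"state": "Compliant", "target": target, "matched": matched[0]}
    return {"state": "NonCompliant", "reason": "existenceCondition not met",
            "target": target, "seen": [r["name"] for r in related]}

# Constructed inventory: two VMs in rg-app, one alert kept in a separate monitoring group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
VM_TYPE = "Microsoft.Compute/virtualMachines"
ALERT_TYPE = "Microsoft.Insights/metricAlerts"
VM01 = {"id": f"{SUB}/resourceGroups/rg-app/providers/{VM_TYPE}/vm01", "type": VM_TYPE, "name": "vm01"}
VM02 = {"id": f"{SUB}/resourceGroups/rg-app/providers/{VM_TYPE}/vm02", "type": VM_TYPE, "name": "vm02"}
INVENTORY = [
    VM01, VM02,
    {"id": f"{SUB}/resourceGroups/rg-monitor/providers/{ALERT_TYPE}/cpu-rg-app-vm01",
     "type": ALERT_TYPE, "name": "cpu-rg-app-vm01"},
]
PARAMETERS = {"resourceType": VM_TYPE, "alertNamePrefix": "cpu"}
DETAILS_SUBSCRIPTION = {"type": ALERT_TYPE, "existenceScope": "subscription"}
DETAILS_RESOURCE_GROUP = {"type": ALERT_TYPE, "existenceScope": "resourceGroup"}

if __name__ == "__main__":
    for label, vm, details in (("vm01, subscription scope", VM01, DETAILS_SUBSCRIPTION),
                               ("vm01, resourceGroup scope", VM01, DETAILS_RESOURCE_GROUP),
                               ("vm02, subscription scope", VM02, DETAILS_SUBSCRIPTION)):
        print(label, "->", evaluate(vm, INVENTORY, details, PARAMETERS))
```

Narrowing existenceScope to the resource group hides the alert stored in rg-monitor, so the same machine moves from compliant to the "No related resources" reason without any change to the machine itself.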

Note

To protect data, when a property value is a secret the current value displays asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant. For that information, see Change history (Preview) below.

Compliance reasons

Resource Manager modes and Resource Provider modes each have different reasons for non-compliance.

General Resource Manager mode compliance reasons

The following table maps each Resource Manager mode reason to the responsible condition in the policy definition:

| Reason | Condition |
| --- | --- |
| Current value must contain the target value as a key. | containsKey or not notContainsKey |
| Current value must contain the target value. | contains or not notContains |
| Current value must be equal to the target value. | equals or not notEquals |
| Current value must be less than the target value. | less or not greaterOrEquals |
| Current value must be greater than or equal to the target value. | greaterOrEquals or not less |
| Current value must be greater than the target value. | greater or not lessOrEquals |
| Current value must be less than or equal to the target value. | lessOrEquals or not greater |
| Current value must exist. | exists |
| Current value must be in the target value. | in or not notIn |
| Current value must be like the target value. | like or not notLike |
| Current value must be case-sensitive match the target value. | match or not notMatch |
| Current value must be case-insensitive match the target value. | matchInsensitively or not notMatchInsensitively |
| Current value must not contain the target value as a key. | notContainsKey or not containsKey |
| Current value must not contain the target value. | notContains or not contains |
| Current value must not be equal to the target value. | notEquals or not equals |
| Current value must not exist. | not exists |
| Current value must not be in the target value. | notIn or not in |
| Current value must not be like the target value. | notLike or not like |
| Current value must not be case-sensitive match the target value. | notMatch or not match |
| Current value must not be case-insensitive match the target value. | notMatchInsensitively or not matchInsensitively |
| No related resources match the effect details in the policy definition. | A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist. |

Azure Policy Resource Provider mode compliance reasons

The following table maps each Microsoft.PolicyInsights Resource Provider mode reason code to its corresponding explanation:

| Compliance reason code | Error message and explanation |
| --- | --- |
| NonModifiablePolicyAlias | NonModifiableAliasConflict: The alias '{alias}' is not modifiable in requests using API version '{apiVersion}'. This error happens when a request using an API version where the alias does not support the 'modify' effect or only supports the 'modify' effect with a different token type. |
| AppendPoliciesNotApplicable | AppendPoliciesUnableToAppend: The aliases: '{ aliases }' are not modifiable in requests using API version: '{ apiVersion }'. This can happen in requests using API versions for which the aliases do not support the 'modify' effect, or support the 'modify' effect with a different token type. |
| ConflictingAppendPolicies | ConflictingAppendPolicies: Found conflicting policy assignments that modify the '{notApplicableFields}' field. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policy assignments. |
| AppendPoliciesFieldsExist | AppendPoliciesFieldsExistWithDifferentValues: Policy assignments attempted to append fields which already exist in the request with different values. Fields: '{existingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies. |
| AppendPoliciesUndefinedFields | AppendPoliciesUndefinedFields: Found policy definition that refers to an undefined field property for API version '{apiVersion}'. Fields: '{nonExistingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies. |
| MissingRegistrationForType | MissingRegistrationForResourceType: The subscription is not registered for the resource type '{ResourceType}'. Please check that the resource type exists and that the resource type is registered. |
| AmbiguousPolicyEvaluationPaths | The request content has one or more ambiguous paths: '{0}' required by policies: '{1}'. |
| InvalidResourceNameWildcardPosition | The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains the wildcard '?' character in an invalid position. Wildcards can only be located at the end of the name in a segment by themselves (ex. TopLevelResourceName/?). Please either fix the policy or remove the policy assignment to unblock. |
| TooManyResourceNameSegments | The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains too many name segments. The number of name segments must be equal to or less than the number of type segments (excluding the resource provider namespace). Please either fix the policy definition or remove the policy assignment to unblock. |
| InvalidPolicyFieldPath | The field path '{0}' within the policy definition is invalid. Field paths must contain no empty segments. They may contain only alphanumeric characters with the exception of the '.' character for splitting segments and the '[*]' character sequence to access array properties. |

AKS Resource Provider mode compliance reasons

The following table maps each Microsoft.Kubernetes.Data Resource Provider mode reason to the responsible state of the constraint template in the policy definition:

| Reason | Constraint template reason description |
| --- | --- |
| Constraint/TemplateCreateFailed | The resource failed to create for a policy definition with a Constraint/Template that doesn't match an existing Constraint/Template on cluster by resource metadata name. |
| Constraint/TemplateUpdateFailed | The Constraint/Template failed to update for a policy definition with a Constraint/Template that matches an existing Constraint/Template on cluster by resource metadata name. |
| Constraint/TemplateInstallFailed | The Constraint/Template failed to build and was unable to be installed on cluster for either create or update operation. |
| ConstraintTemplateConflicts | The Template has a conflict with one or more policy definitions using the same Template name with different source. |
| ConstraintStatusStale | There is an existing 'Audit' status, but Gatekeeper has not performed an audit within the last hour. |
| ConstraintNotProcessed | There is no status and Gatekeeper has not performed an audit within the last hour. |
| InvalidConstraint/Template | API Server has rejected the resource due to a bad YAML. This reason can also be caused by a parameter type mismatch (example: string provided for an integer). |

Note

For existing policy assignments and constraint templates already on the cluster, if that Constraint/Template fails, the cluster is protected by maintaining the existing Constraint/Template. The cluster reports as non-compliant until the failure is resolved on the policy assignment or the add-on self-heals. For more information about handling conflict, see Constraint template conflicts.

Component details for Resource Provider modes

For assignments with a Resource Provider mode, select the Non-compliant resource to open a deeper view. Under the Component Compliance tab is additional information specific to the Resource Provider mode on the assigned policy showing the Non-compliant Component and Component ID.

Compliance details for guest configuration

For policy definitions in the Guest Configuration category, there could be multiple settings evaluated inside the virtual machine and you'll need to view per-setting details. For example, if you're auditing for a list of security settings and only one of them has status Non-compliant, you'll need to know which specific settings are out of compliance and why.

You also might not have access to sign in to the virtual machine directly but you need to report on why the virtual machine is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane view, select the link Last evaluated resource.

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. In the Reason column, a phrase is shown describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

View configuration assignment details at scale

The guest configuration feature can be used outside of Azure Policy assignments. For example, Azure AutoManage creates guest configuration assignments, or you might assign configurations when you deploy machines.

To view all guest configuration assignments across your tenant, from the Azure portal open the Guest Assignments page. To view detailed compliance information, select each assignment using the link in the column "Name".

Change history (Preview)

As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when the Azure Resource Manager properties are added, removed, or altered.

  1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in any compliance state.

  3. Under the Resource compliance tab of the Policy compliance page, select a resource.

  4. Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, is displayed.

  5. Select one of the detected changes. The visual diff for the resource is presented on the Change history page.

The visual diff aids in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.

Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.

Next steps

  • Review examples at Azure Policy samples.
  • Review the Azure Policy definition structure.
  • Review Understanding policy effects.
  • Understand how to programmatically create policies.
  • Learn how to get compliance data.
  • Learn how to remediate non-compliant resources.
  • Review what a management group is with Organize your resources with Azure management groups.

Article information

Author: Fr. Dewey Fisher

Last Updated: 02/10/2023
