Azure Policy View Compliance Detail

Question

Azure Policy View Compliance Detail

Tengku Aiman 0

Hello, I want to ask whether it is possible to get this data from Azure Resource Graph

This is the built-in policy from Azure

   
   {
     "properties": {
       "displayName": "Inherit a tag from the resource group",
       "policyType": "BuiltIn",
       "mode": "Indexed",
       "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
       "metadata": {
         "version": "1.0.0",
         "category": "Tags"
       },
       "version": "1.0.0",
       "parameters": {
         "tagName": {
           "type": "String",
           "metadata": {
             "displayName": "Tag Name",
             "description": "Name of the tag, such as 'environment'"
           }
         }
       },
       "policyRule": {
         "if": {
           "allOf": [
             {
               "field": "[concat('tags[', parameters('tagName'), ']')]",
               "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
             },
             {
               "value": "[resourceGroup().tags[parameters('tagName')]]",
               "notEquals": ""
             }
           ]
         },
         "then": {
           "effect": "modify",
           "details": {
             "roleDefinitionIds": [
               "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
             ],
             "operations": [
               {
                 "operation": "addOrReplace",
                 "field": "[concat('tags[', parameters('tagName'), ']')]",
                 "value": "[resourceGroup().tags[parameters('tagName')]]"
               }
             ]
           }
         }
       }
     },
     "id": "/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54/versions/1.0.0",
     "type": "Microsoft.Authorization/policyDefinitions/versions",
     "name": "1.0.0"
   }

This is the View Compliance Detail for the Assignments the policy is grouped at The questions is:
1. Is it possible to pull this data using Azure Resource Graph?

0 comments

Answer accepted by question author

2 additional answers

Your answer

Answer 1

Siva shunmugam Nadessin 9,625 Microsoft External Staff Moderator

Hello Tengku Aiman

Thank you for reaching out to the Microsoft Q&A forum.

When investigated you can absolutely pull policy‐compliance data out of Azure Resource Graph – at least the high-level stuff (which resources are compliant vs. non-compliant, when they were last evaluated, which assignment/definition they belong to, etc.). What you can’t get via Resource Graph is the deep “Compliance details” pane (the per-setting or per-field “Current value” vs. “Target value” info). For that, you’d need to call the Policy Insights APIs (or use az policy state list / PowerShell) instead.

Here’s a quick sample ARG query to list all non-compliant resources for a given assignment:

// Replace with your real assignment ID:
let assignmentId = '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/InheritTagRG';
policyresources
| where properties.policyAssignmentId == assignmentId
      and properties.complianceState == 'NonCompliant'
| extend
    resourceId    = properties.resourceId,
    resourceType  = tostring(split(properties.resourceId, '/')[6])
                  + '/' + tostring(split(properties.resourceId, '/')[7]),
    location      = properties.resourceLocation,
    lastEvaluated = properties.timestamp
| project resourceId, resourceType, location, lastEvaluated

If you need the extra “Compliance reason” details (fields, current value, target value), switch over to the Policy Insights REST API or CLI:

az policy state list \
  --assignment '/subscriptions/…/providers/Microsoft.Authorization/policyAssignments/InheritTagRG' \
  --filter "complianceState eq 'NonCompliant'" \
  --query "[].{resource:resourceId, reason:complianceReason, details:policyDefinitionAction}" \
  --output table

Let me know if any further queries - feel free to reach out!

References

Get compliance data in Portal & ARG samples: https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data

Export compliance with Azure Resource Graph: https://learn.microsoft.com/azure/governance/policy/samples/resource-graph-samples

Policy Insights REST API (detailed compliance): https://learn.microsoft.com/azure/governance/policy/concepts/policy-insights-rest-api

az policy state list docs: https://learn.microsoft.com/cli/azure/policy/state#az-policy-state-list

Tengku Aiman 0 Reputation points

2026-05-06T00:04:29.5966667+00:00

Alright thank youu. Will try it
Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator

2026-05-06T01:05:05.0766667+00:00

Tengku Aiman, If the assistance was helpful, kindly this can be beneficial to other community members.
Tengku Aiman 0 Reputation points

2026-05-06T02:34:13.5733333+00:00

Hello sir, this policy is being placed in Management Group scope, do I need to change from subscriptions to scope?
Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator

2026-05-06T03:22:31.9866667+00:00

Hello Tengku Aiman,

Since the policy is assigned at the Management Group level, you don’t need to change the query logic itself. Azure Resource Graph already evaluates resources across all subscriptions under that management group.

However, you must update the policyAssignmentId to use the Management Group–scoped format, for example:

/providers/Microsoft.Management/managementGroups/{mgId}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}

Once the correct assignment ID is used, the query will return results across the inherited scope.
Tengku Aiman 0 Reputation points

2026-05-06T03:30:13.52+00:00

Using ARG, I can see the results, but the cmd, it returns empty sir
Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator

2026-05-06T03:32:23.04+00:00

Hello Tengku Aiman,

The issue is due to scope — your policy is at Management Group level, so you must use --management-group in the CLI command; otherwise it defaults to subscription scope and returns no results.
Tengku Aiman 0 Reputation points

2026-05-06T03:36:54.7633333+00:00

Alright, will try it
Tengku Aiman 0 Reputation points

2026-05-06T03:43:26.9066667+00:00

To get the results, I still need to have the permission to that management group right?
Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator

2026-05-06T03:44:56.1266667+00:00

Hello Tengku Aiman,

Yes, to retrieve compliance data using the CLI at management group scope, you need at least Reader (or equivalent) access on that management group. Without this permission, the command may return empty results even though Azure Resource Graph shows data based on subscription-level access.

Answer 2

kholienchieh 0 MVP

Have you ever tried to connect the PowerBI tool with Microsoft Graph ?

https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-power-bi

Tengku Aiman 0 Reputation points

2026-05-06T02:16:45.1933333+00:00

Not yet sir
kholienchieh 0 Reputation points MVP

2026-05-06T02:31:13.1066667+00:00

Let's have a try.
Although it's still in the progress of adding more connectors, but it's a good start for more flexibility in reporting.
Tengku Aiman 0 Reputation points

2026-05-06T02:32:13.73+00:00

OKay sir,i'll try to get the data first

Answer 3

Yes. Azure Policy compliance data, including per-assignment and per-resource compliance state, can be queried through Azure Resource Graph.

Azure Policy continuously evaluates resources and produces compliance results. These results are exposed in several ways, one of which is Azure Resource Graph queries. The compliance information that appears in the View compliance details blade for a policy assignment is part of this same data set.

To work with it at scale:

Ensure policy evaluations have run so that compliance state is up to date (policy evaluation cycles are what populate the compliance data).
Use Azure Resource Graph to query the policy compliance resources. From the documentation, Azure Policy compliance data is explicitly listed as one of the ways to access compliance information, alongside the Azure portal, command line, and Azure Monitor logs.

This allows pulling the same compliance details shown in the portal (for example, which resources are compliant or non-compliant for the built-in policy Inherit a tag from the resource group) via Resource Graph queries.

References:

Share via

Azure Policy View Compliance Detail

2 additional answers

Your answer