View Compliance Details with Azure Resource Graph or Powershell

Question

View Compliance Details with Azure Resource Graph or Powershell

Tengku Aiman 0

Hello, I am trying to view compliance details in View Compliance for Policy compliance builtin "Inherit a tag from the resource group"

Right now I can see from the portal

Reason for non-compliance

Current value must be equal to the target value.

Field

tags[]

Current value

--

Target value

"a"

Reason for non-compliance

Current value must be equal to the target value.

Expression

[resourceGroup().tags[parameters('tagName')]]

Current value

"a"

Target value

""

How can I fetch this using Azure Resource Graph or Powershell?

0 comments

2 answers

Your answer

Answer 1

Azure Resource Graph (via CLI)

Bash

az graph query -q "

Resources

| where type == 'microsoft.policyinsights/policystates/latest'

| where properties.policyAssignmentId == '/subscriptions/<your-sub>/resourceGroups/<your-rg>/providers/Microsoft.Authorization/policyAssignments/<your-assignment>'

| mv-expand detail = properties.evaluationDetails.details

| project resourceId = tostring(properties.resourceId),

      complianceState = tostring(properties.complianceState),

      field = tostring(detail.details.field),

      currentValue = tostring(detail.details.currentValue),

      targetValue = tostring(detail.details.targetValue)"

This will return one row per non-compliant detail, showing the field, current value, and target value

PowerShell (requires Az.PolicyInsights)

Get-AzPolicyState -Recurse `

-PolicyAssignmentId '/subscriptions/<your-sub>/resourceGroups/<your-rg>/providers/Microsoft.Authorization/policyAssignments/<your-assignment>' `

-ExpandPolicyDetails |

Select-Object ResourceId, ComplianceState, Timestamp,

@{Name= 'Details'; Expression={ $_.PolicyDetails.evaluationDetails.details }} |

Expand-Property Details |

Select-Object ResourceId,

@{Name= 'Field'; Expression={ $_.details.field }},

@{Name= 'CurrentValue'; Expression={ $_.details.currentValue }},

@{Name= 'TargetValue'; Expression={ $_.details.targetValue }}

This expands the evaluation details so you can see exactly why a resource is non-compliant

Answer 2

Hello Tengku Aiman

Thank you for reaching out to the Microsoft Q&A forum.

When investigated we see that you can absolutely pull the same “Compliance details” you see in the portal by querying the Policy Insights data via Azure Resource Graph or PowerShell. Under the covers, the portal is hitting the Microsoft.PolicyInsights/policyStates resource, so you can do the same yourself.

Azure CLI / Resource Graph example

az graph query -q "
Resources
| where type == 'microsoft.policyinsights/policystates/latest'
| where properties.policyAssignmentId == '/subscriptions/<your-sub>/resourceGroups/<your-rg>/providers/Microsoft.Authorization/policyAssignments/<your-assignment>'
| mv-expand detail = properties.evaluationDetails.details
| project
    resourceId     = tostring(properties.resourceId),
    complianceState= tostring(properties.complianceState),
    field          = tostring(detail.details.field),
    currentValue   = tostring(detail.details.currentValue),
    targetValue    = tostring(detail.details.targetValue)

This will return one row per non-compliant detail (field / currentValue / targetValue).

PowerShell example

# Requires Az.PolicyInsights module
Get-AzPolicyState -Recurse -PolicyAssignmentId '/subscriptions/<your-sub>/resourceGroups/<your-rg>/providers/Microsoft.Authorization/policyAssignments/<your-assignment>' `
    -ExpandPolicyDetails |
  Select-Object ResourceId, ComplianceState, Timestamp,
    @{Name='Details';Expression={$_.PolicyDetails.evaluationDetails.details}} |
  Expand-Property Details |
  Select-Object ResourceId,
    @{Name='Field';       Expression={$_.details.field}},
    @{Name='CurrentValue';Expression={$_.details.currentValue}},
    @{Name='TargetValue'; Expression={$_.details.targetValue}}

If you just want summary counts or to pivot by resource type/location, you can adapt these Kusto queries against the same PolicyStates index in Resource Graph.

Hope this helps you automate pulling the exact same compliance-reason details you see in the portal!

References

Get compliance data of Azure resources (Azure CLI / CLI samples) https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#portal
Azure Resource Graph sample queries for Azure Policy https://learn.microsoft.com/azure/governance/resource-graph/samples/samples-by-category?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#azure-policy
Determine reasons for non-compliance (compliance-details section) https://docs.microsoft.com/azure/governance/policy/how-to/determine-non-compliance#compliance-details-for-guest-configuration
Az.PolicyInsights PowerShell cmdlets https://docs.microsoft.com/powershell/module/az.policyinsights/?view=azps-

Siva shunmugam Nadessin 9,625 Reputation points Microsoft External Staff Moderator

2026-05-06T00:45:27.76+00:00

Hello Tengku Aiman,

Just checking in to see if the solution shared above help you to resolve your issue. please reach out to us If you have any further questions.

Thanks

Share via

View Compliance Details with Azure Resource Graph or Powershell

2 answers

Your answer