Policy
Policy Overview:
This category contains records of all effect action operations performed by Azure Policy. Examples of the types of events you would see in this category include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
Schema:
| Element Name | Description |
|---|---|
authorization | Array of Azure RBAC properties of the event. For new resources, this is the action and scope of the request that triggered evaluation. For existing resources, the action is "Microsoft.Resources/checkPolicyCompliance/read". |
caller | For new resources, the identity that initiated a deployment. For existing resources, the GUID of the Microsoft Azure Policy Insights RP. |
channels | Policy events use only the "Operation" channel. |
claims | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. |
correlationId | Usually a GUID in the string format. Events that share a correlationId belong to the same uber action. |
description | This field is blank for Policy events. |
eventDataId | Unique identifier of an event. |
eventName | Either "BeginRequest" or "EndRequest". "BeginRequest" is used for delayed auditIfNotExists and deployIfNotExists evaluations and when a deployIfNotExists effect starts a template deployment. All other operations return "EndRequest". |
category | Declares the activity log event as belonging to "Policy". |
eventTimestamp | Timestamp when the event was generated by the Azure service processing the request corresponding the event. |
ID | Unique identifier of the event on the specific resource. |
level | Severity level of the event. Audit uses "Warning" and Deny uses "Error". An auditIfNotExists or deployIfNotExists error can generate "Warning" or "Error" depending on severity. All other Policy events use "Informational". |
operationId | A GUID shared among the events that correspond to a single operation. |
operationName | Name of the operation and directly correlates to the Policy effect. |
resourceGroupName | Name of the resource group for the evaluated resource. |
resourceProviderName | Name of the resource provider for the evaluated resource. |
resourceType | For new resources, it's the type being evaluated. For existing resources, returns "Microsoft.Resources/checkPolicyCompliance". |
resourceId | Resource ID of the evaluated resource. |
status | String describing the status of the Policy evaluation result. Most Policy evaluations return "Succeeded", but a Deny effect returns "Failed". Errors in auditIfNotExists or deployIfNotExists also return "Failed". |
subStatus | Field is blank for Policy events. |
submissionTimestamp | Timestamp when the event became available for querying. |
subscriptionId | Azure Subscription ID. |
properties.isComplianceCheck | Returns "False" when a new resource is deployed or an existing resource's Resource Manager properties are updated. All other evaluation triggers result in "True". |
properties.resourceLocation | The Azure region of the resource being evaluated. |
properties.ancestors | A comma-separated list of parent management groups ordered from direct parent to farthest grandparent. |
properties.policies | Includes details about the policy definition, assignment, effect, and parameters that this Policy evaluation is a result of. |
relatedEvents | This field is blank for Policy events. |
Last updated