
Expired attestations cannot be updated or removed

D-J 20 Reputation points Microsoft Employee
2026-02-05T13:15:59.37+00:00

When using 'Set-AzPolicyAttestation @AttestationParams', we get a

Set-AzPolicyAttestation : Operation returned an invalid status code 'BadRequest'

This same command does NOT give an error for non-expired attestations.

When using 'Remove-AzPolicyAttestation -Name $a.Name -Scope $scope' there is no output message, but the expired attestation remains.

When the attestation is not expired, the attestation is successfully removed.

When running 'Invoke-AzRestMethod -Method DELETE -Path "$attestationId`?api-version=2022-09-01"' the output is a 200 OK, but policy remains. Full output when using this command:

StatusCode : 200
Content    :
Headers    : {
           "Pragma": "no-cache",
           "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
           "x-ms-ratelimit-remaining-policy-insights-requests": "99",
           "x-ms-operation-identifier": <PII Removed>,
           "x-ms-ratelimit-remaining-subscription-deletes": "199",
           "x-ms-ratelimit-remaining-subscription-global-deletes": "2999",
           "x-ms-request-id": "<PII Removed>",
           "x-ms-correlation-request-id": "<PII Removed>",
           "x-ms-routing-request-id": "UKSOUTH:20260205T130547Z:916f2eb1-4a28-44e1-aa92-5b1d79753355",
           "X-Content-Type-Options": "nosniff",
           "X-Cache": "CONFIG_NOCACHE",
           "X-MSEdge-Ref": "Ref A: 1385E13119B242819479B561FCADBCF5 Ref B: AMS231020615027 Ref C: 2026-02-05T13:05:47Z",
           "Cache-Control": "no-cache",
           "Date": "Thu, 05 Feb 2026 13:05:47 GMT"
         }
Method     : DELETE
RequestUri : https://management.azure.com/subscriptions/<PII Removed>/providers/microsoft.policyinsights/attestations/scf-iam-02-attestation-scf__manual_attestation_for_validating_membership_into_roles_is_approved_and_recorded_in_an_access_request_management_system?api-version=2022-09-01
Version    : 1.1

Again: all of the above commands work successfully when updating or removing a non-expired attestation.

The first idea was to update the 'ComplianceState' to unknown when the attestation is expired.

This caused 'bad request', probably because the attestation is expired (same command used for this works when attestation isn't expired).

Updating the 'ExpiresOn' property of an expired attestation also throws a 'bad request'.

Therefore, instead of updating, we want to delete the attestation.

This again works for any non-expired attestation, but expired attestations are not removed/deleted. No error or informational message is given.

Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.


Answer accepted by question author

Bharath Y P 5,800 Reputation points Microsoft External Staff Moderator
2026-02-05T21:44:35.3366667+00:00

Hello D-J, you are trying to update or delete Azure Policy attestations after they have expired. The same PowerShell commands and REST calls work correctly for non-expired attestations, but once an attestation is expired:

• Set-AzPolicyAttestation returns BadRequest
• Remove-AzPolicyAttestation shows no error, but the attestation remains
• Invoke-AzRestMethod -Method DELETE returns 200 OK, but the attestation is not removed

Looks like you want to clean up expired attestations, but none of the supported methods actually remove them.

Once an attestation reaches its expiresOn date, Azure Policy treats it as immutable historical evidence:

• Expiry affects policy compliance evaluation only
• The attestation resource itself becomes read-only
• Any attempt to change ComplianceState, extend ExpiresOn or delete the attestation is rejected or silently ignored by the backend

This explains why updates return 400 BadRequest and deletes return success but do nothing.

This behavior is different from Policy Exemptions, which can be deleted after expiry.

Expired attestations no longer affect compliance. You can safely filter them out in scripts and reports:

Get-AzPolicyAttestation |
Where-Object { $_.ExpiresOn -gt (Get-Date) }

If you delete the policy assignment itself:

• All related attestations (expired or not) are automatically removed

This is currently the only guaranteed cleanup method.

If a new attestation is required, create a new attestation instead of updating:

• Create a new attestation with a new name
• Leave the expired one as a historical record

This aligns with current service behavior.

Hope this helps! If you have any questions, please reach out to us. Thanks.

1 person found this answer helpful.
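An added PowerShell example, not code from the question or the answer, that applies the accepted answer's guidance: inventory the attestations at a scope, treat expired ones as read-only history (optionally creating a successor under a new name rather than calling Set-AzPolicyAttestation), and confirm any removal of an active attestation by reading it back instead of trusting the cmdlet's silence or a 200 response. It assumes the Az.PolicyInsights module and an existing Connect-AzAccount session; the $Scope placeholder, the "-renewed-<date>" naming scheme and the 90-day validity of a replacement are assumptions.

```powershell
# Added example (not from the question or answer). Assumes Az.PolicyInsights and
# an authenticated Az session. Scope value below is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Scope,   # e.g. "/subscriptions/<subscription-id>"
    [switch] $RemoveActive,                   # remove non-expired attestations
    [switch] $RenewExpired                    # create a successor for each expired one
)

$now = (Get-Date).ToUniversalTime()
$all = @(Get-AzPolicyAttestation -Scope $Scope)

# Expired attestations no longer influence compliance and can neither be
# updated nor deleted (updates give BadRequest, deletes are silently ignored).
$expired = @($all | Where-Object { $_.ExpiresOn -and $_.ExpiresOn.ToUniversalTime() -le $now })
$active  = @($all | Where-Object { -not $_.ExpiresOn -or $_.ExpiresOn.ToUniversalTime() -gt $now })

"{0} attestation(s) at {1}: {2} active, {3} expired (read-only history)" -f `
    $all.Count, $Scope, $active.Count, $expired.Count

foreach ($a in $expired) {
    if (-not $RenewExpired) { continue }
    # Leave the expired record in place; create a replacement under a new name
    # (naming scheme and 90-day validity are assumptions, adjust to policy).
    $params = @{
        Name               = "{0}-renewed-{1:yyyyMMdd}" -f $a.Name, $now
        Scope              = $Scope
        PolicyAssignmentId = $a.PolicyAssignmentId
        ComplianceState    = $a.ComplianceState
        ExpiresOn          = $now.AddDays(90)
        Comment            = "Replacement for expired attestation $($a.Name)"
    }
    if ($a.PolicyDefinitionReferenceId) { $params.PolicyDefinitionReferenceId = $a.PolicyDefinitionReferenceId }
    if ($a.Owner)                       { $params.Owner = $a.Owner }
    New-AzPolicyAttestation @params | Out-Null
    "Created replacement attestation $($params.Name) for $($a.Name)"
}

if ($RemoveActive) {
    foreach ($a in $active) {
        Remove-AzPolicyAttestation -Name $a.Name -Scope $Scope
        # Remove-AzPolicyAttestation prints nothing on success, so verify by reading back.
        $stillThere = Get-AzPolicyAttestation -Scope $Scope | Where-Object { $_.Name -eq $a.Name }
        if ($stillThere) { Write-Warning "Attestation $($a.Name) still present after delete" }
        else             { "Removed attestation $($a.Name)" }
    }
}
```

Run it with only -Scope first to get a dry inventory; the read-back check after each delete is what distinguishes a real removal from the silent no-op the question describes for expired records.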
