New-AzPolicyAttestation
Creates a new policy attestation for a policy assignment.
Syntax
ByName (Default)
New-AzPolicyAttestation
-Name <String>
-PolicyAssignmentId <String>
[-Scope <String>]
[-ResourceGroupName <String>]
[-ComplianceState <String>]
[-PolicyDefinitionReferenceId <String>]
[-ExpiresOn <DateTime>]
[-Owner <String>]
[-Comment <String>]
[-Evidence <PSAttestationEvidence[]>]
[-AssessmentDate <DateTime>]
[-Metadata <String>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
ByResourceId
New-AzPolicyAttestation
-ResourceId <String>
-PolicyAssignmentId <String>
[-ComplianceState <String>]
[-PolicyDefinitionReferenceId <String>]
[-ExpiresOn <DateTime>]
[-Owner <String>]
[-Comment <String>]
[-Evidence <PSAttestationEvidence[]>]
[-AssessmentDate <DateTime>]
[-Metadata <String>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AzPolicyAttestation cmdlet creates a policy attestation for a particular policy assignment. Attestations are used by Azure Policy to set compliance states of resources or scopes targeted by manual policies. They also allow users to provide additional metadata or link to evidence which accompanies the attested compliance state.
Examples
Example 1: Create an attestation at subscription scope
Set-AzContext -Subscription "d1acb22b-c876-44f7-b08e-3fcf9f6767f4"
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationsubassignment"
$attestationName = "attestation-subscription"
New-AzPolicyAttestation -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "Compliant"
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.policyinsights
/attestations/attestation-subscription
Name : attestation-subscription
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationsubassignment
PolicyDefinitionReferenceId :
ComplianceState : Compliant
ExpiresOn :
Owner :
Comment :
Evidence :
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:26:24 AM
AssessmentDate :
Metadata :
SystemData :
This command creates a new policy attestation at subscription 'd1acb22b-c876-44f7-b08e-3fcf9f6767f4' for the given policy assignment.
Note:
This command creates an attestation for the subscription and not the resources underneath it. For ease of management, manual policies should be designed to target the scope which defines the boundary of resources whose compliance state needs to be attested. In this case, the manual policy should be targeting Microsoft.Resources/subscriptions. For more information, go to https://learn.microsoft.com/en-us/azure/governance/policy/concepts/attestation-structure to understand the best practices for creating attestations.
Example 2: Create an attestation at resource group
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationrgassignment"
$attestationName = "attestation-RG"
$rgName = "ps-attestation-test-rg"
New-AzPolicyAttestation -ResourceGroupName $RGName -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "Compliant"
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
-rg/providers/microsoft.policyinsights/attestations/attestation-rg
Name : attestation-RG
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationrgassignment
PolicyDefinitionReferenceId :
ComplianceState : Compliant
ExpiresOn :
Owner :
Comment :
Evidence :
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:35:28 AM
AssessmentDate :
Metadata :
SystemData :
This command creates a new policy attestation at the resource group 'ps-attestation-test-rg' for the given policy assignment.
Note:
This command creates an attestation for the resource group and not the resources underneath it. For ease of management, manual policies should be designed to target the scope which defines the boundary of resources whose compliance state needs to be attested. In this case, the manual policy should be targeting Microsoft.Resources/subscriptions/resourceGroups. For more information, go to https://learn.microsoft.com/en-us/azure/governance/policy/concepts/attestation-structure to understand the best practices for creating attestations.
Example 3: Create an attestation at resource
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationresourceassignment"
$attestationName = "attestation-resource"
$scope = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourceGroups/ps-attestation-test-rg/providers/Microsoft.Network/networkSecurityGroups/pstests0"
New-AzPolicyAttestation `
-PolicyAssignmentId $policyAssignmentId `
-Name $attestationName `
-Scope $scope `
-ComplianceState "NonCompliant"
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
-rg/providers/microsoft.network/networksecuritygroups/pstests0/providers/microsoft.pol
icyinsights/attestations/attestation-resource
Name : attestation-resource
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationresourceassignment
PolicyDefinitionReferenceId :
ComplianceState : NonCompliant
ExpiresOn :
Owner :
Comment :
Evidence :
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:38:17 AM
AssessmentDate :
Metadata :
SystemData :
This command creates an attestation for the resource 'pstests0' for the given policy assignment.
Example 4: Create an attestation with all properties at resource group
$attestationName = "attestationRGAllProps"
$policyInitiativeAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationinitiativergassignment"
$policyDefinitionReferenceId = "PSTestAttestationRG_1"
$RGName = "ps-attestation-test-rg"
$description = "This is a test description"
$sourceURI = "https://contoso.org/test.pdf"
$evidence = @{
"Description"=$description
"SourceUri"=$sourceURI
}
$policyEvidence = @($evidence)
$owner = "Test Owner"
$expiresOn = [datetime]::UtcNow.AddYears(1)
$metadata = '{"TestKey":"TestValue"}'
New-AzPolicyAttestation `
-Name $attestationName `
-ResourceGroupName $RGName `
-PolicyAssignmentId $policyInitiativeAssignmentId `
-PolicyDefinitionReferenceId $policyDefinitionReferenceId `
-ComplianceState $Compliant `
-Comment $comment `
-Evidence $policyEvidence `
-ExpiresOn $expiresOn `
-AssessmentDate $expiresOn.AddDays(-2) `
-Owner $owner `
-Metadata $metadata
Id : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
-rg/providers/microsoft.policyinsights/attestations/attestationrgallprops
Name : attestationRGAllProps
Type : Microsoft.PolicyInsights/attestations
PolicyAssignmentId : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
policyassignments/psattestationinitiativergassignment
PolicyDefinitionReferenceId : pstestattestationrg_1
ComplianceState :
ExpiresOn : 1/27/2024 2:51:54 AM
Owner : Test Owner
Comment :
Evidence : {Microsoft.Azure.Commands.PolicyInsights.Models.Attestations.PSAttestationEvidence}
ProvisioningState : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:51:57 AM
AssessmentDate : 1/25/2024 2:51:54 AM
Metadata : {
"TestKey": "TestValue"
}
SystemData :
Parameters
-AssessmentDate
The time the evidence of an attestation was assessed.
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
Comments describing why this attestation was created.
Type: String
Default value: None Supports wildcards: False DontShow: False
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ComplianceState
The Compliance State of the resource.
E.g.
'Compliant', 'NonCompliant', 'Unknown'
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: cf
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
Type: IAzureContextContainer
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Evidence
The evidence supporting the compliance state set in this attestation.
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ExpiresOn
The time the compliance state set in the attestation should expire.
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
Additional metadata for the attestation.
Type: String
Default value: None Supports wildcards: False DontShow: False
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Name
Resource name.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByName
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Owner
The person responsible for setting the state of the resource.
This value is typically a Microsoft Entra object ID.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-PolicyAssignmentId
Policy assignment ID.
E.g.
'/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}'.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-PolicyDefinitionReferenceId
The policy definition reference ID of the individual definition.
Required when the policy assignment assigns a policy set definition.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceGroupName
Resource group name.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByName
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceId
Resource ID.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: Id
Parameter sets
ByResourceId
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Scope
Scope of the resource.
E.g.
'/subscriptions/{subscriptionId}/resourceGroups/{rgName}'.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ByName
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: wi
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs