Get-AzPolicyAssignment

In this Azure PowerShell article, we will discuss the syntax and usage of the Get-AzPolicyAssignment PowerShell cmdlet, with an example of how to use it.


Get-AzPolicyAssignment is a very good Azure PowerShell command to retrieve the policy assignments.

Below is the syntax of the Get-AzPolicyAssignment PowerShell command.

Now, let’s discuss a few examples of how to use the Get-AzPolicyAssignment PowerShell command.

The PowerShell command below retrieves the list of policy assignments.

After running the above command, I got the below output.

You can see the same output here as below


In this Azure article, we discussed the syntax and usage of the Get-AzPolicyAssignment PowerShell cmdlet, along with examples of how to use this command.

I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials.


DEV Community


Olivier Miossec

Posted on Oct 31, 2022

Bicep and Azure Policy: Manage Policy and Initiative Assignment

This is the third post about Azure Policy. This time, the post will focus on policy assignments with Azure Bicep and PowerShell. A policy assignment enforces a policy or a policy set at a given scope, a management group or a subscription. This is where policies are applied to target resources.

A policy Assignment object has several properties:

  • A name (limited to 24 characters at the management group scope, 64 characters for other scopes)
  • A location, the Azure region where the operation metadata is stored
  • A display name, limited to 128 characters
  • An identity object
  • A description
  • The enforcement mode, either Default (enforced) or DoNotEnforce
  • A non-compliance object. The message will be displayed when resources are not compliant with the policy.
  • A not-scope array, to exclude some management groups or subscriptions from the assignment
  • A parameters object, to apply parameters for the policy for the assignment
  • The Policy definition ID, resource ID of the policy definition, or the policy set

In Bicep language

The deployment of this Bicep file can be done with the New-AzManagementGroupDeployment cmdlet. But as with custom policy definitions and policy sets, you will certainly be asked to assign more than one policy. How can you manage several policy assignments in one place? This is the same problem we had with deploying policies. But even if a policy assignment can be seen as a JSON document, the amount of information needed to assign a policy is limited. Instead of using one JSON file per assignment, we can create a single JSON document with all assignments, but we need to take care of the scope.

The Bicep file:

This Bicep file will deploy a policy assignment. As the deployment will be made via PowerShell, we need to convert the value of the parameters and the nonComplianceMessage properties from string to JSON with the JSON function in Bicep.

All the parameters needed for the deployment are stored in a JSON document.

There is one policy to assign but two assignments in the JSON document. It’s to illustrate the power of parameters in the assignment process. You can assign the same policy, multiple times, even at the same scope, as long as the name changes and the parameters are different.

Each object in the JSON document will serve to deploy the assignment via a PowerShell script.

The script reads the content of the JSON document and, for each object, extracts the variables needed to deploy the Bicep file. But there is a difficulty: the Bicep nonComplianceMessages property requires a JSON array, but most of the time there will be only one message or no message at all (multiple messages are only used for policy sets). And if there is only one message (or none), you will not end up with a JSON array but a simple JSON object, so a modification is needed.

To deploy, simply run deployAssignment.ps1 from its folder. You can add the "location" parameter to adjust the Azure region to your needs.
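The single-document approach and the array problem described above, as an added example that is not the post's own script. The JSON field names, the management group `mg-example`, the template parameter names and the `./assignment.bicep` path are assumptions. It also checks the name and display-name limits listed at the top of the post.

```powershell
# Added example. The assignments document below is constructed; its field names,
# ids and the template parameter names are assumptions, not the post's real files.
param(
    [switch]$Deploy,
    [string]$Location     = 'westeurope',
    [string]$TemplateFile = './assignment.bicep'   # hypothetical path
)

# One policy, two assignments at the same scope: different names, different parameters.
$assignmentsJson = @'
[
  {
    "name": "allowed-loc-eu",
    "displayName": "Allowed locations (EU)",
    "scope": "/providers/Microsoft.Management/managementGroups/mg-example",
    "policyDefinitionId": "<policy-definition-resource-id>",
    "parameters": { "listOfAllowedLocations": { "value": [ "westeurope", "northeurope" ] } },
    "nonComplianceMessages": [ { "message": "Deploy only to EU regions." } ]
  },
  {
    "name": "allowed-loc-us",
    "displayName": "Allowed locations (US)",
    "scope": "/providers/Microsoft.Management/managementGroups/mg-example",
    "policyDefinitionId": "<policy-definition-resource-id>",
    "parameters": { "listOfAllowedLocations": { "value": [ "eastus" ] } }
  }
]
'@

function ConvertTo-AssignmentParameter {
    param([Parameter(Mandatory)][psobject]$Entry)

    # Name limit depends on the scope: 24 characters at management group scope, 64 elsewhere.
    $atManagementGroup = $Entry.scope -like '/providers/Microsoft.Management/managementGroups/*'
    $maxName = if ($atManagementGroup) { 24 } else { 64 }
    if ([string]::IsNullOrWhiteSpace($Entry.name) -or $Entry.name.Length -gt $maxName) {
        throw "Assignment name '$($Entry.name)' must be 1 to $maxName characters at scope '$($Entry.scope)'."
    }
    if ("$($Entry.displayName)".Length -gt 128) {
        throw "Display name of '$($Entry.name)' exceeds 128 characters."
    }

    # Piping a one-element array to ConvertTo-Json emits a bare object, and a missing
    # property emits null. Force an array and pass it with -InputObject so the
    # template always receives "[...]", including "[]" when there is no message.
    [object[]]$messages = @($Entry.nonComplianceMessages | Where-Object { $null -ne $_ })
    $parameters = if ($null -ne $Entry.parameters) { $Entry.parameters } else { [pscustomobject]@{} }

    [pscustomobject]@{
        Name               = $Entry.name
        Scope              = $Entry.scope
        TemplateParameters = @{
            assignmentName        = $Entry.name
            displayName           = "$($Entry.displayName)"
            policyDefinitionId    = $Entry.policyDefinitionId
            parameters            = (ConvertTo-Json -InputObject $parameters -Compress -Depth 10)
            nonComplianceMessages = (ConvertTo-Json -InputObject $messages -Compress -Depth 10)
        }
    }
}

$deployments = foreach ($entry in ($assignmentsJson | ConvertFrom-Json)) {
    ConvertTo-AssignmentParameter -Entry $entry
}

# Show what would be sent to the template for each assignment.
foreach ($d in $deployments) {
    '{0}: nonComplianceMessages={1}' -f $d.Name, $d.TemplateParameters.nonComplianceMessages
}

if ($Deploy) {
    foreach ($d in $deployments) {
        if ($d.Scope -notlike '/providers/Microsoft.Management/managementGroups/*') {
            Write-Warning "Skipping $($d.Name): this example only deploys at management group scope."
            continue
        }
        New-AzManagementGroupDeployment -Name "assign-$($d.Name)" `
            -ManagementGroupId ($d.Scope -split '/')[-1] `
            -Location $Location `
            -TemplateFile $TemplateFile `
            -TemplateParameterObject $d.TemplateParameters
    }
}
```

Run without `-Deploy`, the script only validates the document and prints the normalized message arrays, so it works offline.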

You can find the related PwSh/Bicep code here


John Folberth

Resources and posts for those figuring out DevOps in Azure


Testing Azure Policy via PowerShell


Azure Policy is a powerful tool that can be used as effective guardrails to safeguard an environment. In addition, it can be leveraged to auto-remediate anything required that a developer may forget about. For some examples on Azure Policy, check out my posts “Creating and Deploying Azure Policy via Terraform” or “Dynamically Adding Terraform Policy Assignments…Reusing Infrastructure as code”. Specifically, this post is related to “Terraform, Azure Policy, and Datas OH MY!”

Problem Statement

In a nutshell, this policy ensures Azure Resource Groups require a delete-by tag and that this delete-by tag is within a certain date range. The follow-up to this is a PowerShell script hooked up to an Azure Automation account which will delete resource groups that are past expiration. The dilemma is: how can we seed test data to validate the script when Azure Policy will deny it? We could just delete the policy assignment, do our testing, and reassign it; however, that is a manual process and leaves room for the error that the policy is never reassigned. So that leaves us with the problem statement: how to seed test data that violates a policy?

Requirements

To run this the following Az Modules will need to be installed:

  • Az.Resources

Breaking down this problem we can outline the steps we should take:

  • Remove the Policy Assignment
  • Create the Resources that would violate the policy
  • Re-add the Policy Assignment

To do this successfully we should read in the existing policy assignment and store that information in our script so we reapply the policy with the same information that was originally available.

Store Policy Assignment Information

To store the policy assignment information, we will use the Get-AzPolicyAssignment PowerShell cmdlet:

The $PolicyParameterObject is a hashtable of parameters the Policy Assignment expects.

You can see that we look up the Policy Assignment by name and store it, as well as the Policy Definition ID, as this will be used later.

Removing the Policy Assignment is actually quite easy. We just use the Remove-AzPolicyAssignment command.

Create the Resources that Violate the Policy

For this specific example, the resources being created will be Resource Groups that have a delete-by tag value which is in the past. To accomplish this and provide a more realistic scenario, the Get-Random command will be used.

The random number will be different for each resource group being created and will be used with the .addDays() function to subtract days from the $dateRan which is the starting point.

Re Add the Policy Assignment

Lastly, we need to re-add the policy assignment to ensure this doesn’t drift.

This is done with the New-AzPolicyAssignment cmdlet, passing in the assignment parameters as a hash table along with the necessary information that was saved off from the original Policy Assignment.
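The whole store, remove, seed and re-add sequence as one script, as an added example that is not the post's original source code. The assignment name, region, resource group prefix and tag date format are assumptions. The re-assignment sits in a `finally` block so the guardrail is restored even when seeding fails, and the original assignment is also written to disk first.

```powershell
#Requires -Modules Az.Resources
# Added example, not the post's script. Defaults marked "hypothetical" are placeholders.
param(
    [string]$AssignmentName = 'require-delete-by-tag',  # hypothetical assignment name
    [string]$Location       = 'eastus',                 # hypothetical region
    [string]$Prefix         = 'rg-expired-seed',        # hypothetical resource group prefix
    [int]$GroupCount        = 3,
    [hashtable]$PolicyParameterObject = @{},            # parameters the assignment expects
    [string]$BackupPath     = './policy-assignment-backup.json'
)

$ErrorActionPreference = 'Stop'
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# 1. Store the assignment. If this lookup fails, nothing has been changed yet.
$assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $scope

# Keep a full copy on disk so the assignment can be rebuilt by hand if the script dies.
$assignment | ConvertTo-Json -Depth 20 | Set-Content -Path $BackupPath

# Older Az.Resources releases nest these fields under .Properties, newer ones do not.
$props = if ($assignment.Properties) { $assignment.Properties } else { $assignment }

# Assumes the assignment points at a single policy definition, not a policy set.
$definition = Get-AzPolicyDefinition -Id $props.PolicyDefinitionId

$restore = @{
    Name             = $AssignmentName
    Scope            = $scope
    PolicyDefinition = $definition
}
if ($props.DisplayName)     { $restore.DisplayName     = $props.DisplayName }
if ($props.Description)     { $restore.Description     = $props.Description }
if ($props.EnforcementMode) { $restore.EnforcementMode = "$($props.EnforcementMode)" }
if ($PolicyParameterObject.Count -gt 0) { $restore.PolicyParameterObject = $PolicyParameterObject }
# Exclusions and non-compliance messages are not re-applied here; if the assignment
# uses them, restore them from the backup file as well.

try {
    # 2. Remove the assignment so the seed data is not denied.
    Remove-AzPolicyAssignment -Name $AssignmentName -Scope $scope | Out-Null

    # 3. Create resource groups whose delete-by date is already in the past.
    $dateRan = Get-Date
    foreach ($i in 1..$GroupCount) {
        $daysAgo  = Get-Random -Minimum 1 -Maximum 30
        $deleteBy = $dateRan.AddDays(-$daysAgo).ToString('yyyy-MM-dd')  # tag format is an assumption
        New-AzResourceGroup -Name "$Prefix-$i" -Location $Location `
            -Tag @{ 'delete-by' = $deleteBy } -Force | Out-Null
        Write-Output "Seeded $Prefix-$i with delete-by=$deleteBy"
    }
}
finally {
    # 4. Re-add the assignment whether or not seeding succeeded, then confirm it exists.
    New-AzPolicyAssignment @restore | Out-Null
    $check = Get-AzPolicyAssignment -Name $AssignmentName -Scope $scope
    Write-Output "Assignment '$($check.Name)' is back in place at $scope"
}
```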

Sometimes when testing automation or the cleaning up of resources automatically it is important to create an automated way to seed test data. This will help improve consistency and help minimize the potential for human error.

Source Code


Azure Policy: Starter Guide

My coworkers and teammates often reach out to me with similar questions regarding the best practices for creating and applying Azure Policy. That tendency encouraged me to compile this starter guide for Azure Policy, which is based on my practical experience in multiple projects and covers the 20% baseline that allows you to implement 80% of typical use cases, aka the Pareto principle.

Learn the topic

RTFM stands for “read the fucking manual,” bro.


Seriously, I mean, read the Microsoft Azure Policy docs first. Microsoft is doing a great job with documenting their services and solutions recently, and without knowing the basic Azure Policy principles, it will be really hard for you to grasp the concepts. After investigating what Azure Policy is for, I suggest looking through the list of built-in policies to get an idea about typical use cases for different Azure service types.

The two most important points to pay attention to initially are understanding Azure Policy effects and Azure Policy deployment scopes. The effects will give you some insights into what you can actually do with the policies. At the same time, the deployment scope will save you time for troubleshooting why you cannot assign a policy deployed at the subscription level to another subscription.

The evaluation of logical conditions in policy rules is, I would say, less critical. It might cause you some headache initially, but as soon as you understand how the double negation works, you shall be fine.

Although Azure policies can modify the configuration of existing Azure resources and even deploy new resources, I suggest starting with auditing resource configuration (Audit and AuditIfNotExists effects) and putting some guardrails (Deny effect) in your environment as the latter ones are easier to learn and understand.

Apart from the official documentation, I definitely recommend watching a few learning courses about Azure Governance on Pluralsight:

  • Mastering Microsoft Azure Governance by James Bannan
  • Microsoft Azure DevOps Engineer: Implementing Infrastructure Control and Compliance by John Savill

They are just a few hours long and can provide you with a really good starting point to advance your Azure Policy learning.

Make an assessment

“Think first before you act.” An unknown guru.


Before making any changes in your environment, i.e., assigning a new Azure Policy to your subscription, it is worth knowing first what policies are already in effect and their compliance results. Besides, assigned policies are evaluated in a specific order you should be aware of. Otherwise, it is easy to mess up your Azure environment: policies usually control something on a global scale (a whole subscription or management group), therefore impacting lots of resources.

In 80 percent of use cases, using the Azure portal to assess what existing policy and initiative assignments are and their compliance state will be the right choice – when there are only a few policies applied, no need to overcomplicate things.

In more advanced scenarios, when an organization already deployed dozens of custom Azure Policy definitions and extensively uses them at the management group level and on the individual subscriptions, manual assessment is somewhat complicated. Here I can suggest using AzGovViz – a community-built solution (a PowerShell script) that can help you quickly create a comprehensive report in different formats containing all the details about Azure Policy configuration in your environment and more. You can even integrate AzGovViz with Azure DevOps pipelines to document the policy configuration as part of your deployments.

Create your policy

“Let’s roll up your sleeves and get to work!” A motivational speech.


Even though Microsoft already provided us with lots of useful built-in ready-to-use policies, I encourage you to not hurry on assigning them left and right. You will never understand how Azure Policy works to the full extent until you learn how to create and manage your custom policies.

A typical antipattern to avoid is dozens of individually assigned policies when they should be applied as a group via a policy initiative.

Firstly, you can look into the source code of built-in Azure policies (check the last column with the links to GitHub) and use it as a draft for your custom policy or initiative definitions. Alternatively, you can go straight to the Azure Policy Samples repository on GitHub, clone it, and explore with your coding tools.

Probably, the best coding experience with Azure Policy as of now is to use Visual Studio Code with the Azure Policy extension for it. Additionally, I suggest installing the ARM Tools extension. It will significantly help you with syntax validation, snippets, and auto-completion if you decide to define your policies in ARM templates to make your deployment experience more consistent.

Recently, Microsoft has updated its docs with some ARM snippets for policy definitions, policy set definitions (aka policy initiatives), and their assignments. Still, those articles miss many nuances and details, and I suggest checking out my work on Azure Policies and my repository for sample Azure Policies on GitHub.

For more advanced cases, check the recent updates to Azure Policy on AzPolicyAdvertizer. As documenting new policies usually takes some time, AzPolicyAdvertizer closes that gap by providing short information about policies and recent changes to them.

A common use case is to completely duplicate a built-in policy's logic in your custom definition. The reason for that is the way the Azure Policy engine handles updates to existing definitions. When you update a definition, all existing policy assignments of it will automatically use the new definition. Although there are some controls for backward compatibility, and Microsoft usually doesn’t introduce breaking changes in the existing definitions, many teams prefer to have full control over their configuration.

“Damn it! I said, test it first!” A senior developer, fixing a bug in production.


I honestly must warn you that testing Azure Policy is not an easy task. Nevertheless, I strongly encourage you to test your policy work before putting it into use. Considering the usual scope the policies are applied and the effects they can make (change configuration, deploy new resources), the results of careless policy assignments can be quite devastating to your environment.

First of all, you need to ensure that the syntax of your policy or initiative is correct. Whether you define your definitions in JSON policy format or ARM templates, the Visual Studio Code extensions mentioned above should help you find and fix basic syntax errors. If you stick with the ARM template option, you can use Test-Az*Deployment Azure PowerShell cmdlets to validate your templates’ syntax against Azure Resource Manager APIs. Unfortunately, the policy-related cmdlets in the Az.Resources module don’t support any testing options yet.

As a matter of caution, set the policy ‘enforcementMode’ parameter into the disabled state when creating assignments for your tested policies so you can safely audit their work results.

Secondly, be aware that Azure Policy assignments don’t come into effect immediately. There is a policy evaluation delay, which is around 30 minutes or so. Also, auditing your resources might take some time as the Azure Policy engine needs to evaluate all resources against policy rules within the assigned scope. In other words, you cannot test the results of your policy work immediately. Apart from that, the delay effectively complicates automated tests for Azure Policy.

Although there is an option to initiate an on-demand evaluation scan, it still won’t make the whole process much faster if a policy needs to process thousands of resources.

Due to all the complications, I would say that the testing process for your policies will be manual or semi-manual in most cases. You will validate the syntax, deploy the definitions into a test environment, i.e., a dedicated subscription, assign them to a test scope, deploy some resources to test the expected policy behavior, and check results on the portal. In the end, the code for Azure Policy is not something that is often updated, and manual testing can be a reasonable tradeoff to creating automated test cases.

However, in advanced scenarios, when you need to create and maintain more than a handful of simple policies, creating automated Azure Policy tests as part of your CI/CD pipeline is a must. I’m planning to cover this topic in detail in a separate post as it requires quite a lot of explanation not explicitly tied to Azure Policy.

“Do. Or do not. There is no try.” Master Yoda to young Skywalker.


As I already mentioned, before actually deploying your custom policy or initiative definitions, you should clearly understand what the deployment scopes are. Besides, you should also understand how Azure Policy inclusions, exclusions, and exemptions work. Apart from that, you should have a clear distinction between a policy/initiative definition and its assignment: you should deploy the definition and assign it to your scope to make your Azure policy work.

Technically, you can deploy policies and create assignments using any supported method: the portal, Azure CLI, Azure PowerShell, Azure REST API, etc. It’s really up to you to choose which one of them fits your configuration management and deployment practices.

When I started working with Azure Policy myself, I was a bit frustrated with the default programming experience of maintaining two separate files for each definition and came up with a solution on how to deploy Azure Policy with ARM templates. However, things have changed since then, and now the policies are defined in a single file. A slight improvement, but the Azure PowerShell cmdlets still require lots of additional parameters that should be duplicated on their usage.

Optionally, you can try using the AzOps deployment framework, which could be a good choice for large environments when you run your Azure Governance as a separate project.

Just be consistent in the way you do your deployments and preferably manage Azure Policy as a part of your CI/CD pipelines.

Check the results

“A man reaps what he sows” A proverb.


Finally, your first policy is deployed, the assignment is created, and it’s time to see what we have got.

Remember about the time it takes for policy to come into effect and evaluate your resources.

Using the Azure portal to get Azure Policy compliance results would be the most obvious and probably the most reasonable choice at the beginning – it won’t hurt to keep things simple.

For advanced scenarios, when you are already proficient with managing Azure Policy from deployment pipelines, you might want to check how you can get Policy insights with code to evaluate them in your test cases. Also, take a look at the Az.PolicyInsights PowerShell module, and what kind of data you can extract with it.
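One way to combine the non-enforcing assignment, the on-demand scan and the Az.PolicyInsights query mentioned in this guide, as an added example that is not the author's code. The function names and default values are hypothetical; the cmdlets are from the Az.Resources and Az.PolicyInsights modules.

```powershell
#Requires -Modules Az.Resources, Az.PolicyInsights
# Added example, not from the guide. Function names and defaults are hypothetical.

function New-AuditOnlyAssignment {
    # Assigns a policy to a test resource group without enforcing its effect,
    # so a Deny policy reports non-compliance instead of blocking deployments.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$PolicyDefinitionName,
        [string]$AssignmentName = 'policy-under-test'
    )
    $rg         = Get-AzResourceGroup -Name $ResourceGroupName
    $definition = Get-AzPolicyDefinition -Name $PolicyDefinitionName
    New-AzPolicyAssignment -Name $AssignmentName -Scope $rg.ResourceId `
        -PolicyDefinition $definition -EnforcementMode DoNotEnforce
}

function Get-NonCompliantResource {
    # Run this after the assignment has had time to take effect (see the delay above).
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$AssignmentName = 'policy-under-test'
    )
    # Blocks until the on-demand evaluation of the resource group has finished.
    Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroupName

    Get-AzPolicyState -ResourceGroupName $ResourceGroupName `
        -PolicyAssignmentName $AssignmentName `
        -Filter "ComplianceState eq 'NonCompliant'" |
        Select-Object ResourceId, ResourceType, PolicyDefinitionAction, Timestamp
}

function Assert-PolicyCompliance {
    # Pipeline gate: fails the run when the test scope contains non-compliant resources.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$AssignmentName = 'policy-under-test'
    )
    $findings = @(Get-NonCompliantResource -ResourceGroupName $ResourceGroupName -AssignmentName $AssignmentName)
    if ($findings.Count -gt 0) {
        $findings | Format-Table -AutoSize | Out-String | Write-Host
        throw "$($findings.Count) non-compliant resource(s) under assignment '$AssignmentName'."
    }
    Write-Output "No non-compliant resources under assignment '$AssignmentName'."
}
```

In a test that expects a violation, call `Get-NonCompliantResource` directly and check that the deliberately misconfigured resource appears in the result.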

In conclusion

Just reading this guide won’t make you an expert in Azure Policy. For that, you need to have some practice too. So, give it a try – look into your Azure infrastructure, find some areas you can improve with Azure Policy (trust me, there is always something that can be improved 😉), come up with a solution, test it, apply and reap the benefits!

If you have any questions about this topic, put them in the comments below 👇.

Written by:

Andrew Matveychuk


Coder & Traveler

Get Started with Azure Policy – Policy Assignment

  • July 1, 2023
  • by gowthamk91

Introduction:

    The Azure policy builds a strong foundation for your organization’s cloud governance. It reduces the time needed to audit the cloud environment by defining all compliance in a single place. It sets a rule for your resources to ensure compliance, misconfiguration, and resource governance.

  In this blog, I will explain how to apply the policy at the Management group level in an Azure cloud environment.

 Applying Azure Policy for Management Group:

  The below picture is a pictorial representation of my current cloud environment at a high level.

Cloud organization hierarchy

Tenant Root Group is my top-level root management group associated with the Azure subscription, and at the lowest level we have two resource groups, Learning and Dev.

What is a Management Group?

A Management Group is basically used to organize subscriptions. It provides a governance scope above the subscription. In my case, I have only one subscription, but still, I created a Management Group to organize it because it is one of the best practices in the cloud adoption framework. One of the benefits of a Management Group is for cloud governance: if you apply any Azure policy at the Management Group level, it is inherited and applied to all the Management Groups, subscriptions, and resource groups under it. In this blog, we are going to see how to apply the Azure policy (Require a tag and its value on resources) at the Management Group level.

In the Azure portal, go to management user, as shown in the below figure.

Azure management Group

Click on the Policy option from the Governance Blade. It will take you to the Policy | Definitions page.

Click on the Definitions option from the Authoring blade and search for a tag, and select the “Require a tag and its value on the resources” option from the list.

Azure Policy definition

In the next policy definitions page click on Assign.

Azure Policy Assignment

 Next, select the scope of the policy. Click on the More button, it will open the Scope blade, select the management scope and the respective subscription and click on Select.

Select the scope

Add the mandatory tag name and value from the parameters section, as shown in the below figure. In my case my Tag Name is ‘Org’ and my Tag Value is ‘TechnoNimbuss’.

Tag parameters

For now, we can skip other steps by clicking on Review + create

Successfully assigned the policy to the management group.

Policy Assignments

Now, whenever you try to create a resource under a resource group that is associated with this Management Group, the tag name and value will be expected to be defined.

I got a policy validation error message when I tried to create a storage account with the resource group ‘Learning’ which is associated with ‘Tenant Root Group’ Management Group.

Tags

Basically, Tags give you the context about the resources associated with applications, ownership, and operation. So, it’s always good to add a resource tagging policy in your cloud governance.

Advantages/Benefits of using Azure policy

  • Ensuring and managing security.
  • Enforce compliance with standards
  • Managing identity.
  • Real-time policy enforcement.

In this article, we discussed how to get started with Azure Policy for our cloud governance: assigning the policy (Requiring a tag and its value on resources) to the Management Group scope, testing it by adding new resources, and finally the advantages of using Azure policies.

Overview of Azure Policy – Azure Policy | Microsoft Learn


Manage Azure Policy with Terraform

I am going to reverse the order in which I would normally explain a concept: in this blog we will look at the call to the module first and then dive into each of the components.

The Module Call

The initiative definition.

Let's step into the initiative definition next.

There are four top-level keys that we have to set:

  • name — unique name for the initiative.
  • display_name — the name displayed with the initiative.
  • description — a description of what the policy is for and does.
  • policies — objects containing the value definitions of BuiltIn and Custom policies.

With these properties we will be able to pass in all of the relevant values into our policies for a range of environments, further, we can also set a default if we don't have values specific to an environment. Let's take a look at the two types of policy definitions.

First, let's take a look at the policy properties:

  • type — the type of policy that we are referencing; Custom or BuiltIn.
  • file — if the policy is Custom we require the name of the file to import. This will be forced into the ${path.root}/policies/ directory by the Terraform code.
  • id — the GUID id of an existing Azure policy provided by Microsoft, this is required when type is set to BuiltIn.
  • default — the default parameter and effect values.
  • dev/uat/prd/... — the key is the environment and the keys must be the same as default, this provides an optional setting of policy parameters by the environment.

Inside the default or environment block we have the following few properties:

  • effect — the effect this policy will have, deny as an example. This property cannot be set on BuiltIn policies.

Custom Policy Definition

The key at the beginning, AllowedLocations, is how we will reference our policy and retrieve its components in the Terraform code. Being able to pass in the name of a json file allows us to easily create custom policies alongside the fantastic baseline policies that Microsoft already gives us. In the above example, if we were running our Terraform code in the uat environment, our code would use the properties we have defined in default as there are no environment-specific overrides. Allowing this makes our Terraform more powerful, as perhaps when we start with Azure policy we don't necessarily understand what each environment requires, or they all explicitly require the same types of enforcement.

Built-in Policy Definition

The above is how we would set our parameters for a Built-in Azure policy. Remember that we cannot set the effect of this policy as that is set by Microsoft; if you did need to alter that effect, then it would be best to use a custom policy.

The Custom Policy Definition

We won't go into the mud on how to write an Azure Policy Definition; if you're interested in that, then check out the Azure Policy definition structure article by Microsoft.

The main point here is that you have a json definition of the Azure Policy either that you have written from scratch or perhaps you're pulling from the Azure portal so that you're now able to change the effect. As you can see on the high-lighted line below the value for the effect key is using string interpolation which will be set by templatefile in our Terraform code later. This is how we are going to be setting the effect on a per-environment basis.

Now we get into the fun stuff 🎉! Whilst going through the module I am going to split it up into some sub-sections to make it easier for us to talk through. Further, the module supports three scopes: Management Group (mg), Subscription (sub), and Resource Group (rg). I will just be referencing the resource group code below as it is almost identical to the other scopes.

The Module Interface

If you've worked with me or read my articles before you would know that I treat the variables.tf as our documented API interface, think of it like an OpenAPI definition for a REST API. We will go through each variable one by one.

Our first variable is initiative_definition; this is where we pass the full path to our definition yaml file, as we discussed in The Initiative Definition.

Secondly, we need to pass in an environment; this must be in whatever format you've used in the initiative definition, otherwise our Terraform code won't be able to retrieve the properties for an environment.

The most important input variable for us is the assignment variable, this is where we pass in a single or list of resource IDs we are going to be assigning the policy initiative. Allowing a list of assignments means that we can deal with assignments on a larger scale than a single resource. This is especially powerful when operating in an enterprise environment.

The name property of the assignments object we will use as part of our exemptions process, this ensures there is an easy and intentional lookup for us when we are trying to exempt a resource from a given initiative.

We also have some validation ensuring that the scope passed in is valid for our scenario.

When Azure Policy is concerned there is always going to be a requirement to be able to exempt some resources from having that policy applied/enforced on them. We manage that here through the use of the exemptions variable. This variable allows us to pass in a list of our exemptions object. We have the assignment_reference which as we mentioned above is a reference to name in the assignments object. This allows us to cleanly look up which assignment we are looking to exempt a given resource for.

In this variable, we need to validate that our exemption scope is valid, not only valid for Azure but for our given scenario. For instance, you can exempt a single resource from a policy but our module only supports down to the resource group is the most granular level. The second thing we are validating is that the category on the exemption is one of the two valid strings as expected by Microsoft.

Local Variables and Setup

The first piece of setup is to get some random_uuids set up that we can use for unique names of our policies, assignments and exemptions. For some properties the azurerm provider will auto-generate names for us, and for others it won't. In this instance, we are going to be dealing with the generation of the names.

Next, we need to decode our initiative_definition yaml into a Terraform object that we can use throughout our module. The policies local variable is a convenience variable for us so that we can quickly access the property. Also, if the way we access the policies object/key from our yaml file changes, the code that consumes the policies doesn't need to know about that change.

Policy definitions

We use an azurerm_policy_definition resource for a Custom policy and the azurerm_policy_definition data source for our BuiltIn policies. Doing so allows us to support both in our module.

When we are creating a Custom policy we have an object that holds the filename of a policy json file. Before creating these policy instances we need to complete the templatefile on each policy. We loop through our local.policies object and decode each file to json once the templatefile action has been performed and we have applied the effect, either via a default key from our initiative definition or an environment-specific one. This will only occur when the type property is Custom. Then we simply take the properties from our json and plug them into the resource. Some properties, such as metadata, policy_rule, and parameters, require jsonencode on the object we are retrieving from the policy json, as when we do our for_each those are converted into objects that Terraform can deal with.

For the data source, we simply need to loop through our local.policies object and filter to only use objects where the type property is BuiltIn. We do this by using a for expression within the for_each block. You can read more about that in my post Terraform For Expressions.

Policy Initiative

Now that we have all of our policies in the state we require them, it's time to create our initiative and pass in the parameter values to each policy.

First off we will merge all our policies, both the resource and the data source. This will give us a single object to operate on. Using the new all_policies object we will get the parameter values, this will be environment specific if available otherwise it will return default . Having a pre-populated property for this allows for easy access within the azurerm_policy_set_definition resource.

Now we have two objects, all_policies and parameters; these two combined are what allow us to set up all the policies within the initiative. Using a dynamic block (which you can read more about here) we will iterate over each policy in local.all_policies and assign the parameter_values from the local.parameters variable based on the key from our for_each. This is easily possible because, when we created the local.parameters variable, we did so by doing a for_each over the local.all_policies variable; this means that both the dynamic block and our parameters variable will use the same value as a key.

Policy Assignment

The actual policy assignment portion of the module is most likely the simplest part. In this, we simply use a for expression over the var.assignment.assignments list and return a map where the key is the name property and the value is the id property of our assignments object.

We do, however, do a check on scope to ensure that we are operating on the right scope for the right resource type, in this instance the resource group. If we were doing this on the azurerm_management_group_policy_assignment resource then our check would be if var.assignment.scope == "mg". You can see that in the full module code in the terraform-azurerm-policy-initiative repository on my GitHub.

Policy Exemption

The exemptions are where things get a little funkier, as we need to be able to match zero or more exemptions to the correct assignment.

Our first problem to solve is how we reference the correct Terraform resource block, given each assignment type (mg, sub, rg) has its own Terraform resource. We do this by using the local variables' ability to reference a resource rather than a string. The try is important as Terraform will try to evaluate each of these even if they're not called, which would be fine except that they will never all exist at the same time, given assignment can only be done on a single scope.

With the above we can now access the right Terraform resource with the following:

To be honest, the ability to reference other resources with locals is INCREDIBLY powerful!!

Now that we can get the right policy assignment it's time to deal with the exemption side of things. For this, we are going to use a for expression over our assignments and our exemptions variables to create a new data structure containing all the relevant pieces of data. The assignment_id key will only ever return one value due to the use of the one function. This behavior is 💯 what we want: if there was an instance where there was more than one assignment ID for a specific assignment_reference we would know someone has made a mistake. At this stage, we also validate that the assignment.scope is correct.

You can read more about the for expressions in my Terraform For Expressions post.

The name property is something that we construct out of the random_uuid for the exemptions as well as the last component of the resource ID. In the instance of a resource group that will be the name of the resource group. We also use this same logic to generate the id or key field on our for_each. It is because of this that the resource we are referencing must exist before this code is run. If the resource does not exist then Terraform will error out saying that it is unable to determine the value of something that is part of the ID of a map. Whilst this behavior is not ideal, I also don't think that it is that bad. The reason is that, should we ever try to exempt a policy on a resource that doesn't exist, Terraform/Azure is going to wig out; therefore the behavior is more or less the same, just at a different place in the run.

Closing Out

Today we have gone through a module I've created to deal with creating Azure Policy initiatives. We went through the initiative definition, the custom policy definition and the module itself. By using this module we are now easily able to deploy and manage Azure Policies and exemptions on our cloud platform at scale. We also ensured that we can have the right level of flexibility when it comes to setting the parameter values and the effects on an Azure Policy.

For me, this was not what I would call an easy module to write, as it required me to think about how I could get the most amount of configuration information into the module without making it overly complex to consume. However, going back to My Development Workflow helped me through the process. This module had four iterations before it got to what we have here today.

You can find this module at BrendanThompson/terraform-azurerm-policy-initiative

I would love to hear from you on if you think this module is useful and what you have done to manage something as complex as Azure Policy in your cloud environment!

TimmyIT.com


Get all assigned Intune policies and apps per Azure AD group

IMPORTANT NOTICE. A new updated article on this topic has been published here: https://timmyit.com/2023/10/09/get-all-assigned-intune-policies-and-apps-from-a-microsoft-entra-group/ The new article covers using the new Microsoft.Graph Powershell SDK instead of the old Intune Powershell SDK that has not been updated since 2019. I recommend you take a look at the newer article.

Get all assigned Intune policies and apps from a Microsoft Entra group

During MMS JAZZ Edition in New Orleans a couple of weeks ago, me and the amazing Sandy Zeng did a presentation on using the Intune Powershell SDK, and in this demo-packed session we showed off a script that was able to find assigned policies and apps from AAD groups.

https://mmsjazz.sched.com/event/Rmdh/intune-graph-api-ftw

More info about MMS:

https://mmsmoa.com/

A little bit of back story to this script. One of the most frustrating things we've come across when working with Intune and AAD is the lack of capability to go to an AAD group and see what kind of Intune assignments have been targeted to that group. What you have to do instead is go to each policy or app and see which group it's assigned to; this can be a nightmare if you have a lot of different policies and apps assigned to multiple groups.

In the sample script below we have one section for getting information on all the Applications that have been assigned, and then one section each for Device Compliance, Device Configuration, Device Configuration Powershell scripts and Administrative templates.

The one thing that might be confusing when looking through the script is the fact that not all policies, even though they are in the same blade and pane in the Intune portal, have one common property name.

So for example, Device Configuration policies and Administrative templates are different, and when we use the Intune Powershell SDK and Get-IntuneDeviceConfigurationPolicy we won't get any Administrative templates or Powershell scripts. I haven't been able to find any specific cmdlet for those in the 1907 SDK version, so that's why we need to do an Invoke-MSGraphRequest to be able to get those policies.

Note. You need to have the Intune Powershell module installed to use the script. https://www.powershellgallery.com/packages/Microsoft.Graph.Intune/6.1907.1.0

Sample script

The result of running the script is output to the screen using Write-host, telling you which group it looked at, what kind of policy or app it found, and the name of it.

Running the sample script on all AAD groups

If you instead want to run the script against all of your Azure AD groups you can simply do this by just changing the $Group variable and then add a foreach loop. If you have a lot of AAD groups it can take a while for the script to run.
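The matching step that this kind of script performs, as an added offline example (not the article's sample script): it compares each assignment's target group ID exactly and reports the target type, so exclusions and the "All Users"/"All Devices" targets are told apart from ordinary group assignments. The helper name Get-PolicyTargeting and the sample data are constructed for illustration; the property names (target.groupId, targetGroupId, and the @odata.type values) are taken from the Microsoft Graph assignment schema, not from this page.

```powershell
# Added example: classify how each policy targets one group. Offline, constructed data only.

# Constructed sample, shaped like Graph results fetched with $expand=assignments
# (or $expand=groupAssignments for deviceManagementScripts). All names and IDs are made up.
$SampleJson = @'
[
  { "displayName": "Compliance - Windows",
    "assignments": [
      { "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": "11111111-1111-1111-1111-111111111111" } } ] },
  { "displayName": "Config - BitLocker",
    "assignments": [
      { "target": { "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                    "groupId": "11111111-1111-1111-1111-111111111111" } },
      { "target": { "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget" } } ] },
  { "name": "Settings catalog - Edge",
    "assignments": [
      { "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": "22222222-2222-2222-2222-222222222222" } } ] },
  { "displayName": "Script - Map drives",
    "groupAssignments": [
      { "targetGroupId": "11111111-1111-1111-1111-111111111111" } ] }
]
'@

# Graph assignment target types mapped to what they mean for the group being audited.
$TargetKind = @{
    '#microsoft.graph.groupAssignmentTarget'            = 'Include'
    '#microsoft.graph.exclusionGroupAssignmentTarget'   = 'Exclude'
    '#microsoft.graph.allLicensedUsersAssignmentTarget' = 'AllUsers'
    '#microsoft.graph.allDevicesAssignmentTarget'       = 'AllDevices'
}

function Get-PolicyTargeting {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [string]   $GroupId
    )
    foreach ($p in $Policy) {
        $props = $p.PSObject.Properties
        # Settings catalog objects carry 'name'; most other policy types carry 'displayName'.
        $name  = if ($props['displayName']) { $p.displayName } else { $p.name }
        $kinds = @()

        if ($props['assignments']) {
            foreach ($a in @($p.assignments)) {
                $kind = $TargetKind[[string]$a.target.'@odata.type']
                if ($kind -in 'Include', 'Exclude') {
                    # Group-scoped targets count only when the ID is an exact match.
                    if ($a.target.groupId -eq $GroupId) { $kinds += $kind }
                }
                elseif ($kind) {
                    # All-users / all-devices targets carry no group ID at all.
                    $kinds += $kind
                }
            }
        }
        if ($props['groupAssignments']) {
            # Device management scripts expose the group as targetGroupId.
            foreach ($g in @($p.groupAssignments)) {
                if ($g.targetGroupId -eq $GroupId) { $kinds += 'Include' }
            }
        }
        foreach ($k in $kinds | Select-Object -Unique) {
            [pscustomobject]@{ Policy = $name; Targeting = $k }
        }
    }
}

$policies = $SampleJson | ConvertFrom-Json
Get-PolicyTargeting -Policy $policies -GroupId '11111111-1111-1111-1111-111111111111' |
    Format-Table -AutoSize
```

An Exclude row means the group is carved out of that policy, which is the opposite of being assigned it; AllUsers and AllDevices rows apply whichever group is being audited.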

That's it for this time. Leave any comments below, and don't forget to follow me on Twitter @Timmyitdotcom. You can also find me blogging over at http://blog.ctglobalservices.com/


61 comments

Exactly what I needed after inheriting an existing Intune deployment that 3 other IT providers have been administering over the past 3 years… Thanks!

When I run Get-IntuneMobileApp I don't get the "assignments" property. Any ideas why? Thanks!

Change line 17. It's backwards. Need to -expand property before selecting it

$AllAssignedApps = Get-IntuneMobileApp -Expand assignments | Select id, displayName, lastModifiedDateTime, assignments | Where-Object {$_.assignments -match $Group.id}

Please correct me if I’m wrong, but to my understanding “Get-AADGroup” is not a real command. What you should be using is Get-AzureADGroup ?

Get-AADGroup is one of the cmdlets in the Intune Graph SDK.

Great resource and learning aid to GraphAPI for Intune.

There is however an error in the # Device Configuration Powershell Scripts section in both scripts.

$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}

$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}

You say “If you have a lot of AAD groups it can take a while for the script to run.” You can speed this up significantly by running:

$AllAssignedApps = Get-IntuneMobileApp -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments

..outside of the main loop, and:

$AssignedApps = $AllAssignedApps | Where-Object {$_.assignments -match $Group.id}
$DeviceCompliance = $AllDeviceCompliance | Where-Object {$_.assignments -match $Group.id}
$DeviceConfig = $AllDeviceConfig | Where-Object {$_.assignments -match $Group.id}

..inside it.

that’s a great idea, thanks for the input

Echoing the previous comment made for gathering assigned PowerShell scripts.

you can verify by looking at $DMS.Value … there’s no “assignments” property.

Thanks, I'll update the script as soon as I get time.

I’ve modified the script to make it run faster and slightly more readable: https://pastebin.com/ZVr2VCwP

Sorry, pasted wrong link. Here’s the correct one – https://pastebin.com/gq3YEcFT

Great scripts! works well

Great script, but it doesn't list the "settings catalog" profiles type deployed

+1 Can you please update the script to search settings catalog as well?


Here is what I added to the script get the settings catalogs:

# Settings Catalogs
$Resource = "deviceManagement/configurationPolicies"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$SC = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllSC = $SC.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Settings Catalogs found: $($AllSC.Name.Count)" -ForegroundColor cyan
Foreach ($Config in $AllSC) {
    Write-host $Config.Name -ForegroundColor Yellow
}

thank you, I will test this.

Seems to work great, awesome!

Exactly what I needed! Works great thanks for putting this up!

Thank you! This is great as is and an awesome jumping off point to customize and learn!

I would like to try this script. Does anyone have a version that combines the improvements from chaozkreator and the section for Settings Catalogue at GitHub or another location? Unfortunately I cannot access the script at the location chaozkreator provided.

Thank you all for your help!

# Fixed scripts
# Added group members
# Added Settings Catalogs

# Connect and change schema
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph

# All Intune groups in AAD
$Groups = Get-AADGroup | Get-MSGraphAllPages | Where {($_.displayName -like "NL-*" -or $_.displayName -like "*Intune*")}

#### Config
Foreach ($Group in $Groups) {
    Write-host "AAD Group Name: $($Group.displayName)" -ForegroundColor Green

    # Members
    $AllAssignedUsers = (Get-AADGroupMember -groupId $Group.id) | Select-Object -Property displayName
    Write-host " Number of Users found: $($AllAssignedUsers.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($User in $AllAssignedUsers) {
        Write-host " ", $User.DisplayName -ForegroundColor Gray
    }

    # Apps
    $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
    Write-host " Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($Config in $AllAssignedApps) {
        Write-host " ", $Config.displayName -ForegroundColor Yellow
    }

    # Device Compliance
    $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
    Write-host " Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($Config in $AllDeviceCompliance) {
        Write-host " ", $Config.displayName -ForegroundColor Yellow
    }

    # Device Configuration
    $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
    Write-host " Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($Config in $AllDeviceConfig) {
        Write-host " ", $Config.displayName -ForegroundColor Yellow
    }

    # Device Configuration Powershell Scripts
    $Resource = "deviceManagement/deviceManagementScripts"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
    $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}
    Write-host " Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($Config in $AllDeviceConfigScripts) {
        Write-host " ", $Config.displayName -ForegroundColor Yellow
    }

    # Settings Catalogs
    $Resource = "deviceManagement/configurationPolicies"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
    $SC = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    $AllSC = $SC.value | Where-Object {$_.assignments -match $Group.id}
    Write-host " Number of Device Settings Catalogs found: $($AllSC.Name.Count)" -ForegroundColor cyan
    Foreach ($Config in $AllSC) {
        Write-host " ", $Config.Name -ForegroundColor Yellow
    }

    # Administrative templates
    $Resource = "deviceManagement/groupPolicyConfigurations"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
    $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
    Write-host " Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($Config in $AllADMT) {
        Write-host " ", $Config.displayName -ForegroundColor Yellow
    }
}

oh my god, thank you so much !

Hi, great tool! Thanks

Sharing my modification

##################### select groups by containing text

###################### new section listing members of the group

# members
$AllAssignedUsers = (Get-AADGroupMember -groupId $Group.id) | Select-Object -Property displayName
Write-host " Number of Users found: $($AllAssignedUsers.DisplayName.Count)" -ForegroundColor cyan
Foreach ($User in $AllAssignedUsers) {
    Write-host " ", $User.DisplayName -ForegroundColor Gray
}

############################################################################

You guys are the best. Had a call with MS re this yesterday and they had nothing!! Thank the Lord for community

Trying to use this (looks helpful) but I am unsure how to make it work. I placed the code into a .ps1 file and tried to execute it but even after allowing the script to run it still fails and does not even attempt to prompt me to connect to the online services. I am using MFA.

Got it, I forgot to load the graph addin

For some reason I don’t see the powershell scripts. Result show 0 but I have some assigned to the group?

Love it….. is there a way to do the following? I tried to decipher the PS code but was unsuccessful. 1. Get any security policies: Antivirus, Firewall, Encryption etc. 2. Instead of scanning a security Group scan a device by name?

hey guys. how about displaying the Proactive Remediation scripts? do you have any idea how to do it?

This is what I am using and seems to work well. Rest of the script and output is the same as other areas.

# Proactive Remediation
$Resource = "deviceManagement/deviceHealthScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$Proactive = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllProactive = $Proactive.value | Where-Object {$_.assignments -match $Group.id}

Thanks for sharing !

great info. it works perfectly. thanks.

Does anyone know of a way to save the output of this into a csv?

Your original script is fantastic. Thank you!! Our environment has thousands of AAD groups so it's a lot to weed through. I've used some of the tweaks that others have made to improve the script in the following ways: 1. Faster as it only does a single API query run for all groups and uses a for-each to process the data from the array. 2. Added Settings Catalogs to the script 3. My own addition of a conditional for outputting data from each group, as I'm not interested in knowing if a group has 0 assigned policies and apps. Literally thousands! 🙂

https://pastebin.com/Taz6KFtk

^ This way I only get AAD groups which have Intune policies, apps etc

Great script! Thank you so much for sharing! Is there a way to add if the app is deployed as “required” or “available”?

Microsoft must have changed something recently, because listing of apps through “$AllAssignedApps = Get-IntuneMobileApp -Expand assignments | Select id, displayName, lastModifiedDateTime, assignments” does not work anymore. It was working maybe 2 weeks ago. Now, it seems that the property “assignments” is no longer present in the application attributes, that are retrieved from Graph API and it returns 0 apps for all groups. How do you tackle that?

I'm having the same issue too, would be great to have this resolved. Thanks

Nice Script. Would you check this script too: https://github.com/sibranda/GetIntuneAssignments

I found that one too. This C# app needs registration in Azure apps on your tenant; if you can't "read" this language very well you don't know what it does. So security-wise don't just trust it. Make sure with someone that knows C# pretty well that the app is safe and doesn't open any backdoors or something.

Number of Device Configurations Powershell Scripts found: 0

But group in question definitely has PS scripts assigned…

There was a typo in the script, it has been fixed now.

Guys this is incredible! Thanks!

Guys, I found this crazy script too https://www.powershellgallery.com/packages/Get-IntuneGroupAssignments/1.0/Content/Get-IntuneGroupAssignments.ps1

FYI there's a typo in the scripts part:

$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupassignments -match $Group.id}

Could have been something Microsoft have changed though as I know it was written a few years ago

Hi, I have over 1000 Apps so the script doesn't list any apps assigned to groups. I believe it's due to the script not including paging, and I think some data for additional pages goes into odata.nextlink, so the script needs modification to take into account large numbers. Would be amazing if you could modify this script. Thanks

Hello, I use this script a lot, but I just found an inconsistency, what makes me wonder if I have missed any assignments in the past.

I have a user group where I have applied two configuration policies to. – set desktopbackground and lockscreen image – set edge to open a new specified tab Both of them are applied and work, When I run the script it only shows me the “set desktop background and lockscreen image” has been applied. The policy about edge is not mentioned.

Any ideas? Thanks

It's most likely that those 2 policies are using different Graph API resources. Some settings and policies use different resources in the backend even though in the UI they are configured in the same place. I would need to get some more info on the settings and how you configured them to be able to test it myself. What OS are they for? And are they from the Settings catalog or Templates?

Hi all, has anyone re-written the original script for Powershell 7.0+ yet? Love the idea of this, but need it updated for PS 7.

Super! Appreciated.

This is an awesome script! Any chance there’s a way to add endpoint security policies as well?

Thank you for this script. I tried to put all outputs into an excel with export-excel but failed. Does someone know how to modify the script to get the output as an excel?

Any specific reason why you want to use export-excel ? What if you try, export-csv and open the file with excel. Or out-file and save it as any other format ?

I have to send this as a report to another department and they need it as a formatted excel file. The reason is that they have other scripts for automation processes that grab information from certain columns.

Can we export the output of powershell script in excel file?

Hey All, I'm able to connect to the tenant but then I get a "Get-MSGraphNextPage: Not authenticated. Please use the "Connect-MSGraph" command to authenticate" argument. Any thoughts?

Great script! Couldn't work out why some proactive remediation scripts weren't showing, then realised they're assigned to 'All Users' or 'All Devices'. So, in the assignments I'm seeing two groups with IDs starting 'acacacac…' and 'adadadad…' but they don't show in the group list! Am I on the right track?


Approximately 30 Percent of Sailors Remain in Same Area Following New Billet Assignment, CNP Says

Three in 10 sailors did not have to move due to their new billet assignments, the head of naval personnel said Wednesday.

As a result of changes to billet assignments, such as the detailing marketplace assignment policy, sailors are able to stay in the same geographic area longer, Chief of Naval Personnel Vice Adm. Richard Cheeseman said Wednesday during a Navy Memorial talk. The detailing marketplace assignment policy is the Navy’s billet-based advancement program that aims to give sailors more control over their promotions and next assignments.

While 30 percent does not come across as particularly high, Cheeseman said it is for the sea service. Retired Rear Adm. Frank Thorp, president of the U.S. Navy Memorial, said he remembered during his service that the rate was less than 1 percent. When people got new assignments, they expected to move.

Consistent geographic location is one way the Navy is working to retain sailors. Cheeseman noted that the service is on track to meet its goals for retention. For some sailors, especially those with families, the chance to stay in the same location can be enough of an incentive to keep them in the service.

Selected reenlistment bonuses are another tactic, he said. In some cases, the Navy has done so well at retention that it does not need to offer retention bonuses for some billets, he said.

“But you got to figure out where to take risk. Can we have some really critical skills that we’re going to need now and going forward? So how do we incentivize those folks correctly?” Cheeseman asked rhetorically.

But while the Navy can retain sailors, getting them in the door is a different issue, Cheeseman said.

It’s unlikely that the Navy will meet its recruiting mission, which set a goal of 40,600 sailors for Fiscal Year 2024, Cheeseman said. The Navy’s goal is higher than its one in Fiscal Year 2023, which the service also missed.

But the Navy saw more contracts in FY 2023 than in FY 2022 despite meeting its goal in FY 2022. In order to meet its recruiting goals, the Navy drained its delayed entry program – the group of people who sign contracts but are not immediately sent to bootcamp, Cheeseman said.

Without the buffer provided by the delayed entry program, the service needs to bring in more people to meet its goal, the personnel chief said.

While the Navy is likely to miss its recruitment goal, the service is slowly closing the gap. Earlier in the year, the service estimated it would miss the mark by 6,700 sailors. Now, it’s at 6,200.

How many sailors the Navy will be short is still unclear, Cheeseman said, but recruiters are working every day to close the gap.

Heather Mongilio


Heather Mongilio is a reporter with USNI News. She has a master’s degree in science journalism and has covered local courts, crime, health, military affairs and the Naval Academy. Follow @hmongilio


Get-RoleAssignmentPolicy

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Get-RoleAssignmentPolicy cmdlet to view existing management role assignment policies in your organization.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax .

Description

For more information about assignment policies, see Understanding management role assignment policies .

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet .

This example returns a list of all the existing role assignment policies.

This example returns the details of the specified assignment policy. The output of the Get-RoleAssignmentPolicy cmdlet is piped to the Format-List cmdlet.

For more information about pipelining and the Format-List cmdlet, see About Pipelines and Working with command output .

This example returns the default assignment policy.

The output of the Get-RoleAssignmentPolicy cmdlet is piped to the Where cmdlet. The Where cmdlet filters out all of the policies except the policy that has the IsDefault property set to $True.

-DomainController

This parameter is available only in on-premises Exchange.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.

The Identity parameter specifies the name of the assignment policy to view. If the name contains spaces, enclose the name in quotation marks (").

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types . If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types . If the Output Type field is blank, the cmdlet doesn't return data.


COMMENTS

  1. Get-AzPolicyAssignment (Az.Resources)

    The Get-AzPolicyAssignment cmdlet gets all policy assignments or particular assignments. Identify a policy assignment to get by name and scope or by ID. Examples Example 1: Get all policy assignments Get-AzPolicyAssignment. This command gets all the policy assignments. Example 2: Get a specific policy assignment

  2. Get-Az Policy Assignment

    Get-Az Policy Assignment - learn.microsoft.com

  3. Details of the policy assignment structure

    The policy assignment can determine the values of parameters for that group of resources at assignment time, making it possible to reuse policy definitions that address the same resource properties with different needs for compliance. Note. For more information on Azure Policy scope, see Understand scope in Azure Policy.

  4. Get list of all azure policy assignment using powershell

    However when I scope the assignment to the resource group, below command does not return that assignment in its output. Please advise on this further. Powershell commands: To get all policy assignment: Get-AzPolicyAssignment This commands return list of assignments scoped to only subscriptions & management groups

  5. Get-AzPolicyAssignment

    Get-AzPolicyAssignment Get-AzPolicyAssignment [-Name <String>] [-Scope <String>] Now, let's discuss a few examples of how to use the Get-AzPolicyAssignment PowerShell command with a few examples. Example. Below PowerShell command can help you to retrieve the lists of policy assignments. Get-AzPolicyAssignment

  6. azure-powershell/src/Resources/Resources/help/Get ...

    Identify a policy assignment to get by name and scope or by ID. EXAMPLES. Example 1: Get all policy assignments. Get-AzPolicyAssignment. This command gets all the policy assignments. Example 2: Get a specific policy assignment

  7. Manage Azure Policy using PowerShell

    You can create a policy assignment by linking an existing policy definition and specifying the target scope. In this way, the same policy definition object can be reused with another policy assignment. Policy scope. This determines which resources to apply the policy to, based on the specified Azure Resource Manager resource path. A scope can ...

  8. Regain Control of Azure Resources with Azure Policy

    Within the Azure Portal, search for Policy. Click on Remediation on the left-hand side. Click on a policy that is of the type of deployIfNotExists and has non-compliant resources. Filter the resources to be re-mediated on the New remediation task page to limit what the task applies to. Click on Remediate to start the task itself.

  9. Quickstart: Create a policy assignment to identify non-compliant

    The template uses three parameters to deploy the policy assignment: policyAssignmentName creates the policy assignment named audit-vm-managed-disks. policyDefinitionID uses the ID of the built-in policy definition. For reference, the commands to get the ID are in the section to deploy the template.

  10. Bicep and Azure Policy: Manage Policy and Initiative Assignment

    This time, the post will focus on policy assignments with Azure Bicep and PowerShell. Policy assignment enforces a policy and a policy set at a given scope, management group, or subscription. This is where policies are applied to target resources. A policy Assignment object has several properties: A non-compliance object.

  11. az policy assignment

    Copy. Open Cloud Shell. az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --location eastus. Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription. Azure CLI.

  12. Testing Azure Policy via PowerShell

    To do this successfully we should read in the existing policy assignment and store that information in our script so we reapply the policy with the same information that was originally available. Store Policy Assignment Information. To store the policy assignment information, we will use the Get-AzPolicyAssignment PowerShell module:

  13. Azure Policy: Starter Guide

    As a matter of caution, set the policy 'enforcementMode' parameter into the disabled state when creating assignments for your tested policies so you can safely audit their work results. Secondly, be aware that Azure Policy assignments don't come into effect immediately. There is a policy evaluation delay, which is around 30 minutes or so ...

  14. Get Started with Azure Policy

    In the next policy definitions page click on Assign. Next, select the scope of the policy. Click on the More button, it will open the Scope blade, select the management scope and the respective subscription and click on Select. Add the mandatory tag name and value from the parameters section, as shown in the below figure.

  15. Manage Azure Policy with Terraform

    Policy Assignment# The actual policy assignment portion of the module is most likely the simplest part. In this, we simply for through the var.assignment.assignments list and return a map where the key is the name property and the value is the id property of our assignments object.

  16. Use PowerShell to retrieve all assigned Intune policies and

    Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group! ... @TomWechsler Has the mobileapps functionality changed as I don't get the assignments back when I try it. I've even tried the Graph command directly in Graph ...

  17. Get all assigned Intune policies and apps per Azure AD group

    During MMS JAZZ Edition in New Orleans a couple of weeks ago me and the amazing Sandy Zeng did a presentation on using the Intune Powershell SDK and in this demo packed session we showed off a script that were able to find assigned policies and apps from AAD groups.

  18. Policy Assignments

    The display name of the policy assignment. properties.enforcementMode enforcement Mode. Default The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. properties.metadata object The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

  19. Powershell script to find out Teams policies by users

    Yes, you can update the top of the script to use a filter and select the attributes you want to filter on. I would suggest you query some of your users and verify that the Teams PS Module sees those attributes before trying it. For example: Get-CsOnlineUser -Filter { CountryAbbreviation -eq "US"} OR.

  20. Policy assignment question

    Policy assignment question. Hi. I have a question about the most efficient way to assign intune security policies for Defender for endpoint. This customer has intune joined Windows 10 devices and also Azure VMs with a combination of Windows Server OSs and Windows 10 workstations they use as SERVERS that are Intune MDE joined.

  21. Approximately 30 Percent of Sailors Remain in Same Area Following New

    As a result of changes to billet assignments, such as the detailing marketplace assignment policy, sailors are able to stay in the same geographic area longer, Chief of Naval Personnel Vice Adm ...

  22. Quickstart: Create policy assignment using Azure portal

    The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state. The policy assignment shows resources that aren't compliant with a Compliance state of Non-compliant. To get more details, select the policy assignment name to view the Resource Compliance.

  23. Managing Project Risks and Changes Course by University of California

    This course provides a comprehensive analysis of project risk management. It begins with foundational concepts and frameworks, progressing to specific steps of risk management, and real-world templates, skills and competencies. The course is designed to equip learners with the knowledge and skills to manage project risks effectively and ensure ...

  24. The Deloitte Global 2024 Gen Z and Millennial Survey

    Download the 2024 Gen Z and Millennial Report. 5 MB PDF. To learn more about the mental health findings, read the Mental Health Deep Dive. The 13th edition of Deloitte's Gen Z and Millennial Survey connected with nearly 23,000 respondents across 44 countries to track their experiences and expectations at work and in the world more broadly.

  25. Get-RoleAssignmentPolicy (ExchangePowerShell)

    Get-RoleAssignmentPolicy [[-Identity] <MailboxPolicyIdParameter>] [-DomainController <Fqdn>] [<CommonParameters>] Description. For more information about assignment policies, see Understanding management role assignment policies. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for ...