General availability: Update in Policy Compliance for Resource Type Policies
公開日: 6月 07, 2021
Starting on June 16, 2021, policies where resource type is the only evaluation criterion (e.g. Allowed Resource Types, Disallowed Resource Types) will not have 'compliant' resources stored in compliance records. This means that if there are zero non-compliant resources, the policy will show 100% compliance. If there is one or more non-compliant resources, the policy will show 0% compliance, with the total resources equaling the non-compliant resources. This change is to address feedback that resource type policies skew overall compliance percentage data (which are calculated as compliant + exempt resources out of the total resources across all policies, deduped for unique resource IDs) due to a high number of total resources.
The resource type policy has a high total resource count, because it’s the only policy where all resources in the scope of the assignment count towards ‘total resources’. Other policies only consider applicable resource types to count towards total resources (i.e. VM extension policy would only count VMs in total resources).
Going forward, the resource type policies will only count the non-compliant resources (when ‘if’ statement evaluates to true) towards the total resources. So, if there are zero-non-compliant resources, the policy will show 100% compliance. Alternatively, if there are one or more non-compliant resources, the policy will show 0% compliance (since non-compliant resources = total resources). Aggregated with other policies, this logic would provide more accurate assessment of your overall environment.
If this is a concern, and if you’d like other resource types to be reflected as compliant resources, please include the statement ‘allOf:[ field: type in [list of resource types to be counted towards total]],’, as in the built-in policy definition ‘Storage accounts should be migrated to new Azure Resource Manager resources’.
If you have a support plan and need technical help, please create a support request.