az policy attestation

Manage resource policy attestations.


Name                            Description                               Type  Status
az policy attestation create    Create a policy attestation.              Core  GA
az policy attestation delete    Delete an existing policy attestation.    Core  GA
az policy attestation list      List all attestations for a resource.     Core  GA
az policy attestation show      Get a policy attestation.                 Core  GA
az policy attestation update    Update an existing policy attestation.    Core  GA

az policy attestation create

Create a policy attestation.

az policy attestation create --attestation-name
                             [--compliance-state {Compliant, NonCompliant, Unknown}]


Create an attestation at resource group scope for a policy assignment

az policy attestation create -g myRg -n myAttestation --policy-assignment eeb18edc813c42d0ad5a9eab

Create an attestation at resource group scope for a policy assignment using the policy assignment resource ID

az policy attestation create -g myRg -n myAttestation \
  --policy-assignment "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/providers/Microsoft.Authorization/policyAssignments/myPa"

Create an attestation at subscription scope for a policy set assignment

az policy attestation create -n myAttestation \
  --policy-assignment eeb18edc813c42d0ad5a9eab \
  --definition-reference-id auditVMPolicyReference

Create an attestation for a specific resource using the resource ID

az policy attestation create \
  --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/myVm" \
  -n myAttestation --policy-assignment eeb18edc813c42d0ad5a9eab

Create an attestation at resource group scope using all properties

az policy attestation create --attestation-name myAttestation -g myRg -a eeb18edc813c42d0ad5a9eab \
 --compliance-state Compliant --assessment-date 2023-01-01T08:29:18Z \
 --evidence source-uri= description="Sample description for the sample uri" \
 --evidence source-uri= description="Sample description 2 for the sample uri 2" \
 --expires-on 2024-08-01T05:29:18Z --owner --metadata Location=NYC Dept=ACC \
 --definition-reference-id auditVMPolicyReference

Required Parameters

--attestation-name --name -n

The name of the attestation.

--policy-assignment --policy-assignment-id -a

The resource ID of the policy assignment that the attestation is setting the state for.

Optional Parameters


The time the evidence was assessed.


Comments describing why this attestation was created.


The compliance state that should be set on the resource.

Accepted values: Compliant, NonCompliant, Unknown

The policy definition reference ID from a policy set definition that the attestation is setting the state for. If the policy assignment assigns a policy set definition, the attestation can either use this property to choose a single definition within the set, or omit it and set the state for the entire set definition.


The evidence supporting the compliance state set in this attestation.


The time the compliance state should expire.


Additional metadata in space-separated key=value pairs for an attestation. This overwrites any existing metadata for the attestation.


Provider namespace (Ex: Microsoft.Provider).


The person responsible for setting the state of the resource. This value is typically an Azure Active Directory object ID.


The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Resource type (Ex: resourceTypeC).

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az policy attestation delete

Delete an existing policy attestation.

az policy attestation delete --attestation-name


Delete an attestation at resource group scope

az policy attestation delete -g myRg -n myAttestation

Required Parameters

--attestation-name --name -n

The name of the attestation.

Optional Parameters


Provider namespace (Ex: Microsoft.Provider).


The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Resource type (Ex: resourceTypeC).

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az policy attestation list

List all attestations for a resource.

az policy attestation list [--filter]


List all policy attestations at subscription scope

az policy attestation list

List the top two policy attestations at resource group scope

az policy attestation list -g myRg --top 2

List all attestations that have the policy assignment ID of myPolicyAssignment

az policy attestation list --filter "PolicyAssignmentId eq '/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5'"
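
An attestation sets a compliance state by hand, so the list output is worth reviewing for claims that have lapsed or lack support. The following is an added example, not part of the Azure CLI or its documentation: it audits the JSON produced by `az policy attestation list -o json` for attestations that assert Compliant but are expired or have no expiry, evidence or owner. The output field names (`complianceState`, `expiresOn`, `evidence`, `owner`) and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az policy attestation list -o json` output.
# Field names and values are assumptions for illustration, not real data.
SAMPLE = json.dumps([
    {"name": "att-ok", "complianceState": "Compliant",
     "expiresOn": "2024-08-01T05:29:18+00:00", "owner": "owner-object-id",
     "evidence": [{"description": "Sample description",
                   "sourceUri": "https://example.invalid/report"}]},
    {"name": "att-expired", "complianceState": "Compliant",
     "expiresOn": "2023-02-01T00:00:00Z", "owner": "owner-object-id",
     "evidence": [{"description": "old scan",
                   "sourceUri": "https://example.invalid/old"}]},
    {"name": "att-bare", "complianceState": "Compliant",
     "expiresOn": None, "owner": None, "evidence": []},
    {"name": "att-noncompliant", "complianceState": "NonCompliant",
     "expiresOn": None, "owner": None, "evidence": None},
])


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' or a naive value means UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def audit_attestations(raw_json, now):
    """Return {attestation name: [findings]} for attestations asserting Compliant."""
    findings = {}
    for att in json.loads(raw_json):
        if att.get("complianceState") != "Compliant":
            continue  # only review attestations that assert compliance
        issues = []
        expires = att.get("expiresOn")
        if not expires:
            issues.append("no-expiry")
        elif parse_ts(expires) <= now:
            issues.append("expired")
        if not att.get("evidence"):
            issues.append("no-evidence")
        if not att.get("owner"):
            issues.append("no-owner")
        if issues:
            findings[att["name"]] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed for repeatable output
    for name, issues in audit_attestations(SAMPLE, now).items():
        print(f"{name}: {', '.join(issues)}")
```

To run it against a live subscription, pass the captured output of `az policy attestation list -o json` and the current UTC time to `audit_attestations`.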

Optional Parameters


OData filter expression.

--resource --resource-id

Resource ID.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Maximum number of records to return.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az policy attestation show

Get a policy attestation.

az policy attestation show --attestation-name


Show an attestation at subscription scope

az policy attestation show --attestation-name myAttestation

Required Parameters

--attestation-name --name -n

The name of the attestation.

Optional Parameters


Provider namespace (Ex: Microsoft.Provider).


The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Resource type (Ex: resourceTypeC).

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az policy attestation update

Update an existing policy attestation.

az policy attestation update --attestation-name
                             [--compliance-state {Compliant, NonCompliant, Unknown}]


Update an attestation at resource scope

az policy attestation update --attestation-name myAttestation \
  --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/myVm" \
  --comments "Adding comments for this attestation"

Required Parameters

--attestation-name --name -n

The name of the attestation.

Optional Parameters


The time the evidence was assessed.


Comments describing why this attestation was created.


The compliance state that should be set on the resource.

Accepted values: Compliant, NonCompliant, Unknown

The policy definition reference ID from a policy set definition that the attestation is setting the state for. If the policy assignment assigns a policy set definition, the attestation can either use this property to choose a single definition within the set, or omit it and set the state for the entire set definition.


The evidence supporting the compliance state set in this attestation.


The time the compliance state should expire.


Additional metadata in space-separated key=value pairs for an attestation. This overwrites any existing metadata for the attestation.


Provider namespace (Ex: Microsoft.Provider).


The person responsible for setting the state of the resource. This value is typically an Azure Active Directory object ID.


The parent path (Ex: resourceTypeA/nameA/resourceTypeB/nameB).

--policy-assignment --policy-assignment-id -a

The resource ID of the policy assignment that the attestation is setting the state for.

--resource --resource-id

Resource ID or resource name. If a name is given, please provide the resource group and other relevant resource id arguments.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Resource type (Ex: resourceTypeC).

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.