azure_ad_groupazure_ad_service_principalazure_ad_userazure_alert_managementazure_api_managementazure_api_management_backendazure_app_configurationazure_app_service_environmentazure_app_service_function_appazure_app_service_planazure_app_service_web_appazure_app_service_web_app_slotazure_application_gatewayazure_application_insightazure_application_security_groupazure_automation_accountazure_automation_variableazure_backup_policyazure_bastion_hostazure_batch_accountazure_cdn_frontdoor_profileazure_cognitive_accountazure_compute_availability_setazure_compute_diskazure_compute_disk_accessazure_compute_disk_encryption_setazure_compute_disk_metric_read_opsazure_compute_disk_metric_read_ops_dailyazure_compute_disk_metric_read_ops_hourlyazure_compute_disk_metric_write_opsazure_compute_disk_metric_write_ops_dailyazure_compute_disk_metric_write_ops_hourlyazure_compute_imageazure_compute_resource_skuazure_compute_snapshotazure_compute_ssh_keyazure_compute_virtual_machineazure_compute_virtual_machine_metric_available_memoryazure_compute_virtual_machine_metric_available_memory_dailyazure_compute_virtual_machine_metric_available_memory_hourlyazure_compute_virtual_machine_metric_cpu_utilizationazure_compute_virtual_machine_metric_cpu_utilization_dailyazure_compute_virtual_machine_metric_cpu_utilization_hourlyazure_compute_virtual_machine_scale_setazure_compute_virtual_machine_scale_set_network_interfaceazure_compute_virtual_machine_scale_set_vmazure_consumption_usageazure_container_groupazure_container_registryazure_cosmosdb_accountazure_cosmosdb_mongo_collectionazure_cosmosdb_mongo_databaseazure_cosmosdb_restorable_database_accountazure_cosmosdb_sql_databaseazure_data_factoryazure_data_factory_datasetazure_data_factory_pipelineazure_data_lake_analytics_accountazure_data_lake_storeazure_data_protection_backup_jobazure_data_protection_backup_vaultazure_databox_edge_deviceazure_databricks_workspaceazure_diagnostic_settingazure_dns_zoneazure_eventgrid_domainazure_eventgrid_topicazure_eventhub_namespaceazure_express_route_circuitazure_firewallazure_firewall_policyazure_frontdoorazure_hdinsight_clusterazure_healthcare_serviceazure_hpc_cacheazure_hybrid_compute_machineazure_hybrid_kubernetes_connected_clusterazure_iothubazure_iothub_dpsazure_key_vaultazure_key_vault_certificateazure_key_vault_deleted_vaultazure_key_vault_keyazure_key_vault_key_versionazure_key_vault_managed_hardware_security_moduleazure_key_vault_secretazure_kubernetes_clusterazure_kubernetes_service_versionazure_kusto_clusterazure_lbazure_lb_backend_address_poolazure_lb_nat_ruleazure_lb_outbound_ruleazure_lb_probeazure_lb_ruleazure_lighthouse_assignmentazure_lighthouse_definitionazure_locationazure_log_alertazure_log_analytics_workspaceazure_log_profileazure_logic_app_workflowazure_machine_learning_workspaceazure_maintenance_configurationazure_management_groupazure_management_lockazure_mariadb_serverazure_monitor_activity_log_eventazure_monitor_log_profileazure_mssql_elasticpoolazure_mssql_managed_instanceazure_mssql_virtual_machineazure_mysql_flexible_serverazure_mysql_serverazure_nat_gatewayazure_network_interfaceazure_network_security_groupazure_network_watcherazure_network_watcher_flow_logazure_policy_assignmentazure_policy_definitionazure_postgresql_flexible_serverazure_postgresql_serverazure_private_dns_zoneazure_private_endpointazure_providerazure_public_ipazure_recovery_services_backup_jobazure_recovery_services_vaultazure_redis_cacheazure_resourceazure_resource_groupazure_resource_linkazure_role_assignmentazure_role_definitionazure_route_tableazure_search_serviceazure_security_center_auto_provisioningazure_security_center_automationazure_security_center_contactazure_security_center_jit_network_access_policyazure_security_center_settingazure_security_center_sub_assessmentazure_security_center_subscription_pricingazure_service_fabric_clusterazure_servicebus_namespaceazure_signalr_serviceazure_spring_cloud_serviceazure_sql_databaseazure_sql_serverazure_storage_accountazure_storage_blobazure_storage_blob_serviceazure_storage_containerazure_storage_queueazure_storage_share_fileazure_storage_syncazure_storage_tableazure_storage_table_serviceazure_stream_analytics_jobazure_subnetazure_subscriptionazure_synapse_workspaceazure_tenantazure_virtual_networkazure_virtual_network_gatewayazure_web_application_firewall_policy
Table: azure_policy_assignment - Query Azure Policy Assignments using SQL
A Policy Assignment in Azure is a security tool that enables operators to apply a policy definition to a resource or a set of resources. The assignment is the process of binding a policy definition to a specific scope. This scope could range from a management group to a resource group.
Table Usage Guide
The azure_policy_assignment table provides insights into Policy Assignments within Azure Policy. As a Security Analyst, explore specific details through this table, including policy definitions, scopes, and compliance statuses. Utilize it to uncover information about policy assignments, such as those associated with specific resources, the scope of these assignments, and their compliance status.
Examples
Basic info
Explore the policies assigned within your Azure environment to ensure adherence to your organization's governance and compliance requirements. This can help identify any instances where policies may not be correctly applied, potentially exposing your environment to risks.
select id, policy_definition_id, name, typefrom azure_policy_assignment;select id, policy_definition_id, name, typefrom azure_policy_assignment;Get SQL auditing and threat detection monitoring status for the subscription
Explore the status of SQL auditing and threat detection monitoring for your subscription. This query helps you assess whether these important security measures are active, promoting better risk management and data protection.
select id, policy_definition_id, display_name, parameters -> 'sqlAuditingMonitoringEffect' -> 'value' as sqlAuditingMonitoringEffectfrom azure_policy_assignment;select id, policy_definition_id, display_name, json_extract( json_extract(parameters, '$.sqlAuditingMonitoringEffect'), '$.value' ) as sqlAuditingMonitoringEffectfrom azure_policy_assignment;Get SQL encryption monitoring status for the subscription
Explore the status of SQL encryption monitoring for your subscription. This can help in maintaining the security of your data by keeping an eye on the encryption status.
select id, policy_definition_id, display_name, parameters -> 'sqlEncryptionMonitoringEffect' -> 'value' as sqlEncryptionMonitoringEffectfrom azure_policy_assignment;select id, policy_definition_id, display_name, json_extract( json_extract(parameters, '$.sqlEncryptionMonitoringEffect'), '$.value' ) as sqlEncryptionMonitoringEffectfrom azure_policy_assignment;Control examples
- All Controls > Security Center > Ensure any of the ASC Default policy setting is not set to "Disabled"
- CIS v1.3.0 > 2 Security Center > 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled"
- CIS v1.4.0 > 2 Microsoft Defender for Cloud > 2.12 Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled'
- CIS v1.5.0 > 2 Microsoft Defender for Cloud > 2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- CIS v2.0.0 > 2 Microsoft Defender > 2.1 Microsoft Defender for Cloud > 2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
Schema for azure_policy_assignment
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| description | text | This message will be part of response in case of policy violation. | |
| display_name | text | The display name of the policy assignment. | |
| enforcement_mode | text | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | |
| id | text | = | The ID of the policy assignment. |
| identity | jsonb | The managed identity associated with the policy assignment. | |
| metadata | jsonb | The policy assignment metadata. | |
| name | text | The name of the policy assignment. | |
| not_scopes | jsonb | The policy's excluded scopes. | |
| parameters | jsonb | The parameter values for the assigned policy rule. | |
| policy_definition_id | text | The ID of the policy definition or policy set definition being assigned. | |
| scope | text | The scope for the policy assignment. | |
| sku_name | text | The name of the policy sku. | |
| sku_tier | text | The policy sku tier. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
| title | text | Title of the resource. | |
| type | text | The type of the policy assignment. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_policy_assignment