azure / enterprise-azure-policy-as-code Goto Github PK

View Code? Open in Web Editor NEW

395.0 20.0 199.0 22.5 MB

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)

Home Page: https://azure.github.io/enterprise-azure-policy-as-code/

License: MIT License

PowerShell 100.00%

azure-policy azure-pipeline azure devops infrastructure-as-code

enterprise-azure-policy-as-code's Introduction

Enterprise Azure Policy as Code

This repository contains the source code for the Enterprise Azure Policy as Code (EPAC) solution. EPAC is a solution that allows you to manage Azure Policy as code in a git repository. For an overview see the EPAC documentation.

Contributing

This project welcomes contributions and suggestions. Contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

enterprise-azure-policy-as-code's People

Contributors

Stargazers

Watchers

Forkers

rnwahiri naveensushanth moquadri jagocki rhaug77 jonathan-vella chrisking81 arvindmits anilkumar15 cloud365admin kennethbess jamelachahbar-zz secplayer kameshpudi juliansprt mbarry-gh leilatazi wetwicky rtmtfiallos gecoet nielsophey aionic lishuo18 marenskoetter esrobinsoniii fasere75 dinishkr ryd-dev lromano72 boulosdib shivanandsingh adammontlake isabella232 micksear sujith0408 anwather joush jeremiahhoward swathialuganti cspe toyman19 elyusubov torivara wesmacdonald jsariol garylirocks lcholewa nellyontour dfw1n amrik2309 hyundonk adiazcan kevinlprd haflidif chanakanissanka billybenz darrenturchiarelli shankarvrp withholm cdouny-insight jose-ceschiatti jstromecs mimozar guidovbrakelnl techch01 vienleidl dguzzip gokhankoc acenl12 patchfox artisticcheese fslef krowlandson mzarglis russellds rafelorente19 martyh888 skaylink lecampusazure kristinekhl jks05c qsparktest invisibleaxm andbron singhravipratap gummigroda rowbot-99 spiderman0016 aaron-cohee gjonn pcsprashanth s4parke mavericksurfer aktapaz jeffpeacock npawar2020 finndegner kevball2 robbiemueller alexanderrijnbeek

enterprise-azure-policy-as-code's Issues

Feature: User-assigned managed identity of Azure Policy Assignments

Currently, when planning the deployment (i.e. generating the plan files), we receive an error message regarding policies in policysets with user-assigned managed identities.

When debugging, we discovered that the principalId field for user-assigned managed identities is a nested object and is therefore not handled as expected in the script (like system assigned managed identities).
Could this be a bug or did we forget something for v.6.

Document Policy Assignments better

additionalRoleDefinitionIds
scopes
notScopes
definitionEntryList
New advancedProperties
- additionalRoleDefinitionIds
- overrides
- resourceSelector
- complianceMessages`
CSV files

Child MG does not contain a scope property when evaluating globalNotScope on AssignmentsPlan

Running the Build-AzPoliciesInitiativesAssignmentsPlan, Get-NotScope fails to find a value for the property scope on the currentMg or the child objects.

Similar to a previous issue, this is occurring on an empty management group that contains multiple child management groups.

Question Feature: Always Assign Policy to Dev or Test PacEnv

I am not sure if this is possible or maybe the documentation doesn't explain this option to me but I have been looking through the code to see how to make it mandatory that a policy is assigned to an EPAC-dev Environment even if the user forgot to add a scope defined in the policyAssignments.

This feature or need is to make sure the Assignment has been passed through Dev / Test before it can reach production in the pipeline stages

Management Group scopeTreeInfo type property mistmatch on Assignment notScope evaluation

While executing Build-AzPoliciesInitiativesAssignmentsPlan.ps1, I find that the scopeTreeInfo object contains a type property prepended with /providers/, while the Get-NotScope helper function expects a string that evaluates with exactly Microsoft.Management/managementGroups.

This causes the Build-AzPoliciesInitiativesAssignmentsPlan.ps1 to fail with the error output Traversal of scopeTree to find notScopes in scope '$scope' yielded an unknown type '$($child.type)' name='$($child.name)'

Feature: Assignment Parameter definitions in Excel or CSV instead of JSON for easier maintainability.

Parameters and their values will be stored in a separate CSV file. The current style of using JSON will continue to work.

Are environments supposed to be automatically created during YAML run?

Hello,

I run YAML and it did create PAC-DEV environment but none of the other environments mentioned were created and instead following errors were thrown Job deployPolicyJob: Environment PAC-POLICY could not be found. The environment does not exist or has not been authorized for use.

Using the documentation feature for policy assignments

Hello there,

I'm having trouble using the assignment documentation feature to document policy assignments (for both built-in and custom policies). It is able to document initiative assignments without a problem, pulling the correct name, description and effect(s). However, if I add an assignment of definition type policy to the assignment ID in the representativeAssignments block, the result looks like this:

I couldn't find anywhere in the documentation that it is meant to be used only with initiative assignments, so I wanted to confirm if this is working as expected or whether this is an error on my end.

Here is the assignment in question, should it be helpful in debugging this issue.

{
    "nodeName": "parentNode",
    "parameters": {
        "resourceGroupLocation": "canadacentral"
    },
    "definitionEntry": {
        "policyName": "ffb6f416-7bd2-4488-8828-56585fef2be9",
        "friendlyNameToDocumentIfGuid": "Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data"
    },
    "assignment": {
        "Name": "exportDefenderLogs",
        "displayName": "Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data",
        "description": "Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task."
    },
    "children": [
        {
            "nodeName": "PRD",
            "parameters": {
                "resourceGroupName": "<rg-name>",
                "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.OperationalInsights/workspaces/<workspace-id>"
            },
            "scope": {
                "prod": [
                    "/providers/Microsoft.Management/managementGroups/<management-group-id>"
                ]
            }
        }
    ]
}

Thanks for the hard work put in this project!

Error message when parameter names in Initiatives are misspelled is not useful.

Multi-tenant pipelines has possible syntax error in naming

It does not look like that Azure DevOps Pipelines allow - as part of pipeline dependency name. Getting following error trying to run https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/StarterKit/Pipelines/AzureDevOps/multi-tenant-pipeline.yml

An error occurred while loading the YAML build pipeline. Unexpected symbol: 'tenantPlanMainStage-1'. Located at position 53 within expression: and(not(failed()), not(canceled()), eq(dependencies.tenantPlanMainStage-2.outputs['planJob.planStep.deployPolicyChanges'], 'yes'), in(variables['Build.Reason'], 'Manual', 'IndividualCI', 'BatchedCI'), contains(variables['Build.SourceBranch'], 'refs/heads/main')). For more help, refer to https://go.microsoft.com/fwlink/?linkid=842996

I think stages and dependencies should not have -

Question about additionalRoleAssignments structure

Hello,

I am trying to deploy policy with additionalRoleAssignments, which requires roleDefinitionId and scope. Unfortunately, do not know why the assignment of additional roles does not work. Assigment applies to custom policy, could I ask for guidance on what the correct definition should look like.
Below is my definition of assignment, The policy works correctly but the additional role no longer.
I will mention that I have one tenant.

`
{

"nodeName": "/7-DN-VMS-DeployRhelDscExtension/",
"assignment": {
    "name": "7-DN-VMS-DeployRhelDscExtension",
    "displayName": "7-DN-VMS-DeployRhelDscExtension",
    "description": "Deploy DSC configuration for RHEL servers."
},
"definitionEntry": {
    "policyName": "7-DN-VMS-DeployRhelDscExtension",
    "friendlyNameToDocumentIfGuid": "7-DN-VMS-DeployRhelDscExtension"
},
"parameters": {
    "automationAccountSubscriptionId": "xxxxxxxxxxxxxxxx",
    "automationAccountRg": "scb-core-mgt-devdlp-rg",
    "automationAccountName": "scb-core-mgt-devdlp-aac",
    "nodeConfigurationName": "DSCforRHEL.localhost"
},
"scope": {
    "dev": [
        "/subscriptions/xxxxxxxxxxxxxxxxxxxxxx"
    ]
},
"additionalRoleAssignments": [
    {
        "roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "scope": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxx"
    }
]

}
`
thanks in advance for your answer,
Aleksander

Set-AzPolicyDefinition with the module Az-Resource version 6.5 removes all space in assignment

a bug was discovered in azure-powerhell that impact the function Set-AzPolicyDefinition
Azure/azure-powershell#20444

this bug removes all space in the displayName and Parameters of the assignments

a possible enhancement could be to check that a minimum version is installed to avoid this.

$moduleName = 'Az.Resource'
$requiredVersion = '6.5.1'

# Check if the module is already installed
$module = Get-Module -Name $moduleName -ListAvailable

# If the module is not installed or the installed version is less than the required version
if ($module -eq $null -or ($module.Version.CompareTo([version]$requiredVersion) -lt 0)) {
    Write-Host "Installing $moduleName version $requiredVersion"
    Install-Module -Name $moduleName -RequiredVersion $requiredVersion -Force
    Import-Module -Name $moduleName -RequiredVersion $requiredVersion -Force
}

Documentation: User Administrator vs User Access Administrator Permissions

Hey, the documentation is somewhat unclear about the permissions needed for the role assignment service principal when it comes to DevOps Service Connections, the documentation states here:
Service Connections for DevOps cicd

"User Administrator for assigning roles to the Assignments' Managed Identities (for remediation tasks) in the EPAC prod environment"

and here: Service Connections and Roles

Connection	Stages	PAC-DEV-001	PAC-TEST-001	Tenant 1	Tenant 2
sc-pac-roles-1	prodRolesStage-1			User Administrator Security Reader
sc-pac-roles-2	prodRolesStage-2				User Administrator Security Reader

That a User Administrator role is needed, and that might be somewhat confusing with the User Administrator Azure AD role, instead of the User Access Administrator RBAC Role that these service connections at least need to be able to create the role assignments for the Managed Identities that are used for the remediation tasks.

Support for EnforcementMode on policy assignments

Hello,

I am trying to make the EnforcementMode property working on policy assignment but it does not seem to be supported from the examples in this repository.

I would like to be able to assign the same policy with different EnforcementMode per environment. For instance, I would like to assign a 'DeployIfNoExists' policy with EnforcementMode ='Default' in development and EnforcementMode ='DoNotEnforce' in production.

I have investigated the PowerShell deployment code and my finding is the following : The parameter is passed to the New-AzPolicyAssigment and Set-AzPolicyAssigment commands, but the actual EnforcementMode is not defined in the deployment plan and it looks like it is ignored.

I would expect something similar to the assigment file below to take the enforcementMode property into account during the assigment :

{
  "nodeName": "ParentNode",
  },
  "definitionEntry": {
    "policyName": "{policyGuid}",
    "friendlyNameToDocumentIfGuid": "Sets allowed location for CosmosDB"
  },
  "children": [
    {
      "nodeName": "ChildNode",
      "enforcementMode": "doNotEnforce",
      "parameters": {
        "policyEffect": "deny"
      },
      "assignment": {
        "Name": "Allowed Locations - DEV",
        "displayName": "Allowed Locations for CosmosDB",
        "description": "Sets the allowed locations for Cosmos DB"
      },
      "scope": {
        "PAC-DEV-001": ["/subscriptions/{subscriptionId}"]
      }
    }

Here is an example of the deployment plan for the assigment above, note that the EnforcementMode is not stored in the newAssigments collection :

  "replacedAssignments": {},
  "replacedInitiativeDefinitions": {},
  "updatedInitiativeDefinitions": {},
  "createdOn": "2022-02-03 16:41:19Z",
  "removedIdentities": {},
  "rootScope": "/subscriptions/{subscriptionGuid}",
  "updatedPolicyDefinitions": {},
  "newAssignments": {
    "/subscriptions/{subscriptionGuid}/providers/Microsoft.Authorization/policyAssignments/Allowed Locations - DEV": {
      "Scope": "/subscriptions/{subscriptionGuid}",
      "Metadata": {},
      "policyId": "/subscriptions/{subscriptionGuid}/providers/Microsoft.Authorization/policyDefinitions/{policyGuid}",
      "DefinitionEntry": {
        "policyName": "{policyGuid}",
        "friendlyNameToDocumentIfGuid": "Sets allowed location for CosmosDB"
      },
      "Description": "Sets the allowed locations for Cosmos DB",
      "DisplayName": "Allowed Locations for CosmosDB",
      "identityRequired": false,
      "managedIdentityLocation": "eastus2",
      "PolicyParameterObject": {
        "policyEffect": "deny",
        "listOfAllowedLocations": [
          "centralus",
          "eastus",
          "eastus2",
          "southcentralus"
        ]
      },
      "Id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/Allowed Locations - DEV",
      "Name": "Allowed Locations - DEV"
    }
  },
  "noChanges": false,
  "newPolicyDefinitions": {}

Add a test to see if Az.ResourceGraph module is already installed

Issue with StarterKit Files

Issues with StarterKit files where name of definition has spaces

policyDefinitions/Defender/azure-defender-enroll.json

This following throws the error due to spaces and not using "-" instead

New-AzPolicyDefinition: /home/vsts/work/1/s/Scripts/Deploy/Deploy-PolicyPlan.ps1:208
Line |
 208 |              $null = New-AzPolicyDefinition @policyDefinition
     |                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | MismatchedPolicyDefinitionName : The policy definition name
     | 'EnableAzureDefenderforResourceType' in the request body does not match
     | the policy definition name 'Enable Azure Defender for Resource Type' in
     | the request uri. CorrelationId: f6e0eade-9bfd-4df6-9863-514d6a534d12

Need to fix this

"name": "Enable Azure Defender for Resource Type",

And also fix file Definitions/policySetDefinitions/defender-dine-enable-for-subscription-initiative.jsonc to be the same as what the name is changed to above

Additional Role Assignment does not work as expected

However, if the additionalRoleAssignments parameter is set in the assignment.json file, no additional role assignment will be scheduled.
This is how the section in the assignment file looks like:

...
 "additionalRoleAssignments": [
        {
            "roleDefinitionId" : "/subscriptions/1111-1111-1111-1111-11111/providers/Microsoft.Authorization/roleDefinitions/11111-1111-1111-1111-111111111",
            "scope": "/subscriptions/11111-1111-1111-1111-111111111"
        }
        
    ]
...

When i am in debug mode the following selectors (roleDefinitionId and scope) are used in file Build-AssignmentDefinitionNode.ps1 in line 220:
E.g:

The further statements are not executed anymore, because the first if statement in the foreach loop already returns a false. thus no additional role assignment is created.

Should that be so?

Maybe I am doing something wrong.

Feature: Compliance messages are not supported by EPAC.

Policy Assignments may define custom messages for non-compliant resources. EPAC does not currently support this capability. The contributors are investigating ways to include this. We plan to add this capability no later than September 2022.

Not specifying a pac environment causes it to return an array not a hashtable

If you run Build-DeploymentPlans and don't specify a PAC Environment - and you only have a single entry in the global-settings.json - the $pacEnvironment variable is returned as an array. This breaks Get-AzScopeTree and causes an error.

If you specify a value for that parameter it returns a hash table correctly.

Add "ASC":"true" to metadata

Add "ASC":"true" to metadata to enable the policy to be used as regulatory compliance in cloud defender.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/custom-security-policies?pivots=rest-api#api-examples

Getting error when obsolete role assignment need to be removed

When running the pipeline we get the following error whenever an obsolete role assignment need deletion,

ERROR: Please run 'az login' to setup account.
 ##[error]Command exited with error
 ##[error]PowerShell exited with code '1'.

We think it might be related to the fact that Invoke-AzCli is used in this specific section:

enterprise-azure-policy-as-code/Scripts/Deploy/Set-AzPolicyRolesFromPlan.ps1

Line 74 in 406ccce

Invoke-AzCli role assignment delete --ids $roleAssignment.id -SuppressOutput

We are currently using a service principal and we obviously want it to be used in this case also

Feature: collect all existing Policy Resources into EPAC format

Create an operational script which collects existing Policy resources to populate Definitions folder:

Policy definitions
Policy Set definitions
Policy Assignments

Deploy-policyplan.ps1 seems to be removing spaces from during policy assignments

My assignment file is below and here is how actual assignment looks like

{
   // Modify Policies for required tags --- use this comment to trigger deployment
   "nodeName": "/Tags/",
   "parameters": {},
   "children": [
      {
         "nodeName": "required-and-inherit/",
         "scope": {
            "epac-dev": [
               "/providers/Microsoft.Management/managementGroups/EPAC-Dev"
            ],
            "dev-environment": [
               "/providers/Microsoft.Management/managementGroups/DevOps-mg"
            ],
            "prod-environment": [
               "/providers/Microsoft.Management/managementGroups/DevOps-mg"
            ]
         },
         "definitionEntryList": [
            {
               "initiativeName": "31fa76b5-77f6-4dda-b061-324aced74fdc",
               "assignment": {
                  "name": "tagassignment",
                  "displayName": "Require Tags Assignment",
                  "description": "Assignment for all tags"
               }
            }
         ]
      }
   ]
}

Bug: When Service Connection is configured at the Management Group Level the pipeline throws an error in the Prod Plan - Feature Branch / Main Branch

After following the required permissions for the sc-pac-plan

Connection	Stages	PAC-DEV-001	PAC-TEST-001	Tenant 1	Tenant 2
sc-pac-plan	prodPlanFeatureStage prodPlanMainStage			EPAC Policy Reader Security Reader

Per Azure tenant at your highest Management Group (called rootScope in EPAC vernacular)
- Security Reader and EPAC Policy Reader (custom) or Policy Contributor roles for planning the EPAC prod deployment

And configuring the Service Connection at the Management Group Level

I got this DevOps Error when running the Prod Plan - Feature Branch and Prod Plan - Main Branch Stage in the DevOps Pipeline.

Message: The client '1111111e-b222-c333-d444-ab123456789c' with object id '1111111e-b222-c333-d444-ab123456789c' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/1111111e-b222-c333-d444-ab123456789c' or the scope is invalid. If access was recently granted, please refresh your credentials.
Command 'az account management-group show --name d-mg-sandboxes --expand --recurse ' command exited with error

It looks like when the Service Connection is configured at the Management Group level there is one Action Permission additionally needed in the custom role for it to work and that is Microsoft.Management/register/action

At least when I added this permission within the Policy Reader Custom Role the error went away.

I've not tested this with a Service Connection on Subscription Scope in DevOps, as I just assumed that the Service Connection should be configured on Management Group scope as we are dealing with multiple subscriptions right?

At least it's not clear if you should configure the Service Connection based on Subscription or Management Group Scope in the documentation.

And to add more context to what this action permission does is that it's allowing the Service Principal to register a resource provider within the Management Group scope.

Is it possible to add built-in policy definition into custom initiative?

Hello,

I'm a little confused since there is no example (or at least I did not find one) showing how to add built-in policy definition into custom initiative definition. Example is below of what I would like to be inside custom policy definition.

 {
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
      "parameters": {
        "effect": {
          "value": "Deny"
        }
      },
      "policyDefinitionReferenceId": "Enforce use of WAF on application gateways",
      "groupNames": []
    }

Feature: Strategy to include Keeping Policy / Definitions For Dev Test

I have a use case where we have multiple teams working in 1 repo on a policy change feature branch for a single tenant and for dev/test purposes it would be helpful to keep policies deployed so that they are not destroyed whilst testing policies (especially with the time it can take for a policy to action along with remediation actions)

My thought for adding this type of feature would be

in Global-settings.jsonc allowing

"desiredState": {
        // [optional]
        "strategy": "keep",
        

in Get-GlobalSettings.ps1 - Adding "keep" as an option

            $strategy = $desired.strategy
            if ($null -ne $strategy) {
                $valid = @("full", "ownedOnly", "keep")

in Confirm-DeleteForStrategy.ps1 Add if else or something like below

    if($strategy -eq "keep"){
        $shallDelete = $false
    }
    else {
        $shallDelete = switch ($pacOwner) {
            "thisPaC" {
                $true
                break
            }
            "otherPaC" {
                $false
                break
            }
            "unknownOwner" {
                $strategy -eq "full"
                break
            }
        }
    }

I can some issue with this above

How to delete them (Manually or running a cleanup PacEnv where it will remove them using strategy full)
This could probably be also achieved by Merge Requests to a Branch which may be the correct way to do this

Feature: Operational guidance for longer-term lifecycle management of policies

As organizations implement and operate policy-as-code, lifecycle operations will be needed. It would be helpful to have guidance and examples of those lifecycle operations and how to manage them. As examples, these are situations likely to arise as policy-as-code is used longer term:

Onboarding a new Azure service that requires additional policy
Changes in an Azure service that invalidates or requires expansion of policy checks
The organization refreshes their compliance standards and requires new/updated/removed policy checks
Versioning where older resources are subject to older policy versions while new resources are subject to a newer version
Policy that no longer applies to any resources can be retired
Policy exemptions need to be managed over time as the reasons for the exemptions are addressed

Documentation update: Role Permissions

Add new roles as defined in New-AzPolicyReaderRole.ps1
"/read",
"Microsoft.Authorization/policyassignments/read",
"Microsoft.Authorization/policydefinitions/read",
"Microsoft.Authorization/policyexemptions/read",
"Microsoft.Authorization/policysetdefinitions/read",
"Microsoft.PolicyInsights/",
"Microsoft.Support/*"

Bug: desired state for Exemptions scoped at individual resource when resource is removed

Exemption management handles resource containers (Management Groups, subscriptions, and Resource Groups).

Exemptions at resource scope do not detect a resource which has been deleted causing a deployment failure.

Workaround: remove the Exemption from the definition.

Feature: Support decentralized and brownfield Policy management

Co-existing of Policy/PolicySet definition at the same scope managed by multiple teams utilizing separate repositories
Reusing read-only Policy/PolicySet definitions from scopes higher in the tree (MGs)
Excluding scopes or specific assignments from desired state management for Assignments and Exemptions

Question about the format of the policies

Hello,
Since we are working mainly with data services (Synapse, Cosmos, Purview) etc. We re-use some policies published here:
https://github.com/Azure/data-management-zone/tree/main/infra/Policies/PolicyDefinitions/SqlManagedInstance

This is one of the repos from Azure Cloud Scale analytics.
The policies here are in a different format that the one in the starter kit. Is there an automated way to "translate" the format?
Thanks,
Miguel

Document Policy Set inclusion of built-in Policies

Help users to better understand the ways of adding Policies to Policy Sets, see #130

Set default az output settings to JSON

Need to run az config set core.output=json - as the default output from az cli is table format.

Breaking changes document is hard to read

explicitely set output to json instead of relying on prefered user output

enterprise-azure-policy-as-code/Scripts/Helpers/Set-AzCloudTenantSubscription.ps1

Line 30 in 406ccce

$accountJson = az account show

Since converting from json, it should be no matter what is the default output format configure by the users

$accountJson = az account show --output json

Exception handling enhancement for role assignments

Hello,

I am trying to deploy a policy assignment with the effect deployIfNotExists, which requires assigning a role definition Id to the policy assignment. The first deployment went through without issues but the subsequent deployments fail with the below error message.

Please note that I am using the suppressDeletes flag in the pipeline because I am not in a greenfield environment.

Here is the error I am getting from the pipeline (using Microsoft Hosted Agent with the latest PS version):

New-AzRoleAssignment: /home/vsts/work/1/s/Scripts/Deploy/Deploy-AzPoliciesInitiativesAssignmentsFromPlan.ps1:310
Line |
 310 |  …     $null = New-AzRoleAssignment -Scope $scope -ObjectId $identity.Pr …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Operation returned an invalid status code 'Conflict'

My understanding is that the below code extract from the Deploy-AzPoliciesInitiativesAssignmentsFromPlan.ps1 script is not catching properly the error above.

 try {
                    $null = New-AzRoleAssignment -Scope $scope -ObjectId $identity.PrincipalId -RoleDefinitionId $roleDefinitionId
                    $needToRetry = $false
                }
                catch {
                    If ($_.Exception.Message.Contains("role assignment already exists")) {
                        # Write-Host "##[warning] Role assignment already existed: New-AzRoleAssignment -Scope $($scope) -ObjectId $($identity.PrincipalId) -RoleDefinitionId $roleDefinitionId"
                        $needToRetry = $false
                    }

I reproduced the error on my side and here is what I found. When the role assignment already exists, the New-AzRoleAssignment command returns the following when using -Debug:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Conflict

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-id               : 18bab13e-6f34-4db0-9c63-577b528e381c
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-correlation-request-id   : 8971e555-a448-4cc6-8954-e3994e71692f
x-ms-routing-request-id       : EASTUS:20220218T135107Z:8971e555-a448-4cc6-8954-e3994e71692f
Date                          : Fri, 18 Feb 2022 13:51:06 GMT

Body:
{
  "error": {
    "code": "RoleAssignmentExists",
    "message": "The role assignment already exists."
  }
}

---------------------------------------------------------------------------------------------------------------------------

When looking at the exception message this returned:

PS /home/leila> $error.Exception.Message
Operation returned an invalid status code 'Conflict'

When looking at the error specified in the body of the exception, this is returned:

PS /home/leila> $error.Exception.Body.Error.Message
The role assignment already exists.

I replaced the exception catch in my version of the code and it works properly.

I am new on GitHub, should I submit a PR to fix the bug or should I let your team push the fix?

Thank you
Very happy with your policy deployment framework so far!

Wrong references for service connections in multi-tenant pipeline

References are using non-existent variables
https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/StarterKit/Pipelines/AzureDevOps/multi-tenant-pipeline.yml

There was a resource authorization issue: "The pipeline is not valid. Job planJob: Step planStep input ConnectedServiceNameARM references service connection $(tenantPlanServiceConnection) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. Job planJob: Step planStep input ConnectedServiceNameARM references service connection $(tenantPlanServiceConnection) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

I assume those shall be refering to tenant $(tenantXPlanServiceConnection) instead

Quesion about parameters for built-in policies

I recently upgraded to the latest version and encountered a problem that did not pass the parameters that have been defined for the built-in policies. I will mention that for custom policies everything works correctly. I will try to explain all this. I use a lot of built-in policies an example is the inheritance of tags from RG (have several such policies). I defined the assignment in the following format and each time the PolicyParameterObject parameter." {} was empty

`
{

"nodeName": "/SP1-MO-000-InheritTag8FromResourceGroup",
"managedIdentityLocation": {
    "*": "westeurope"
},
"assignment": {
    "name": "SP1-MO-000-InheritTag8FromResourceGroup",
    "displayName": "SP1-MO-000-InheritTag8FromResourceGroup",
    "description": "Adds or replaces."
},
"definitionEntry": {
    "policyName": "cd3aa116-8754-49c9-a813-ad46512ece54",
    "friendlyNameToDocumentIfGuid": "SP1-MO-000-InheritTag8FromResourceGroup"
},
"parameters": {
    "tagName": "cost"
},
"scope": {
    "dev": [
        "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ]
}

excerpt from policy-plan file:

"/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/SP1-MO-000-InheritTag8FromResourceGroup": {
"Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/SP1-MO-000-InheritTag8FromResourceGroup",
"EnforcementMode": "Default",
"PolicyParameterObject": {},
"managedIdentityLocation": "westeurope",
"Description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
"DisplayName": "SP1-MO-000-InheritTag8FromResourceGroup",
"Metadata": {
"roles": [
{
"roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleDisplayName": "Contributor",
"scope": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
]
},
"identityRequired": true,
"Name": "SP1-MO-000-InheritTag8FromResourceGroup",
"Scope": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54"
},
`

after hours of troubleshooting and researching how the whole solution works, I found out that the "Build-AzPolicyAssignmentsPlan.ps1" file has been updated and he following 4 lines of code have been replaced by these two

$parametersInDefinition = $initiativeDefinition.Parameter
$parametersInDefinition = $initiativeDefinition.parameters
$parametersInDefinition = $policyDefinition.Parameter
$parametersInDefinition = $policyDefinition.parameters

$parametersInDefinition = $initiativeDefinition.Parameter (line 133)
$parametersInDefinition = $policyDefinition.Parameter (line 162)

            if ($policyAssignmentEntry.initiativeName) {
                    $name = $policyAssignmentEntry.initiativeName
                    if ($friendlyName) {
                        $policySpecText = "Initiative '$name' - '$friendlyName'"
                    }
                    else {
                        $policySpecText = "Initiative '$name'"
                    }
                    $result = Confirm-InitiativeDefinitionUsedExists -allInitiativeDefinitions $allInitiativeDefinitions -replacedInitiativeDefinitions $replacedInitiativeDefinitions -initiativeNameRequired $name
                    if ($result.usingUndefinedReference) {
                        continue
                    }
                    else {
                        $initiativeDefinition = $allInitiativeDefinitions[$name]
                        $parametersInDefinition = $initiativeDefinition.Parameter
                        if ($customInitiativeDefinitions.ContainsKey($name)) {
                            # is custom
                            $policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
                        }
                        else {
                            # is built in
                            $policyDefinitionId = "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
                        }
                        $policySpec = @{ initiativeId = $policyDefinitionId }
                        if ($initiativeNeededRoleDefinitionIds.ContainsKey($name)) {
                            $roleDefinitionIds = $initiativeNeededRoleDefinitionIds.$name
                        }
                    }
                }
                elseif ($policyAssignmentEntry.policyName) {
                    $name = $policyAssignmentEntry.policyName
                    if ($friendlyName) {
                        $policySpecText = "Policy '$name' - '$friendlyName'"
                    }
                    else {
                        $policySpecText = "Policy '$($name)'"
                    }
                    $result = Confirm-PolicyDefinitionUsedExists -allPolicyDefinitions $allPolicyDefinitions -replacedPolicyDefinitions $replacedPolicyDefinitions -policyNameRequired $name
                    if ($result.usingUndefinedReference) {
                        continue
                    }
                    else {
                        $policyDefinition = $allPolicyDefinitions[$name]
                        $parametersInDefinition = $policyDefinition.Parameter
                        if ($customPolicyDefinitions.ContainsKey($name)) {
                            # is custom
                            $policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policyDefinitions/" + $name
                        }
                        else {
                            # is built in
                            $policyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/" + $name
                        }
                        $policySpec = @{ policyId = $policyDefinitionId }
                        if ($policyNeededRoleDefinitionIds.ContainsKey($name)) {
                            $roleDefinitionIds = $policyNeededRoleDefinitionIds.$name
                        }
                    }
                }
                else {
                    Write-Error "Neither policyName nor initiativeName specified for Assignment `'$($def.assignment.DisplayName)`' ($($def.assignment.Name))  - must specify exactly one"
                    continue
                }

after the changes I made below everything returned to normal

             if ($policyAssignmentEntry.initiativeName) {
                    $name = $policyAssignmentEntry.initiativeName
                    if ($friendlyName) {
                        $policySpecText = "Initiative '$name' - '$friendlyName'"
                    }
                    else {
                        $policySpecText = "Initiative '$name'"
                    }
                    $result = Confirm-InitiativeDefinitionUsedExists -allInitiativeDefinitions $allInitiativeDefinitions -replacedInitiativeDefinitions $replacedInitiativeDefinitions -initiativeNameRequired $name
                    if ($result.usingUndefinedReference) {
                        continue
                    }
                    else {
                        $initiativeDefinition = $allInitiativeDefinitions[$name]
                        if ($customInitiativeDefinitions.ContainsKey($name)) {
                            # is custom
                            $policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
                            $parametersInDefinition = $initiativeDefinition.Parameter
                        }
                        else {
                            # is built in
                            $policyDefinitionId = "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
                            $parametersInDefinition = $policyDefinition.parameters
                        }
                        $policySpec = @{ initiativeId = $policyDefinitionId }
                        if ($initiativeNeededRoleDefinitionIds.ContainsKey($name)) {
                            $roleDefinitionIds = $initiativeNeededRoleDefinitionIds.$name
                        }
                    }
                }
                elseif ($policyAssignmentEntry.policyName) {
                    $name = $policyAssignmentEntry.policyName
                    if ($friendlyName) {
                        $policySpecText = "Policy '$name' - '$friendlyName'"
                    }
                    else {
                        $policySpecText = "Policy '$($name)'"
                    }
                    $result = Confirm-PolicyDefinitionUsedExists -allPolicyDefinitions $allPolicyDefinitions -replacedPolicyDefinitions $replacedPolicyDefinitions -policyNameRequired $name
                    if ($result.usingUndefinedReference) {
                        continue
                    }
                    else {
                        $policyDefinition = $allPolicyDefinitions[$name]
                        if ($customPolicyDefinitions.ContainsKey($name)) {
                            # is custom
                            $policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policyDefinitions/" + $name
                            $parametersInDefinition = $policyDefinition.Parameter
                        }
                        else {
                            # is built in
                            $policyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/" + $name
                            $parametersInDefinition = $policyDefinition.parameters
                        }
                        $policySpec = @{ policyId = $policyDefinitionId }
                        if ($policyNeededRoleDefinitionIds.ContainsKey($name)) {
                            $roleDefinitionIds = $policyNeededRoleDefinitionIds.$name
                        }
                    }
                }

Did a similar problem occur for you?
Whether changing 'Parameter' and 'parameters' for 'Parameter' was intentional?
br,
Aleksander

Error on Deploy Policies, Initiatives, Policy Assignments step

Hello,
This is REPO is great! We have waiting for this for so long! Congrats and cheers!

I'm trying to deploy a very basic policy, and I get this error:

Delete obsolete and replaced Assignments (0)
Delete obsolete and replaced Initiative definitions (0)
Delete replaced Policy definitions (0)
---------------------------------------------------------------------------------------------------
Create new and replaced (create) Policy definitions (1)
    "emailalerts" - "EPACemailalerts"
Loaded Module 'Az.Accounts'
Loaded Module 'Az.MSGraph'
Loaded Module 'Az.Accounts'
Loaded Module 'Az.Authorization'
New-AzPolicyDefinition: /home/vsts/work/1/s/Scripts/Deploy/Deploy-AzPoliciesInitiativesAssignmentsFromPlan.ps1:195
Line |
 195 |          $null = New-AzPolicyDefinition @policyDefinition
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Unexpected character encountered while parsing value: T. Path
     | '', line 0, position 0.

##[error]PowerShell exited with code '1'.

Attached is my policy and assignment.
Can you please let me know what is missing?
Thanks,
Miguel

{
    "nodeName": "/Loc/",
    "assignment": {
        "name": "epacsqlalert",
        "displayName": "epac sql alerts",
        "description": "epac sql alerts"
    },
    "definitionEntry": {
        "policyName": "emailalerts",
        "friendlyNameToDocumentIfGuid": ""
    },
    "parameters": {
        "securityAlertPolicyEmail": {
            "value": "[email protected]"
        }
    },
    "scope": {
        "epac-dev": [
            "/subscriptions/xxxxxxxxxxxx"
        ]
    }
}

{
    "nodeName": "/Loc/",
    "assignment": {
        "name": "epacsqlalert",
        "displayName": "epac sql alerts",
        "description": "epac sql alerts"
    },
    "definitionEntry": {
        "policyName": "emailalerts",
        "friendlyNameToDocumentIfGuid": ""
    },
    "parameters": {
        "securityAlertPolicyEmail": {
            "value": "[email protected]"
        }
    },
    "scope": {
        "epac-dev": [
            "/subscriptions/xxxxxxxxxxxx"
        ]
    }
}

{
    "name": "emailalerts",
    "properties": {
        "displayName": "EPACemailalerts",
        "description": "EPACemailalerts",
        "assigmentName": "EPACemailalerts"
    },
        "parameters": {
        "securityAlertPolicyEmail": {
            "type": "String",
            "metadata": {
                "description": "The email address to send alerts",
                "displayName": "Email Address"
            }
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Sql/managedInstances"
                }
            ]
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies",
                "name": "default",
                "existenceCondition": {
                    "allOf": [
                        {
                            "field": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/state",
                            "equals": "Enabled"
                        }
                    ]
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
                ],
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "location": {
                                    "type": "string"
                                },
                                "sqlManagedInstanceName": {
                                    "type": "string"
                                },
                                "sqlManagedInstanceDataBaseName": {
                                    "type": "string"
                                },
                                "securityAlertPolicyEmail": {
                                    "type": "string"
                                }
                            },
                            "variables": {},
                            "resources": [
                                {
                                    "type": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies",
                                    "apiVersion": "2017-03-01-preview",
                                    "name": "[concat(parameters('sqlManagedInstanceName'), '/', parameters('sqlManagedInstanceDataBaseName'), '/default')]",
                                    "properties": {
                                        "state": "Enabled",
                                        "disabledAlerts": [
                                            ""
                                        ],
                                        "emailAddresses": [
                                            "[parameters('securityAlertPolicyEmail')]"
                                        ],
                                        "emailAccountAdmins": true,
                                        "storageEndpoint": null,
                                        "storageAccountAccessKey": "",
                                        "retentionDays": 0
                                    }
                                }
                            ],
                            "outputs": {}
                        },
                        "parameters": {
                            "location": {
                                "value": "[field('location')]"
                            },
                            "sqlManagedInstanceName": {
                                "value": "[first(split(field('fullname'),'/'))]"
                            },
                            "sqlManagedInstanceDataBaseName": {
                                "value": "[field('name')]"
                            },
                            "securityAlertPolicyEmail": {
                                "value": "[parameters('securityAlertPolicyEmail')]"
                            }
                        }
                    }
                }
            }
        }
    }    
}

Pull request instructions

I created a pull request with a small fix, but I don't think it worked (at least I can't see any evidence of it!) Are there any instructions to follow to successfully do this?

Least privilege improvement for the planning stage of the deployments

Hi,
in the documentation of epac the permission
Microsoft.Management/register/action
is required for the custom role EPAC Policy Reader role.
According to our current testing and knowledge, the Reader Role would be sufficient for the planning stage.
However, this would require to add a --no-register parameter in the scripts for the command
az account management-group show --name LH_Management_Group --expand --recurse
Like this:
az account management-group show --name LH_Management_Group --expand --recurse --no-register

Is there some unknown reason to keep this permission in the custom role?

Documentation wrongly states non-existent AZ Nodule version 9.3.1

Change Role Name

By adding the unique prefix "EPAC" to the existing role name, we can help to prevent collisions.

Folder selection naming is incorrect pipeline

Getting following error in https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/StarterKit/Pipelines/AzureDevOps/multi-tenant-pipeline.yml

Encountered error(s) while parsing pipeline YAML: /pipeline.yml: (Line: 25, Col: 9, Idx: 861) - (Line: 25, Col: 10, Idx: 862): While scanning an anchor or alias, did not find expected alphabetic or numeric character.

I assume it shall be /*, not *

Why this condition is even there if it's wildcard

Feature: Support policyResourceSelector in Policy Assignments

Getting `Operation returned an invalid status code 'Conflict'` on second run for Role Assignment

Hello

My policy is as below. First run of pipeline works fine and policy assignment is created but on second run exception is thrown (log is below). It seems that script does not recognize existing assignment and trying to create a new one despite one already existing.

      "policyRule": {
         "if": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
         },
         "then": {
            "effect": "modify",
            "details": {
               "roleDefinitionIds": [
                  "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
               ],
               "operations": [
                  {
                     "operation": "add",
                     "field": "[concat('tags[', parameters('tagName'), ']')]",
                     "value": "[utcNow()]"
                  }
               ]
            }
         }
      },

2023-01-26T14:29:46.9707155Z ##[section]Starting: Deploy PAC-DEV Role Assignments
2023-01-26T14:29:46.9924755Z ==============================================================================
2023-01-26T14:29:46.9925031Z Task         : Azure PowerShell
2023-01-26T14:29:46.9925187Z Description  : Run a PowerShell script within an Azure environment
2023-01-26T14:29:46.9925376Z Version      : 5.209.0
2023-01-26T14:29:46.9925518Z Author       : Microsoft Corporation
2023-01-26T14:29:46.9925669Z Help         : https://aka.ms/azurepowershelltroubleshooting
2023-01-26T14:29:46.9925859Z ==============================================================================
2023-01-26T14:29:48.6152651Z Generating script.
2023-01-26T14:29:48.6327275Z ========================== Starting Command Output ===========================
2023-01-26T14:29:48.6681257Z ##[command]"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\97b293be-d6f9-4ba8-9bd8-e713c528a799.ps1'"
2023-01-26T14:29:49.9611502Z Added TLS 1.2 in session.
2023-01-26T14:29:50.1715119Z ##[command]Import-Module -Name C:\Modules\az_9.2.0\Az.Accounts\2.11.1\Az.Accounts.psd1 -Global
2023-01-26T14:29:50.3752887Z �[33;1mWARNING: Both Az and AzureRM modules were detected on this machine. Az and AzureRM modules cannot be imported in the same session or used in the same script or runbook. If you are running PowerShell in an environment you control you can use the 'Uninstall-AzureRm' cmdlet to remove all AzureRm modules from your machine. If you are running in Azure Automation, take care that none of your runbooks import both Az and AzureRM modules. More information can be found here: https://aka.ms/azps-migration-guide�[0m
2023-01-26T14:29:50.7457417Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-01-26T14:29:51.0189093Z ##[command]Clear-AzContext -Scope Process
2023-01-26T14:29:51.1218301Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant 79c33897-1d6c-45d6-92ad-8c26b93e2199 -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-01-26T14:29:52.9496266Z 
2023-01-26T14:29:52.9497499Z ===================================================================================================
2023-01-26T14:29:52.9500492Z Read global settings from './Definitions/global-settings.jsonc'.
2023-01-26T14:29:52.9501181Z ===================================================================================================
2023-01-26T14:29:53.0193874Z PAC Environments: epac-dev, dev-environment, prod-environment
2023-01-26T14:29:53.0196382Z Definitions root folder: ./Definitions
2023-01-26T14:29:53.0196979Z Input folder: ./Output
2023-01-26T14:29:53.0200157Z Output folder: ./Output
2023-01-26T14:29:53.0201908Z 
2023-01-26T14:29:53.0284347Z Environment Selected: epac-dev
2023-01-26T14:29:53.0286370Z     cloud      = AzureCloud
2023-01-26T14:29:53.0289151Z     tenant     = 79c33897-1d6c-45d6-92ad-8c26b93e2199
2023-01-26T14:29:53.0291255Z     root scope = /providers/Microsoft.Management/managementGroups/EPAC-Dev
2023-01-26T14:29:53.0292500Z 
2023-01-26T14:29:53.0559947Z �[33;1mVERBOSE: Populating RepositorySourceLocation property for module Az.ResourceGraph.�[0m
2023-01-26T14:29:53.0809525Z PowerShell Versions: 7.2.8
2023-01-26T14:29:53.1070000Z ***************************************************************************************************
2023-01-26T14:29:53.1071059Z Deploy Role assignments from plan in file './Output/plans-epac-dev/roles-plan.json'
2023-01-26T14:29:53.1085308Z Plan created on 2023-01-26 14:29:41Z.
2023-01-26T14:29:53.1086193Z ***************************************************************************************************
2023-01-26T14:29:53.1150278Z ===================================================================================================
2023-01-26T14:29:53.1151085Z Add (1) new Role assignments
2023-01-26T14:29:53.1151765Z ---------------------------------------------------------------------------------------------------
2023-01-26T14:29:53.1224138Z : Tag Contributor(4a9ae827-6dc8-4573-8ac7-8239d42aa03f) at /providers/Microsoft.Management/managementGroups/EPAC-Dev
2023-01-26T14:29:53.3741027Z Loaded Module 'Az.Accounts'
2023-01-26T14:29:53.3750043Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\MSGraph.Autorest\bin\Az.MSGraph.private.dll'.�[0m


2023-01-26T14:29:54.9810830Z Loaded Module 'Az.MSGraph'
2023-01-26T14:29:54.9982342Z Loaded Module 'Az.Accounts'
2023-01-26T14:29:54.9990696Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\Authorization.Autorest\bin\Az.Authorization.private.dll'.�[0m
2023-01-26T14:29:55.0147480Z �[33;1mVERBOSE: Importing cmdlet 'Export-CmdletSurface'.�[0m
2023-01-26T14:29:55.0148381Z �[33;1mVERBOSE: Importing cmdlet 'Export-ExampleStub'.�[0m
2023-01-26T14:29:55.0149044Z �[33;1mVERBOSE: Importing cmdlet 'Export-FormatPs1xml'.�[0m
2023-01-26T14:29:55.0149674Z �[33;1mVERBOSE: Importing cmdlet 'Export-HelpMarkdown'.�[0m
2023-01-26T14:29:55.0150295Z �[33;1mVERBOSE: Importing cmdlet 'Export-ModelSurface'.�[0m
2023-01-26T14:29:55.0150894Z �[33;1mVERBOSE: Importing cmdlet 'Export-ProxyCmdlet'.�[0m
2023-01-26T14:29:55.0151465Z �[33;1mVERBOSE: Importing cmdlet 'Export-Psd1'.�[0m
2023-01-26T14:29:55.0152083Z �[33;1mVERBOSE: Importing cmdlet 'Export-TestStub'.�[0m
2023-01-26T14:29:55.0153103Z �[33;1mVERBOSE: Importing cmdlet 'Get-CommonParameter'.�[0m
2023-01-26T14:29:55.0153596Z �[33;1mVERBOSE: Importing cmdlet 'Get-ModuleGuid'.�[0m
2023-01-26T14:29:55.0153998Z �[33;1mVERBOSE: Importing cmdlet 'Get-ScriptCmdlet'.�[0m
2023-01-26T14:29:55.0154432Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_Get'.�[0m
2023-01-26T14:29:55.0154961Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0155477Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_List'.�[0m
2023-01-26T14:29:55.0156158Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_Get'.�[0m
2023-01-26T14:29:55.0157781Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0158660Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_List'.�[0m
2023-01-26T14:29:55.0159359Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_Get'.�[0m
2023-01-26T14:29:55.0159910Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0160383Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_List'.�[0m
2023-01-26T14:29:55.0160874Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_Get'.�[0m
2023-01-26T14:29:55.0162263Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0162774Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_List'.�[0m
2023-01-26T14:29:55.0163269Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_Get'.�[0m
2023-01-26T14:29:55.0164703Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0166662Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_List'.�[0m
2023-01-26T14:29:55.0167650Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_Get'.�[0m
2023-01-26T14:29:55.0173968Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0174625Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_List'.�[0m
2023-01-26T14:29:55.0175109Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibleChildResource_Get'.�[0m
2023-01-26T14:29:55.0175591Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibleChildResource_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0176112Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_Get'.�[0m
2023-01-26T14:29:55.0176621Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0177678Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_List'.�[0m
2023-01-26T14:29:55.0178164Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_Get'.�[0m
2023-01-26T14:29:55.0178640Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0179119Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_List'.�[0m
2023-01-26T14:29:55.0179612Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleAssignmentScheduleRequest_CreateExpanded'.�[0m
2023-01-26T14:29:55.0180127Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleEligibilityScheduleRequest_CreateExpanded'.�[0m
2023-01-26T14:29:55.0180657Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleManagementPolicyAssignment_CreateExpanded'.�[0m
2023-01-26T14:29:55.0181187Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicyAssignment_Delete'.�[0m
2023-01-26T14:29:55.0181703Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicyAssignment_DeleteViaIdentity'.�[0m
2023-01-26T14:29:55.0182692Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicy_Delete'.�[0m
2023-01-26T14:29:55.0183201Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicy_DeleteViaIdentity'.�[0m
2023-01-26T14:29:55.0183851Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleAssignmentScheduleRequest_Cancel'.�[0m
2023-01-26T14:29:55.0184671Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleAssignmentScheduleRequest_CancelViaIdentity'.�[0m
2023-01-26T14:29:55.0185180Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleEligibilityScheduleRequest_Cancel'.�[0m
2023-01-26T14:29:55.0185712Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleEligibilityScheduleRequest_CancelViaIdentity'.�[0m
2023-01-26T14:29:55.0186327Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzRoleManagementPolicy_UpdateExpanded'.�[0m
2023-01-26T14:29:55.0187347Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzRoleManagementPolicy_UpdateViaIdentityExpanded'.�[0m
2023-01-26T14:29:55.0264795Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\Authorization.Autorest\custom\Az.Authorization.custom.psm1'.�[0m
2023-01-26T14:29:55.0424212Z �[33;1mVERBOSE: Importing cmdlet 'Export-CmdletSurface'.�[0m
2023-01-26T14:29:55.0426058Z �[33;1mVERBOSE: Importing cmdlet 'Export-ExampleStub'.�[0m
2023-01-26T14:29:55.0426779Z �[33;1mVERBOSE: Importing cmdlet 'Export-FormatPs1xml'.�[0m
2023-01-26T14:29:55.0427481Z �[33;1mVERBOSE: Importing cmdlet 'Export-HelpMarkdown'.�[0m
2023-01-26T14:29:55.0428114Z �[33;1mVERBOSE: Importing cmdlet 'Export-ModelSurface'.�[0m
2023-01-26T14:29:55.0428772Z �[33;1mVERBOSE: Importing cmdlet 'Export-ProxyCmdlet'.�[0m
2023-01-26T14:29:55.0429383Z �[33;1mVERBOSE: Importing cmdlet 'Export-Psd1'.�[0m
2023-01-26T14:29:55.0430367Z �[33;1mVERBOSE: Importing cmdlet 'Export-TestStub'.�[0m
2023-01-26T14:29:55.0431020Z �[33;1mVERBOSE: Importing cmdlet 'Get-CommonParameter'.�[0m
2023-01-26T14:29:55.0431571Z �[33;1mVERBOSE: Importing cmdlet 'Get-ModuleGuid'.�[0m
2023-01-26T14:29:55.0432200Z �[33;1mVERBOSE: Importing cmdlet 'Get-ScriptCmdlet'.�[0m
2023-01-26T14:29:55.0432894Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_Get'.�[0m
2023-01-26T14:29:55.0433692Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0434297Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_List'.�[0m
2023-01-26T14:29:55.0434797Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_Get'.�[0m
2023-01-26T14:29:55.0435311Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0435824Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_List'.�[0m
2023-01-26T14:29:55.0436289Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_Get'.�[0m
2023-01-26T14:29:55.0436829Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0437313Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_List'.�[0m
2023-01-26T14:29:55.0437779Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_Get'.�[0m
2023-01-26T14:29:55.0438296Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0438985Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_List'.�[0m
2023-01-26T14:29:55.0439493Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_Get'.�[0m
2023-01-26T14:29:55.0440008Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0440506Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_List'.�[0m
2023-01-26T14:29:55.0440986Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_Get'.�[0m
2023-01-26T14:29:55.0441450Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0441918Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_List'.�[0m
2023-01-26T14:29:55.0442391Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibleChildResource_Get'.�[0m
2023-01-26T14:29:55.0442889Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibleChildResource_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0443377Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_Get'.�[0m
2023-01-26T14:29:55.0444288Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0445005Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_List'.�[0m
2023-01-26T14:29:55.0445717Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_Get'.�[0m
2023-01-26T14:29:55.0446219Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0446684Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_List'.�[0m
2023-01-26T14:29:55.0447182Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleAssignmentScheduleRequest_CreateExpanded'.�[0m
2023-01-26T14:29:55.0447707Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleEligibilityScheduleRequest_CreateExpanded'.�[0m
2023-01-26T14:29:55.0448221Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleManagementPolicyAssignment_CreateExpanded'.�[0m
2023-01-26T14:29:55.0448745Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicyAssignment_Delete'.�[0m
2023-01-26T14:29:55.0449264Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicyAssignment_DeleteViaIdentity'.�[0m
2023-01-26T14:29:55.0449777Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicy_Delete'.�[0m
2023-01-26T14:29:55.0450275Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicy_DeleteViaIdentity'.�[0m
2023-01-26T14:29:55.0450874Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleAssignmentScheduleRequest_Cancel'.�[0m
2023-01-26T14:29:55.0451383Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleAssignmentScheduleRequest_CancelViaIdentity'.�[0m
2023-01-26T14:29:55.0451910Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleEligibilityScheduleRequest_Cancel'.�[0m
2023-01-26T14:29:55.0452424Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleEligibilityScheduleRequest_CancelViaIdentity'.�[0m
2023-01-26T14:29:55.0452947Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzRoleManagementPolicy_UpdateExpanded'.�[0m
2023-01-26T14:29:55.0453462Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzRoleManagementPolicy_UpdateViaIdentityExpanded'.�[0m
2023-01-26T14:29:55.0454142Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\Authorization.Autorest\internal\Az.Authorization.internal.psm1'.�[0m
2023-01-26T14:29:55.0594754Z �[33;1mVERBOSE: Importing cmdlet 'Export-CmdletSurface'.�[0m
2023-01-26T14:29:55.0595671Z �[33;1mVERBOSE: Importing cmdlet 'Export-ExampleStub'.�[0m
2023-01-26T14:29:55.0596157Z �[33;1mVERBOSE: Importing cmdlet 'Export-FormatPs1xml'.�[0m
2023-01-26T14:29:55.0596576Z �[33;1mVERBOSE: Importing cmdlet 'Export-HelpMarkdown'.�[0m
2023-01-26T14:29:55.0596974Z �[33;1mVERBOSE: Importing cmdlet 'Export-ModelSurface'.�[0m
2023-01-26T14:29:55.0597433Z �[33;1mVERBOSE: Importing cmdlet 'Export-ProxyCmdlet'.�[0m
2023-01-26T14:29:55.0598056Z �[33;1mVERBOSE: Importing cmdlet 'Export-Psd1'.�[0m
2023-01-26T14:29:55.0598543Z �[33;1mVERBOSE: Importing cmdlet 'Export-TestStub'.�[0m
2023-01-26T14:29:55.0598967Z �[33;1mVERBOSE: Importing cmdlet 'Get-CommonParameter'.�[0m
2023-01-26T14:29:55.0599593Z �[33;1mVERBOSE: Importing cmdlet 'Get-ModuleGuid'.�[0m
2023-01-26T14:29:55.0600220Z �[33;1mVERBOSE: Importing cmdlet 'Get-ScriptCmdlet'.�[0m
2023-01-26T14:29:55.0600903Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_Get'.�[0m
2023-01-26T14:29:55.0601685Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0602503Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleInstance_List'.�[0m
2023-01-26T14:29:55.0603092Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_Get'.�[0m
2023-01-26T14:29:55.0603606Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0604117Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentScheduleRequest_List'.�[0m
2023-01-26T14:29:55.0604579Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_Get'.�[0m
2023-01-26T14:29:55.0605399Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0605883Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignmentSchedule_List'.�[0m
2023-01-26T14:29:55.0606350Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_Get'.�[0m
2023-01-26T14:29:55.0606865Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0607370Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleInstance_List'.�[0m
2023-01-26T14:29:55.0607872Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_Get'.�[0m
2023-01-26T14:29:55.0608390Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0608886Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilityScheduleRequest_List'.�[0m
2023-01-26T14:29:55.0609361Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_Get'.�[0m
2023-01-26T14:29:55.0609848Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0610324Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibilitySchedule_List'.�[0m
2023-01-26T14:29:55.0610795Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibleChildResource_Get'.�[0m
2023-01-26T14:29:55.0611335Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleEligibleChildResource_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0611921Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_Get'.�[0m
2023-01-26T14:29:55.0612437Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0612934Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicyAssignment_List'.�[0m
2023-01-26T14:29:55.0613411Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_Get'.�[0m
2023-01-26T14:29:55.0613890Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_GetViaIdentity'.�[0m
2023-01-26T14:29:55.0614351Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleManagementPolicy_List'.�[0m
2023-01-26T14:29:55.0614849Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleAssignmentScheduleRequest_CreateExpanded'.�[0m
2023-01-26T14:29:55.0615379Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleEligibilityScheduleRequest_CreateExpanded'.�[0m
2023-01-26T14:29:55.0615897Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleManagementPolicyAssignment_CreateExpanded'.�[0m
2023-01-26T14:29:55.0616427Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicyAssignment_Delete'.�[0m
2023-01-26T14:29:55.0616944Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicyAssignment_DeleteViaIdentity'.�[0m
2023-01-26T14:29:55.0617460Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicy_Delete'.�[0m
2023-01-26T14:29:55.0617959Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleManagementPolicy_DeleteViaIdentity'.�[0m
2023-01-26T14:29:55.0618451Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleAssignmentScheduleRequest_Cancel'.�[0m
2023-01-26T14:29:55.0618974Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleAssignmentScheduleRequest_CancelViaIdentity'.�[0m
2023-01-26T14:29:55.0619505Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleEligibilityScheduleRequest_Cancel'.�[0m
2023-01-26T14:29:55.0620013Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzRoleEligibilityScheduleRequest_CancelViaIdentity'.�[0m
2023-01-26T14:29:55.0620536Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzRoleManagementPolicy_UpdateExpanded'.�[0m
2023-01-26T14:29:55.0621052Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzRoleManagementPolicy_UpdateViaIdentityExpanded'.�[0m
2023-01-26T14:29:55.2297812Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleAssignmentScheduleInstance'.�[0m
2023-01-26T14:29:55.2298967Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleAssignmentScheduleRequest'.�[0m
2023-01-26T14:29:55.2299667Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleAssignmentSchedule'.�[0m
2023-01-26T14:29:55.2300137Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleEligibilityScheduleInstance'.�[0m
2023-01-26T14:29:55.2300963Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleEligibilityScheduleRequest'.�[0m
2023-01-26T14:29:55.2301416Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleEligibilitySchedule'.�[0m
2023-01-26T14:29:55.2301884Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleEligibleChildResource'.�[0m
2023-01-26T14:29:55.2302359Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleManagementPolicyAssignment'.�[0m
2023-01-26T14:29:55.2302829Z �[33;1mVERBOSE: Exporting function 'Get-AzRoleManagementPolicy'.�[0m
2023-01-26T14:29:55.2303301Z �[33;1mVERBOSE: Exporting function 'New-AzRoleAssignmentScheduleRequest'.�[0m
2023-01-26T14:29:55.2303781Z �[33;1mVERBOSE: Exporting function 'New-AzRoleEligibilityScheduleRequest'.�[0m
2023-01-26T14:29:55.2304244Z �[33;1mVERBOSE: Exporting function 'New-AzRoleManagementPolicyAssignment'.�[0m
2023-01-26T14:29:55.2304728Z �[33;1mVERBOSE: Exporting function 'Remove-AzRoleManagementPolicyAssignment'.�[0m
2023-01-26T14:29:55.2305190Z �[33;1mVERBOSE: Exporting function 'Remove-AzRoleManagementPolicy'.�[0m
2023-01-26T14:29:55.2305665Z �[33;1mVERBOSE: Exporting function 'Stop-AzRoleAssignmentScheduleRequest'.�[0m
2023-01-26T14:29:55.2306147Z �[33;1mVERBOSE: Exporting function 'Stop-AzRoleEligibilityScheduleRequest'.�[0m
2023-01-26T14:29:55.2306599Z �[33;1mVERBOSE: Exporting function 'Update-AzRoleManagementPolicy'.�[0m
2023-01-26T14:29:55.2336213Z Loaded Module 'Az.Authorization'
2023-01-26T14:29:55.2615108Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\Microsoft.Azure.PowerShell.Cmdlets.Resources.dll'.�[0m
2023-01-26T14:29:55.2672949Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzDenyAssignment'.�[0m
2023-01-26T14:29:55.2673834Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzProviderOperation'.�[0m
2023-01-26T14:29:55.2674443Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleAssignment'.�[0m
2023-01-26T14:29:55.2675088Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleAssignment'.�[0m
2023-01-26T14:29:55.2675728Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleAssignment'.�[0m
2023-01-26T14:29:55.2676292Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzRoleAssignment'.�[0m
2023-01-26T14:29:55.2676725Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzRoleDefinition'.�[0m
2023-01-26T14:29:55.2677139Z �[33;1mVERBOSE: Importing cmdlet 'New-AzRoleDefinition'.�[0m
2023-01-26T14:29:55.2677548Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzRoleDefinition'.�[0m
2023-01-26T14:29:55.2677978Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzRoleDefinition'.�[0m
2023-01-26T14:29:55.2678400Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzPrivateLinkAssociation'.�[0m
2023-01-26T14:29:55.2678872Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzResourceManagementPrivateLink'.�[0m
2023-01-26T14:29:55.2679333Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzPrivateLinkAssociation'.�[0m
2023-01-26T14:29:55.2679777Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceManagementPrivateLink'.�[0m
2023-01-26T14:29:55.2680233Z �[33;1mVERBOSE: Importing cmdlet 'New-AzPrivateLinkAssociation'.�[0m
2023-01-26T14:29:55.2680692Z �[33;1mVERBOSE: Importing cmdlet 'New-AzResourceManagementPrivateLink'.�[0m
2023-01-26T14:29:55.2681145Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupEntity'.�[0m
2023-01-26T14:29:55.2681575Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroup'.�[0m
2023-01-26T14:29:55.2682124Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzTenantBackfillStatus'.�[0m
2023-01-26T14:29:55.2682716Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupHierarchySetting'.�[0m
2023-01-26T14:29:55.2683392Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupNameAvailability'.�[0m
2023-01-26T14:29:55.2683858Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupSubscription'.�[0m
2023-01-26T14:29:55.2684333Z �[33;1mVERBOSE: Importing cmdlet 'New-AzManagementGroup'.�[0m
2023-01-26T14:29:55.2684770Z �[33;1mVERBOSE: Importing cmdlet 'New-AzManagementGroupHierarchySetting'.�[0m
2023-01-26T14:29:55.2685239Z �[33;1mVERBOSE: Importing cmdlet 'New-AzManagementGroupSubscription'.�[0m
2023-01-26T14:29:55.2685685Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzManagementGroup'.�[0m
2023-01-26T14:29:55.2686400Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzManagementGroupHierarchySetting'.�[0m
2023-01-26T14:29:55.2686882Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzManagementGroupSubscription'.�[0m
2023-01-26T14:29:55.2687331Z �[33;1mVERBOSE: Importing cmdlet 'Start-AzTenantBackfill'.�[0m
2023-01-26T14:29:55.2687748Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzManagementGroup'.�[0m
2023-01-26T14:29:55.2688213Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzManagementGroupHierarchySetting'.�[0m
2023-01-26T14:29:55.2688663Z �[33;1mVERBOSE: Importing alias 'Get-AzResourceProviderAction'.�[0m
2023-01-26T14:29:55.2689239Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\Microsoft.Azure.PowerShell.Cmdlets.ResourceManager.dll'.�[0m
2023-01-26T14:29:55.2783750Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzResourceGroup'.�[0m
2023-01-26T14:29:55.2784634Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzDeploymentScript'.�[0m
2023-01-26T14:29:55.2785356Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzDeploymentScriptLog'.�[0m
2023-01-26T14:29:55.2786038Z �[33;1mVERBOSE: Importing cmdlet 'Save-AzDeploymentScriptLog'.�[0m
2023-01-26T14:29:55.2786687Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupDeployment'.�[0m
2023-01-26T14:29:55.2787383Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupDeploymentOperation'.�[0m
2023-01-26T14:29:55.2788555Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagementGroupDeploymentWhatIfResult'.�[0m
2023-01-26T14:29:55.2789223Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzDeployment'.�[0m
2023-01-26T14:29:55.2789885Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzDeploymentOperation'.�[0m
2023-01-26T14:29:55.2790582Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzDeploymentWhatIfResult'.�[0m
2023-01-26T14:29:55.2791037Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzTenantDeployment'.�[0m
2023-01-26T14:29:55.2791478Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzTenantDeploymentOperation'.�[0m
2023-01-26T14:29:55.2792070Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzTenantDeploymentWhatIfResult'.�[0m
2023-01-26T14:29:55.2792718Z �[33;1mVERBOSE: Importing cmdlet 'New-AzManagementGroupDeployment'.�[0m
2023-01-26T14:29:55.2793362Z �[33;1mVERBOSE: Importing cmdlet 'New-AzDeployment'.�[0m
2023-01-26T14:29:55.2794071Z �[33;1mVERBOSE: Importing cmdlet 'New-AzTenantDeployment'.�[0m
2023-01-26T14:29:55.2794659Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzManagementGroupDeployment'.�[0m
2023-01-26T14:29:55.2795350Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzDeployment'.�[0m
2023-01-26T14:29:55.2796027Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzTenantDeployment'.�[0m
2023-01-26T14:29:55.2796774Z �[33;1mVERBOSE: Importing cmdlet 'Save-AzManagementGroupDeploymentTemplate'.�[0m
2023-01-26T14:29:55.2797414Z �[33;1mVERBOSE: Importing cmdlet 'Save-AzDeploymentTemplate'.�[0m
2023-01-26T14:29:55.2798088Z �[33;1mVERBOSE: Importing cmdlet 'Save-AzTenantDeploymentTemplate'.�[0m
2023-01-26T14:29:55.2798765Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzManagementGroupDeployment'.�[0m
2023-01-26T14:29:55.2799350Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzDeployment'.�[0m
2023-01-26T14:29:55.2799773Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzTenantDeployment'.�[0m
2023-01-26T14:29:55.2800307Z �[33;1mVERBOSE: Importing cmdlet 'Test-AzManagementGroupDeployment'.�[0m
2023-01-26T14:29:55.2800979Z �[33;1mVERBOSE: Importing cmdlet 'Test-AzDeployment'.�[0m
2023-01-26T14:29:55.2801655Z �[33;1mVERBOSE: Importing cmdlet 'Test-AzTenantDeployment'.�[0m
2023-01-26T14:29:55.2802322Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzProviderFeature'.�[0m
2023-01-26T14:29:55.2802913Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzProviderPreviewFeature'.�[0m
2023-01-26T14:29:55.2803369Z �[33;1mVERBOSE: Importing cmdlet 'Register-AzProviderFeature'.�[0m
2023-01-26T14:29:55.2804046Z �[33;1mVERBOSE: Importing cmdlet 'Register-AzProviderPreviewFeature'.�[0m
2023-01-26T14:29:55.2804511Z �[33;1mVERBOSE: Importing cmdlet 'Unregister-AzProviderFeature'.�[0m
2023-01-26T14:29:55.2804958Z �[33;1mVERBOSE: Importing cmdlet 'Unregister-AzProviderPreviewFeature'.�[0m
2023-01-26T14:29:55.2805886Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzLocation'.�[0m
2023-01-26T14:29:55.2806489Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceLock'.�[0m
2023-01-26T14:29:55.2807151Z �[33;1mVERBOSE: Importing cmdlet 'New-AzResourceLock'.�[0m
2023-01-26T14:29:55.2807814Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzResourceLock'.�[0m
2023-01-26T14:29:55.2808481Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzResourceLock'.�[0m
2023-01-26T14:29:55.2809141Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagedApplication'.�[0m
2023-01-26T14:29:55.2809840Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzManagedApplicationDefinition'.�[0m
2023-01-26T14:29:55.2810356Z �[33;1mVERBOSE: Importing cmdlet 'New-AzManagedApplication'.�[0m
2023-01-26T14:29:55.2810805Z �[33;1mVERBOSE: Importing cmdlet 'New-AzManagedApplicationDefinition'.�[0m
2023-01-26T14:29:55.2811247Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzManagedApplication'.�[0m
2023-01-26T14:29:55.2811716Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzManagedApplicationDefinition'.�[0m
2023-01-26T14:29:55.2812509Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzManagedApplication'.�[0m
2023-01-26T14:29:55.2813111Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzManagedApplicationDefinition'.�[0m
2023-01-26T14:29:55.2813555Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzPolicyAlias'.�[0m
2023-01-26T14:29:55.2814096Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzPolicyAssignment'.�[0m
2023-01-26T14:29:55.2814524Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzPolicyDefinition'.�[0m
2023-01-26T14:29:55.2814946Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzPolicyExemption'.�[0m
2023-01-26T14:29:55.2815553Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzPolicySetDefinition'.�[0m
2023-01-26T14:29:55.2815982Z �[33;1mVERBOSE: Importing cmdlet 'New-AzPolicyAssignment'.�[0m
2023-01-26T14:29:55.2816406Z �[33;1mVERBOSE: Importing cmdlet 'New-AzPolicyDefinition'.�[0m
2023-01-26T14:29:55.2816818Z �[33;1mVERBOSE: Importing cmdlet 'New-AzPolicyExemption'.�[0m
2023-01-26T14:29:55.2817250Z �[33;1mVERBOSE: Importing cmdlet 'New-AzPolicySetDefinition'.�[0m
2023-01-26T14:29:55.2817668Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzPolicyAssignment'.�[0m
2023-01-26T14:29:55.2818100Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzPolicyDefinition'.�[0m
2023-01-26T14:29:55.2818671Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzPolicyExemption'.�[0m
2023-01-26T14:29:55.2819266Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzPolicySetDefinition'.�[0m
2023-01-26T14:29:55.2820371Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzPolicyAssignment'.�[0m
2023-01-26T14:29:55.2821015Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzPolicyDefinition'.�[0m
2023-01-26T14:29:55.2821475Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzPolicyExemption'.�[0m
2023-01-26T14:29:55.2822152Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzPolicySetDefinition'.�[0m
2023-01-26T14:29:55.2822584Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceProvider'.�[0m
2023-01-26T14:29:55.2823028Z �[33;1mVERBOSE: Importing cmdlet 'Register-AzResourceProvider'.�[0m
2023-01-26T14:29:55.2823481Z �[33;1mVERBOSE: Importing cmdlet 'Unregister-AzResourceProvider'.�[0m
2023-01-26T14:29:55.2823935Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceGroupDeployment'.�[0m
2023-01-26T14:29:55.2824403Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceGroupDeploymentOperation'.�[0m
2023-01-26T14:29:55.2824886Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceGroupDeploymentWhatIfResult'.�[0m
2023-01-26T14:29:55.2825427Z �[33;1mVERBOSE: Importing cmdlet 'New-AzResourceGroupDeployment'.�[0m
2023-01-26T14:29:55.2825880Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzResourceGroupDeployment'.�[0m
2023-01-26T14:29:55.2826337Z �[33;1mVERBOSE: Importing cmdlet 'Save-AzResourceGroupDeploymentTemplate'.�[0m
2023-01-26T14:29:55.2827035Z �[33;1mVERBOSE: Importing cmdlet 'Stop-AzResourceGroupDeployment'.�[0m
2023-01-26T14:29:55.2827490Z �[33;1mVERBOSE: Importing cmdlet 'Test-AzResourceGroupDeployment'.�[0m
2023-01-26T14:29:55.2827929Z �[33;1mVERBOSE: Importing cmdlet 'Export-AzResourceGroup'.�[0m
2023-01-26T14:29:55.2829148Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResourceGroup'.�[0m
2023-01-26T14:29:55.2829617Z �[33;1mVERBOSE: Importing cmdlet 'New-AzResourceGroup'.�[0m
2023-01-26T14:29:55.2830260Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzResourceGroup'.�[0m
2023-01-26T14:29:55.2830697Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzResource'.�[0m
2023-01-26T14:29:55.2831325Z �[33;1mVERBOSE: Importing cmdlet 'Invoke-AzResourceAction'.�[0m
2023-01-26T14:29:55.2831962Z �[33;1mVERBOSE: Importing cmdlet 'Move-AzResource'.�[0m
2023-01-26T14:29:55.2832563Z �[33;1mVERBOSE: Importing cmdlet 'New-AzResource'.�[0m
2023-01-26T14:29:55.2833173Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzResource'.�[0m
2023-01-26T14:29:55.2833894Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzResource'.�[0m
2023-01-26T14:29:55.2834291Z �[33;1mVERBOSE: Importing cmdlet 'Export-AzTemplateSpec'.�[0m
2023-01-26T14:29:55.2834710Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzTemplateSpec'.�[0m
2023-01-26T14:29:55.2835124Z �[33;1mVERBOSE: Importing cmdlet 'New-AzTemplateSpec'.�[0m
2023-01-26T14:29:55.2835542Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzTemplateSpec'.�[0m
2023-01-26T14:29:55.2835960Z �[33;1mVERBOSE: Importing cmdlet 'Set-AzTemplateSpec'.�[0m
2023-01-26T14:29:55.2836767Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzDeploymentScript'.�[0m
2023-01-26T14:29:55.2837600Z �[33;1mVERBOSE: Importing cmdlet 'Publish-AzBicepModule'.�[0m
2023-01-26T14:29:55.2838023Z �[33;1mVERBOSE: Importing alias 'Get-AzSubscriptionDeployment'.�[0m
2023-01-26T14:29:55.2838487Z �[33;1mVERBOSE: Importing alias 'Get-AzSubscriptionDeploymentOperation'.�[0m
2023-01-26T14:29:55.2838976Z �[33;1mVERBOSE: Importing alias 'Get-AzSubscriptionDeploymentWhatIfResult'.�[0m
2023-01-26T14:29:55.2839426Z �[33;1mVERBOSE: Importing alias 'New-AzSubscriptionDeployment'.�[0m
2023-01-26T14:29:55.2839873Z �[33;1mVERBOSE: Importing alias 'Remove-AzSubscriptionDeployment'.�[0m
2023-01-26T14:29:55.2840341Z �[33;1mVERBOSE: Importing alias 'Save-AzSubscriptionDeploymentTemplate'.�[0m
2023-01-26T14:29:55.2840797Z �[33;1mVERBOSE: Importing alias 'Stop-AzSubscriptionDeployment'.�[0m
2023-01-26T14:29:55.2841243Z �[33;1mVERBOSE: Importing alias 'Test-AzSubscriptionDeployment'.�[0m
2023-01-26T14:29:55.2842009Z �[33;1mVERBOSE: Loading module from path 'C:\Modules\az_9.2.0\Az.Resources\6.5.0\Microsoft.Azure.PowerShell.Cmdlets.Tags.dll'.�[0m
2023-01-26T14:29:55.2842611Z �[33;1mVERBOSE: Importing cmdlet 'Get-AzTag'.�[0m
2023-01-26T14:29:55.2842994Z �[33;1mVERBOSE: Importing cmdlet 'New-AzTag'.�[0m
2023-01-26T14:29:55.2843365Z �[33;1mVERBOSE: Importing cmdlet 'Remove-AzTag'.�[0m
2023-01-26T14:29:55.2843758Z �[33;1mVERBOSE: Importing cmdlet 'Update-AzTag'.�[0m
2023-01-26T14:29:56.4800090Z ##[error]Operation returned an invalid status code 'Conflict'
2023-01-26T14:29:56.6573731Z ##[error]PowerShell exited with code '1'.
2023-01-26T14:29:57.6355248Z ##[section]Finishing: Deploy PAC-DEV Role Assignments

Feature: Override support in Policy Assignments

Parameter override feature: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#overrides-preview and https://learn.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview.

Plan: January 2023

Question about versioning

How would one introduce versioning to the framework of Definitions, Assignments, and initiatives?

Missing parameter in definition causes error - Confirm-ParametersMatch

    This bug also occurs when there are no parameters and is omitted from the json which does occur so can we handle for this or if not then add some better error messages on the Confirm-ParametersMatch call

Currently fix is to add the line into the definition being blank

{
    "name": "Newly created GUID",
    "properties": {
        "displayName": "Policy Display Name",
        "policyType": "Custom",
        "mode": "All",
        "description": "Policy Description",
        "metadata": {
            "version": "1.0.0",
            "category": "Your Category"
        },
        "parameters": {},
        "policyRule": {
            "if": {
                "Insert Logic Here"
            },
            "then": {
                "effect": "Audit, Deny, Modify, etc.",
                "details": {
                    "roleDefinitionIds": [],
                    "operations": []
                }
            }
        }
    }
}

Originally posted by @martyh888 in #58 (comment)

Empty globalNotScopes property for pacEnvironment fails parameter validation

Running Build-AzPoliciesInitiativesAssignmentsPlan on an epac environment that does not include values for the globalNotScopes causes the internal Get-AzAssignmentsAtScopeRecursive function to fail due to the Mandatory attribute on the notScopeIn parameter.

azure / enterprise-azure-policy-as-code Goto Github PK

enterprise-azure-policy-as-code's Introduction

Enterprise Azure Policy as Code

Contributing

Trademarks

enterprise-azure-policy-as-code's People

Contributors

Stargazers

Watchers

Forkers

enterprise-azure-policy-as-code's Issues

Bug: When Service Connection is configured at the Management Group Level the pipeline throws an error in the Prod Plan - Feature Branch / Main Branch

Recommend Projects

Recommend Topics

Recommend Org