technicalandcloud/AzurePolicyWatch

🛰️ AzurePolicyWatch

Automated Azure Policy Compliance Monitoring
Monitor and compare your Azure Policy initiatives (Management Group) with Microsoft baselines (ALZ & MCSB). Generate monthly HTML reports with visual analysis and actionable CSV exports.

⚠️ Disclaimer

AzurePolicyWatch is based on references published by AzAdvertizer and the Microsoft Cloud Security Benchmark (MCSB) to provide recommendations aligned with Microsoft best practices.

We are not responsible for content published by these third-party sources. AzurePolicyWatch is an analysis and comparison tool that aggregates this public information for Azure compliance and governance purposes.

🌍 Overview

AzurePolicyWatch is a modular and tested PowerShell tool that automates Azure Policy governance by:

  • 📥 Aggregating public baselines (ALZ via AzAdvertizer + MCSB via Azure)
  • 🔍 Comparing these baselines with your actually assigned initiatives
  • 📊 Generating interactive HTML reports and hierarchical CSV exports
  • 🤖 Committing results automatically to monthly dated folders
  • 🎯 Identifying missing, extra, or version-mismatched policies

Perfect for: Compliance audits, ALZ alignment, MCSB tracking, continuous governance.


✨ Key Features

📊 Reports & Visualization

  • Interactive HTML report with dynamic filters (status, deprecated, preview)
  • Color-coded tables by effect (Deny=red, DeployIfNotExists=green, Audit=blue)
  • Hierarchical CSV (Initiative → Policies) for Excel/PowerBI
  • Monthly snapshots archived in inventory/YYYY_MM/
  • Animated logo watermark with breathing effect in hero section
  • Modern design with clean light gray background and responsive layout

🔍 Compliance Analysis

  • ✅ Matched: Policies compliant with baseline
  • ❌ Missing: Recommended policies not deployed
  • ℹ️ Extra: Custom policies outside baseline
  • ⚠️ Version Mismatch: Policies with incorrect version
  • 🏷️ Lifecycle: Detection of Deprecated/Preview status
  • 📈 Scoring: Global, ALZ and MCSB scores with detailed metrics

📸 Report Preview

AzurePolicyWatch Report

Displayed KPIs

  • 🟢 Matched: Policies deployed and matching the ALZ/MCSB baseline
  • 🔴 Missing: Baseline policies not deployed in your environment
  • 🟡 Version Mismatch: Policies with different version than baseline
  • 🔵 Extra: Custom initiatives/policies not in ALZ/MCSB baseline (no impact on score)

Report Columns

My Environment Tab (Initiatives & Individual Policies)

| Column | Description |
| --- | --- |
| AssignmentDisplayName | Display name of the policy assignment |
| AssignmentName | Technical name of the assignment |
| AssignmentScope | Scope where the assignment is applied (MG/Subscription) |
| InitiativeDefinitionId | ID of the initiative definition (or "N/A" for individual policies) |
| TotalPolicies_Assignment | Total number of policies in the initiative |
| InCommon | Policies that match the ALZ/MCSB baseline (counted in score) |
| ExtraInAssignment_Count | Policies not in baseline (not counted in score) |
| VersionDiffs_Count | Policies with version mismatch vs baseline |
| AssignmentStatus | Status: Matched (green) or Extra (blue) |

Recommendations Tab (ALZ & MCSB Baseline)

| Column | Description |
| --- | --- |
| PolicyDisplayName | Display name of the baseline policy |
| PolicyDefinitionId | Azure resource ID of the policy definition |
| Version | Version of the policy in baseline |
| PolicyType | Type: BuiltIn or Custom |
| BaselineSources | Source baseline: ALZ, MCSB, or both |
| AssignmentStatus | Status: Matched (deployed) or Missing (not deployed) |
| Effect | Policy effect (Audit, Deny, DeployIfNotExists, etc.) |

Compliance Scores

  • 🏛️ ALZ Score: 36.7% (190/510 policies)
  • 🔒 MCSB Score: 89.4% (202/234 policies)
  • 🎯 Global Score: 52.7% (392/744 policies)

Interactive Features

  • 🔎 Global search (name / ID / text): full-text search with debounce (180ms for fluidity)
  • 🎯 Status filters: filter views on All / Matched / Missing / Extra
  • 🏷️ Lifecycle masking: hide policies marked Deprecated or Preview
  • 🎨 Contextual coloring: rows and badges colored by effect and lifecycle for instant visual recognition
  • 📱 Responsive design: optimized for desktop, tablet, and mobile

⚙️ Installation & Configuration

📋 Prerequisites

| Component | Version | Usage |
| --- | --- | --- |
| PowerShell | 7.0+ | Script execution |
| Az.Accounts | Latest | Azure connection |
| Az.Resources | Latest | Policy retrieval |

💻 Local Execution

Quick Start (Recommended)

# Install the module from the PowerShell Gallery
Install-Module -Name AzurePolicyWatch -AllowPrerelease

# Connect to Azure
Connect-AzAccount -TenantId "<TENANT_ID>"

# Run with Management Group (recommended)
Invoke-AzPolicyWatch -ManagementGroupId "MyMG" -HtmlReport

# Or with Subscription
Invoke-AzPolicyWatch -SubscriptionId "SubID" -HtmlReport

# Custom output folder
Invoke-AzPolicyWatch `
    -ManagementGroupId "MyMG" `
    -OutputFolder "C:\Reports\PolicyCompliance" `
    -HtmlReport `
    -Verbose

Available Parameters

Invoke-AzPolicyWatch [
    # Scope (choose one)
    -ManagementGroupId <String>       # Management Group ID
    -SubscriptionId <String>          # Subscription ID
    
    # Output options
    -OutputFolder <String>            # Default: C:\Temp\Policy-Compare
    -HtmlReport                       # Generate HTML report
    
    # Baseline filtering
    -ExcludeBaselineTypes <String[]>  # Exclude baselines: @("ALZ"), @("MCSB"), or @("ALZ","MCSB")
    
    # Branding (optional)
    -ProjectName <String>             # Default: AzurePolicyWatch
    -ProjectVersion <String>          # Default: 1.0.1
    -LogoPath <String>                # Path to logo image
    
    # Execution options
    -Quiet                            # Suppress progress messages
    -Verbose                          # Show detailed logs
]

Examples

# Install the module from the PowerShell Gallery
Install-Module -Name AzurePolicyWatch -AllowPrerelease

# Example 1: Basic usage with HTML report
Invoke-AzPolicyWatch -ManagementGroupId "MyMG" -HtmlReport

# Example 2: Subscription scope with custom output
Invoke-AzPolicyWatch `
    -SubscriptionId "SubID" `
    -OutputFolder ".\reports\$(Get-Date -Format 'yyyy-MM')" `
    -HtmlReport `
    -Verbose

# Example 3: Quiet mode (minimal output)
Invoke-AzPolicyWatch -ManagementGroupId "MyMG" -HtmlReport -Quiet

# Example 4: Exclude ALZ baseline from subscription analysis
Invoke-AzPolicyWatch `
    -SubscriptionId "SubID" `
    -HtmlReport `
    -ExcludeBaselineTypes @("ALZ") `
    -Quiet

# Example 5: Exclude MCSB baseline from subscription analysis
Invoke-AzPolicyWatch `
    -SubscriptionId "SubID" `
    -HtmlReport `
    -ExcludeBaselineTypes @("MCSB")

# Example 6: Exclude ALZ baseline from Management Group analysis
Invoke-AzPolicyWatch `
    -ManagementGroupId "MyMG" `
    -HtmlReport `
    -ExcludeBaselineTypes @("ALZ")

# Example 7: Exclude MCSB baseline from Management Group analysis (quiet mode)
Invoke-AzPolicyWatch `
    -ManagementGroupId "MyMG" `
    -HtmlReport `
    -ExcludeBaselineTypes @("MCSB") `
    -Quiet

# Example 8: Compare only against ALZ (exclude MCSB)
Invoke-AzPolicyWatch `
    -ManagementGroupId "MyMG" `
    -HtmlReport `
    -ExcludeBaselineTypes @("MCSB") `
    -Verbose

📊 Report Output

Generated Files

After execution, you'll find these files in the output folder:

C:\Temp\Policy-Compare\
└── reports\
    ├── 📄 Baseline_ALZ_MCSB_Policies.csv
    ├── 📋 Baseline_Compare_Summary.csv
    ├── 📝 Baseline_Compare_Details.csv
    ├── 🏗️ Hierarchical_Initiatives_Policies.csv
    └── 🌐 Baseline_Compare_Report.html

Console Output

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🛰️ AzurePolicyWatch v1.0.1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📥 Step 1/4: Loading baseline policies...
   ✅ ALZ baseline loaded: 510 policies
   ✅ MCSB baseline loaded: 234 policies
   ✅ Combined baseline: 744 unique policies

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔍 Step 2/4: Scanning Azure assignments...
   ✅ Found 26 initiatives
   ✅ Found 741 individual policies

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚖️ Step 3/4: Comparing policies...
   ✅ Comparison completed

   📊 Global Score: 33.1%
      ├─ 🏛️ ALZ Score: 17.0% (87/510 policies)
      └─ 🔒 MCSB Score: 69.9% (159/234 policies)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 Step 4/4: Generating reports...
   ✅ Baseline exported: Baseline_ALZ_MCSB_Policies.csv
   ✅ Summary exported: Baseline_Compare_Summary.csv
   ✅ Details exported: Baseline_Compare_Details.csv
✅ Hierarchical CSV exported: Hierarchical_Initiatives_Policies.csv
   ├─ Total rows: 746
   ├─ Initiatives: 5
   └─ Policies: 741

📄 Generating HTML report...
   ✅ HTML report generated: Baseline_Compare_Report.html

  ✅ Reports generated successfully

  📂 Location: C:\Temp\Policy-Compare

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✨ Analysis completed successfully!

🔗 Useful Links

| Resource | Link |
| --- | --- |
| Architecture | docs/architecture.md |
| Usage Guide | docs/usage-guide.md |
| Tests | tests/README.md |
| Azure Landing Zones | aka.ms/alz |
| MCSB Baseline | Microsoft Cloud Security Benchmark |
| AzAdvertizer | www.azadvertizer.net |
| Azure Policy Docs | learn.microsoft.com/azure/governance/policy |

📝 License

This project is licensed under the MIT License - see the LICENSE file for details.

⭐ Star this project if you find it useful! ⭐

Made with ❤️ for Azure Governance
