Skip to article
Management and Governance Azure Policy

Compliance scan

an Azure Policy evaluation run that checks resources against assigned policy and initiative definitions so their current compliance results can be refreshed

Source: Microsoft Learn - Get compliance data of Azure resources Reviewed 2026-05-12

Exam trap
Assuming compliance state updates instantly after a resource change.
Production check
Confirm owner, scope, resource IDs, region, tags, and environment before accepting the current state.
Article details and learning context
Aliases
None listed
Difficulty
Intermediate
CLI mappings
3
Last verified
2026-05-12

Understand the concept

In plain English

Compliance scan means an Azure Policy evaluation run that checks resources against assigned policy and initiative definitions so their current compliance results can be refreshed. Teams use it to verify governance drift, produce audit evidence, confirm remediation results, and update compliance dashboards after policy, resource, or exemption changes. In Azure work, operators usually see it in portal settings, deployment output, metrics, logs, and runbooks. The practical question is who owns it, what scope it affects, and what evidence proves it is working.

Why it matters

Compliance scan matters because stale compliance results can make teams believe drift is fixed when resources have not yet been evaluated or remediated. The business impact is rarely abstract: users see slower workflows, missing data, failed automation, audit gaps, support delays, or unexpected cost when the term is misunderstood. A strong glossary entry gives architects, developers, security reviewers, and operators the same language for design reviews and incident handoffs. It connects Azure configuration to measurable objectives, ownership, rollback paths, and evidence, so teams treat it as an operational control rather than a portal label. That discipline helps teams make safer changes under pressure.

Official wording and source

A compliance scan is an Azure Policy evaluation that checks resources in a subscription or resource group against assigned policies and updates compliance data.

Open Microsoft Learn

Technical context

Technically, Compliance scan is a Policy Insights evaluation process that can run automatically or be triggered on demand for subscription or resource group scope. Engineers verify it with service configuration, IDs, logs, metrics, request records, and deployment evidence. Important configuration includes evaluation scope, policy assignment, initiative parameters, exemptions, resource selectors, remediation identity, effect type, and scan trigger timing. Production reviews should capture owner, scope, region, identity, limits, recent changes, and diagnostics before changing behavior. Those details make troubleshooting repeatable across portal, CLI, SDK, and pipeline evidence.

Exam context

Compare with

Where it is used

Where you see it

  1. You see Compliance scan in Defender for Cloud, Policy assignments, regulatory dashboards, and assessment records when confirming scan target, rule, evidence, severity, and last evaluation time for release, audit, or incident evidence.
  2. You see Compliance scan during troubleshooting when a resource unexpectedly appears noncompliant before audit review and operators must connect portal state, CLI output, logs, metrics, owners, and rollback notes.
  3. You see Compliance scan in architecture reviews when teams decide which controls are measured automatically versus manually, how evidence is gathered, and how it affects security, reliability, operations, cost, and performance.

Common situations

  • Trigger a fresh scan before a regulated deployment approval.
  • Collect policy state evidence for an audit review.
  • Verify remediation progress after fixing noncompliant resources.

Illustrative Azure scenarios

These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.

Scenario 01 Bank encryption remediation Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Litware Bank remediated storage encryption policy failures but auditors needed proof that the environment was reevaluated after changes.

Goals
  • Refresh compliance evidence after remediation
  • Reduce stale noncompliance records
  • Prove scope for the audit trail
  • Avoid scanning unrelated subscriptions
Approach using Compliance scan

Governance engineers triggered compliance scans only for the remediated resource groups, then queried Policy Insights for updated policy states. The runbook captured assignment IDs, resource IDs, trigger timestamps, remediation task IDs, and before-and-after counts. Exemptions required expiry dates and approval links. A dashboard separated fixed resources from resources still waiting on evaluation, preventing audit teams from reading stale data as active risk. Operators kept the scan command read-only except for the evaluation trigger. The runbook captured owner, environment, approval link, rollback condition, and the exact Azure evidence operators had to collect before and after each change. A dashboard tracked adoption, exceptions, and operational signals so support, security, and finance teams could review outcomes without relying on informal notes. The team reviewed results after the pilot and kept the design in the standard platform checklist for future deployments.

Potential outcomes
  • Stale noncompliance records fell 88 percent
  • Audit evidence identified exact scanned scopes
  • Encryption compliance reached 99 percent
  • Unrelated subscriptions were not included
What to learn

A compliance scan turns remediation work into current governance evidence when scope and timestamps are captured clearly.

Scenario 02 Healthcare policy rollout Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Northstar Clinics deployed a new initiative for private endpoints and needed confidence that production resources had been evaluated before enforcement.

Goals
  • Evaluate all production resources before deny effects
  • Identify exceptions requiring architecture review
  • Refresh dashboards within one business day
  • Reduce manual policy-status emails
Approach using Compliance scan

The platform team assigned the initiative in audit mode, waited for baseline evaluation, then triggered compliance scans by resource group after each remediation wave. Resource Graph queries summarized noncompliant services, owners, and exception reasons. Architects reviewed workloads that could not use private endpoints, while automation created remediation tickets for straightforward fixes. The scan process became a release gate before changing selected policies from audit to deny. The runbook captured owner, environment, approval link, rollback condition, and the exact Azure evidence operators had to collect before and after each change. A dashboard tracked adoption, exceptions, and operational signals so support, security, and finance teams could review outcomes without relying on informal notes. The team reviewed results after the pilot and kept the design in the standard platform checklist for future deployments.

Potential outcomes
  • Production evaluation finished in one day
  • Manual status emails dropped by 70 percent
  • Approved exceptions were documented with expiry
  • No deny policy blocked unreviewed workloads
What to learn

Compliance scans help teams move from audit to enforcement without guessing which resources have been evaluated.

Scenario 03 Retail tag governance recovery Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Fabrikam Retail lost cost-center tag compliance after a merger and needed updated evidence for hundreds of subscriptions.

Goals
  • Refresh tag policy status after bulk fixes
  • Map noncompliance to new business units
  • Prioritize subscriptions with billing impact
  • Create repeatable monthly governance checks
Approach using Compliance scan

Governance operations triggered scans after the tag remediation pipeline updated resource groups and subscriptions. Policy-state queries grouped results by management group, assignment, cost-center tag, and business owner. Cost Management exports were joined with compliance state so finance could prioritize high-spend resources that remained noncompliant. The team scheduled monthly evidence snapshots and documented how to distinguish newly created resources from resources awaiting evaluation. The runbook captured owner, environment, approval link, rollback condition, and the exact Azure evidence operators had to collect before and after each change. A dashboard tracked adoption, exceptions, and operational signals so support, security, and finance teams could review outcomes without relying on informal notes. The team reviewed results after the pilot and kept the design in the standard platform checklist for future deployments.

Potential outcomes
  • Tag compliance improved from 61 percent to 94 percent
  • High-spend exceptions were reviewed first
  • Monthly evidence snapshots replaced ad hoc reports
  • Finance could trace drift to business units
What to learn

Compliance scans are strongest when governance evidence is joined to ownership and financial impact.

Azure CLI

Use CLI scan and policy-state commands when auditors or incident teams need current compliance evidence at a known scope.

Useful for

  • Trigger an on-demand compliance scan after a remediation deployment.
  • List latest policy states for a resource or subscription.
  • Compare noncompliant resources before and after a policy assignment change.

Before you run a command

  • Confirm the active tenant, subscription, resource group, workspace, account, or region before running commands.
  • Use least-privileged access and avoid storing secrets, prompts, certificates, tokens, or personal data in command output.
  • Know whether the command is read-only, mutating, cost-impacting, security-impacting, or destructive before production use.

What the output tells you

  • Output confirms whether the live Azure configuration exists at the expected scope and matches the approved design.
  • Returned IDs, settings, metrics, timestamps, or logs help separate configuration drift from application behavior.
  • Differences between expected and actual state create evidence for rollback, escalation, audit, or owner follow-up.

Mapped commands

Azure Policy CLI commands

direct
az policy definition list --output table
az policy definitiondiscoverManagement and Governance
az policy assignment list --scope <scope> --output table
az policy assignmentdiscoverManagement and Governance
az policy state list --resource <resource-id> --output table
az policy statediscoverManagement and Governance
az policy remediation list --scope <scope> --output table
az policy remediationdiscoverManagement and Governance

Architecture context

Technically, Compliance scan is a Policy Insights evaluation process that can run automatically or be triggered on demand for subscription or resource group scope. Engineers verify it with service configuration, IDs, logs, metrics, request records, and deployment evidence. Important configuration includes evaluation scope, policy assignment, initiative parameters, exemptions, resource selectors, remediation identity, effect type, and scan trigger timing. Production reviews should capture owner, scope, region, identity, limits, recent changes, and diagnostics before changing behavior. Those details make troubleshooting repeatable across portal, CLI, SDK, and pipeline evidence.

Security
Security for Compliance scan starts with understanding who can assign policy, trigger scans, read compliance data, create exemptions, remediate resources, and modify identities used by remediation tasks. Review identities, roles, secrets, network paths, data classification, logs, and who can change the setting. Prefer least privilege, private access when available, managed identity or protected credentials, and audit evidence. Watch for broad permissions, sensitive data in logs, shared keys, public endpoints, stale owners, and exceptions without expiry. Production use should include an approved owner, access boundary, alert routing, and a revocation process operators can execute during an incident. Security reviewers should tie every exception to risk acceptance and expiry.
Cost
Cost for Compliance scan comes from operator time, remediation activity, Resource Graph queries, monitoring, automation runs, and policy changes that can drive resource reconfiguration. Direct costs may be obvious, but indirect costs can appear as retries, duplicate processing, idle capacity, data movement, investigation time, or support effort. Review budgets, tags, usage metrics, quota, retention, SKU, and forecasts before enabling or scaling it. Connect spend to business-unit ownership and expected workload value. Define normal usage, alert thresholds, cleanup rules, and exception approval before the feature becomes a hidden default across environments. Finance teams need evidence that the cost aligns to real demand, not leftover experiments.
Reliability
Reliability for Compliance scan depends on evaluation freshness, Policy Insights availability, scope correctness, remediation sequencing, assignment propagation, and accurate timestamps for audit evidence. Operators should know the expected failure mode, dependency chain, recovery target, and whether retries, failover, reprocessing, or manual approval are required. Monitor health, latency, quota, backlog, error rates, stale state, and downstream failures. Test behavior during maintenance, regional incidents, expired credentials, schema changes, and burst traffic. Runbooks should explain how to validate current state, preserve evidence, reduce blast radius, and restore service without duplicate work or data loss. Reliability reviews should include the human handoff path, not only platform health.
Performance
Performance for Compliance scan is about scan scope size, number of assignments, resource count, evaluation latency, query complexity, and time required for compliance dashboards to refresh. Measure signals that reflect user or workload experience, such as latency, throughput, request units, node startup time, model response time, queue depth, cache behavior, or throttled operations. Avoid tuning one setting in isolation when identity, network path, partitioning, model size, region, or downstream capacity may be the real bottleneck. Compare baseline and peak results after changes, then document which limit would be reached first as demand grows. Keep tests close to production patterns. That evidence helps teams scale intentionally instead of guessing during incidents.
Operations
Operationally, Compliance scan needs clear ownership, naming, tagging, change records, and repeatable verification. Teams should know where it appears, which commands or queries prove state, which dashboard shows health, and what is safe to change during business hours. Keep examples, approvals, rollback notes, and exception records with the service runbook rather than personal notes. For production changes, capture before-and-after evidence, including resource IDs, region, tenant, policy assignment, deployment version, and linked services. Review stale resources and permissions regularly. Escalation contacts should stay current as teams reorganize. This prevents tribal knowledge from becoming the only support path. It also helps new operators support the service with confidence.

Common mistakes

  • Assuming compliance state updates instantly after a resource change.
  • Triggering broad scans without confirming the intended subscription or resource group.
  • Treating a scan as remediation instead of evidence collection and evaluation.