az resource list --resource-group <resource-group> --output tableCompliance state
Compliance state is the Azure Policy evaluation result that indicates whether a resource complies with assigned policy rules, is noncompliant, exempt, conflicted, or not yet evaluated.
Source: Microsoft Learn - Azure Policy glossary Reviewed 2026-05-12
- Exam trap
- Treating a compliance dashboard color as current truth without checking evaluation time and scope.
- Production check
- Query the specific resource and assignment before relying on a broad compliance dashboard.
Article details and learning context
- Aliases
- None listed
- Difficulty
- Intermediate
- CLI mappings
- 3
- Last verified
- 2026-05-12
- Review level
- top250-pre130-priority
- Article depth
- field-manual-complete
Understand the concept
In plain English
Compliance state is the status Azure Policy reports for a resource after evaluating assigned rules. It tells teams whether a resource is compliant, noncompliant, exempt, conflicted, protected, or not yet evaluated, depending on the policy result and timing. People use it in dashboards, audit reports, remediation planning, and deployment troubleshooting. In plain English, it is the governance answer Azure gives for a resource at a point in time, not a permanent guarantee that the environment is healthy.
Why it matters
Compliance state matters because governance decisions, audit reports, and remediation work depend on interpreting it correctly. A noncompliant result can point to a real risk, a stale evaluation, a missing exemption, an incorrect assignment, or a policy rule that no longer matches the business intent. If teams treat the dashboard as absolute truth, they may fix the wrong resource or ignore a serious control gap. Strong operating practice connects compliance state with policy scope, evaluation time, resource owner, exemption approval, and remediation evidence. That turns a colored status into accountable governance action. Reviewers should tie each decision to a named owner, approved scope, expected evidence, and rollback path.
Official wording and source
Compliance state describes a resource’s adherence to applicable Azure Policy rules, such as compliant, non-compliant, exempt, conflict, not started, or protected.
Technical context
Technically, Compliance state comes from Azure Policy and Policy Insights evaluation data. It is tied to a resource, policy assignment, policy definition or initiative reference, scope, timestamp, effect, and evaluation details. Results can lag after assignment, exemption, remediation, or resource changes. Operators validate policy state queries, compliance scan timing, assignment scope, exemption records, remediation tasks, and Resource Graph results. The state should be interpreted with policy metadata and timestamps, not as a standalone truth without context.
Exam context
Compare with
Where it is used
Where you see it
- In Azure Policy, Compliance state appears in compliance dashboards, policy state records, initiative results, resource details, exemptions, and remediation views for assigned scopes for named production owners.
- In Azure CLI and Resource Graph output, it appears as compliant, noncompliant, exempt, conflict, protected, not started, timestamps, policy IDs, and assignment references for named production owners.
- In governance reports and audit runbooks, it appears beside resource owners, control mappings, remediation tasks, exception approvals, due dates, and evidence snapshots for named production owners.
Common situations
- Explain why a resource is reported compliant, noncompliant, exempt, conflicted, or not started.
- Prioritize remediation work by assignment, initiative, business owner, and risk level.
- Validate audit evidence with policy state timestamps, exemptions, and remediation records.
- Troubleshoot failed deployments that were blocked or modified by Azure Policy evaluation.
- Measure governance baseline health across management groups, subscriptions, and resource owners.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Compliance state in governance office operations Scenario, objectives, solution, measured impact, and takeaway.
Redwood Bank, a governance office team, had a concrete Azure challenge: quarterly reports showed thousands of noncompliant resources, but teams could not separate real risk from stale evaluations. Leaders needed a practical design that platform, security, operations, and business owners could validate with live Azure evidence.
- Identify current noncompliance
- Separate exemptions from failures
- Attach owners to findings
- Reduce audit preparation time
The governance team rebuilt its review process around Compliance state evidence. Analysts queried policy state records with assignment IDs and timestamps, then matched results with exemptions, remediation tasks, and resource owners. Platform teams added a dashboard filter for stale evaluations and not-started states. Security reviewed the remaining high-risk findings and required each accepted exception to include expiry, justification, and compensating control. The final audit package included command output, report snapshots, and ownership records. Operators also kept a validation packet with command output, timestamped screenshots, affected scopes, owner names, business acceptance criteria, and rollback notes. That packet let later reviewers repeat the evidence trail instead of relying on memory, chat history, or portal views captured during the original incident.
- False follow-ups dropped by 57 percent
- Every sampled exception had approval
- Report preparation fell from nine days to four
- High-risk findings were prioritized
Compliance state became useful when the team treated it as timestamped evidence that needed scope and exception context.
Scenario 02 Compliance state in store technology operations Scenario, objectives, solution, measured impact, and takeaway.
Greenfield Retail, a store technology team, had a concrete Azure challenge: store subscriptions showed noncompliant diagnostic settings after a policy assignment update. Leaders needed a practical design that platform, security, operations, and business owners could validate with live Azure evidence.
- Confirm affected stores
- Avoid duplicate remediation
- Restore required diagnostics
- Document policy timing
Operators investigated Compliance state before launching remediation across every subscription. They checked assignment scope, policy definition reference, evaluation timestamp, exemptions, and remediation job history. The evidence showed that some stores had already been fixed but had not refreshed in the dashboard. The team triggered targeted scans, ran remediation only for confirmed resources, and captured updated policy state records for store owners. Finance also reviewed monitoring ingestion changes before broad rollout. Operators also kept a validation packet with command output, timestamped screenshots, affected scopes, owner names, business acceptance criteria, and rollback notes. That packet let later reviewers repeat the evidence trail instead of relying on memory, chat history, or portal views captured during the original incident. Operators also kept a validation packet with command output, timestamped screenshots, affected scopes, owner names, business acceptance criteria, and rollback notes. That packet let later reviewers repeat the evidence trail instead of relying on memory, chat history, or portal views captured during the original incident.
- Scope was narrowed to 310 resources
- Duplicate remediation deployments were avoided
- Diagnostics reached 99 percent coverage
- Support tickets included policy timestamps
Timestamped compliance evidence helped operations fix missing diagnostics without creating duplicate resources or confusing owners.
Scenario 03 Compliance state in campus cloud operations Scenario, objectives, solution, measured impact, and takeaway.
Cobalt University, a campus cloud team, had a concrete Azure challenge: research workloads were reported noncompliant even after approved exemptions were granted. Leaders needed a practical design that platform, security, operations, and business owners could validate with live Azure evidence.
- Show exemption status clearly
- Protect research deadlines
- Improve owner communication
- Close audit findings accurately
The cloud office traced each Compliance state result to its policy assignment, initiative reference, exemption record, and timestamp. They found that several reports ignored exemption categories and treated all noncompliant states equally. The reporting workbook was updated to show exempt, conflict, not-started, and noncompliant states separately. Operators added CLI checks to support tickets and required resource owners to confirm business justification before exemptions were extended. The process kept real violations visible while respecting approved research exceptions. Operators also kept a validation packet with command output, timestamped screenshots, affected scopes, owner names, business acceptance criteria, and rollback notes. That packet let later reviewers repeat the evidence trail instead of relying on memory, chat history, or portal views captured during the original incident.
- Approved exemptions appeared in reports
- Researchers stopped receiving duplicate tickets
- Audit findings closed with evidence
- Governance reviews became monthly
Compliance state reporting improved when exemptions and evaluation timing were shown instead of hidden behind one red status.
Azure CLI
CLI checks make Compliance state actionable by showing policy state records, timestamps, assignment scope, exemptions, and remediation evidence behind dashboard summaries.
Useful for
- Query noncompliant resources for a policy assignment before opening remediation tickets.
- Confirm whether an exemption or assignment change has affected a resource's reported state.
- Collect timestamped governance evidence for audit reports, incident reviews, or control owners.
Before you run a command
- Confirm the management group, subscription, assignment, initiative, and resource scope under review.
- Use read-only policy state queries first because remediation commands can modify many resources.
- Record the evaluation timestamp so stale or not-started results are not treated as current truth.
What the output tells you
- Policy state output shows the resource, assignment, definition reference, compliance state, and evaluation timestamp.
- Exemption output shows accepted exceptions, categories, expiry dates, and justification fields.
- Remediation output shows deployment progress, failed tasks, and whether policy-driven fixes completed.
Mapped commands
Adjacent discovery commands
adjacentaz resource show --ids <resource-id>Architecture context
Technically, Compliance state is a Policy Insights result associated with a resource, assignment, definition, initiative reference, timestamp, and evaluation outcome. Engineers verify it through resource ID, assignment ID, definition ID, compliance state, timestamp, reason, exemption ID, effect, remediation status, and initiative control mapping. Important configuration includes policy definition, assignment scope, parameters, exemptions, resource selectors, effect type, remediation identity, and evaluation timing. It commonly integrates with Azure Policy, Policy Insights, Azure Resource Graph, Defender for Cloud, management groups, remediation tasks, dashboards, and audit reporting. For production reviews, capture ID, scope, identity, region, limits, changes, and diagnostics before changing behavior.
- Security
- Security for Compliance state starts with protecting who can view, change, exempt, or remediate policy results. Compliance data can expose resource names, control gaps, regulatory posture, and security misconfigurations. Limit exemption authority, audit assignment changes, and monitor remediation identities because they may modify resources at scale. Review whether noncompliant resources represent active exposure, missing diagnostics, insecure networking, weak encryption, or unsupported configuration. Sensitive reports should avoid unnecessary details in tickets or screenshots. A secure process ties every accepted exception to approval, expiry, compensating control, and evidence that the risk is understood. Reviewers should tie each decision to a named owner, approved scope, expected evidence, and rollback path.
- Cost
- Cost for Compliance state comes from remediation work, repeated investigations, generated resources, reporting pipelines, and the consequences of unresolved governance gaps. A deployIfNotExists remediation may create diagnostic settings, security agents, or backup resources, while a deny policy may delay deployments and consume engineering time. Stale or misunderstood compliance state can trigger unnecessary cleanup or audit effort. FinOps teams should connect noncompliance trends with budgets, resource tags, remediation automation, and business priority. The goal is not to make every dashboard green at any cost, but to fix risks with proportional effort. Reviewers should tie each decision to a named owner, approved scope, expected evidence, and rollback path.
- Reliability
- Reliability for Compliance state depends on evaluation freshness, correct scope, stable policy definitions, and clear handling of not-started or conflicted results. A resource can move between states after deployment, assignment changes, exemptions, or remediation jobs. Operators should know when evaluation data last refreshed and whether a manual scan is needed. Dashboards should show timestamps and distinguish true noncompliance from stale or unknown state. During incidents, compare policy events, resource changes, and remediation history before assuming the workload itself failed. Reliable reporting keeps teams from chasing outdated governance signals. Reviewers should tie each decision to a named owner, approved scope, expected evidence, and rollback path.
- Performance
- Performance for Compliance state is about evaluation scale, query responsiveness, dashboard refresh time, and remediation throughput. Large management groups with many assignments and resources can take time to evaluate, and broad queries may be slow or incomplete if filters are weak. Operators should use scoped queries, Resource Graph, and meaningful time windows when investigating. Monitor policy evaluation delays, remediation job duration, and reporting pipeline failures. If governance reporting becomes noisy or slow, simplify assignments, split unrelated initiatives, tune queries, and archive evidence without hiding current risk. Reviewers should tie each decision to a named owner, approved scope, expected evidence, and rollback path.
- Operations
- Operationally, Compliance state needs ownership, triage rules, and repeatable evidence collection. Teams should define who reviews noncompliant resources, who approves exemptions, who runs remediation, and when status changes are reported. Runbooks should include queries for policy states, assignments, initiatives, exemptions, and remediation tasks. Each ticket should capture the resource ID, policy assignment, current state, timestamp, owner, expected fix, and due date. Good operations separate platform baseline issues from application-team fixes and close the loop when policy state changes after remediation. Reviewers should tie each decision to a named owner, approved scope, expected evidence, and rollback path. Evidence should include current settings, timestamped output, business impact, and the team responsible for follow-up.
Common mistakes
- Treating a compliance dashboard color as current truth without checking evaluation time and scope.
- Ignoring exemptions, conflicts, and not-started states while counting only compliant versus noncompliant.
- Running broad remediation before confirming resource ownership, policy intent, and expected side effects.