az policy state list --resource <resource-id> --select "timestamp,resourceId,policyAssignmentId,policyDefinitionId,complianceState" --output jsonPolicy compliance state
Policy compliance state is the status Azure Policy reports after evaluating a resource against an assigned rule. It tells you whether the resource appears compliant, non-compliant, exempt, conflicting, or not fully known for that evaluation. This is not just a dashboard color. It is the evidence operators use to decide whether a deployment broke a rule, whether a remediation task is needed, or whether an exemption is hiding risk. A learner should connect compliance state to a specific resource, policy assignment, definition, timestamp, and scope.
Source: Microsoft Learn - az policy state Reviewed 2026-05-19
- Exam trap
- Reporting compliance without checking whether the assignment scope matches the environment being audited.
- Production check
- Does the state record include the resource ID, assignment ID, definition ID, complianceState, and timestamp?
Article details and learning context
- Aliases
- None listed
- Difficulty
- fundamentals
- CLI mappings
- 5
- Last verified
- 2026-05-19
Understand the concept
Why it matters
Policy compliance state matters because it is the operational truth table for governance. A policy definition describes intent, and an assignment describes coverage, but compliance state shows what Azure actually observed. Without it, teams argue from assumptions: security thinks a control is enforced, developers think a resource is valid, and auditors cannot see current evidence. Compliance state supports remediation priorities, exception reviews, incident response, and release troubleshooting. It also prevents false confidence. A compliant count may hide exemptions or scope mistakes, while a non-compliant count may reflect stale evaluation until a scan completes. Good operators read the state, timestamp, scope, and assignment together.
Official wording and source
Policy compliance state is the Azure Policy evaluation result for a resource, component, assignment, definition, or scope. It shows whether evaluated resources meet policy rules, are non-compliant, exempt, conflicting, or otherwise not currently proven compliant, and supports reporting, troubleshooting, remediation, and audit evidence.
Technical context
In Azure architecture, compliance state belongs to the governance observability layer. Azure Policy evaluates resources when they are created or updated, when assignments change, and during periodic scans. Policy Insights stores state records that can be queried by subscription, management group, resource, policy assignment, policy definition, or initiative. The state connects resource IDs, assignment IDs, effects, timestamps, compliance reasons, and sometimes component details for resource provider mode policies. Operators use it with dashboards, CLI, Resource Graph, activity records, remediation tasks, and audit reports.
Exam context
Compare with
Where it is used
Where you see it
- In Azure Policy Compliance, resources appear grouped by compliant, non-compliant, exempt, or other evaluation states, with drill-down views for assignments and definitions during governance reviews.
- In az policy state list output, fields such as complianceState, resourceId, policyAssignmentId, policyDefinitionId, timestamp, and policyDefinitionAction identify the evaluated result during incident triage and audit reviews.
- In audit workbooks or governance reports, compliance state trends show whether remediation, exemptions, or recent policy assignments changed the risk posture over time across subscriptions.
Common situations
- Identify which resources violated a new security or cost policy after a policy-as-code rollout.
- Prioritize remediation by filtering non-compliant states for high-risk effects, resource types, or production scopes.
- Prove audit posture by exporting policy state records with assignment IDs, resource IDs, timestamps, and compliance results.
- Investigate why a deployment failed by checking whether a deny or modify policy evaluated the resource.
- Trigger or wait for fresh policy evaluation before reporting that a remediated resource is now compliant.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Prioritizing remediation for airline operations systems Scenario, objectives, solution, measured impact, and takeaway.
SkyTrail Airways operated Azure systems for crew scheduling, baggage telemetry, and disruption communications. Compliance dashboards showed many findings, but teams could not separate urgent production issues from low-risk development drift.
- Identify non-compliant production resources tied to operational systems.
- Separate exemptions and stale evaluations from active risk.
- Create daily remediation lists for application owners.
- Prove improvements with timestamped policy state evidence.
The cloud operations team queried policy states with Azure CLI using subscription, assignment, and resource group filters. Output included complianceState, resourceId, policyAssignmentId, policyDefinitionAction, and timestamp. Findings were grouped by production owner and policy effect. Exempt resources were removed from the urgent queue but reviewed weekly for expiration. After remediation, operators triggered a policy scan and compared before-and-after state summaries. The team integrated the daily report into its operations board so flight-supporting systems received priority over sandbox findings. The report also flagged findings older than seven days for manager review.
- Critical production non-compliance fell by 72 percent in one month.
- Stale or exempt findings were removed from daily incident-style queues.
- Average time to assign a finding owner dropped from two days to four hours.
- Audit reports included policy state timestamps instead of manually captured screenshots.
Compliance state becomes useful when teams connect each finding to scope, owner, timestamp, and operational priority.
Scenario 02 Cleaning up insurance audit evidence Scenario, objectives, solution, measured impact, and takeaway.
HarborStone Insurance prepared for an annual technology controls audit. Previous evidence packets mixed portal screenshots, old spreadsheets, and unclear policy names, creating repeated follow-up questions.
- Provide consistent evidence for encryption, diagnostic logging, and region controls.
- Tie every reported result to an assignment, resource, and timestamp.
- Distinguish non-compliant resources from approved exemptions.
- Reduce audit preparation effort for platform engineers.
The governance team built a CLI-based evidence script that queried policy states by management group and selected only required fields. The export included complianceState, resourceId, policyAssignmentId, policyDefinitionId, policyDefinitionAction, and timestamp. Exemption data was reviewed separately and linked to risk acceptance records. For remediation controls, the team triggered scans after fixes so the final export reflected current state. Evidence was stored in a secure workspace and mapped to audit control IDs. The dashboard showed summary counts, but auditors received the detailed state export for sampling. A dry run verified that sampled resources matched portal drill-down details.
- Audit evidence preparation time dropped from 12 days to 5.
- Follow-up questions about unclear policy screenshots decreased by 64 percent.
- Expired exemptions were identified before evidence was submitted.
- Control owners could show remediation progress with updated state timestamps.
Policy compliance state provides audit-ready evidence when it is exported with the IDs and timestamps that explain the result.
Scenario 03 Finding hidden risk in mining analytics workloads Scenario, objectives, solution, measured impact, and takeaway.
TerraCobalt Mining used Azure analytics for equipment telemetry from remote sites. Monthly governance reports showed acceptable percentages, but incidents revealed missing diagnostics on several production resources.
- Move beyond summary percentages to resource-level findings.
- Identify non-compliant diagnostics and backup policies in operations subscriptions.
- Validate that remediation changed the latest compliance state.
- Create trend reporting that highlighted recurring ownership gaps.
The platform team stopped relying only on portal percentages and began querying policy state records for production resource groups. They filtered by policyDefinitionAction and policy assignment to identify missing diagnostics and backup settings. Resource IDs were joined with ownership tags and incident impact categories. After remediation scripts updated diagnostic settings, operators triggered a compliance scan and compared timestamps. Findings that remained non-compliant for more than seven days were escalated to site technology leads. Exemptions required a written reason and expiration date. Weekly trend reviews compared recurring findings with subscription vending changes and backlog ownership. Site engineers received the same filtered evidence.
- Unremediated diagnostic findings dropped from 148 to 29 in six weeks.
- Backup-related non-compliance for production databases fell by 58 percent.
- Recurring owner gaps were traced to three subscription vending templates.
- Incident reviews gained policy state evidence for missing telemetry controls.
Compliance state trends help operators find real governance risk that summary percentages can hide.
Azure CLI
As an Azure engineer with ten years of operations experience, I use Azure CLI for compliance state because dashboards hide too much context. CLI lets me ask precise questions: which resources are non-compliant, under which assignment, since what timestamp, and for which effect. I can filter by management group, subscription, resource group, definition, assignment, or resource ID, then export evidence. That is critical during audits and deployment incidents. CLI also lets me trigger scans and compare before-and-after results, which is much cleaner than asking teams to refresh portal blades and interpret different screens. under real incident and audit pressure.
Useful for
- List latest policy states for a resource or scope after a deployment or assignment change.
- Summarize non-compliant resources by assignment, definition, effect, or management group.
- Trigger a compliance scan after remediation or policy rollout to refresh evidence.
- Export state records with selected fields for audit, security, or platform review.
Before you run a command
- Confirm tenant, subscription, management group, resource group, assignment, and definition filters before querying large policy state sets.
- Check permissions for Microsoft.PolicyInsights reads and remember state queries can span many resources at high scopes.
- Use time filters and selected fields when exporting evidence so results stay focused and understandable.
- Do not assume a missing or old state means compliance; verify scan timing, scope, exemptions, and assignment status.
What the output tells you
- complianceState shows the evaluated result, while timestamp shows when Azure Policy recorded that result.
- resourceId, policyAssignmentId, policyDefinitionId, and policySetDefinitionId connect the finding to the resource and governance object.
- policyDefinitionAction helps operators understand whether the relevant effect was deny, audit, modify, deployIfNotExists, or another action.
- Expanded evaluation details or component results can explain why a resource provider mode policy produced a specific state.
Mapped commands
Policy compliance state CLI commands
directaz policy state summarize --scope <scope> --output jsonaz policy state list --filter "complianceState eq 'NonCompliant'" --top 100 --output jsonaz policy state trigger-scan --resource-group <resource-group>az policy assignment show --name <assignment-name> --scope <scope> --output jsonArchitecture context
A seasoned Azure architect treats compliance state as governance telemetry, not merely a report. The architecture should define which scopes are reported, how often scans are triggered, which states require action, and how exceptions are represented. Dashboards should separate non-compliance from exemptions, conflicts, and assignments still in evaluation-only rollout. Compliance state should feed platform reviews, security scorecards, and remediation queues, but it must be interpreted with deployment timing and policy mode in mind. For resource provider modes, component states may matter more than the parent resource summary. The design should connect state records to owners, policy-as-code changes, and corrective automation.
- Security
- Security impact is direct because compliance state reveals whether protective controls are currently met. Non-compliant resources may expose public endpoints, weak encryption, missing diagnostic logs, disallowed regions, or unmanaged identities. Exempt resources are also security-relevant because they represent accepted risk, not automatic safety. Access to policy state is generally read-oriented, but changing assignments, exemptions, or remediations requires stronger control. Security teams should review stale scans, unknown states, conflicts, and sudden drops in compliance. They should also ensure dashboards do not present DoNotEnforce assignments or exempted resources as fully enforced protection without context. Findings should be reviewed by named control owners.
- Cost
- Cost impact is indirect but important. Compliance state can reveal resources missing required cost-center tags, using disallowed SKUs, running in expensive regions, or lacking lifecycle controls. It can also drive remediation work that adds cost, such as enabling logging, backup retention, or redundancy. FinOps teams need to separate policy non-compliance that creates spend leakage from policy non-compliance that indicates intentional investment in reliability or security. Large non-compliance backlogs consume engineering time and can delay migrations. Cost reports are stronger when they connect spend anomalies to policy states, assignment scopes, owner tags, and remediation progress. Budget owners should review exceptions monthly.
- Reliability
- Reliability impact is indirect. Compliance state can indicate whether reliability requirements such as backup, zone redundancy, diagnostics, minimum SKUs, and health logging are present. It can also show whether a remediation backlog threatens operational readiness. The risk is interpreting state without timing: a newly deployed resource may not appear in summaries immediately, and a scan may be needed after a large assignment change. Reliable operations include triggering scans after planned rollouts, recording timestamps, and prioritizing non-compliance that affects recovery or failover. Compliance dashboards should guide action rather than become static reports no one validates. Teams should record scan completion evidence.
- Performance
- Runtime performance impact is usually indirect, but compliance state improves diagnostic performance. When a deployment fails or a resource behaves unexpectedly, state records show whether Azure Policy evaluated the resource, which assignment applied, and which effect was involved. Querying huge scopes without filters can be slow and noisy, so operators should filter by assignment, definition, resource group, timestamp, or non-compliant state. Compliance state can also indirectly govern performance by identifying resources outside approved SKU, region, or diagnostics standards. Fast, targeted state queries shorten incident review and reduce time spent guessing whether policy was involved. Targeted filters keep evidence collection fast.
- Operations
- Operators use compliance state to inspect current governance posture, investigate non-compliant resources, trigger evaluations, start remediation, and provide evidence. CLI can list policy states, summarize counts, filter by assignment or effect, and expand evaluation details. Typical work includes checking the resource ID, assignment ID, policy definition ID, complianceState, timestamp, effect, and any component details. Operators also compare state before and after a deployment or policy change. Good runbooks explain when to trigger a scan, when to open a remediation task, when to create an exemption, and when to escalate a false positive. Operators should preserve query filters with evidence exports.
Common mistakes
- Reporting compliance without checking whether the assignment scope matches the environment being audited.
- Treating exempt resources as risk-free instead of accepted exceptions with owners and expiration dates.
- Ignoring scan timing and assuming a recently remediated resource should already show compliant.
- Looking only at summary percentages and missing a small number of high-risk non-compliant production resources.