az policy state summarize --management-group <mg-id> --output jsonPolicy Insights
Policy Insights is where Azure Policy compliance evidence becomes queryable. Azure Policy definitions and assignments describe what should happen, but Policy Insights shows what Azure observed after evaluation. It stores state records that show current compliance and event records that show recent evaluation activity. Operators use it to answer questions such as which resources are non-compliant, which assignment is responsible, when the state changed, and whether remediation improved results. It turns policy from a static rule set into operational telemetry.
Source: Microsoft Learn - Get compliance data of Azure resources Reviewed 2026-05-19
- Exam trap
- Assuming Policy Insights updates instantly after every fix, then declaring remediation failed before the next evaluation completes.
- Production check
- Run a state summary at the exact scope before opening a compliance incident.
Article details and learning context
- Aliases
- Policy Insights, policy-insights
- Difficulty
- intermediate
- CLI mappings
- 5
- Last verified
- 2026-05-19
Understand the concept
Why it matters
Policy Insights matters because governance decisions need evidence, not just definitions. A policy assignment says what should be checked, but Policy Insights shows the compliance result, affected resource, assignment, definition, effect, timestamp, and evaluation details. Without it, teams argue from screenshots or assumptions when a deployment is denied or an audit fails. Policy Insights supports dashboards, remediation tracking, release gates, incident review, and audit exports. It also helps platform teams detect noisy rules, broad exceptions, and ownership gaps. When used well, it becomes the shared source for policy posture across security, operations, architecture, and application teams. It reduces arguments during stressful governance decisions. It also prevents governance decisions from relying on memory.
Official wording and source
Policy Insights is the Azure capability exposed through Microsoft.PolicyInsights that stores and exposes policy evaluation data. It provides policy states and policy events for portal views, Azure CLI, REST APIs, Azure Monitor logs, Resource Graph queries, dashboards, and automation.
Technical context
In Azure architecture, Policy Insights is a governance observability layer under the Microsoft.PolicyInsights resource provider. It exposes PolicyStates and PolicyEvents operations used by Azure portal compliance pages, Azure CLI, REST, PowerShell, Azure Resource Graph, and reporting workflows. It connects management group, subscription, resource group, assignment, initiative, definition, and resource data. Policy Insights depends on Azure Policy evaluation cycles and does not replace Resource Manager deployment validation. It is the evidence store operators query after policy evaluation completes.
Exam context
Compare with
Where it is used
Where you see it
- In Azure Policy compliance pages, Policy Insights data powers assignment summaries, resource compliance lists, non-compliant counts, exemption views, and evaluation details by owner scope. Owners use it for review.
- In az policy state summarize or list output, records show compliance state, resource ID, assignment, definition, effect, timestamp, and scope for triage evidence. Operators use it for evidence.
- In Resource Graph queries, PolicyResources rows aggregate compliance percentages, non-compliant resources, assignment-level findings, exemptions, and ownership tags across subscriptions for dashboards. Leaders use it for reporting.
Common situations
- Build compliance dashboards that summarize non-compliant resources by management group, assignment, initiative, owner tag, or control family.
- Investigate a denied deployment by finding the assignment, definition, effect, and resource state that caused the failure.
- Export policy state evidence before an audit instead of relying on screenshots from the Azure portal.
- Measure whether remediation tasks actually reduced non-compliance after a modify or deployIfNotExists rollout.
- Use Resource Graph and CLI queries to prioritize policy findings that affect high-risk or high-cost subscriptions first.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Fintech compliance evidence hub Scenario, objectives, solution, measured impact, and takeaway.
LedgerNova operated payment APIs, fraud models, and customer reporting services across many Azure subscriptions. Quarterly audits required proof of encryption, diagnostics, private networking, and approved-region controls.
- Produce repeatable policy evidence without manual portal screenshots.
- Prioritize non-compliant resources by control owner and subscription.
- Show remediation progress after each monthly platform sprint.
- Reduce audit preparation time by at least 40 percent.
The governance team built a Policy Insights evidence workflow around az policy state summarize, az policy state list, and Resource Graph PolicyResources queries. Queries grouped findings by assignment, initiative member, subscription, owner tag, and compliance state. Results were exported as JSON and summarized in an internal workbook. The workflow separated current policy states from policy events, so auditors saw present compliance while engineers used events to explain change history. Remediation tasks were tracked against the same assignment IDs, and a scheduled scan was triggered before final audit evidence was generated. The report owner archived every export for renewal reviews.
- Audit preparation time fell 52 percent after screenshot collection was removed.
- Owner-tag grouping assigned 91 percent of findings to the correct engineering team.
- Monthly remediation reports showed a 37 percent reduction in high-priority non-compliance.
- Auditors accepted exported query evidence because scope, timestamp, and assignment IDs were preserved.
Policy Insights turns Azure Policy compliance into repeatable evidence that teams can query, assign, and audit.
Scenario 02 University HPC compliance triage Scenario, objectives, solution, measured impact, and takeaway.
Peak Valley University ran high-performance computing clusters, student labs, and grant-funded research environments in Azure. Policy dashboards showed thousands of findings, but many were low-risk experimentation issues.
- Identify non-compliance that affected sensitive research data first.
- Avoid overwhelming researchers with low-value tickets.
- Group findings by grant code and principal investigator.
- Confirm fixes before closing monthly governance reviews.
Research IT built Resource Graph queries over PolicyResources and combined Policy Insights records with subscription tags for grant code, data sensitivity, and principal investigator. High-sensitivity subscriptions were reviewed first, especially findings for public network access, diagnostics, and encryption. Low-risk student lab findings stayed in dashboard-only mode. CLI state queries checked individual resources before closing tickets, while event queries explained whether a finding appeared during a cluster deployment or a periodic scan. The team documented the exact query set in the university cloud operations repository. The same workbook highlighted owners missing required tags. for final review. The daily review queue stayed tied to assignment ownership.
- High-sensitivity findings were triaged within two business days instead of two weeks.
- Ticket volume sent to researchers dropped 58 percent after risk-based filtering.
- Grant-code grouping improved monthly owner accountability across fourteen research programs.
- Closed findings had confirmed fresh state records, reducing reopened tickets by 31 percent.
Policy Insights becomes more valuable when compliance data is filtered by business risk and ownership, not just counted.
Scenario 03 Aviation maintenance governance telemetry Scenario, objectives, solution, measured impact, and takeaway.
AeroSpanner managed maintenance scheduling, parts inventory, and inspection records in Azure. Reliability engineers needed to know whether backup, diagnostics, and region policies were actually improving operational posture.
- Measure reliability control compliance across maintenance applications.
- Track remediation outcomes for diagnostics and backup policies.
- Correlate policy findings with incident review actions.
- Give service owners a weekly, scoped backlog instead of a generic dashboard.
The platform reliability team queried Policy Insights state records for assignments related to diagnostics, backup, allowed regions, and approved SKUs. Findings were grouped by service owner and application tag, then exported into a weekly backlog. Policy events were used after major releases to explain new findings, but latest state summaries controlled the backlog. Remediation results for deployIfNotExists policies were reviewed with CLI output showing resource IDs, assignment IDs, and timestamps. Incident review templates added a Policy Insights section so teams checked whether missing governance controls contributed to detection or recovery delays. Monthly leadership reviews used the same evidence.
- Diagnostics compliance rose from 74 percent to 95 percent across maintenance applications.
- Backup policy findings dropped 42 percent after owner-specific backlogs were introduced.
- Incident reviews identified three recurring template issues tied to missing diagnostic settings.
- Weekly service-owner reports reduced platform follow-up time by 33 percent.
Policy Insights connects governance telemetry to reliability work when teams use it to drive specific backlogs and incident learning.
Azure CLI
As an Azure engineer with ten years of compliance operations experience, I use Azure CLI for Policy Insights because it turns compliance from a dashboard into evidence I can filter, export, and automate. CLI can summarize states at management group, subscription, resource group, assignment, definition, or resource scope. It can also list policy events for a time window when I need change history. That speed matters during deployment failures, audits, and remediation reviews. Portal views are useful for exploration, but CLI output gives repeatable JSON that scripts, workbooks, ticket systems, and governance repositories can consume. That discipline turns disagreement into evidence. That consistency improves audit trust.
Useful for
- Summarize non-compliant policy states at management group scope before a governance review.
- List latest policy states for one resource to explain why an application deployment failed compliance.
- Filter Policy Insights output by policyDefinitionAction to separate deny failures from audit findings.
- Run Resource Graph queries over PolicyResources to group compliance by assignment, owner tag, or subscription.
- Export policy events from a time window to explain what changed after a baseline rollout or remediation campaign.
Before you run a command
- Confirm the query scope and subscription context because Policy Insights output changes significantly by management group, subscription, or resource group.
- Verify Microsoft.PolicyInsights provider access and reader permissions before assuming missing output means there are no findings.
- Use filters, top limits, and selected fields when querying large environments to avoid noisy evidence.
- Understand that policy state data depends on evaluation timing and may need an on-demand scan or reconciliation window.
- Use JSON output for automation and archive the exact query when results support audit or incident conclusions.
What the output tells you
- State summaries show non-compliant resource and policy counts, grouped by assignment, initiative, definition, and scope.
- State records identify resource ID, compliance state, policy assignment, policy definition, effect, timestamp, and evaluation context.
- Event records show recent evaluation activity and can explain when a resource’s compliance state was created, changed, or removed.
- Resource Graph output can correlate policy findings with subscriptions, tags, locations, resource types, and ownership metadata.
- Expanded evaluation details help operators determine which rule condition or alias contributed to a non-compliant result.
Mapped commands
Policy Insights CLI Commands
directaz policy state list --resource <resource-id> --expand PolicyEvaluationDetails --output jsonaz policy state list --filter "ComplianceState eq 'NonCompliant'" --top 100 --output jsonaz policy event list --from <utc-start> --to <utc-end> --output jsonaz graph query -q "PolicyResources | summarize count() by tostring(properties.complianceState)" --output tableArchitecture context
A seasoned Azure architect designs Policy Insights into the operating model from the start. Policy definitions and initiatives are only half the governance system; Policy Insights provides the feedback loop. Dashboards should summarize compliance by management group, assignment, initiative, control family, and resource owner. Automation should query current policy states before creating tickets and query policy events when explaining recent changes. Resource Graph can aggregate across subscriptions, while CLI gives precise incident evidence. The architecture should define evaluation cadence expectations, data consumers, evidence retention, and reconciliation between event-driven handlers and latest state summaries. Those trends guide smarter governance investment. This feedback loop is essential for scalable governance. Trends inform platform investment.
- Security
- Security impact is direct because Policy Insights reveals whether protective controls are actually met. It can expose resources missing encryption, diagnostics, private endpoints, approved regions, secure transfer, or tag-based ownership. Access to Policy Insights data should be controlled because it reveals resource IDs, scopes, policy assignments, and weaknesses. Security Reader or policy-specific roles may be enough for viewers; remediation operators need additional permissions. Query output should not be posted into unmanaged channels without review. Security teams should monitor stale scans, broad exemptions, and non-compliance trends rather than only checking one dashboard snapshot. Access reviews should confirm readers see only appropriate scopes. Evidence should be protected like audit material.
- Cost
- Cost impact is mostly indirect. Policy Insights can reveal missing cost-center tags, disallowed SKUs, expensive regions, excessive diagnostic requirements, or resources that escaped lifecycle controls. The query capability itself is usually not the largest cost, but downstream logging, workbooks, exports, automation, and remediation can add expense. Better evidence reduces manual audit time and prevents waste from unmanaged resources. FinOps teams should use Policy Insights with Resource Graph and Cost Management to connect compliance findings to owners and spend. The key cost risk is treating non-compliance as a report instead of a prioritized backlog. Better prioritization reduces wasteful review cycles. Prioritized findings keep remediation labor tied to value. Track review effort.
- Reliability
- Reliability impact is indirect but important. Policy Insights can show whether reliability controls such as backup, diagnostics, zone redundancy, allowed regions, and required SKUs are present. It also helps detect policy changes that suddenly increase deployment failures or remediation backlog. The data depends on evaluation cycles, so operators should understand that it may not update instantly after every fix. Reliable operations combine on-demand scans, scheduled summaries, and event reconciliation. During incidents, Policy Insights helps separate current configuration risk from old compliance debt, which prevents teams from chasing the wrong resources. This distinction prevents false incident conclusions. Fresh evidence keeps reliability work focused on current operational risk. Review timestamps before escalation.
- Performance
- Runtime performance impact is indirect. Policy Insights does not normally affect application latency, but it strongly affects operational performance. A precise state query can find the non-compliant resource, assignment, effect, and timestamp faster than browsing portal blades. Resource Graph can summarize compliance across many subscriptions, while CLI can narrow results during incidents. Poor query design can produce slow, noisy evidence and overwhelm ticket workflows. Teams should filter by scope, assignment, compliance state, and time range. The performance gain is faster triage, faster audit preparation, and faster confirmation that remediation worked. Saved query templates make repeated investigations faster. Saved queries make repeated investigations faster and less error-prone. Reusable filters reduce operator wait time.
- Operations
- Operators use Policy Insights for compliance triage, evidence export, remediation planning, and drift detection. They run state summaries, list non-compliant resources, filter by assignment or effect, expand evaluation details, and aggregate results through Resource Graph. They also query policy events to understand recent changes. Daily operations include checking whether scans are fresh, validating remediation results, grouping findings by owner, and explaining deployment failures to application teams. Good runbooks define which queries support audits, which support incident triage, and which feed recurring dashboards or ticket automation. Scheduled evidence capture keeps major rollouts accountable. Operators should keep a small library of approved queries for repeatable investigations, audits, and reviews. Evidence exports should follow retention standards.
Common mistakes
- Assuming Policy Insights updates instantly after every fix, then declaring remediation failed before the next evaluation completes.
- Reading only initiative-level compliance and missing the member policy definition that actually caused the finding.
- Exporting broad compliance data without filtering sensitive resource IDs or ownership metadata for the audience.
- Treating event history as current state instead of using latest policy states for present-tense decisions.
- Ignoring stale or scoped query context, which makes a subscription look healthy while a management group still has findings.