az policy state summarize --management-group <mg-id> --output jsonPolicy state
Policy state is the evidence record behind an Azure Policy compliance result. It answers practical questions such as which resource was evaluated, which policy assignment applied, whether the resource was compliant, and when Azure last knew that result. The portal summarizes these states, but operators often query them directly through Azure CLI, REST, or Resource Graph when they need proof. Policy state is especially useful when a dashboard says “non-compliant” and the team needs to locate the exact resource, policy, scope, and reason.
Source: Microsoft Learn - Azure Policy compliance states Reviewed 2026-05-19
- Exam trap
- Treating policy state as real-time monitoring even though evaluation cycles and data refresh can lag changes.
- Production check
- Run a state summary for the intended scope and confirm the assignment count matches the policy inventory.
Article details and learning context
- Aliases
- Policy state, policy-state
- Difficulty
- intermediate
- CLI mappings
- 5
- Last verified
- 2026-05-19
Understand the concept
Why it matters
Policy state matters because governance decisions should be based on evidence, not screenshots or assumptions. A platform team needs to know whether a resource is non-compliant because of a real configuration issue, a stale evaluation, a missing provider registration, an exemption, or the wrong assignment scope. Policy states provide the raw material for compliance dashboards, audit exports, remediation targeting, and deployment gates. They also help separate policy authoring problems from resource-owner problems. Without state data, teams may remediate the wrong resource, argue over conflicting views, or enable enforcement before understanding current drift. That evidence is essential when enforcement or exception decisions affect production teams.
Official wording and source
Policy state is the evaluated compliance record produced by Azure Policy and exposed through Microsoft.PolicyInsights PolicyStates operations. It connects a resource, assignment, definition, compliance result, timestamps, and policy metadata so teams can query current and historical governance evidence across Azure scopes.
Technical context
In Azure architecture, policy state lives in the governance observability layer provided by the Microsoft.PolicyInsights resource provider. It is produced after policy evaluation and can be queried at management group, subscription, resource group, assignment, definition, initiative, or resource scope. State records include identifiers and metadata for resources, assignments, definitions, policy actions, compliance states, and timestamps. They do not change resources; they expose evaluation results that dashboards, reports, automation, audit evidence, and remediation workflows depend on.
Exam context
Compare with
Where it is used
Where you see it
- In the Azure Policy Compliance page, state records drive compliant, non-compliant, exempt, and unknown counts for assignments and resources during dashboard filtering and review cycles.
- In az policy state list output, fields such as resourceId, complianceState, policyAssignmentId, policyDefinitionId, and timestamp describe evaluated results for resource-level troubleshooting and evidence exports. workflows
- In Azure Resource Graph or governance workbooks, PolicyResources queries aggregate policy state to show trends, hotspots, owners, and remediation backlogs for executive reporting and planning.
Common situations
- Export non-compliant resources for one assignment so owners receive exact resource IDs instead of broad dashboard percentages.
- Confirm whether a remediation task changed compliance state after the next evaluation cycle completes.
- Build cross-subscription compliance workbooks that group policy states by assignment, resource type, region, or owner tag.
- Investigate whether a deployment failure reflects a current deny policy or an older stale compliance result.
- Provide auditors with timestamped policy evidence tied to resource IDs, assignment IDs, and compliance states.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Turning compliance dashboards into owner-specific action lists Scenario, objectives, solution, measured impact, and takeaway.
WindGrid Insights managed Azure subscriptions for turbine telemetry, forecasting models, and customer reporting. Executives saw low compliance percentages, but engineering teams needed exact resources and responsible owners.
- Identify non-compliant resources by assignment, owner tag, and resource type.
- Reduce time spent manually interpreting portal compliance dashboards.
- Prioritize security and diagnostics findings before cost hygiene findings.
- Provide weekly progress evidence without changing policy definitions.
Using Policy state, platform engineers built CLI and Resource Graph queries that grouped NonCompliant records by assignment ID, resource type, owner tag, and subscription. The query output was exported to a workbook and a ticket queue, with severity derived from the policy action and initiative category. Operators checked timestamps so recently remediated resources were not reopened before the next evaluation cycle. Each weekly report linked resources to the responsible product team and showed whether the state was new, repeated, exempt, or resolved. Policy definitions stayed unchanged; the improvement came from better use of state evidence. The workbook also highlighted findings older than seven days so owners could distinguish stale evidence from active drift.
- Manual compliance triage time dropped from twelve hours to three hours per week.
- Owner-tagged action lists increased remediation completion from 46 percent to 81 percent.
- Security diagnostic findings were resolved two reporting cycles earlier than planned.
- Executive reports shifted from percentages to timestamped resource-level evidence.
Policy state turns governance dashboards into concrete work when teams query it with ownership and priority in mind.
Scenario 02 Producing control evidence for a legal e-discovery platform Scenario, objectives, solution, measured impact, and takeaway.
Lexora Evidence Services hosted case-review workspaces for law firms handling sensitive discovery data. Clients asked for evidence that encryption, diagnostic, and public-access controls were evaluated across every workspace.
- Produce resource-level compliance evidence for client workspaces.
- Separate true non-compliance from approved exemptions and stale states.
- Document query scope, timestamps, and assignment IDs for repeatability.
- Avoid asking case teams to capture portal screenshots during legal deadlines.
Using Policy state, the governance team queried Microsoft.PolicyInsights data for the client-workspace management group and filtered results to storage, Key Vault, and database controls. CLI output was saved as JSON with query time, scope, assignment filters, and evidence owner. Exempt states were linked to approved client risk records, while NonCompliant records were routed to platform engineers for remediation. The team compared policy state timestamps with recent deployment history to avoid mislabeling resources that had been corrected but not yet re-evaluated. The final evidence package included summaries and representative state records for each control family.
- Evidence preparation fell from eight working days to three.
- Twenty-nine stale findings were removed after evaluation timestamps were reviewed.
- Approved exemptions were traceable to client risk records instead of appearing as unexplained gaps.
- Case teams avoided manual evidence collection during two active litigation deadlines.
Policy state is audit-ready only when scope, filters, timestamps, and exception context are captured with the data.
Scenario 03 Improving release gates for an insurance analytics platform Scenario, objectives, solution, measured impact, and takeaway.
Meridian Actuarial Systems deployed pricing models through Azure DevOps into several analytics subscriptions. Release gates were failing because old compliance snapshots treated resolved policy issues as current blockers.
- Gate releases on current high-severity policy states, not stale exports.
- Reduce false release failures caused by already remediated resources.
- Record assignment and resource IDs for every blocked deployment.
- Keep lower-risk cost findings visible without blocking urgent model updates.
Using Policy state, DevOps engineers added a pre-release CLI check that queried the target subscription for current NonCompliant records tied to security and diagnostics assignments. The script filtered by assignment IDs maintained in source control and ignored cost hygiene policies that were tracked separately. Each blocked release produced a JSON artifact showing resource ID, compliance state, policy action, assignment ID, and timestamp. After remediation, the pipeline reran the state query and required an updated evaluation before release. Platform owners reviewed recurring blockers monthly to decide whether policy definitions or templates needed adjustment. The review also compared findings with resource inventory to detect assets not represented in state output.
- False policy-gate failures decreased by 67 percent after timestamp filtering was added.
- Critical model releases still stopped when missing diagnostics or encryption controls were current.
- Every blocked release included exact resource and assignment evidence for the owning team.
- Monthly blocker reviews identified three deployment templates that needed baseline fixes.
Policy state makes release governance fairer when gates use fresh, scoped, and severity-aware compliance evidence.
Azure CLI
Azure CLI is one of the best ways to work with policy state because it turns compliance from a portal screenshot into queryable evidence. With a decade of Azure operations experience, I want to filter by assignment, resource, time range, action, and compliance state, then export the result in a format other systems can consume. The CLI helps during incident response because engineers can check one resource quickly without portal navigation. For governance programs, repeatable state queries are the backbone of dashboards, remediation lists, and audit packages. It gives teams a shared scriptable language for compliance evidence. during audits too.
Useful for
- Summarize non-compliant policy states at a management group or subscription before a governance review.
- List recent policy states for a specific resource to understand which assignments are affecting it.
- Filter state records by policy action, resource type, or location to prioritize remediation work.
- Export grouped policy state data into workbooks, ticket queues, or audit evidence repositories.
Before you run a command
- Confirm the Azure Policy resource provider and Policy Insights access are available for the target scope.
- Set the correct tenant and subscription, or use management group arguments when querying inherited governance results.
- Choose json output for evidence exports and table output only for quick human review.
- Remember that policy states reflect completed evaluations and may lag recent resource changes or remediation tasks.
What the output tells you
- ComplianceState indicates whether Azure Policy evaluated the resource as Compliant, NonCompliant, Exempt, Conflict, or another state.
- Policy assignment, definition, and set definition IDs identify which rule and scope produced the record.
- Resource ID, location, type, and timestamp fields show what was evaluated and when the state was recorded.
- Policy action fields, such as audit or deny, help operators connect the state to enforcement behavior and remediation options.
Mapped commands
Policy state CLI Commands
directaz policy state list --top 20 --order-by "timestamp desc" --output jsonaz policy state list --resource <resource-id> --expand PolicyEvaluationDetails --output jsonaz policy state list --filter "ComplianceState eq 'NonCompliant'" --top 100 --output jsonaz graph query -q "PolicyResources | summarize count() by tostring(properties.complianceState)" --output tableArchitecture context
As an Azure architect, I treat policy state as a governance telemetry source. It should feed dashboards, exception review, remediation planning, and security evidence, but it should not be mistaken for real-time application monitoring. Evaluation cycles, resource changes, and permissions affect what operators see. Good architecture defines who can query Policy Insights, which scopes are summarized, how historical evidence is retained, and how state data is correlated with deployments and activity logs. For large estates, state summaries and Resource Graph queries are better than manual portal review because they make compliance trends measurable. Dashboards should expose freshness and scope so leaders do not overread summary numbers. State review should be owned like monitoring, not treated as occasional audit work. I also expect ownership mapping so findings become assigned engineering work quickly. Without that context, numbers mislead.
- Security
- Security impact is observational but important. Policy state data can expose resource IDs, names, locations, compliance posture, policy assignments, exemptions, and security control failures. Access should be limited to teams that need governance evidence. Attackers or careless insiders could use state data to find weakly governed resources, such as public storage accounts or missing diagnostic settings. On the positive side, security teams use states to prioritize remediation and verify enforcement. State queries should be logged where appropriate, and exported evidence should be protected because it can reveal sensitive infrastructure patterns. Security programs should classify exports like control evidence, not casual inventory data.
- Cost
- Policy state has no direct SKU charge in normal use, but it influences cost management through the controls it reveals. States can show missing cost tags, disallowed SKUs, resources outside approved regions, or diagnostic policies that increase logging spend. Exporting and storing compliance evidence can create storage, query, or workspace costs depending on the reporting pipeline. The larger cost impact is operational: accurate states reduce time spent chasing false findings and help FinOps teams target the resources that actually violate cost policy. Stale or poorly filtered reports waste review cycles. Good state data keeps cost conversations focused on actual policy violations.
- Reliability
- Reliability impact is indirect. Policy state does not make a workload fail over or retry, but it helps identify missing controls that affect resilience, such as absent diagnostics, backup gaps, unsupported regions, or nonstandard SKUs. Operators must remember that state data may lag resource changes until evaluation completes. Reliable governance processes include rechecking states after remediation, correlating timestamps with deployments, and treating stale or NotRegistered results carefully. For critical controls, policy states should complement Azure Monitor, Resource Health, deployment history, and service-specific health checks. This avoids mistaking governance telemetry for service health signals needed during live incidents. during production incidents.
- Performance
- Policy state does not directly affect application latency or throughput. Its performance value is diagnostic and operational. Summaries let teams evaluate compliance across thousands of resources faster than manual inspection. Poorly designed queries, excessive time ranges, or unfiltered exports can slow reporting and overwhelm dashboards. For large estates, operators should use targeted filters, top counts, grouping, and Resource Graph samples rather than pulling every state record repeatedly. Fast access to the right state data improves remediation planning, release gating, and audit response time. Well-scoped queries reduce waiting time during change windows when teams need confidence fast. during urgent production reviews.
- Operations
- Operators use policy state to inspect, filter, summarize, and export compliance results. Common jobs include listing non-compliant resources by assignment, checking one resource before a change window, producing audit evidence, and identifying targets for remediation. CLI and Resource Graph make this practical at scale because portal views become slow and inconsistent across many subscriptions. Operations teams should document query filters, expected compliance states, and timestamp interpretation. They should also know when to trigger or wait for evaluation instead of assuming a recently changed resource will immediately show a new state. Good operators save query scope and output format so reviewers can reproduce results.
Common mistakes
- Treating policy state as real-time monitoring even though evaluation cycles and data refresh can lag changes.
- Querying the wrong scope and missing assignments inherited from a management group or applied at a resource group.
- Ignoring Exempt, Conflict, or NotRegistered states when building compliance reports that only count Compliant and NonCompliant.
- Using stale exported states as audit evidence without recording query time, scope, filters, and evaluation context.