
Azure CLI shows a policyDefinitionReferenceId that does not exist in the policySetDefinition #31028

Open
gbmdia1 opened this issue Mar 13, 2025 · 1 comment


gbmdia1 commented Mar 13, 2025

Describe the bug

There is a discrepancy between the information displayed in Azure CLI and Azure Portal regarding a specific policy exemption reference ID.

Azure Portal shows the policy reference as:
functionAppsShouldHaveClientCertificatesEnabledMonitoring
The policy set definition (initiative) also lists:
functionAppsShouldHaveClientCertificatesEnabledMonitoring
Azure CLI, when retrieving an existing exemption, returns:
functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect

Related command

az version
{
"azure-cli": "2.70.0",
"azure-cli-core": "2.70.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"account": "0.2.5",
"managementpartner": "1.0.0",
"resource-graph": "2.1.1"
}
}

Steps to Reproduce

Check the initiative's policy set definition (in Azure Portal and CLI):

az policy set-definition show --name "" \
  --query "policyDefinitions[*].policyDefinitionReferenceId" -o json | grep -i functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect

Expected: Should return functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect
Actual Result: The policy set definition does not contain the reference ID "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect".

List the existing policy exemptions via Azure CLI:

az policy exemption list --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --query "[?policyAssignmentId=='/providers/microsoft.management/managementgroups/xxxxx/providers/microsoft.authorization/policyassignments/yyyyy']" -o json

Expected: The reference ID should match what is in the policy set.
Actual Result: The exemption lists functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect, which is not present in the initiative anymore.

Verify in Azure Portal:

Go to Policy → Assignments → Edit Exemption → Policies.
Searching for "Function Apps" shows functionAppsShouldHaveClientCertificatesEnabledMonitoring, but not functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect.

Expected Behavior

Azure CLI should return the same policy reference ID as the one listed in the initiative and the Azure Portal UI.
Actual Behavior

Azure CLI returns functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect, which does not exist in the initiative anymore.
Possible Cause

The reference ID may have been renamed or removed from the policy set, but Azure CLI is still referencing the old version.
The exemption was originally created when the reference ID included "Effect", but now that the initiative has changed, CLI is not updating its output correctly.

Errors

Issue Summary

There is a discrepancy between the information displayed in Azure CLI and Azure Portal regarding a specific policy exemption reference ID in the initiative:
📌 Policy Set Definition (Initiative) ID:

/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8

Issue script & Debug output

Steps to Reproduce

Check the initiative's policy set definition (in Azure Portal and CLI):

az policy set-definition show --name "1f3afdf9-d0c9-4c3d-847f-89da613e70a8" \
  --query "policyDefinitions[*].policyDefinitionReferenceId" -o json | grep -i functionAppsShouldHaveClientCertificatesEnabledMonitoring

Expected: Should return functionAppsShouldHaveClientCertificatesEnabledMonitoring.
Actual Result: The policy set definition does not contain the reference ID "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect".

List the existing policy exemptions via Azure CLI:

az policy exemption list --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --query "[?policyAssignmentId=='/providers/microsoft.management/managementgroups/xxxxx/providers/microsoft.authorization/policyassignments/yyyyy']" -o json

Expected: The reference ID should match what is in the policy set.
Actual Result: The exemption lists functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect, which is not present in the initiative anymore.

Verify in Azure Portal:

Go to Policy → Assignments → Edit Exemption → Policies.
Searching for "Function Apps" shows functionAppsShouldHaveClientCertificatesEnabledMonitoring, but not functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect.

@gbmdia1 gbmdia1 added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Mar 13, 2025
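The drift described in the report is worth checking across a whole scope, not one exemption at a time: an exemption pinned to a reference ID that the initiative no longer declares stops waiving the control it was written for, and the portal's exemption editor does not surface the stale value. The script below is an added example, not code from the issue or from Azure CLI. It consumes the JSON shapes that `az policy set-definition show` and `az policy exemption list` emit, compares each exemption's `policyDefinitionReferenceIds` against the initiative's `policyDefinitionReferenceId` values by exact match, and flags the mismatches. The sample set definition, assignment ID and exemptions are constructed in the shape of that output (the policy definition GUIDs are placeholders); the case/suffix "candidate" hint is a heuristic of this example, not an Azure matching rule. The `load_from_az` helper only runs when you pass an initiative name and scope on the command line and needs an authenticated `az`.

```python
#!/usr/bin/env python3
"""Cross-check Azure Policy exemptions against the initiative they target.

Reports every exemption whose policyDefinitionReferenceIds are no longer
declared by the policy set definition (initiative), plus exemptions that
carry no reference IDs at all (those exempt the entire assignment).
"""
import json
import subprocess
import sys

# Constructed sample data, shaped like the output of
# `az policy set-definition show` and `az policy exemption list`.
# Reference IDs mirror the issue; policyDefinitionId values are placeholders.
SAMPLE_SET_DEFINITION = {
    "name": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "policyDefinitions": [
        {
            "policyDefinitionReferenceId": "functionAppsShouldHaveClientCertificatesEnabledMonitoring",
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000001",
        },
        {
            "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccessMonitoring",
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000002",
        },
    ],
}

SAMPLE_ASSIGNMENT = (
    "/providers/microsoft.management/managementgroups/xxxxx"
    "/providers/microsoft.authorization/policyassignments/yyyyy"
)

SAMPLE_EXEMPTIONS = [
    {   # Created when the initiative still used the "...Effect" suffix.
        "name": "func-client-cert-waiver",
        "policyAssignmentId": SAMPLE_ASSIGNMENT,
        "exemptionCategory": "Waiver",
        "policyDefinitionReferenceIds": ["functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect"],
    },
    {   # Still matches the initiative.
        "name": "storage-mitigated",
        "policyAssignmentId": SAMPLE_ASSIGNMENT,
        "exemptionCategory": "Mitigated",
        "policyDefinitionReferenceIds": ["storageAccountsShouldRestrictNetworkAccessMonitoring"],
    },
    {   # No reference IDs: exempts every policy in the assignment.
        "name": "blanket-waiver",
        "policyAssignmentId": SAMPLE_ASSIGNMENT,
        "exemptionCategory": "Waiver",
        "policyDefinitionReferenceIds": None,
    },
]


def reference_ids(set_definition):
    """Reference IDs currently declared by the initiative."""
    return {d["policyDefinitionReferenceId"] for d in set_definition["policyDefinitions"]}


def candidates_for(stale_ref, valid_ids):
    """Heuristic (this example's, not Azure's): valid IDs that differ from the
    stale one only by case or by a suffix, e.g. '...MonitoringEffect' vs
    '...Monitoring'. Hints for the reviewer who decides whether to re-point."""
    s = stale_ref.lower()
    return sorted(v for v in valid_ids
                  if v.lower() == s or s.startswith(v.lower()) or v.lower().startswith(s))


def check_exemptions(set_definition, exemptions, assignment_id=None):
    """One finding per (exemption, reference ID). status is 'ok', 'stale' or
    'whole-assignment'. ARM resource IDs are case-insensitive, so the optional
    assignment filter compares lower-cased IDs; reference IDs are matched exactly."""
    valid = reference_ids(set_definition)
    findings = []
    for ex in exemptions:
        if assignment_id and ex.get("policyAssignmentId", "").lower() != assignment_id.lower():
            continue
        refs = ex.get("policyDefinitionReferenceIds") or []
        if not refs:
            findings.append({"exemption": ex["name"], "reference_id": None,
                             "status": "whole-assignment", "candidates": []})
            continue
        for ref in refs:
            status = "ok" if ref in valid else "stale"
            findings.append({"exemption": ex["name"], "reference_id": ref, "status": status,
                             "candidates": candidates_for(ref, valid) if status == "stale" else []})
    return findings


def load_from_az(set_name, scope):
    """Fetch live data with the same two commands the issue uses.
    Requires an authenticated `az`; not used on the sample run."""
    def run(*args):
        return json.loads(subprocess.check_output(["az", *args, "-o", "json"], text=True))
    return (run("policy", "set-definition", "show", "--name", set_name),
            run("policy", "exemption", "list", "--scope", scope))


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: script.py <initiative-name> <scope> [assignment-id]
        set_def, exemptions = load_from_az(sys.argv[1], sys.argv[2])
        assignment = sys.argv[3] if len(sys.argv) > 3 else None
    else:
        set_def, exemptions, assignment = SAMPLE_SET_DEFINITION, SAMPLE_EXEMPTIONS, SAMPLE_ASSIGNMENT
    for f in check_exemptions(set_def, exemptions, assignment):
        print(f"{f['status']:16} {f['exemption']:24} {f['reference_id']}  {f['candidates'] or ''}")
```

On the sample data the first exemption is reported as stale with the un-suffixed ID as its only candidate, the second as ok, and the blanket exemption as whole-assignment; the last case is worth reviewing separately, since an exemption without reference IDs silently widens as the initiative gains policies.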
@yonzhan
Collaborator

yonzhan commented Mar 13, 2025

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Mar 13, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Mar 13, 2025
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Mar 13, 2025
@yonzhan yonzhan added this to the Backlog milestone Mar 13, 2025