Loading...

Quickstart: Manual Effect in Azure Policy

Quickstart: Manual Effect in Azure Policy

Recently, a new feature called “Manual effect” popped out to users and it is still in the PREVIEW stage. It allows users to self-attest the compliance of resources or scopes. In another word, it gives users a chance to determine the compliance result of the specific resource and the reason. Currently, it is mostly used inside the Security related built-in policies and initiatives. In this post, I will briefly introduce what it looks like and how it works.

 

There are multiple built-in policies under the Security category to check the subscription level compliance results with manual effect. For the built-in example, you may check “Issue public key certificates” (policy definition ID: /providers/Microsoft.Authorization/policyDefinitions/97d91b33-7050-237b-3e23-a77d57d84e13). This policy only scans the target subscriptions but does not make any additional evaluation. It gives the control to users to change the compliance results for each target subscription.

 

Following is a custom policy example to illustrate how to use the manual effect and what is the result.

 

  • Policy definition with manual effect

To illustrate the whole steps clearly, I created a custom policy which is checking the cloud services with “Prod” tag value. I set this custom policy with manual effect whose defaultState value is “Unknown”.

 

Yi_Yang_0-1672108707964.png

 

You can also use “Compliant” or “Non-compliant” as the defaultState.  All applicable resources will be set to the default state specified in the definition.

 

The following screenshot is the evaluation results after this policy was assigned to my subscription. You can see the cloud service with “Prod” tag is marked as “Unknown”, the defaultState mentioned with the manual effect.

 

Yi_Yang_0-1672046084739.png

 

Yi_Yang_1-1672044943629.png

 

  • Setting the compliance status by creating an attestation with REST API

You need to create attestations for each resource to change the compliance results of a resource or scope targeted by a manual policy. Currently, the only supported way to operate the attestation is through REST API.

 

In this example, I changed this cloud service compliance from the “Unknown” status to “Compliant” with the following REST API:

Attestations - Create Or Update At Resource - REST API (Azure Policy) | Microsoft Learn

 

You need to fill in the target resource information and the required evaluation result in the request body. The completed parameter list and their explanation can be found in the above doc link.


Following is an example to change the resource status from “Unknown” to “Compliant” with REST API.

 

Yi_Yang_0-1672109262810.png

 

Below is the request body being used for the example above: 

 

{
"properties": {
"policyAssignmentId": "/subscriptions/xx",
"complianceState": "Compliant",
"expiresOn": "2023-06-15T00:00:00Z",
"owner": "the owner principal ID",
"comments": "test one cses to Compliant from Unknown",
"evidence": [
{
"description": "test one CSESto Compliant from Unknown",
"sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"
}
],
"assessmentDate": "2022-12-26T06:25:00Z",
}
}

 

  • Updated compliance result

After the new assessment is completed, you will see the target resource has been changed to the required compliant result.

 

Yi_Yang_2-1672045044051.png

 

 

Reference Doc: Understand how effects work - Azure Policy | Microsoft Learn

 

 

 

Published on:

Learn more
Azure PaaS Blog articles
Azure PaaS Blog articles

Azure PaaS Blog articles

Share post:

Related posts

Building on Vercel’s eve + Azure Cosmos DB: An Agent That Remembers

Most “AI agent” demos forget everything the moment the process exits. That’s fine for a toy project, but useless for anythin...

4 hours ago

Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)

We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...

1 day ago

See our new Azure Cosmos DB Design Patterns

Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...

1 day ago

Need a different partition key in Azure Cosmos DB? Pick the right approach

Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...

2 days ago

Azure SDK Release (June 2026)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...

2 days ago

Fundamentals of Azure DevOps with SQL projects

Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...

6 days ago

Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers

Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...

6 days ago

What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)

We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...

7 days ago

Power Automate Flow — HTTP Trigger to Azure OpenAI

Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...

9 days ago

Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB

The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...

9 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy