azure automation runbook cannot read properties of azure policy definition or assignment

Seekell, Roger 66 Reputation points
2025-06-23T16:15:17.77+00:00

I have an Azure Automation Account. In my Runbook, I want to read the properties of a certain Policy Definition. Unfortunately, when the AA runs the PowerShell Runbook, it can only read the definition name, not its description or policy rule. My Automation Account ID has Reader on the management group. The script sees that there is an object, but only the name comes back with any value.

Please let me know how I can read properties of a policy definition like DisplayName and policyRule. Thanks.

I wrote this script to illustrate the problem. See the output below:

# Authenticate as the Automation Account's managed identity
Connect-AzAccount -Identity | Out-Null

# Take a small sample of definitions to illustrate the problem
$policyDefs = Get-AzPolicyDefinition | Select-Object -First 3

if ($null -eq $policyDefs) {
    Write-Error "No policy definitions were returned."
    return $null
}

foreach ($policyDef in $policyDefs) {
    # How many members does the returned object actually carry?
    $propCount = ($policyDef.PsObject.Properties | Measure-Object).Count
    Write-Output ("Property count:  " + $propCount)

    Write-Output ("ID:  " + $policyDef.Id)
    Write-Output ("name:  " + $policyDef.Name)
    Write-Output ("displayname:  " + $policyDef.DisplayName)
    Write-Output ("Policy Type:  " + $policyDef.PolicyType)

    # The rule body (if/then) is what comes back empty
    Write-Output ("Policy if:  " + $policyDef.PolicyRule.if)
    Write-Output ("Policy then:  " + $policyDef.PolicyRule.then)

    Write-Output ("Policy if count:  " + $policyDef.PolicyRule.if.count)
    Write-Output ("Policy if equals:  " + $policyDef.PolicyRule.if.equals)

    $policyDef.PolicyRule.if.count.value | ForEach-Object {
        Write-Output ("Policy if count value:  " + $_)
    }
}

6/23/2025, 12:09:46 PM - Output: Property count: 7
6/23/2025, 12:09:46 PM - Output: ID:
6/23/2025, 12:09:46 PM - Output: name: 0004bbf0-5099-4179-869e-e9ffe5fb0945
6/23/2025, 12:09:46 PM - Output: displayname:
6/23/2025, 12:09:47 PM - Output: Policy Type:
6/23/2025, 12:09:47 PM - Output: Policy if:
6/23/2025, 12:09:47 PM - Output: Policy then:
6/23/2025, 12:09:47 PM - Output: Policy if count: 0
6/23/2025, 12:09:47 PM - Output: Policy if equals:
6/23/2025, 12:09:47 PM - Output: Policy if count value:
6/23/2025, 12:09:47 PM - Output: Property count: 7
6/23/2025, 12:09:47 PM - Output: ID:
6/23/2025, 12:09:47 PM - Output: name: 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56
6/23/2025, 12:09:47 PM - Output: displayname:
6/23/2025, 12:09:47 PM - Output: Policy Type:
6/23/2025, 12:09:47 PM - Output: Policy if:
6/23/2025, 12:09:47 PM - Output: Policy then:
6/23/2025, 12:09:47 PM - Output: Policy if count: 0
6/23/2025, 12:09:47 PM - Output: Policy if equals:
6/23/2025, 12:09:47 PM - Output: Policy if count value:
6/23/2025, 12:09:47 PM - Output: Property count: 7
6/23/2025, 12:09:47 PM - Output: ID:
6/23/2025, 12:09:47 PM - Output: name: 001802d1-4969-4c82-a700-c29c6c6f9bbd
6/23/2025, 12:09:47 PM - Output: displayname:
6/23/2025, 12:09:47 PM - Output: Policy Type:
6/23/2025, 12:09:47 PM - Output: Policy if:
6/23/2025, 12:09:47 PM - Output: Policy then:
6/23/2025, 12:09:47 PM - Output: Policy if count: 0
6/23/2025, 12:09:47 PM - Output: Policy if equals:
6/23/2025, 12:09:47 PM - Output: Policy if count value:


Accepted answer
  1. hossein jalilian 10,905 Reputation points Volunteer Moderator
    2025-06-23T17:15:43.62+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    What you can do to fix it:

    Check permissions: Give the managed identity the Directory Readers role in Azure AD if you need user info. Make sure it has Reader or a custom role that allows reading policy definitions.

    Select properties explicitly: Instead of using Select-Object by itself, try specifying exactly which fields you want to see, such as:

    Get-AzPolicyDefinition | Select-Object Id, Name, DisplayName, Description, PolicyType, PolicyRule, Metadata | Format-List

    Specify the management group: If your Automation Account is in a different scope, include the -ManagementGroupName parameter.

    Update your PowerShell module: Make sure the Az.Resources module is version 7.3.0 or newer. Older versions might not show all properties.

    Try fetching by ID: Sometimes it's better to get the policy definition by its ID directly. This may return the full object with all fields.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    1 person found this answer helpful.

2 additional answers

  1. Seekell, Roger 66 Reputation points
    2025-06-25T12:56:41.2433333+00:00

    Thanks to the clue by @hossein jalilian I realized that the PowerShell72 runtime includes an old version of the Get-AzPolicyDefinition. I worked around the problem by creating my own runtime env with the latest version of Az.Resources and Az.Accounts.

    Also, I worked around the problem by using:

    (az policy definition show --name "name" --management-group "name" | ConvertFrom-Json)

    to get the information without changing the runtime environment.
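    The 7-member objects in the question's output are consistent with what older Az.Resources versions return from Get-AzPolicyDefinition (fields nested under .Properties, the resource id under PolicyDefinitionId), whereas Az.Resources 7.x flattens them to top-level Id, DisplayName and PolicyRule. The following runbook fragment is an added example, not code from the question or either answer: it logs the module version the sandbox actually loaded and reads DisplayName and PolicyRule from either shape. The nested field names (displayName, policyType, policyRule) are assumed from the older module's output format.

```powershell
# Added example: tolerate both the old (nested) and new (flat) Get-AzPolicyDefinition shapes.
Connect-AzAccount -Identity | Out-Null

# Log which Az.Resources the runtime loaded; this is the first thing to check when fields come back empty
Import-Module Az.Resources
Write-Output ("Az.Resources loaded: " + (Get-Module Az.Resources).Version)

function Get-PolicyDefinitionFields {
    param([Parameter(Mandatory)] $Definition)

    # Old shape (assumed from pre-7.x Az.Resources output): Name, ResourceId, ResourceName,
    # ResourceType, SubscriptionId, Properties, PolicyDefinitionId  -> 7 members, as in the question
    if ($Definition.PSObject.Properties['Properties'] -and $Definition.Properties) {
        $props = $Definition.Properties
        return [PSCustomObject]@{
            Shape       = 'nested'
            Id          = $Definition.PolicyDefinitionId
            Name        = $Definition.Name
            DisplayName = $props.displayName
            PolicyType  = $props.policyType
            PolicyRule  = $props.policyRule
        }
    }

    # New shape (Az.Resources 7.x): everything is a top-level member
    return [PSCustomObject]@{
        Shape       = 'flat'
        Id          = $Definition.Id
        Name        = $Definition.Name
        DisplayName = $Definition.DisplayName
        PolicyType  = $Definition.PolicyType
        PolicyRule  = $Definition.PolicyRule
    }
}

foreach ($def in (Get-AzPolicyDefinition | Select-Object -First 3)) {
    $f = Get-PolicyDefinitionFields -Definition $def
    Write-Output ("[{0}] {1} | {2} | {3}" -f $f.Shape, $f.Name, $f.DisplayName, $f.PolicyType)
    # The rule is a nested object; serialize it so the job log shows the whole if/then condition
    Write-Output ($f.PolicyRule | ConvertTo-Json -Depth 20)
}
```

    If you use the az CLI workaround from the answer above instead, the JSON you get back is the REST representation, so the same fields sit under .properties (for example .properties.displayName and .properties.policyRule).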


  2. Rahul Jorrigala 655 Reputation points Microsoft External Staff Moderator
    2025-06-25T09:08:18.5566667+00:00

    Hello Seekell, Roger,

    I hope this helps! Please let me know if you need any modifications or additional details.

    # Authenticate as the Automation Account's managed identity
    Connect-AzAccount -Identity | Out-Null
    $subscriptions = Get-AzSubscription

    foreach ($subscription in $subscriptions) {
        # Out-Null keeps the context object out of the runbook's output stream
        Set-AzContext -SubscriptionId $subscription.Id | Out-Null
        $policyComplianceData = Get-AzPolicyState
        $policyDefinitions = Get-AzPolicyDefinition
        $initiatives = Get-AzPolicySetDefinition

        foreach ($policy in $policyComplianceData) {
            # Last segment of the resource id is the resource name
            $resourceName = $policy.ResourceId -split '/' | Select-Object -Last 1

            # Match on the flat .Id member, which Az.Resources 7.x exposes
            $policyDefinition = $policyDefinitions | Where-Object { $_.Id -eq $policy.PolicyDefinitionId }
            $initiativeDefinition = $initiatives | Where-Object { $_.Id -eq $policy.PolicyDefinitionId }

            $policyType = ""
            $policyName = ""
            $policyId = ""

            if ($policyDefinition) {
                $policyType = "Policy Definition"
                $policyName = $policyDefinition.DisplayName
                $policyId = $policyDefinition.Id
            } elseif ($initiativeDefinition) {
                $policyType = "Initiative"
                $policyName = $initiativeDefinition.DisplayName
                $policyId = $initiativeDefinition.Id
            }

            $obj = [PSCustomObject]@{
                SubscriptionName        = $subscription.Name
                ComplianceState         = $policy.ComplianceState
                ResourceGroup           = $policy.ResourceGroup
                ResourceName            = $resourceName
                ResourceType            = $policy.ResourceType
                ResourceLocation        = $policy.ResourceLocation
                Timestamp               = $policy.Timestamp
                ResourceId              = $policy.ResourceId
                IsCompliant             = $policy.IsCompliant
                PolicyDefinitionAction  = $policy.PolicyDefinitionAction
                PolicyType              = $policyType
                PolicyName              = $policyName
                PolicyId                = $policyId
            }

            Write-Output $obj
        }
    }

    Output Reference: (image)

    Please let me know if you face any challenge here; I can help you to resolve this issue further.

    Provide your valuable Comments.

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
