{"id":1376,"library":"azure-mgmt-policyinsights","title":"Azure Management - Policy Insights","description":"The Azure Management Policy Insights client library for Python (version 1.0.0) provides functionality to query and analyze Azure Policy compliance. It allows retrieving policy states, events, and remediation details to understand resource compliance with defined policies. As part of the broader Azure SDK for Python, it follows a regular release cadence, primarily focusing on stability for 1.x versions and aligning with Azure API updates.","status":"active","version":"1.0.0","language":"en","source_language":"en","source_url":"https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/policyinsights/azure-mgmt-policyinsights","tags":["Azure","Cloud","Management","Policy","Compliance","Monitoring"],"install":[{"cmd":"pip install azure-mgmt-policyinsights azure-identity","lang":"bash","label":"Install with identity for authentication"}],"dependencies":[{"reason":"Commonly used for authenticating with Azure services.","package":"azure-identity","optional":true},{"reason":"Core dependency for REST client operations.","package":"msrest","optional":false},{"reason":"Core dependency for Azure-specific REST client operations.","package":"msrestazure","optional":false}],"imports":[{"symbol":"PolicyInsightsClient","correct":"from azure.mgmt.policyinsights import PolicyInsightsClient"},{"note":"Standard way to authenticate with Azure services.","symbol":"DefaultAzureCredential","correct":"from azure.identity import DefaultAzureCredential"}],"quickstart":{"code":"import os\nfrom azure.identity import DefaultAzureCredential\nfrom azure.mgmt.policyinsights import PolicyInsightsClient\n\n# Get subscription ID from environment variable\n# Ensure AZURE_SUBSCRIPTION_ID is set, e.g., in your shell or .env file.\nsubscription_id = os.environ.get(\"AZURE_SUBSCRIPTION_ID\", \"YOUR_SUBSCRIPTION_ID\")\n\nif subscription_id == \"YOUR_SUBSCRIPTION_ID\":\n    print(\"WARNING: Please 
set the AZURE_SUBSCRIPTION_ID environment variable for actual API calls.\")\n    print(\"Using a dummy subscription ID for client initialization. API calls will likely fail.\")\n    subscription_id = \"00000000-0000-0000-0000-000000000000\"\n\ntry:\n    # Authenticate using DefaultAzureCredential\n    # This tries various methods: environment variables, managed identity, Azure CLI, etc.\n    credential = DefaultAzureCredential()\n\n    # Create a PolicyInsights client\n    client = PolicyInsightsClient(credential, subscription_id)\n    print(f\"\\nPolicyInsightsClient initialized for subscription: {subscription_id}\")\n\n    # Example: Attempt to list a few policy events\n    # For actual data, you would typically add more filters (e.g., by time, resource).\n    print(\"\\nAttempting to list first few policy events (may require permissions and valid subscription ID)...\\n\")\n    # Query options such as top are passed through the QueryOptions model.\n    from azure.mgmt.policyinsights.models import QueryOptions\n\n    # policy_events takes the subscription ID directly; it has no scope argument.\n    events_iterator = client.policy_events.list_query_results_for_subscription(\n        subscription_id=subscription_id,\n        query_options=QueryOptions(top=1)  # Limit to 1 for quickstart output\n    )\n\n    found_event = False\n    for event in events_iterator:\n        print(f\"  Policy Assignment ID: {event.policy_assignment_id}\")\n        print(f\"  Policy Definition ID: {event.policy_definition_id}\")\n        print(f\"  Resource ID: {event.resource_id}\")\n        found_event = True\n        break # Only show the first one\n\n    if not found_event:\n        print(\"  No policy events found or unable to retrieve. 
Check your AZURE_SUBSCRIPTION_ID and Azure RBAC permissions.\")\n\nexcept Exception as e:\n    print(f\"\\nAn error occurred during client initialization or API call: {e}\")\n    print(\"Please ensure you have authenticated with Azure (e.g., `az login` or environment variables) and have the necessary permissions (e.g., 'Reader' role).\")\n","lang":"python","description":"Initializes the PolicyInsightsClient using DefaultAzureCredential and attempts to list the first policy event for the given subscription scope. This demonstrates client setup and a basic API interaction."},"warnings":[{"fix":"Authenticate via `az login` or configure environment variables for service principal. Assign appropriate RBAC roles via Azure portal or Azure CLI (e.g., `az role assignment create --role \"Reader\" --scope /subscriptions/<sub-id> --assignee <user-or-sp-id>`).","message":"Authentication and Permissions: Ensure your environment is set up for DefaultAzureCredential (e.g., `az login`, environment variables like AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) and the authenticated identity has the necessary Azure RBAC permissions (e.g., 'Reader' or 'Policy Insights Data Reader' role at the subscription/resource group scope) to query policy data. Authorization errors (401/403) are common if permissions are missing.","severity":"gotcha","affected_versions":"All"},{"fix":"Use `azure-mgmt-policy` for creating, updating, or deleting policy definitions, sets, and assignments.","message":"Policy Insights vs. Policy Management: This library (`azure-mgmt-policyinsights`) is strictly for *querying* policy states, events, and remediation. It is NOT for *defining* or *assigning* Azure Policies. 
For policy definition and assignment, use `azure-mgmt-policy`.","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure the `scope` parameter follows Azure Resource Manager ID format (e.g., `/subscriptions/{subscription_id}`, `/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}`). Verify permissions for the specified scope.","message":"Correct Scope for Queries: All policy insights queries (e.g., `list_query_results_for_subscription`, `list_query_results_for_resource_group`) require a correctly formatted 'scope' parameter. Common mistakes include malformed scope strings or attempting to query a scope for which the authenticated identity lacks permissions.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}