Edit

Share via

View Machine Configuration Compliance Reporting

Once you've deployed your configuration, compliance results are available across three key surfaces in Azure: Policy Assignments, Guest Assignments, and Azure Resource Graph (ARG). Each surface serves a distinct purpose — from high-level policy compliance to deep machine-level evidence and large-scale reporting.

Policy Compliance Page

Use this view to validate which policies are deployed, where they're scoped, and how they're performing at a policy level.

View Assigned Policies

  1. Navigate to Azure Policy → Compliance.

  2. View each entry, which shows a deployed assignment and its target scope (subscription, management group, or resource group).

  3. If needed, use filters such as Policy definition equals all, or Subscription ID equals all to narrow the list.

Screenshot of Azure Policy Compliance page showing policy assignments with filters and export options.

Use Export to CSV to generate quick audit reports or share assignment inventories with your compliance team.

View Compliance Summary

Open Azure Policy → Compliance to monitor compliance by initiative or policy definition.
The Overall resource compliance chart summarizes compliant vs. non-compliant resources at a glance. Select any initiative or policy assignment to view resource-level results.

Drill Down to Machine-Level Evidence

From the Compliance view:

  1. Select a policy assignment.

Screenshot of policy assignment selection showing compliance status and resource details.

  1. In the Resource compliance tab, click "Details" next to the resource name.

  2. In the details pane, select Last evaluated resource.

Screenshot of resource compliance details pane with Last evaluated resource link highlighted.

This opens the corresponding Guest Assignment, providing traceability between the Azure Policy rule and on-machine configuration evidence.

This connection bridges policy intent (defined in Azure Policy) with real machine state (reported by the Machine Configuration agent).

Guest Assignments

Use this view to investigate machine-level compliance for each assigned policy and pinpoint exactly which rules are passing or failing.

View All Guest Assignments

  1. Navigate to Machine Configuration → Guest Assignments.

  2. View each row represents a machine's evaluation against an assigned policy.

  3. Observe the Status column, which indicates whether the machine is Compliant, NonCompliant, or Pending.

Screenshot of Guest Assignments list showing machines with compliance status indicators.

Explore Rule-Level Results

Click a Guest Assignment name (e.g., AzureLinuxBaseline) to open detailed results.
The results table includes:

  • Configuration item name and benchmark reference

  • Compliance state (✅ Compliant / ❌ Non-compliant)

  • Reason for non-compliance (for example, missing configuration, audit failure, or file mismatch)

Use this view to perform root-cause analysis and prepare evidence for internal or external security audits.

Screenshot of detailed rule-level compliance results showing configuration items and benchmark references.

Relationship to Azure Policy

Every Machine Configuration Azure Policy assignment creates a Guest Assignment for each machine within the scope of the policy. This ensures that machines inherit their baseline definitions consistently from the assigned policy, maintaining alignment between governance intent and technical enforcement.

Azure Resource Graph (ARG)

For large-scale reporting and automation, you can query Machine Configuration results directly using Azure Resource Graph (ARG).
This enables you to build dashboards, automate compliance summaries, and integrate Machine Configuration insights into existing compliance tooling.

View All Guest Assignments in ARG

  1. Open Resource Graph Explorer in the Azure portal.

  2. Select a scope (management group or subscription).

  3. Search for the guestconfigurationresources table.

Screenshot of Azure Resource Graph Explorer showing guestconfigurationresources table selection.

Example Query: Identify Non-Compliant Machines

guestconfigurationresources  
| where type =~ "microsoft.guestconfiguration/guestconfigurationassignments"  
| project properties.targetResourceId, name, properties.complianceStatus, properties.policyAssignmentId  
| where properties_complianceStatus =~ "NonCompliant"

This query lists:

  • Target Resource ID – the VM or Arc-enabled server evaluated

  • Assignment Name – the applied baseline or configuration

  • Compliance Status – the result of the most recent audit

  • Policy Assignment ID – the Azure Policy that triggered the Guest Assignment

Filter and Extend

You can extend your queries by filtering for:

  • Compliance state (Compliant, NonCompliant, or Pending)

  • Assignment name or machine type (Microsoft.Compute, Microsoft.HybridCompute)

  • Subscription, region, or policy assignment

Results can be exported to CSV or integrated into Power BI dashboards for organizational compliance tracking.

Other Programmatic Access

While this guide focuses on portal-based experiences, all compliance and assignment data can also be accessed programmatically through the following APIs, SDKs, and reference guides.

Surface Documentation Reference
Azure Policy Azure Policy documentation overview
az policy CLI reference
Azure Policy REST API reference
Machine Configuration / Guest Assignments Azure Machine Configuration documentation
Guest Configuration REST API reference
az guestconfig CLI reference
Get-AzGuestConfigurationAssignment PowerShell cmdlet
Azure Resource Graph (ARG) Azure Resource Graph overview
Query examples and schema reference
az graph CLI reference
Azure Resource Graph REST API reference

These APIs enable you to automate compliance data collection, integrate results with existing reporting pipelines, and build dashboards that combine policy-level visibility, machine-level detail, and cross-environment trends.

Next Steps

  • Last updated on