Update-AzPolicyAttestation
Modifies a policy attestation.
Syntax
UpdateBySubscriptionId (Default)
Update-AzPolicyAttestation
-Name <String>
[-SubscriptionId <String>]
[-AssessmentDate <DateTime>]
[-Comment <String>]
[-ComplianceState <String>]
[-Evidence <IAttestationEvidence[]>]
[-ExpiresOn <DateTime>]
[-Metadata <String>]
[-Owner <String>]
[-PolicyAssignmentId <String>]
[-PolicyDefinitionReferenceId <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateByResourceGroup
Update-AzPolicyAttestation
-Name <String>
-ResourceGroupName <String>
[-SubscriptionId <String>]
[-AssessmentDate <DateTime>]
[-Comment <String>]
[-ComplianceState <String>]
[-Evidence <IAttestationEvidence[]>]
[-ExpiresOn <DateTime>]
[-Metadata <String>]
[-Owner <String>]
[-PolicyAssignmentId <String>]
[-PolicyDefinitionReferenceId <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateByResourceId
Update-AzPolicyAttestation
-ResourceId <String>
[-Name <String>]
[-AssessmentDate <DateTime>]
[-Comment <String>]
[-ComplianceState <String>]
[-Evidence <IAttestationEvidence[]>]
[-ExpiresOn <DateTime>]
[-Metadata <String>]
[-Owner <String>]
[-PolicyAssignmentId <String>]
[-PolicyDefinitionReferenceId <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateByScope
Update-AzPolicyAttestation
-Name <String>
-Scope <String>
[-AssessmentDate <DateTime>]
[-Comment <String>]
[-ComplianceState <String>]
[-Evidence <IAttestationEvidence[]>]
[-ExpiresOn <DateTime>]
[-Metadata <String>]
[-Owner <String>]
[-PolicyAssignmentId <String>]
[-PolicyDefinitionReferenceId <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateViaIdentity
Update-AzPolicyAttestation
-InputObject <IPolicyInsightsIdentity>
[-AssessmentDate <DateTime>]
[-Comment <String>]
[-ComplianceState <String>]
[-Evidence <IAttestationEvidence[]>]
[-ExpiresOn <DateTime>]
[-Metadata <String>]
[-Owner <String>]
[-PolicyAssignmentId <String>]
[-PolicyDefinitionReferenceId <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Update-AzPolicyAttestation cmdlet modifies a policy attestation.
Note: An existing policy attestation's policyAssignmentId or policyDefinitionReferenceId cannot be modified.
Examples
Example 1: Update an attestation by name
# Update the existing attestation by resource name at subscription scope (default)
$comment = "Setting the state to non compliant"
$attestationName = "Attestation-SubscriptionScope-Crud"
$policyAssignmentId = "/subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/providers/Microsoft.Authorization/policyAssignments/PSAttestationSubAssignment"
Update-AzPolicyAttestation -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "NonCompliant" -Comment $comment
AssessmentDate :
Comment : Setting the state to non compliant
ComplianceState : NonCompliant
Evidence :
ExpiresOn :
Id : /subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/providers/microsoft.policyinsights/attestations/attestation-subscriptionscope-crud
LastComplianceStateChangeAt : 3/27/2026 6:50:22 PM
Metadata : {
}
Name : Attestation-SubscriptionScope-Crud
Owner :
PolicyAssignmentId : /subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/providers/microsoft.authorization/policyassignments/psattestationsubassignment
PolicyDefinitionReferenceId :
ProvisioningState : Succeeded
ResourceGroupName :
SystemDataCreatedAt : 3/26/2026 9:01:05 PM
SystemDataCreatedBy : username@microsoft.com
SystemDataCreatedByType : User
SystemDataLastModifiedAt : 3/27/2026 6:50:22 PM
SystemDataLastModifiedBy : username@microsoft.com
SystemDataLastModifiedByType : User
Type : Microsoft.PolicyInsights/attestations
The command here sets the compliance state and adds a comment to an existing attestation with name 'Attestation-SubscriptionScope-Crud'.
Example 2: Update an attestation by ResourceId
# Get an attestation
$rgName = "ps-attestation-test-rg"
$attestationName = "Attestation-RGScope-Crud"
$attestation = Get-AzPolicyAttestation -ResourceGroupName $rgName -Name $attestationName
# Update the existing attestation by resource ID at RG scope
$expiresOn = [System.DateTime]::UtcNow.AddYears(1)
Update-AzPolicyAttestation -Id $attestation.Id -ExpiresOn $expiresOn
AssessmentDate :
Comment :
ComplianceState : Compliant
Evidence :
ExpiresOn : 3/27/2027 6:54:11 PM
Id : /subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/resourcegroups/ps-attestation-test-rg/providers/microsoft.policyinsights/attestations/attestation-rgscope-crud
LastComplianceStateChangeAt : 3/26/2026 9:28:05 PM
Metadata : {
}
Name : attestation-rgscope-crud
Owner :
PolicyAssignmentId : /subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/providers/microsoft.authorization/policyassignments/psattestationrgassignment
PolicyDefinitionReferenceId :
ProvisioningState : Succeeded
ResourceGroupName : ps-attestation-test-rg
SystemDataCreatedAt : 3/26/2026 9:28:05 PM
SystemDataCreatedBy : username@microsoft.com
SystemDataCreatedByType : User
SystemDataLastModifiedAt : 3/27/2026 6:54:39 PM
SystemDataLastModifiedBy : username@microsoft.com
SystemDataLastModifiedByType : User
Type : Microsoft.PolicyInsights/attestations
The first command gets an existing attestation at the resource group 'ps-attestation-test-rg' with the name 'attestation-rgscope-crud'.
The final command updates the expiry time of the policy attestation by the ResourceId property of the existing attestation.
Example 3: Update an attestation by input object
# Get an attestation
$attestationName = "Attestation-ResourceScope-Crud"
$scope = "/subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/resourceGroups/ps-attestation-test-rg/providers/Microsoft.Network/networkSecurityGroups/pstests0"
$attestation = Get-AzPolicyAttestation -Name $attestationName -Scope $scope
# Update attestation by input object
$newOwner = "Test Owner 2"
$attestation | Update-AzPolicyAttestation -Owner $newOwner
AssessmentDate :
Comment :
ComplianceState : Compliant
Evidence :
ExpiresOn :
Id : /subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/resourcegroups/ps-attestation-test-rg/providers/microsoft.network/networksecuritygroups/pstests0/providers/microsoft.policyinsights/attestations/attestation-resourcescope-crud
LastComplianceStateChangeAt : 3/26/2026 9:28:50 PM
Metadata : {
}
Name : attestation-resourcescope-crud
Owner : Test Owner 2
PolicyAssignmentId : /subscriptions/e5a130f3-57fd-46b6-9c55-03d21a853935/providers/microsoft.authorization/policyassignments/psattestationresourceassignment
PolicyDefinitionReferenceId :
ProvisioningState : Succeeded
ResourceGroupName : ps-attestation-test-rg
SystemDataCreatedAt : 3/26/2026 9:28:50 PM
SystemDataCreatedBy : username@microsoft.com
SystemDataCreatedByType : User
SystemDataLastModifiedAt : 3/27/2026 6:59:14 PM
SystemDataLastModifiedBy : username@microsoft.com
SystemDataLastModifiedByType : User
Type : Microsoft.PolicyInsights/attestations
The first command gets an existing attestation with name 'attestation-resourcescope-crud' for the given resource using its resource id as the scope.
The final command updates the owner of the policy attestation by using piping.
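The examples above change ComplianceState, ExpiresOn and Owner one attestation at a time. The following added example (not part of the original reference) checks attestation objects for missing expiry, evidence or owner before they are updated. The function name, the review rules, the 30-day window and the sample objects are assumptions made for illustration; the Description and SourceUri evidence fields are assumed, since the evidence shape is not shown on this page.

```powershell
# Added example: review rules and sample objects are constructed for illustration.
function Get-AttestationReviewFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Attestation,
        [datetime] $Now = [datetime]::UtcNow,
        [int] $WarnDays = 30   # hypothetical review window
    )
    process {
        $reasons = @()
        if ($Attestation.ComplianceState -eq 'Compliant') {
            # A manual Compliant assertion should carry an expiry and supporting evidence.
            if ($null -eq $Attestation.ExpiresOn) { $reasons += 'Compliant without ExpiresOn' }
            if (-not $Attestation.Evidence)       { $reasons += 'Compliant without Evidence' }
        }
        if ($null -ne $Attestation.ExpiresOn) {
            if ($Attestation.ExpiresOn -lt $Now) {
                $reasons += 'Expired'
            } elseif ($Attestation.ExpiresOn -lt $Now.AddDays($WarnDays)) {
                $reasons += "Expires within $WarnDays days"
            }
        }
        if ([string]::IsNullOrWhiteSpace($Attestation.Owner)) { $reasons += 'No Owner' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $Attestation.Name; Id = $Attestation.Id; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample objects using the property names from the output shown above.
$evidence = @([pscustomobject]@{ Description = 'Constructed review record'; SourceUri = 'https://example.invalid/review.pdf' })
$sample = @(
    [pscustomobject]@{ Name = 'att-a'; Id = '<attestation-id-a>'; ComplianceState = 'Compliant'
                       ExpiresOn = $null; Evidence = $null; Owner = $null }
    [pscustomobject]@{ Name = 'att-b'; Id = '<attestation-id-b>'; ComplianceState = 'Compliant'
                       ExpiresOn = [datetime]'2027-03-27'; Evidence = $evidence; Owner = '<entra-object-id>' }
    [pscustomobject]@{ Name = 'att-c'; Id = '<attestation-id-c>'; ComplianceState = 'Compliant'
                       ExpiresOn = [datetime]'2026-04-10'; Evidence = $evidence; Owner = '<entra-object-id>' }
)
$findings = $sample | Get-AttestationReviewFinding -Now ([datetime]'2026-03-27')
$findings | Format-Table -AutoSize -Wrap

# Against a real attestation, using only cmdlets and parameters shown on this page.
# -WhatIf previews the update without running it.
# Get-AzPolicyAttestation -ResourceGroupName $rgName -Name $attestationName | Get-AttestationReviewFinding
# Update-AzPolicyAttestation -Id $attestation.Id -ExpiresOn ([datetime]::UtcNow.AddDays(90)) -WhatIf
```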
Parameters
-AssessmentDate
The time the evidence was assessed.
Parameter properties
Type: DateTime
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Comment
Comments describing why this attestation was created.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-ComplianceState
The Compliance State of the resource.
E.g. 'Compliant', 'NonCompliant', 'Unknown'.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False
Aliases: cf
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-DefaultProfile
The DefaultProfile parameter is not functional.
Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.
Parameter properties
Type: PSObject
Default value: None
Supports wildcards: False
DontShow: False
Aliases: AzureRMContext, AzureCredential
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Evidence
The evidence supporting the compliance state set in this attestation.
Parameter properties
Type: Microsoft.Azure.PowerShell.Cmdlets.PolicyInsights.Models.IAttestationEvidence[]
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-ExpiresOn
The time the compliance state should expire.
Parameter properties
Type: DateTime
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-InputObject
Identity Parameter
Parameter properties
Type: Microsoft.Azure.PowerShell.Cmdlets.PolicyInsights.Models.IPolicyInsightsIdentity
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
UpdateViaIdentity
Position: Named
Mandatory: True
Value from pipeline: True
Value from pipeline by property name: False
Value from remaining arguments: False
-Metadata
Additional metadata for this attestation.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Name
The name of the attestation.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: AttestationName
Parameter sets
UpdateBySubscriptionId
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
UpdateByResourceGroup
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
UpdateByScope
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Owner
The person responsible for setting the state of the resource.
This value is typically a Microsoft Entra object ID.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-PolicyAssignmentId
The resource ID of the policy assignment that the attestation is setting the state for.
E.g. '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}'.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-PolicyDefinitionReferenceId
The policy definition reference ID from a policy set definition that the attestation is setting the state for.
If the policy assignment assigns a policy set definition, the attestation can choose a definition within the set definition with this property, or omit this property and set the state for the entire set definition.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-ResourceGroupName
The name of the resource group.
The name is case insensitive.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
UpdateByResourceGroup
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-ResourceId
ID of the resource that the attestation was made against or the full Resource ID of the attestation.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: Id
Parameter sets
UpdateByResourceId
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Scope
Scope of the resource.
E.g. '/subscriptions/{subscriptionId}/resourceGroups/{rgName}'.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
UpdateByScope
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-SubscriptionId
The ID of the target subscription.
Uses current subscription if one isn't provided.
Parameter properties
Type: String
Default value: (Get-AzContext).Subscription.Id
Supports wildcards: False
DontShow: False
Parameter sets
UpdateBySubscriptionId
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
UpdateByResourceGroup
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False
Aliases: wi
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
Inputs
Microsoft.Azure.PowerShell.Cmdlets.PolicyInsights.Models.IPolicyInsightsIdentity
Outputs
Microsoft.Azure.PowerShell.Cmdlets.PolicyInsights.Models.IAttestation
Notes
ALIASES
Set-AzPolicyAttestation