At Microsoft Ignite 2023 MS was discussing a soon-to-be-released ability for an Azure Resource Policy definition to be allowed to invoke a Graph API query and use the results as part of the Policy evaluation.
A year later and I'm struggling to find the documentation and/or ability to do this. Specifically I need to inspect our Virtual Network Peerings to ensure they are peered to VNets within the same Tenant.
Since I don't believe the Peering resource actually includes a tenant id I suspect querying Graph would be the practical option to determine if the peers reside within the current tenant.
How do I write an Azure Resource Graph query within the definition of an Azure Resource Policy, and use the results of the query to inform the outcome of the policy?
Note that Azure Policy cannot directly invoke Graph API or Resource Graph queries for tenant-level validation in its policy evaluation.
For example, use Azure Resource Graph to query your Virtual Network Peerings and retrieve the necessary data about the VNets involved:

```kusto
Resources
| where type == "Microsoft.Network/virtualNetworkPeerings"
| project name, resourceGroup, location, properties
```

You can use the tenantId from Microsoft Graph to compare with your current tenant.
Azure Policy can be set to evaluate certain conditions (such as whether the peering is within the allowed subscription or resource group), but the final validation against the tenant requires external automation (e.g., Azure Functions or Logic Apps).
As for the feature discussed at Microsoft Ignite 2023, it relates to graphing connections outside the tenant rather than allowing Azure Policy to query the Graph API directly.
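The comparison step the answer describes, written out as an added example that is not part of the original answer: it takes the rows a Resource Graph query returns, pulls the subscription ID out of each peering's `properties.remoteVirtualNetwork.id`, and checks it against the set of subscriptions that belong to the current tenant. The sample rows and subscription IDs are constructed for this example; the shape of the projected rows and the way the tenant's subscription list is obtained (for instance `az account list`) are assumptions, not output from the asker's environment.

```python
import json
import re

# Constructed sample of what a Resource Graph query for peerings might return,
# projected to the fields this check needs. remoteVirtualNetwork.id is the
# peering property that names the far-side VNet; the surrounding row shape is
# an assumption for this example.
SAMPLE_PEERINGS_JSON = """
[
  {"name": "hub-to-spoke1", "resourceGroup": "rg-hub",
   "properties": {"remoteVirtualNetwork": {"id":
     "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-spoke1/providers/Microsoft.Network/virtualNetworks/vnet-spoke1"}}},
  {"name": "hub-to-partner", "resourceGroup": "rg-hub",
   "properties": {"remoteVirtualNetwork": {"id":
     "/subscriptions/99999999-9999-9999-9999-999999999999/resourceGroups/rg-partner/providers/Microsoft.Network/virtualNetworks/vnet-partner"}}},
  {"name": "hub-to-broken", "resourceGroup": "rg-hub",
   "properties": {"remoteVirtualNetwork": {"id": "not-a-resource-id"}}}
]
"""

# Constructed: subscription IDs that belong to the current tenant. In practice
# this set would be built from something like `az account list --query "[].id"`
# run by an identity that can see every subscription in the tenant.
TENANT_SUBSCRIPTIONS = {
    "00000000-0000-0000-0000-000000000000",
    "11111111-1111-1111-1111-111111111111",
}

# Azure resource IDs start with /subscriptions/<GUID>/; capture the GUID.
_SUB_ID_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)


def remote_subscription_id(peering):
    """Return the lowercase subscription ID embedded in the peering's remote
    VNet resource ID, or None when the ID is missing or malformed."""
    remote_id = (peering.get("properties", {})
                        .get("remoteVirtualNetwork", {})
                        .get("id", ""))
    match = _SUB_ID_RE.match(remote_id)
    return match.group(1).lower() if match else None


def classify_peerings(peerings, tenant_subscriptions):
    """Split peerings into in-tenant, cross-tenant, and unparseable buckets.

    A remote subscription that is not in the tenant's list is reported as
    cross-tenant; an unparseable remote ID is reported separately rather than
    silently passed, so a malformed row cannot hide a cross-tenant peering."""
    allowed = {s.lower() for s in tenant_subscriptions}
    result = {"in_tenant": [], "cross_tenant": [], "unknown": []}
    for peering in peerings:
        sub_id = remote_subscription_id(peering)
        if sub_id is None:
            result["unknown"].append(peering["name"])
        elif sub_id in allowed:
            result["in_tenant"].append(peering["name"])
        else:
            result["cross_tenant"].append(peering["name"])
    return result


def audit(peerings_json, tenant_subscriptions):
    """Parse the query output (JSON text) and classify every peering."""
    return classify_peerings(json.loads(peerings_json), tenant_subscriptions)


if __name__ == "__main__":
    report = audit(SAMPLE_PEERINGS_JSON, TENANT_SUBSCRIPTIONS)
    for bucket, names in report.items():
        print(f"{bucket}: {names}")
```

Because the check is a set membership test against subscriptions the auditing identity can enumerate, a subscription in the same tenant that the identity cannot see will be reported as cross-tenant; run the audit with read access across the whole tenant, and treat the `unknown` bucket as findings to investigate rather than as passes. This is the kind of logic that would sit in the Azure Function or Logic App the answer mentions, with the policy itself only covering the conditions it can evaluate natively.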