Get-AzExemptions: Add -ExportForEpac flag to output EPAC-ready JSON #1278

@verschaevesiebe

Hi All,

When managing exemptions across multiple tenants, a common workflow is to create exemptions directly in the Azure Portal (either yourself or via colleagues), then import them back into the EPAC source repository.

Get-AzExemptions currently outputs the full Azure resource representation, which includes several fields that are not valid in an EPAC policyExemptions JSON file — such as deployedBy, status, expiresInDays, provisioningState, and others. This requires a manual cleanup step on every export before the output can be committed to the repo.

Proposed solution
Add an optional switch parameter -ExportForEpac (or similar) to Get-AzExemptions that:

- Strips all fields not recognised by EPAC's exemption schema.
- Outputs JSON that can be copied directly into the appropriate policyExemptions folder without modification.
- Optionally writes output to the correct EPAC folder structure (e.g. mirroring -OutputFolder behaviour elsewhere in the toolset).

Current workaround
Manually remove fields like deployedBy, status, expiresInDays, provisioningState etc. after every export. This is error-prone and friction-heavy, especially when running the script as part of a daily sync routine.

Impact
This would significantly improve the portal-to-repo exemption lifecycle for teams where exemptions are sometimes created outside of EPAC (e.g. by platform consumers or during incidents), which is a realistic operational pattern in enterprise environments.

Feel free to adjust the proposed flag name — -ExportForEpac is descriptive but something like -EpacFormat or -Clean might also fit the existing naming conventions in the script surface. Worth checking what similar export flags look like in the rest of the toolset before implementing this.

Hope this comes soon 🥇
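
The manual cleanup described under "Current workaround" can be scripted until such a switch exists. This is an added example, not code from the issue author or from EPAC: `ConvertTo-CleanExemption` and `Get-LeftoverField` are hypothetical helpers, the sample JSON is constructed, and it assumes the four fields named in the issue sit at the top level of each exported exemption.

```powershell
# Fields the issue names as invalid in an EPAC policyExemptions file.
# The issue says "and others", so this list is incomplete; extend it as needed.
$StripFields = @('deployedBy', 'status', 'expiresInDays', 'provisioningState')

function ConvertTo-CleanExemption {
    # Hypothetical helper: copies every top-level property except the listed ones.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Exemption,
        [string[]] $Remove = $StripFields
    )
    process {
        $clean = [ordered]@{}
        foreach ($p in $Exemption.PSObject.Properties) {
            if ($Remove -notcontains $p.Name) { $clean[$p.Name] = $p.Value }
        }
        [pscustomobject]$clean
    }
}

function Get-LeftoverField {
    # Hypothetical check: names of listed fields still present on an exemption,
    # so a daily sync job can stop before committing an uncleaned export.
    param(
        [Parameter(Mandatory)] [psobject] $Exemption,
        [string[]] $Remove = $StripFields
    )
    @($Exemption.PSObject.Properties.Name | Where-Object { $Remove -contains $_ })
}

# Constructed sample standing in for exported exemptions; all values are placeholders.
$exported = @'
[
  { "name": "example-exemption", "displayName": "Example exemption",
    "exemptionCategory": "Waiver", "deployedBy": "placeholder",
    "status": "active", "expiresInDays": 30, "provisioningState": "Succeeded" }
]
'@ | ConvertFrom-Json

$cleaned = @($exported | ConvertTo-CleanExemption)
foreach ($e in $cleaned) {
    $left = @(Get-LeftoverField -Exemption $e)
    if ($left.Count -gt 0) { throw "Fields still present: $($left -join ', ')" }
}

# -InputObject keeps the JSON array wrapper even when there is a single exemption.
ConvertTo-Json -InputObject $cleaned -Depth 10
```

`Get-LeftoverField` can also be run on its own over exemption objects already in the repository to find entries that were committed without cleanup.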

Labels: feature request (User is suggesting a new feature)
