Azure CLI shows a policyDefinitionReferenceId that does not exist in the policySetDefinition #31028
Description
Describe the bug
There is a discrepancy between the information displayed in Azure CLI and Azure Portal regarding a specific policy exemption reference ID.
Azure Portal shows the policy reference as:
functionAppsShouldHaveClientCertificatesEnabledMonitoring
The policy set definition (initiative) also lists:
functionAppsShouldHaveClientCertificatesEnabledMonitoring
Azure CLI, when retrieving an existing exemption, returns:
functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect
Related command
✔ az version
{
"azure-cli": "2.70.0",
"azure-cli-core": "2.70.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"account": "0.2.5",
"managementpartner": "1.0.0",
"resource-graph": "2.1.1"
}
}
Errors
Issue Summary
There is a discrepancy between the information displayed in Azure CLI and Azure Portal regarding a specific policy exemption reference ID in the initiative:
📌 Policy Set Definition (Initiative) ID:
/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Issue script & Debug output
Steps to Reproduce
Check the initiative's policy set definition (in Azure Portal and CLI):
az policy set-definition show --name "1f3afdf9-d0c9-4c3d-847f-89da613e70a8" \
  --query "policyDefinitions[*].policyDefinitionReferenceId" -o json | grep -i functionAppsShouldHaveClientCertificatesEnabledMonitoring
Expected: Should return functionAppsShouldHaveClientCertificatesEnabledMonitoring.
Actual Result: The policy set definition does not contain the reference ID "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect".
List the existing policy exemptions via Azure CLI:
az policy exemption list --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --query "[?policyAssignmentId=='/providers/microsoft.management/managementgroups/xxxxx/providers/microsoft.authorization/policyassignments/yyyyy']" -o json
Expected: The reference ID should match what is in the policy set.
Actual Result: The exemption lists functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect, which is not present in the initiative anymore.
Verify in Azure Portal:
Go to Policy → Assignments → Edit Exemption → Policies.
Searching for "Function Apps" shows functionAppsShouldHaveClientCertificatesEnabledMonitoring, but not functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect.
Expected behavior
Azure CLI should return the same policy reference ID as the one listed in the initiative and the Azure Portal UI.
Actual Behavior
Azure CLI returns functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect, which does not exist in the initiative anymore.
Possible Cause
The reference ID may have been renamed or removed from the policy set, but Azure CLI is still referencing the old version.
The exemption was originally created when the reference ID included "Effect", but now that the initiative has changed, CLI is not updating its output correctly.
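A check for the situation described above, added here as an example (not code from the report or from the azure-cli project): it parses the JSON shapes returned by `az policy set-definition show` and `az policy exemption list`, reports every exemption reference ID the initiative no longer defines, and names the closest current ID as a hint for a rename. The two sample documents are constructed and trimmed to the fields the check reads; the field names follow the Azure Policy exemption and policy set definition schema. An exemption that points at a reference ID the initiative no longer contains should be reviewed after any initiative update, since it no longer maps to the control it was meant to narrow.

```python
import difflib
import json

# Constructed sample shaped like `az policy set-definition show -o json` output,
# trimmed to the fields this check reads (an assumption, not captured output).
SET_DEFINITION_JSON = """{
  "name": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
  "policyDefinitions": [
    {"policyDefinitionReferenceId": "functionAppsShouldHaveClientCertificatesEnabledMonitoring"},
    {"policyDefinitionReferenceId": "appServiceAppsShouldUseLatestTlsVersionMonitoring"}
  ]
}"""

ASSIGNMENT_ID = ("/providers/microsoft.management/managementgroups/xxxxx"
                 "/providers/microsoft.authorization/policyassignments/yyyyy")

# Constructed sample shaped like `az policy exemption list -o json` output.
EXEMPTIONS_JSON = json.dumps([
    {"name": "exempt-func-certs", "policyAssignmentId": ASSIGNMENT_ID,
     "policyDefinitionReferenceIds": ["functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect"]},
    {"name": "exempt-tls", "policyAssignmentId": ASSIGNMENT_ID,
     "policyDefinitionReferenceIds": ["appServiceAppsShouldUseLatestTlsVersionMonitoring"]},
    {"name": "exempt-whole-assignment", "policyAssignmentId": ASSIGNMENT_ID,
     "policyDefinitionReferenceIds": None},
])


def initiative_reference_ids(set_definition_json):
    """Collect the policyDefinitionReferenceId values the initiative currently defines."""
    definition = json.loads(set_definition_json)
    return {d["policyDefinitionReferenceId"] for d in definition["policyDefinitions"]}


def stale_exemption_references(exemptions_json, valid_ids, assignment_id):
    """Return one record per exemption reference ID that the initiative no longer
    defines, with the closest current ID as a hint for what it may have been renamed to."""
    findings = []
    for exemption in json.loads(exemptions_json):
        # Resource IDs are case-insensitive, so normalise before comparing assignments.
        if exemption["policyAssignmentId"].lower() != assignment_id.lower():
            continue
        # A missing or empty list exempts every policy in the assignment: nothing to check.
        for ref_id in exemption.get("policyDefinitionReferenceIds") or []:
            if ref_id not in valid_ids:
                close = difflib.get_close_matches(ref_id, sorted(valid_ids), n=1, cutoff=0.8)
                findings.append({"exemption": exemption["name"], "stale_id": ref_id,
                                 "closest": close[0] if close else None})
    return findings
```

Feed it the real `-o json` output of the two commands in the report (the set definition and the exemption list) in place of the constructed samples to audit a live assignment.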