Adding the policy definition version to the reconstructed policy definition object and check for the version element in 4 places.

Scripts/Helpers/Build-PolicyPlan.ps1

@@ -49,12 +49,13 @@ function Build-PolicyPlan {
 
         $definitionProperties = Get-PolicyResourceProperties -PolicyResource $definitionObject
         $name = $definitionObject.name
-            
+
         $id = "$deploymentRootScope/providers/Microsoft.Authorization/policyDefinitions/$name"
         $displayName = $definitionProperties.displayName
         $description = $definitionProperties.description
         $metadata = Get-DeepCloneAsOrderedHashtable $definitionProperties.metadata
         $mode = $definitionProperties.mode
+        $version = $definitionProperties.version
         $parameters = $definitionProperties.parameters
         $policyRule = $definitionProperties.policyRule
         if ($null -ne $metadata) {
@@ -114,6 +115,7 @@ function Build-PolicyPlan {
             displayName = $displayName
             description = $description
             mode        = $mode
+            version     = $version
             metadata    = $metadata
             parameters  = $parameters
             policyRule  = $policyRule
@@ -193,7 +195,7 @@ function Build-PolicyPlan {
             Write-Information "New '$($displayName)'"
         }
     }
-       
+
 
     $strategy = $PacEnvironment.desiredState.strategy
     foreach ($id in $deleteCandidates.Keys) {

Scripts/Helpers/Build-PolicySetPlan.ps1

@@ -49,6 +49,7 @@ function Build-PolicySetPlan {
         $displayName = $definitionProperties.displayName
         $description = $definitionProperties.description
         $metadata = Get-DeepCloneAsOrderedHashtable $definitionProperties.metadata
+        $version = $definitionProperties.version
         $parameters = $definitionProperties.parameters
         $policyDefinitions = $definitionProperties.policyDefinitions
         $policyDefinitionGroups = $definitionProperties.policyDefinitionGroups
@@ -182,6 +183,7 @@ function Build-PolicySetPlan {
             displayName            = $displayName
             description            = $description
             metadata               = $metadata
+            version                = $version
             parameters             = $parameters
             policyDefinitions      = $policyDefinitionsFinal
             policyDefinitionGroups = $policyDefinitionGroupsFinal

Scripts/Helpers/Confirm-PolicyDefinitionsInPolicySetMatch.ps1

@@ -41,15 +41,21 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
             }
             if ($null -ne $item2.definitionVersion) {
                 # ignore auto-generated definitionVersion, only compare if Policy definition entry has a definitionVersion
-                $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].properties.version
-                if ($null -eq $deployedPolicyDefinitionVersion) {
-                    # Custom policy definition - version is in a different place
-                    $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].metadata.version
+                if ($null -eq $Definitions[$item1.policyDefinitionId].properties) {
+                    # The properties object does not exist, it probably has been splatted
+                    $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].version
+                    if ($null -eq $deployedPolicyDefinitionVersion) {
+                        # If the version is not found it could be in metadata.version
+                        $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].metadata.version
+                    }
+                }
+                else {
+                    $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].properties.version
+                    if ($null -eq $deployedPolicyDefinitionVersion) {
+                        # Policy definition entry does not have a properties.version, it could be in properties.metadata.version
+                        $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].properties.metadata.version
+                    }
                 }
-                # $definitionVersionMatches = $item1.definitionVersion -eq $item2.definitionVersion
-                # if (!$definitionVersionMatches) {
-                #     return $false
-                # }
                 $definitionVersionMatches = Compare-SemanticVersion -Version1 $deployedPolicyDefinitionVersion -Version2 $item2.definitionVersion
                 if ($definitionVersionMatches -ne 0) {
                     Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
@@ -79,7 +85,7 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
                     return $false
                 }
             }
-            
+
             $parametersUsageMatches = Confirm-ParametersUsageMatches `
                 -ExistingParametersObj $item1.parameters `
                 -DefinedParametersObj $item2.parameters `