Get-NonCompliantNetworks.ps1

$policyName = "DDoS"
$roleToNotify = "Owner"

$policy = Get-AzPolicyDefinition | Where-Object { $_.Properties.displayname -eq $policyName }
$nonCompliantNetworks = Get-AzPolicyState | Where-Object { $_.ComplianceState -eq "NonCompliant" -and $_.PolicyDefinitionName -eq $policy.Name } | Group-Object SubscriptionId

foreach($group in $nonCompliantNetworks) {
    $subscriptionId = $group.Name
    $networks = $group.Group

    $users = @()
    $assignments = Get-AzRoleAssignment -Scope "/subscriptions/$($subscriptionId)" | Where-Object RoleDefinitionName -eq $roleToNotify
    foreach($assignment in $assignments) {
        $user = Get-AzADUser -ObjectId $assignment.ObjectId
        if($user.Mail) {
            $users += $user
        }
    }

    Write-Host -ForegroundColor Yellow "Subscription $($subscriptionId) contains $($networks.Count) non-compliant networks:"
    foreach($network in $networks) {
        $network = Get-AzResource -ResourceId $network.ResourceId
        " * $($network.Name) (Resoure Group: $($network.ResourceGroupName))"
    }

    Write-Host -ForegroundColor Yellow "`nUsers in role $($roleToNotify) to notify:"
    foreach($user in $users) {
        "   * $($user.DisplayName) ($($user.Mail))"
    }
    "----------------------------------------------------------------------------------------------`n`n"
}