az policy assignment
Manage policy assignments.
Policy assignments are used to apply a policy definition or policy set definition to a given resource scope.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy assignment create | Create a policy assignment. | Core | GA |
az policy assignment delete | Delete a policy assignment. | Core | GA |
az policy assignment identity | Managed identity of the policy assignment. | Core | GA |
az policy assignment identity assign | Assign a managed identity. | Core | GA |
az policy assignment identity remove | Remove the managed identity. | Core | GA |
az policy assignment identity show | Retrieve the managed identity. | Core | GA |
az policy assignment list | Retrieve all applicable policy assignments. | Core | GA |
az policy assignment non-compliance-message | Non-compliance message used by the policy assignment. | Core | GA |
az policy assignment non-compliance-message create | Create a non-compliance message. | Core | GA |
az policy assignment non-compliance-message delete | Delete a non-compliance message. | Core | GA |
az policy assignment non-compliance-message list | Retrieve non-compliance messages. | Core | GA |
az policy assignment non-compliance-message show | Retrieve a non-compliance message. | Core | GA |
az policy assignment non-compliance-message update | Update a non-compliance message. | Core | GA |
az policy assignment show | Retrieve a policy assignment. | Core | GA |
az policy assignment update | Update a policy assignment. | Core | GA |
az policy assignment create
Create a policy assignment.
Create a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.
az policy assignment create [--assign-identity --mi-system-assigned --system-assigned]
[--definition-version]
[--description]
[--display-name]
[--enforcement-mode {Default, DoNotEnforce}]
[--identity-scope]
[--location]
[--metadata]
[--mi-user-assigned --user-assigned]
[--name]
[--non-compliance-messages]
[--not-scopes]
[--overrides]
[--params]
[--policy]
[--policy-set-definition]
[--resource-group]
[--resource-selectors]
[--role]
[--scope]
Examples
Create a resource policy assignment at scope
az policy assignment create --scope "/providers/Microsoft.Management/managementGroups/{managementGroupName}" --policy {policyName} -p "{ 'allowedLocations': { 'value': [ 'australiaeast', 'eastus', 'japaneast' ] } }"
Create a resource policy assignment and provide rule parameter values
az policy assignment create --policy {policyName} -p "{ 'allowedLocations': { 'value': [ 'australiaeast', 'eastus', 'japaneast' ] } }"
Create a resource policy assignment with a system assigned identity
az policy assignment create --name myPolicy --policy {policyName} --mi-system-assigned --location eastus
Create a resource policy assignment with a system assigned identity with Contributor role access to the subscription
az policy assignment create --name myPolicy --policy {policyName} --mi-system-assigned --identity-scope /subscriptions/{subscriptionId} --role Contributor --location eastus
Create a resource policy assignment with a user assigned identity
az policy assignment create --name myPolicy --policy {policyName} -g MyResourceGroup --mi-user-assigned myAssignedId --location westus
Create a resource policy assignment with an enforcement mode
az policy assignment create --name myPolicy --policy {policyName} --enforcement-mode DoNotEnforce
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--assign-identity --mi-system-assigned --system-assigned
Sets the system assigned managed identity.
Property | Value |
---|---|
Parameter group: | Identity Arguments |
--definition-version
The policy version to assign.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--description
Policy assignment description.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--display-name
The display name of the policy assignment.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--enforcement-mode
The policy assignment enforcement mode.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Default value: | Default |
Accepted values: | Default, DoNotEnforce |
--identity-scope
Scope that the system assigned identity can access.
--location
The location of the policy assignment.
Property | Value |
---|---|
Parameter group: | Parameters Arguments |
--metadata
The policy assignment metadata. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--mi-user-assigned --user-assigned
Sets the user assigned managed identity. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Identity Arguments |
--name
The name of the policy assignment.
--non-compliance-messages
The messages that describe why a resource is non-compliant with the policy. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | non-compliance-message Arguments |
--not-scopes
The policy assignment excluded scopes. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--overrides
The policy override. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--params
The parameter values for the assigned policy rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--policy
The name or resource ID of the policy definition or policy set definition to be assigned.
--policy-set-definition
The policy definition or policy set definition to assign.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-selectors
The resource selectors list to filter policies by resource properties. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--role
Role name or id that will be assigned to the managed identity.
--scope
The scope of the policy assignment.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy assignment delete
Delete a policy assignment.
Delete the policy assignment with the given name and scope.
az policy assignment delete --name
[--resource-group]
[--scope]
Examples
Delete a policy assignment at scope
az policy assignment delete --scope subscriptions/{subscriptionId} --name EnforceNaming
Delete a policy assignment
az policy assignment delete --name MyPolicyAssignment
Required Parameters
--name
The name of the policy assignment.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--scope
The scope of the policy assignment.
az policy assignment list
Retrieve all applicable policy assignments.
Retrieve the list of all policy assignments applicable to the given subscription or management group.
az policy assignment list [--disable-scope-strict-match {0, 1, f, false, n, no, t, true, y, yes}]
[--expand]
[--filter]
[--management-group]
[--max-items]
[--next-token]
[--resource-group]
[--scope]
Examples
List policy assignments that apply to a resource group
az policy assignment list --resource-group TestResourceGroup --filter atScope() --expand LatestDefinitionVersion, EffectiveDefinitionVersion
List policy assignments that apply to a management group
az policy assignment list --management-group TestManagementGroup --filter atScope()
List policy assignments that apply to a subscription
az policy assignment list --filter atScope()
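An added example (not part of the original reference): a Python check over saved output of `az policy assignment list --output json` that flags assignments set to `DoNotEnforce`, assignments with excluded scopes, and assignments carrying a managed identity whose role grants should be reviewed. The sample records are constructed, and the JSON field names `enforcementMode`, `notScopes` and `identity` are assumptions about the output shape.

```python
import json

# Constructed sample of `az policy assignment list --output json`; the
# field names (enforcementMode, notScopes, identity) are assumptions.
SAMPLE_JSON = """
[
  {"name": "allowed-locations", "enforcementMode": "Default",
   "notScopes": [], "identity": null},
  {"name": "audit-only-tagging", "enforcementMode": "DoNotEnforce",
   "notScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/legacy-rg"],
   "identity": null},
  {"name": "deploy-diagnostics", "enforcementMode": "Default",
   "notScopes": null,
   "identity": {"type": "SystemAssigned",
                "principalId": "11111111-1111-1111-1111-111111111111"}}
]
"""


def audit_assignments(assignments):
    """Return (assignment name, finding kind, detail) tuples for review."""
    findings = []
    for item in assignments:
        name = item.get("name", "<unnamed>")
        # A missing mode is treated as the documented default, "Default".
        mode = item.get("enforcementMode") or "Default"
        if mode.lower() == "donotenforce":
            findings.append((name, "not-enforced", mode))
        # Every excluded scope is a place where the policy does not apply.
        for scope in item.get("notScopes") or []:
            findings.append((name, "excluded-scope", scope))
        # An identity may hold a role (e.g. Contributor); review its grants.
        identity = item.get("identity") or {}
        id_type = identity.get("type")
        if id_type and id_type != "None":
            detail = f"{id_type} principal {identity.get('principalId', 'unknown')}"
            findings.append((name, "managed-identity", detail))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit_assignments(json.loads(SAMPLE_JSON)):
        print(f"{name}: {kind}: {detail}")
```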
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--disable-scope-strict-match
Include policy assignments either inherited from parent scopes or at child scopes.
Property | Value |
---|---|
Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
--expand
Additional properties to include in output.
--filter
Filter list results.
--management-group
The management group.
--max-items
Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in the --next-token argument of a subsequent command.
Property | Value |
---|---|
Parameter group: | Pagination Arguments |
--next-token
Token to specify where to start paginating. This is the token value from a previously truncated response.
Property | Value |
---|---|
Parameter group: | Pagination Arguments |
--resource-group
The resource group.
--scope
Scope at which to list applicable policy assignments. If scope is not provided, the scope will be the implied or specified subscription.
az policy assignment show
Retrieve a policy assignment.
Retrieve and show the details of a single policy assignment with the given name and scope.
az policy assignment show --name
[--expand]
[--resource-group]
[--scope]
Examples
Show a resource policy assignment
az policy assignment show --name MyPolicyAssignment
Required Parameters
--name
The name of the policy assignment.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--expand
Additional properties to include in output.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--scope
The scope of the policy assignment.
az policy assignment update
Update a policy assignment.
Update the policy assignment with the given name and scope by applying the given property values.
az policy assignment update --name
[--add]
[--definition-version]
[--description]
[--display-name]
[--enforcement-mode {Default, DoNotEnforce}]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--location]
[--metadata]
[--non-compliance-messages]
[--not-scopes]
[--overrides]
[--params]
[--policy]
[--policy-set-definition]
[--remove]
[--resource-group]
[--resource-selectors]
[--scope]
[--set]
Examples
Update a resource policy assignment's description
az policy assignment update --name myPolicy --description 'My policy description'
Required Parameters
--name
The name of the policy assignment.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--definition-version
The policy version to assign.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--description
Policy assignment description.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--display-name
The display name of the policy assignment.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--enforcement-mode
The policy assignment enforcement mode.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Accepted values: | Default, DoNotEnforce |
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
--location
The location of the policy assignment.
Property | Value |
---|---|
Parameter group: | Parameters Arguments |
--metadata
The policy assignment metadata. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--non-compliance-messages
The messages that describe why a resource is non-compliant with the policy. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | non-compliance-message Arguments |
--not-scopes
The policy assignment excluded scopes. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--overrides
The policy property value override. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--params
The parameter values for the assigned policy rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--policy
The name or resource ID of the policy definition or policy set definition to be assigned.
--policy-set-definition
The policy definition or policy set definition to assign.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-selectors
The resource selectors list to filter policies by resource properties. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--scope
The scope of the policy assignment.
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |