Deployments - What If At Management Group Scope
Returns changes that will be made by the deployment if executed at the scope of the management group.
POST https://management.azure.com/providers/Microsoft.Management/managementGroups/{groupId}/providers/Microsoft.Resources/deployments/{deploymentName}/whatIf?api-version=2025-04-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
deployment
|
path | True |
string minLength: 1maxLength: 64 pattern: ^[-\w\._\(\)]+$ |
The name of the deployment. |
|
group
|
path | True |
string minLength: 1maxLength: 90 |
The management group ID. |
|
api-version
|
query | True |
string |
The API version to use for this operation. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| ___location | True |
string |
The ___location to store the deployment data. |
| properties | True |
The deployment properties. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK - Returns What-If operation status |
|
| 202 Accepted |
Accepted - Returns URL in Location header to query for long-running operation status. Headers
|
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Predict template changes at management group scope
Sample request
POST https://management.azure.com/providers/Microsoft.Management/managementGroups/myManagementGruop/providers/Microsoft.Resources/deployments/exampleDeploymentName/whatIf?api-version=2025-04-01
{
"___location": "eastus",
"properties": {
"templateLink": {
"uri": "https://example.com/exampleTemplate.json"
},
"parameters": {},
"mode": "Incremental"
}
}
Sample response
{
"status": "Succeeded",
"properties": {
"changes": [
{
"resourceId": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyAssignment",
"changeType": "Modify",
"before": {
"apiVersion": "2019-06-01",
"id": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyAssignment",
"type": "Microsoft.Authorization/policyAssignments",
"name": "myPolicyAssignment",
"___location": "westus2",
"properties": {
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyDefinition",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
"enforcementMode": "Default"
}
},
"after": {
"resourceId": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyAssignment",
"changeType": "Modify",
"before": {
"apiVersion": "2019-06-01",
"id": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyAssignment",
"type": "Microsoft.Authorization/policyAssignments",
"name": "myPolicyAssignment",
"___location": "westus2",
"properties": {
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyDefinition",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
"enforcementMode": "DoNotEnforce"
}
},
"delta": [
{
"path": "properties.enforcementMode",
"propertyChangeType": "Modify",
"before": "Default",
"after": "DoNotEnforce"
}
]
}
},
{
"resourceId": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyAssignment2",
"changeType": "Create",
"after": {
"apiVersion": "2019-06-01",
"id": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyAssignment2",
"type": "Microsoft.Authorization/policyAssignments",
"name": "myPolicyAssignment2",
"___location": "westus2",
"properties": {
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/myManagementGroup/providers/Microsoft.Authorization/policyAssignments/myPolicyDefinition",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000002",
"enforcementMode": "Default"
}
}
}
]
}
}Location: /subscriptions/4d0ca63b-7939-4c9c-afbe-5fafae501724/operationresults/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZDefinitions
| Name | Description |
|---|---|
|
Change |
Type of change that will be made to the resource when the deployment is executed. |
|
Cloud |
An error response for a resource management request. |
|
Debug |
The debug setting. |
|
Deployment |
|
|
Deployment |
|
|
Deployment |
|
|
Deployment |
Deployment external input for parameterization. |
|
Deployment |
Deployment external input definition for parameterization. |
|
Deployment |
The mode that is used to deploy resources. This value can be either Incremental or Complete. In Incremental mode, resources are deployed without deleting existing resources that are not included in the template. In Complete mode, resources are deployed and existing resources in the resource group that are not included in the template are deleted. Be careful when using Complete mode as you may unintentionally delete resources. |
|
Deployment |
Deployment parameter for the template. |
|
Deployment |
Deployment What-if properties. |
|
Deployment |
Deployment What-If operation settings. |
|
Error |
The resource management error additional info. |
|
Error |
Error Response |
|
Expression |
Specifies whether template expressions are evaluated within the scope of the parent template or nested template. |
|
Expression |
The scope to be used for evaluation of parameters, variables and functions in a nested template. |
|
Extension |
|
|
Key |
Azure Key Vault parameter reference. |
|
Key |
Azure Key Vault reference. |
| Level |
Denotes the additional response level. |
|
On |
Deployment on error behavior. |
|
On |
The deployment on error behavior type. Possible values are LastSuccessful and SpecificDeployment. |
|
Parameters |
Entity representing the reference to the deployment parameters. |
|
Property |
The type of property change. |
|
Scoped |
Deployment What-if operation parameters. |
|
Template |
Entity representing the reference to the template. |
|
Validation |
The level of validation performed on the deployment. |
|
What |
Information about a single resource change predicted by What-If operation. |
|
What |
Result of the What-If operation. Contains a list of predicted changes and a URL link to get to the next set of results. |
|
What |
The predicted change to the resource property. |
|
What |
The format of the What-If results |
ChangeType
Type of change that will be made to the resource when the deployment is executed.
| Value | Description |
|---|---|
| Create |
The resource does not exist in the current state but is present in the desired state. The resource will be created when the deployment is executed. |
| Delete |
The resource exists in the current state and is missing from the desired state. The resource will be deleted when the deployment is executed. |
| Ignore |
The resource exists in the current state and is missing from the desired state. The resource will not be deployed or modified when the deployment is executed. |
| Deploy |
The resource exists in the current state and the desired state and will be redeployed when the deployment is executed. The properties of the resource may or may not change. |
| NoChange |
The resource exists in the current state and the desired state and will be redeployed when the deployment is executed. The properties of the resource will not change. |
| Modify |
The resource exists in the current state and the desired state and will be redeployed when the deployment is executed. The properties of the resource will change. |
| Unsupported |
The resource is not supported by What-If. |
CloudError
An error response for a resource management request.
| Name | Type | Description |
|---|---|---|
| error |
Error Response |
DebugSetting
The debug setting.
| Name | Type | Description |
|---|---|---|
| detailLevel |
string |
Specifies the type of information to log for debugging. The permitted values are none, requestContent, responseContent, or both requestContent and responseContent separated by a comma. The default is none. When setting this value, carefully consider the type of information you are passing in during deployment. By logging information about the request or response, you could potentially expose sensitive data that is retrieved through the deployment operations. |
DeploymentDiagnosticsDefinition
| Name | Type | Description |
|---|---|---|
| additionalInfo |
The error additional info. |
|
| code |
string |
The error code. |
| level |
Denotes the additional response level. |
|
| message |
string |
The error message. |
| target |
string |
The error target. |
DeploymentExtensionConfigItem
| Name | Type | Description |
|---|---|---|
| keyVaultReference |
The Azure Key Vault reference used to retrieve the secret value of the extension config property. |
|
| type |
The value type of the extension config property. |
|
| value |
|
The value of the extension config property. |
DeploymentExtensionDefinition
| Name | Type | Description |
|---|---|---|
| alias |
string |
The alias of the extension as defined in the deployment template. |
| config |
<string,
Deployment |
The extension configuration. |
| configId |
string |
The extension configuration ID. It uniquely identifies a deployment control plane within an extension. |
| name |
string |
The extension name. |
| version |
string |
The extension version. |
DeploymentExternalInput
Deployment external input for parameterization.
| Name | Type | Description |
|---|---|---|
| value |
|
External input value. |
DeploymentExternalInputDefinition
Deployment external input definition for parameterization.
| Name | Type | Description |
|---|---|---|
| config |
|
Configuration for the external input. |
| kind |
string |
The kind of external input. |
DeploymentMode
The mode that is used to deploy resources. This value can be either Incremental or Complete. In Incremental mode, resources are deployed without deleting existing resources that are not included in the template. In Complete mode, resources are deployed and existing resources in the resource group that are not included in the template are deleted. Be careful when using Complete mode as you may unintentionally delete resources.
| Value | Description |
|---|---|
| Incremental | |
| Complete |
DeploymentParameter
Deployment parameter for the template.
| Name | Type | Description |
|---|---|---|
| expression |
string |
Input expression to the parameter. |
| reference |
Azure Key Vault parameter reference. |
|
| value |
|
Input value to the parameter . |
DeploymentWhatIfProperties
Deployment What-if properties.
| Name | Type | Description |
|---|---|---|
| debugSetting |
The debug setting of the deployment. |
|
| expressionEvaluationOptions |
Specifies whether template expressions are evaluated within the scope of the parent template or nested template. Only applicable to nested templates. If not specified, default value is outer. |
|
| extensionConfigs |
object |
The configurations to use for deployment extensions. The keys of this object are deployment extension aliases as defined in the deployment template. |
| externalInputDefinitions |
<string,
Deployment |
External input definitions, used by external tooling to define expected external input values. |
| externalInputs |
<string,
Deployment |
External input values, used by external tooling for parameter evaluation. |
| mode |
The mode that is used to deploy resources. This value can be either Incremental or Complete. In Incremental mode, resources are deployed without deleting existing resources that are not included in the template. In Complete mode, resources are deployed and existing resources in the resource group that are not included in the template are deleted. Be careful when using Complete mode as you may unintentionally delete resources. |
|
| onErrorDeployment |
The deployment on error behavior. |
|
| parameters |
<string,
Deployment |
Name and value pairs that define the deployment parameters for the template. You use this element when you want to provide the parameter values directly in the request rather than link to an existing parameter file. Use either the parametersLink property or the parameters property, but not both. It can be a JObject or a well formed JSON string. |
| parametersLink |
The URI of parameters file. You use this element to link to an existing parameters file. Use either the parametersLink property or the parameters property, but not both. |
|
| template |
object |
The template content. You use this element when you want to pass the template syntax directly in the request rather than link to an existing template. It can be a JObject or well-formed JSON string. Use either the templateLink property or the template property, but not both. |
| templateLink |
The URI of the template. Use either the templateLink property or the template property, but not both. |
|
| validationLevel |
The validation level of the deployment |
|
| whatIfSettings |
Optional What-If operation settings. |
DeploymentWhatIfSettings
Deployment What-If operation settings.
| Name | Type | Description |
|---|---|---|
| resultFormat |
The format of the What-If results |
ErrorAdditionalInfo
The resource management error additional info.
| Name | Type | Description |
|---|---|---|
| info |
object |
The additional info. |
| type |
string |
The additional info type. |
ErrorResponse
Error Response
| Name | Type | Description |
|---|---|---|
| additionalInfo |
The error additional info. |
|
| code |
string |
The error code. |
| details |
The error details. |
|
| message |
string |
The error message. |
| target |
string |
The error target. |
ExpressionEvaluationOptions
Specifies whether template expressions are evaluated within the scope of the parent template or nested template.
| Name | Type | Description |
|---|---|---|
| scope |
The scope to be used for evaluation of parameters, variables and functions in a nested template. |
ExpressionEvaluationOptionsScopeType
The scope to be used for evaluation of parameters, variables and functions in a nested template.
| Value | Description |
|---|---|
| NotSpecified | |
| Outer | |
| Inner |
ExtensionConfigPropertyType
| Value | Description |
|---|---|
| String |
Property type representing a string value. |
| Int |
Property type representing an integer value. |
| Bool |
Property type representing a boolean value. |
| Array |
Property type representing an array value. |
| Object |
Property type representing an object value. |
| SecureString |
Property type representing a secure string value. |
| SecureObject |
Property type representing a secure object value. |
KeyVaultParameterReference
Azure Key Vault parameter reference.
| Name | Type | Description |
|---|---|---|
| keyVault |
Azure Key Vault reference. |
|
| secretName |
string |
Azure Key Vault secret name. |
| secretVersion |
string |
Azure Key Vault secret version. |
KeyVaultReference
Azure Key Vault reference.
| Name | Type | Description |
|---|---|---|
| id |
string |
Azure Key Vault resource id. |
Level
Denotes the additional response level.
| Value | Description |
|---|---|
| Warning | |
| Info | |
| Error |
OnErrorDeployment
Deployment on error behavior.
| Name | Type | Description |
|---|---|---|
| deploymentName |
string |
The deployment to be used on error case. |
| type |
The deployment on error behavior type. Possible values are LastSuccessful and SpecificDeployment. |
OnErrorDeploymentType
The deployment on error behavior type. Possible values are LastSuccessful and SpecificDeployment.
| Value | Description |
|---|---|
| LastSuccessful | |
| SpecificDeployment |
ParametersLink
Entity representing the reference to the deployment parameters.
| Name | Type | Description |
|---|---|---|
| contentVersion |
string |
If included, must match the ContentVersion in the template. |
| uri |
string |
The URI of the parameters file. |
PropertyChangeType
The type of property change.
| Value | Description |
|---|---|
| Create |
The property does not exist in the current state but is present in the desired state. The property will be created when the deployment is executed. |
| Delete |
The property exists in the current state and is missing from the desired state. It will be deleted when the deployment is executed. |
| Modify |
The property exists in both current and desired state and is different. The value of the property will change when the deployment is executed. |
| Array |
The property is an array and contains nested changes. |
| NoEffect |
The property will not be set or updated. |
ScopedDeploymentWhatIf
Deployment What-if operation parameters.
| Name | Type | Description |
|---|---|---|
| ___location |
string |
The ___location to store the deployment data. |
| properties |
The deployment properties. |
TemplateLink
Entity representing the reference to the template.
| Name | Type | Description |
|---|---|---|
| contentVersion |
string |
If included, must match the ContentVersion in the template. |
| id |
string |
The resource id of a Template Spec. Use either the id or uri property, but not both. |
| queryString |
string |
The query string (for example, a SAS token) to be used with the templateLink URI. |
| relativePath |
string |
The relativePath property can be used to deploy a linked template at a ___location relative to the parent. If the parent template was linked with a TemplateSpec, this will reference an artifact in the TemplateSpec. If the parent was linked with a URI, the child deployment will be a combination of the parent and relativePath URIs |
| uri |
string |
The URI of the template to deploy. Use either the uri or id property, but not both. |
ValidationLevel
The level of validation performed on the deployment.
| Value | Description |
|---|---|
| Template |
Static analysis of the template is performed. |
| Provider |
Static analysis of the template is performed and resource declarations are sent to resource providers for semantic validation. Validates that the caller has RBAC write permissions on each resource. |
| ProviderNoRbac |
Static analysis of the template is performed and resource declarations are sent to resource providers for semantic validation. Skips validating that the caller has RBAC write permissions on each resource. |
WhatIfChange
Information about a single resource change predicted by What-If operation.
| Name | Type | Description |
|---|---|---|
| after |
object |
The predicted snapshot of the resource after the deployment is executed. |
| before |
object |
The snapshot of the resource before the deployment is executed. |
| changeType |
Type of change that will be made to the resource when the deployment is executed. |
|
| delta |
The predicted changes to resource properties. |
|
| deploymentId |
string |
The resource id of the Deployment responsible for this change. |
| extension |
The extension the resource was deployed with. |
|
| identifiers |
object |
A subset of properties that uniquely identify a Bicep extensible resource because it lacks a resource id like an Azure resource has. |
| resourceId |
string |
Resource ID |
| symbolicName |
string |
The symbolic name of the resource responsible for this change. |
| unsupportedReason |
string |
The explanation about why the resource is unsupported by What-If. |
WhatIfOperationResult
Result of the What-If operation. Contains a list of predicted changes and a URL link to get to the next set of results.
| Name | Type | Description |
|---|---|---|
| error |
Error Response |
|
| properties.changes |
List of resource changes predicted by What-If operation. |
|
| properties.diagnostics |
List of resource diagnostics detected by What-If operation. |
|
| properties.potentialChanges |
List of resource changes predicted by What-If operation. |
|
| status |
string |
Status of the What-If operation. |
WhatIfPropertyChange
The predicted change to the resource property.
| Name | Type | Description |
|---|---|---|
| after |
object |
The value of the property after the deployment is executed. |
| before |
object |
The value of the property before the deployment is executed. |
| children |
Nested property changes. |
|
| path |
string |
The path of the property. |
| propertyChangeType |
The type of property change. |
WhatIfResultFormat
The format of the What-If results
| Value | Description |
|---|---|
| ResourceIdOnly | |
| FullResourcePayloads |