Bicep resource definition
The policyAssignments resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Authorization/policyAssignments resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
scope: resourceSymbolicName or scope
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
___location: 'string'
name: 'string'
properties: {
description: 'string'
displayName: 'string'
enforcementMode: 'string'
metadata: any(...)
nonComplianceMessages: [
{
message: 'string'
policyDefinitionReferenceId: 'string'
}
]
notScopes: [
'string'
]
overrides: [
{
kind: 'string'
selectors: [
{
in: [
'string'
]
kind: 'string'
notIn: [
'string'
]
}
]
value: 'string'
}
]
parameters: {
{customized property}: {
value: any(...)
}
}
policyDefinitionId: 'string'
resourceSelectors: [
{
name: 'string'
selectors: [
{
in: [
'string'
]
kind: 'string'
notIn: [
'string'
]
}
]
}
]
}
}
Property Values
Identity
Name |
Description |
Value |
type |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
'None' 'SystemAssigned' 'UserAssigned' |
userAssignedIdentities |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
IdentityUserAssignedIdentities |
IdentityUserAssignedIdentities
Microsoft.Authorization/policyAssignments
Name |
Description |
Value |
identity |
The managed identity associated with the policy assignment. |
Identity |
___location |
The ___location of the policy assignment. Only required when utilizing managed identity. |
string |
name |
The resource name |
string (required) |
properties |
Properties for the policy assignment. |
PolicyAssignmentProperties |
scope |
Use when creating a resource at a scope that is different than the deployment scope. |
Set this property to the symbolic name of a resource to apply the extension resource. |
NonComplianceMessage
Name |
Description |
Value |
message |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
string (required) |
policyDefinitionReferenceId |
The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. |
string |
Override
Name |
Description |
Value |
kind |
The override kind. |
'policyEffect' |
selectors |
The list of the selector expressions. |
Selector[] |
value |
The value to override the policy property. |
string |
ParameterValues
ParameterValuesValue
Name |
Description |
Value |
value |
The value of the parameter. |
any |
PolicyAssignmentProperties
Name |
Description |
Value |
description |
This message will be part of response in case of policy violation. |
string |
displayName |
The display name of the policy assignment. |
string |
enforcementMode |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
'Default' 'DoNotEnforce' |
metadata |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
any |
nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
NonComplianceMessage[] |
notScopes |
The policy's excluded scopes. |
string[] |
overrides |
The policy property value override. |
Override[] |
parameters |
The parameter values for the assigned policy rule. The keys are the parameter names. |
ParameterValues |
policyDefinitionId |
The ID of the policy definition or policy set definition being assigned. |
string |
resourceSelectors |
The resource selector list to filter policies by resource properties. |
ResourceSelector[] |
ResourceSelector
Name |
Description |
Value |
name |
The name of the resource selector. |
string |
selectors |
The list of the selector expressions. |
Selector[] |
Selector
Name |
Description |
Value |
in |
The list of values to filter in. |
string[] |
kind |
The selector kind. |
'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' |
notIn |
The list of values to filter out. |
string[] |
UserAssignedIdentitiesValue
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
ARM template resource definition
The policyAssignments resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to your template.
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"___location": "string",
"properties": {
"description": "string",
"displayName": "string",
"enforcementMode": "string",
"metadata": {},
"nonComplianceMessages": [
{
"message": "string",
"policyDefinitionReferenceId": "string"
}
],
"notScopes": [ "string" ],
"overrides": [
{
"kind": "string",
"selectors": [
{
"in": [ "string" ],
"kind": "string",
"notIn": [ "string" ]
}
],
"value": "string"
}
],
"parameters": {
"{customized property}": {
"value": {}
}
},
"policyDefinitionId": "string",
"resourceSelectors": [
{
"name": "string",
"selectors": [
{
"in": [ "string" ],
"kind": "string",
"notIn": [ "string" ]
}
]
}
]
}
}
Property Values
Identity
Name |
Description |
Value |
type |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
'None' 'SystemAssigned' 'UserAssigned' |
userAssignedIdentities |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
IdentityUserAssignedIdentities |
IdentityUserAssignedIdentities
Microsoft.Authorization/policyAssignments
Name |
Description |
Value |
apiVersion |
The api version |
'2022-06-01' |
identity |
The managed identity associated with the policy assignment. |
Identity |
___location |
The ___location of the policy assignment. Only required when utilizing managed identity. |
string |
name |
The resource name |
string (required) |
properties |
Properties for the policy assignment. |
PolicyAssignmentProperties |
type |
The resource type |
'Microsoft.Authorization/policyAssignments' |
NonComplianceMessage
Name |
Description |
Value |
message |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
string (required) |
policyDefinitionReferenceId |
The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. |
string |
Override
Name |
Description |
Value |
kind |
The override kind. |
'policyEffect' |
selectors |
The list of the selector expressions. |
Selector[] |
value |
The value to override the policy property. |
string |
ParameterValues
ParameterValuesValue
Name |
Description |
Value |
value |
The value of the parameter. |
any |
PolicyAssignmentProperties
Name |
Description |
Value |
description |
This message will be part of response in case of policy violation. |
string |
displayName |
The display name of the policy assignment. |
string |
enforcementMode |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
'Default' 'DoNotEnforce' |
metadata |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
any |
nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
NonComplianceMessage[] |
notScopes |
The policy's excluded scopes. |
string[] |
overrides |
The policy property value override. |
Override[] |
parameters |
The parameter values for the assigned policy rule. The keys are the parameter names. |
ParameterValues |
policyDefinitionId |
The ID of the policy definition or policy set definition being assigned. |
string |
resourceSelectors |
The resource selector list to filter policies by resource properties. |
ResourceSelector[] |
ResourceSelector
Name |
Description |
Value |
name |
The name of the resource selector. |
string |
selectors |
The list of the selector expressions. |
Selector[] |
Selector
Name |
Description |
Value |
in |
The list of values to filter in. |
string[] |
kind |
The selector kind. |
'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' |
notIn |
The list of values to filter out. |
string[] |
UserAssignedIdentitiesValue
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
The policyAssignments resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Authorization/policyAssignments resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Authorization/policyAssignments@2022-06-01"
name = "string"
parent_id = "string"
identity {
type = "string"
identity_ids = [
"string"
]
}
___location = "string"
body = {
properties = {
description = "string"
displayName = "string"
enforcementMode = "string"
metadata = ?
nonComplianceMessages = [
{
message = "string"
policyDefinitionReferenceId = "string"
}
]
notScopes = [
"string"
]
overrides = [
{
kind = "string"
selectors = [
{
in = [
"string"
]
kind = "string"
notIn = [
"string"
]
}
]
value = "string"
}
]
parameters = {
{customized property} = {
value = ?
}
}
policyDefinitionId = "string"
resourceSelectors = [
{
name = "string"
selectors = [
{
in = [
"string"
]
kind = "string"
notIn = [
"string"
]
}
]
}
]
}
}
}
Property Values
Identity
Name |
Description |
Value |
type |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
'None' 'SystemAssigned' 'UserAssigned' |
userAssignedIdentities |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
IdentityUserAssignedIdentities |
IdentityUserAssignedIdentities
Microsoft.Authorization/policyAssignments
Name |
Description |
Value |
identity |
The managed identity associated with the policy assignment. |
Identity |
___location |
The ___location of the policy assignment. Only required when utilizing managed identity. |
string |
name |
The resource name |
string (required) |
parent_id |
The ID of the resource to apply this extension resource to. |
string (required) |
properties |
Properties for the policy assignment. |
PolicyAssignmentProperties |
type |
The resource type |
"Microsoft.Authorization/policyAssignments@2022-06-01" |
NonComplianceMessage
Name |
Description |
Value |
message |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
string (required) |
policyDefinitionReferenceId |
The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. |
string |
Override
Name |
Description |
Value |
kind |
The override kind. |
'policyEffect' |
selectors |
The list of the selector expressions. |
Selector[] |
value |
The value to override the policy property. |
string |
ParameterValues
ParameterValuesValue
Name |
Description |
Value |
value |
The value of the parameter. |
any |
PolicyAssignmentProperties
Name |
Description |
Value |
description |
This message will be part of response in case of policy violation. |
string |
displayName |
The display name of the policy assignment. |
string |
enforcementMode |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
'Default' 'DoNotEnforce' |
metadata |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
any |
nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
NonComplianceMessage[] |
notScopes |
The policy's excluded scopes. |
string[] |
overrides |
The policy property value override. |
Override[] |
parameters |
The parameter values for the assigned policy rule. The keys are the parameter names. |
ParameterValues |
policyDefinitionId |
The ID of the policy definition or policy set definition being assigned. |
string |
resourceSelectors |
The resource selector list to filter policies by resource properties. |
ResourceSelector[] |
ResourceSelector
Name |
Description |
Value |
name |
The name of the resource selector. |
string |
selectors |
The list of the selector expressions. |
Selector[] |
Selector
Name |
Description |
Value |
in |
The list of values to filter in. |
string[] |
kind |
The selector kind. |
'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' |
notIn |
The list of values to filter out. |
string[] |
UserAssignedIdentitiesValue