az policy assignment identity

Managed identity of the policy assignment.

The system or user assigned managed identity used by the enclosing policy assignment for remediation tasks.

Commands

Name                                   Description                      Type   Status
az policy assignment identity assign   Assign a managed identity.       Core   GA
az policy assignment identity remove   Remove the managed identity.     Core   GA
az policy assignment identity show     Retrieve the managed identity.   Core   GA

az policy assignment identity assign

Breaking change

Replacing an existing identity will change in a future release of the resource commands. It will require first removing the existing identity.

Assign a managed identity.

Assign the system or user assigned managed identity to the policy assignment matching the given name and scope.

az policy assignment identity assign --name
                                     [--identity-scope]
                                     [--mi-system-assigned --system-assigned]
                                     [--mi-user-assigned --user-assigned]
                                     [--resource-group]
                                     [--role]
                                     [--scope]

Examples

Add a system assigned managed identity to a policy assignment

az policy assignment identity assign --system-assigned -g MyResourceGroup -n MyPolicyAssignment

Add a system assigned managed identity to a policy assignment and grant it the Contributor role for a resource group

az policy assignment identity assign --system-assigned -g MyResourceGroup -n MyPolicyAssignment --role Contributor --identity-scope /subscriptions/{subscriptionId}/resourceGroups/MyResourceGroup

Add a user assigned managed identity to a policy assignment

az policy assignment identity assign --user-assigned MyAssignedId -g MyResourceGroup -n MyPolicyAssignment
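The examples above grant the remediation identity a role at `--identity-scope`. As an added example, not part of the Azure CLI reference, the following shell wrapper refuses to run the assign command when that scope lies outside the policy assignment's own scope, so the identity cannot remediate more broadly than the policy it serves. It assumes `az login` has already been done; all names and scopes are placeholders.

```shell
# Added example (not from the Azure CLI docs): least-privilege guard around
# `az policy assignment identity assign --role ... --identity-scope ...`.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# scope_within PARENT CHILD
#   0 -> CHILD equals PARENT or is nested under it (resource-ID scopes are
#        paths compared case-insensitively, so a prefix test is exact here)
#   1 -> CHILD lies outside PARENT
#   2 -> PARENT is a management group; its subscriptions are not path-nested,
#        so a prefix test cannot decide and the caller must check explicitly
scope_within() {
  parent=$(lower "${1%/}")
  child=$(lower "${2%/}")
  case "$parent" in
    /providers/microsoft.management/managementgroups/*) return 2 ;;
  esac
  [ "$child" = "$parent" ] && return 0
  case "$child" in
    "$parent"/*) return 0 ;;
  esac
  return 1
}

# assign_remediation_identity NAME ASSIGNMENT_SCOPE IDENTITY_SCOPE ROLE
# Runs the reference's assign command only when the identity scope is
# contained in the assignment scope; an undecidable (management group)
# case is refused as well rather than guessed.
assign_remediation_identity() {
  name=$1; assignment_scope=$2; identity_scope=$3; role=$4
  if ! scope_within "$assignment_scope" "$identity_scope"; then
    echo "refusing: $identity_scope is not within (or not decidable from) $assignment_scope" >&2
    return 1
  fi
  az policy assignment identity assign --system-assigned \
    --name "$name" --scope "$assignment_scope" \
    --role "$role" --identity-scope "$identity_scope"
}
```

For a management-group assignment, confirm the target subscription actually sits under that management group before granting the role, since `scope_within` deliberately returns 2 there.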

Required Parameters

--name -n

The name of the policy assignment.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--identity-scope

Scope that the system assigned identity can access.

--mi-system-assigned --system-assigned

Set the system managed identity.

Parameter group: Parameters.identity Arguments

--mi-user-assigned --user-assigned

Set the user managed identity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

Parameter group: Parameters.identity Arguments

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--role

Role name or id that will be assigned to the managed identity.

--scope

The scope of the policy assignment.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az policy assignment identity remove

Breaking change

Removing a user assigned identity will change in a future release of the resource commands. It will require providing the --mi-user-assigned switch.

Remove the managed identity.

Remove the system or user assigned managed identity from the policy assignment matching the given name and scope.

az policy assignment identity remove --name
                                     [--mi-system-assigned --system-assigned]
                                     [--mi-user-assigned --user-assigned]
                                     [--resource-group]
                                     [--scope]

Examples

Remove user assigned managed identity from a policy assignment

az policy assignment identity remove --name MyPolicyAssignment --user-assigned

Required Parameters

--name -n

The name of the policy assignment.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--mi-system-assigned --system-assigned

Remove the system managed identity.

Parameter group: Parameters.identity Arguments

--mi-user-assigned --user-assigned

Remove the user managed identity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

Parameter group: Parameters.identity Arguments

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--scope

The scope of the policy assignment.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az policy assignment identity show

Retrieve the managed identity.

Retrieve and show the details of the system or user assigned managed identity of the policy assignment matching the given name and scope.

az policy assignment identity show --name
                                   [--resource-group]
                                   [--scope]

Examples

Show a policy assignment's managed identity

az policy assignment identity show --name MyPolicyAssignment --scope '/providers/Microsoft.Management/managementGroups/{managementGroupName}'

Required Parameters

--name -n

The name of the policy assignment.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--scope

The scope of the policy assignment.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False