az policy definition
Manage policy definitions.
Policy definitions are rules that specify allowed or disallowed Azure resource configurations. A definition on its own enforces nothing: it takes effect only once it is assigned to a scope (management group, subscription or resource group) with az policy assignment create.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy definition create | Create a policy definition. | Core | GA |
az policy definition delete | Delete a policy definition. | Core | GA |
az policy definition list | Retrieve policy definitions. | Core | GA |
az policy definition show | Retrieve a policy definition. | Core | GA |
az policy definition update | Update a policy definition. | Core | GA |
az policy definition create
Create a policy definition.
Create a policy definition in the given subscription or management group with the given name and other properties.
az policy definition create --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--params]
[--rule --rules]
[--version]
Examples
Create a read-only storage policy (denies creation and update of storage accounts; the type field is matched against the resource type, not against a resource provider operation such as Microsoft.Storage/storageAccounts/write, which would never match)
az policy definition create --name readOnlyStorage --rules "{ 'if': { 'field': 'type', 'equals': 'Microsoft.Storage/storageAccounts' }, 'then': { 'effect': 'deny' } }"
Create a policy definition with parameters (the name used in parameters('...') inside the rule must match the name declared in --params)
az policy definition create --name allowedLocations --rules "{ 'if': { 'allOf': [{ 'field': '___location','notIn': '[parameters(\'listOfAllowedLocations\')]' }, { 'field': '___location', 'notEquals': 'global' }, { 'field': 'type', 'notEquals': 'Microsoft.AzureActiveDirectory/b2cDirectories'}] }, 'then': { 'effect': 'deny' } }" --params "{ 'listOfAllowedLocations': {'type': 'array', 'metadata': { 'description': 'The list of locations that can be specified when deploying resources', 'strongType': '___location', 'displayName': 'Allowed locations' } } }"
Create a read-only storage policy that can be applied within a management group
az policy definition create -n readOnlyStorage --management-group "MyManagementGroup" --rules "{ 'if': { 'field': 'type', 'equals': 'Microsoft.Storage/storageAccounts' }, 'then': { 'effect': 'deny' } }"
Create a policy definition with mode
az policy definition create --name TagsPolicyDefinition --subscription "MySubscription" --mode Indexed --rules "{ 'if': { 'field': 'tags', 'exists': 'false' }, 'then': { 'effect': 'deny' } }"
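Two of the mistakes that are easy to make with inline rules are a parameters('x') reference in --rules whose name does not match the declaration in --params, and a type condition that compares against a resource provider operation (ending in /write, /read, /delete or /action) instead of a resource type; the first is rejected at creation time, the second is accepted and then silently matches nothing. The following script is an added example (not part of the Azure CLI or of this reference) that lints a rule/params pair for both problems, checks the effect against the effects the author knows of, and builds the az policy definition create command with the JSON passed inline exactly as the examples above do. The function names, the --apply flag and the sample definition are the author's own.

```python
"""Lint an Azure Policy rule/params pair, then build the
`az policy definition create` invocation for it.
Added example; not Azure CLI code."""
import json
import re
import subprocess
import sys

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
# RBAC operations end in one of these; a `type` condition is compared
# against a resource type, which never carries such a suffix.
ACTION_SUFFIX = re.compile(r"/(read|write|delete|action)$", re.IGNORECASE)
# Effects known to the author at the time of writing (lower-cased).
VALID_EFFECTS = {"deny", "denyaction", "audit", "auditifnotexists", "disabled",
                 "modify", "append", "deployifnotexists", "manual"}


def _walk(node):
    """Yield every dict inside a nested rule (allOf/anyOf/not included)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def lint_policy(rule, params):
    """Return a list of findings; empty means the pair passed every check."""
    findings = []
    # 1. every parameters('x') used by the rule must be declared, and vice versa
    referenced = set(PARAM_REF.findall(json.dumps(rule)))
    declared = set(params or {})
    for name in sorted(referenced - declared):
        findings.append(f"rule references undeclared parameter '{name}'")
    for name in sorted(declared - referenced):
        findings.append(f"parameter '{name}' is declared but never used")
    # 2. a `type` condition written as an operation can never match a resource
    for cond in _walk(rule.get("if", {})):
        if cond.get("field") == "type":
            for op in ("equals", "notEquals"):
                value = cond.get(op)
                if isinstance(value, str) and ACTION_SUFFIX.search(value):
                    findings.append(
                        f"'type' {op} '{value}' is an operation, not a resource "
                        f"type; the rule will never match")
    # 3. the effect must be a known one unless it is parameterised
    effect = str(rule.get("then", {}).get("effect", ""))
    if not PARAM_REF.search(effect) and effect.lower() not in VALID_EFFECTS:
        findings.append(f"unknown effect '{effect}'")
    return findings


def build_create_command(name, rule, params=None, management_group=None,
                         mode="Indexed"):
    """argv for `az policy definition create`, JSON passed inline."""
    argv = ["az", "policy", "definition", "create", "--name", name,
            "--mode", mode, "--rules", json.dumps(rule)]
    if params:
        argv += ["--params", json.dumps(params)]
    if management_group:
        argv += ["--management-group", management_group]
    return argv


# Constructed sample: the allowed-locations policy from the reference with the
# parameter name consistent between the rule and its declaration.
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "___location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "___location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]},
    "then": {"effect": "deny"},
}
ALLOWED_LOCATIONS_PARAMS = {
    "listOfAllowedLocations": {"type": "array", "metadata": {
        "description": "The list of locations that can be specified when deploying resources",
        "strongType": "___location", "displayName": "Allowed locations"}},
}

if __name__ == "__main__":
    problems = lint_policy(ALLOWED_LOCATIONS_RULE, ALLOWED_LOCATIONS_PARAMS)
    if problems:
        sys.exit("\n".join(problems))
    cmd = build_create_command("allowedLocations", ALLOWED_LOCATIONS_RULE,
                               ALLOWED_LOCATIONS_PARAMS)
    print(" ".join(cmd))          # review the command first
    if "--apply" in sys.argv:     # this script's own flag, not an az option
        subprocess.run(cmd, check=True)
```

Run without arguments the script only prints the command; --apply hands it to the CLI, which must already be logged in to the target subscription. Running the original readOnlyStorage rule through lint_policy reports the /write suffix, and the original allowedLocations pair reports the listOfAllowedLocations / allowedLocations mismatch.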
Required Parameters
--name -n
The name of the policy definition.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--description
Policy definition description.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--display-name
The display name of the policy definition.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--management-group
The management group in which to create the definition. Omit it to create the definition in the current subscription.
--metadata
The policy definition metadata. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--mode
The policy definition mode. Indexed evaluates only resource types that support tags and ___location; All also evaluates resource groups, subscriptions and resource types without those properties.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Default value: | Indexed |
--params
The policy rule parameter definitions. Every parameters('name') reference in the rule must be declared here under the same name. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--rule --rules
The policy rule. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--version
The policy definition version.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy definition delete
Behavior will change in a future release of the resource commands. Bypassing the confirmation prompt will require providing the -y switch.
Delete a policy definition.
Delete the policy definition in the given subscription or management group with the given name and other properties.
az policy definition delete --name
[--management-group]
Examples
Delete a policy definition
az policy definition delete --name MyPolicyDefinition
Required Parameters
--name -n
The name of the policy definition.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--management-group
The management group that holds the definition. Omit it to delete a definition in the current subscription.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy definition list
Retrieve policy definitions.
Retrieve the list of all policy definitions in the given subscription or management group.
az policy definition list [--filter]
[--management-group]
[--max-items]
[--next-token]
Examples
List built-in policy definitions
az policy definition list --filter "policyType eq 'BuiltIn'"
List policy definitions by management group
az policy definition list --management-group MyManagementGroup
List policy definitions by subscription
az policy definition list
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--filter
Filter list results. The underlying REST API accepts atExactScope() (only definitions stored at the given scope, which excludes built-in and inherited ones), policyType eq '{value}' (BuiltIn, Custom or Static) and category eq '{value}'.
--management-group
The management group whose definitions to list. Omit it to list definitions visible in the current subscription.
--max-items
Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in the --next-token argument of a subsequent command.
Property | Value |
---|---|
Parameter group: | Pagination Arguments |
--next-token
Token to specify where to start paginating. This is the token value from a previously truncated response.
Property | Value |
---|---|
Parameter group: | Pagination Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy definition show
Retrieve a policy definition.
Retrieve and show the details of the policy definition in the given subscription or management group with the given name.
az policy definition show --name
[--management-group]
Examples
Retrieve a policy definition at management group level
az policy definition show --management-group MyManagementGroup --name ResourceNaming
Retrieve a policy definition
az policy definition show --name ResourceNaming
Required Parameters
--name -n
The name of the policy definition.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--management-group
The management group that holds the definition. Omit it to look the definition up in the current subscription.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy definition update
Update a policy definition.
Update the policy definition in the given subscription or management group with the given name by applying the given properties. The change applies to every assignment that references the definition, so an update that relaxes the rule or the effect weakens enforcement everywhere the definition is assigned.
az policy definition update --name
[--add]
[--description]
[--display-name]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--management-group]
[--metadata]
[--mode]
[--params]
[--remove]
[--rule --rules]
[--set]
[--version]
Examples
Update a policy definition display name
az policy definition update --name MyPolicyDefinition --display-name "Updated display name goes here"
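Because an update rewrites the definition in place for every assignment, anyone holding Resource Policy Contributor or Owner at the definition's scope can neuter a deny policy with --rules, --params or --set without touching a single protected resource. The following script is an added example (not part of the Azure CLI or of Azure Policy) that compares a baseline definition kept in source control against the JSON returned by az policy definition show --name NAME --output json and reports the changes a reviewer cares about: a weaker effect (including the common trick of moving the effect into a parameter whose default is Audit), a changed mode or condition, and added or removed parameters. The effect ranking, the function names and the sample documents are the author's own.

```python
"""Detect weakening of an Azure Policy definition by diffing a baseline
against the JSON that `az policy definition show --output json` returns.
Added example; not Azure CLI or Azure Policy code."""
import json
import re

# Author's ordering from most to least restrictive, used only by this check;
# Azure itself defines no such ranking.
STRENGTH = {"deny": 3, "denyaction": 3,
            "deployifnotexists": 2, "modify": 2, "append": 2,
            "audit": 1, "auditifnotexists": 1, "manual": 1,
            "disabled": 0}
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def effect_of(definition):
    """Effect of a definition, resolving "[parameters('x')]" to x's defaultValue."""
    effect = str(definition.get("policyRule", {}).get("then", {}).get("effect", ""))
    ref = PARAM_REF.fullmatch(effect)
    if ref:
        param = (definition.get("parameters") or {}).get(ref.group(1), {})
        effect = str(param.get("defaultValue", ""))
    return effect.lower()


def drift(baseline, current):
    """Return human-readable findings; an empty list means nothing weakened."""
    findings = []
    before, after = effect_of(baseline), effect_of(current)
    if STRENGTH.get(after, 0) < STRENGTH.get(before, 0):
        findings.append(f"effect weakened: {before} -> {after}")
    if baseline.get("mode") != current.get("mode"):
        findings.append(f"mode changed: {baseline.get('mode')} -> {current.get('mode')}")
    if baseline.get("policyRule", {}).get("if") != current.get("policyRule", {}).get("if"):
        findings.append("condition block ('if') changed")
    before_params = set(baseline.get("parameters") or {})
    after_params = set(current.get("parameters") or {})
    for name in sorted(after_params - before_params):
        findings.append(f"parameter added: {name}")
    for name in sorted(before_params - after_params):
        findings.append(f"parameter removed: {name}")
    return findings


# Constructed sample: the reference's TagsPolicyDefinition roughly as `show`
# returns it (id and type omitted), before and after an update that moved the
# effect into a parameter defaulting to Audit.
BASELINE = json.loads("""{
  "name": "TagsPolicyDefinition", "policyType": "Custom", "mode": "Indexed",
  "policyRule": {"if": {"field": "tags", "exists": "false"},
                 "then": {"effect": "deny"}},
  "parameters": {}
}""")
CURRENT = json.loads("""{
  "name": "TagsPolicyDefinition", "policyType": "Custom", "mode": "Indexed",
  "policyRule": {"if": {"field": "tags", "exists": "false"},
                 "then": {"effect": "[parameters('effect')]"}},
  "parameters": {"effect": {"type": "String", "defaultValue": "Audit",
                            "allowedValues": ["Audit", "Deny", "Disabled"]}}
}""")

if __name__ == "__main__":
    for finding in drift(BASELINE, CURRENT):
        print(finding)
```

In practice the CURRENT document comes from the show command's output (json.load on its stdout) and BASELINE from the repository; the Activity Log operation Microsoft.Authorization/policyDefinitions/write tells you who made the change and when, while this check tells you whether the change mattered.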
Required Parameters
--name -n
The name of the policy definition.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--description
Policy definition description.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--display-name
The display name of the policy definition.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
--management-group
The management group that holds the definition. Omit it to update a definition in the current subscription.
--metadata
The policy definition metadata. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--mode
The policy definition mode. Indexed evaluates only resource types that support tags and ___location; All also evaluates resource groups, subscriptions and resource types without those properties.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--params
The policy rule parameter definitions. Every parameters('name') reference in the rule must be declared here under the same name. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--rule --rules
The policy rule. Replaces the whole rule; it is not merged with the existing one. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--version
The policy definition version.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |