az policy exemption
Manage policy exemptions.
Policy exemptions specify resources that a policy assignment does not apply to.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy exemption create | Create a policy exemption. | Core | GA |
az policy exemption delete | Delete a policy exemption. | Core | GA |
az policy exemption list | Retrieve all applicable policy exemptions. | Core | GA |
az policy exemption show | Retrieve a policy exemption. | Core | GA |
az policy exemption update | Update a policy exemption. | Core | GA |
az policy exemption create
Create a policy exemption.
Create a policy exemption with the given name and scope. Policy exemptions apply to all resources contained within their scope. For example, when you create a policy exemption at resource group scope for a policy assignment at the same or higher scope level, the exemption exempts all applicable resources in the resource group from that policy assignment.
az policy exemption create --exemption-category {Mitigated, Waiver}
--policy-assignment
[--assignment-scope-validation {Default, DoNotValidate}]
[--description]
[--display-name]
[--expires-on]
[--metadata]
[--name]
[--policy-definition-reference-ids]
[--resource-group]
[--resource-selectors]
[--scope]
Examples
Create a policy exemption in default subscription
az policy exemption create -n exemptTestVM --policy-assignment "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/limitVMSku" --exemption-category "Waiver"
Create a policy exemption in the resource group
az policy exemption create -n exemptTestVM --policy-assignment "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/limitVMSku" --exemption-category "Waiver" --resource-group "myResourceGroup"
Create a policy exemption in a management group
az policy exemption create -n exemptTestVM --policy-assignment "/providers/Microsoft.Management/managementGroups/{managementGroupName}/providers/Microsoft.Authorization/policyAssignments/limitVMSku" --exemption-category "Waiver" --scope "/providers/Microsoft.Management/managementGroups/{managementGroupName}"
Required Parameters
--exemption-category
The policy exemption category.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Accepted values: | Mitigated, Waiver |
--policy-assignment
The policy assignment to exempt.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--assignment-scope-validation
The assignment scope validation.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Default value: | Default |
Accepted values: | Default, DoNotValidate |
--description
Policy exemption description.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--display-name
The display name of the policy exemption.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--expires-on
The expiration date and time.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--metadata
The policy exemption metadata. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--name
The name of the policy exemption.
--policy-definition-reference-ids
The policy definition reference IDs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-selectors
The resource selectors list to filter policies by resource properties. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--scope
The scope of the policy assignment.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy exemption delete
Delete a policy exemption.
Delete the policy exemption with the given name and scope.
az policy exemption delete --name
[--resource-group]
[--scope]
Examples
Delete a policy exemption
az policy exemption delete --name MyPolicyExemption --resource-group "myResourceGroup"
Required Parameters
--name
The name of the policy exemption.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--scope
The scope of the policy assignment.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy exemption list
Retrieve all applicable policy exemptions.
Retrieve the list of all policy assignments applicable to the given subscription or management group.
az policy exemption list [--disable-scope-strict-match {0, 1, f, false, n, no, t, true, y, yes}]
[--filter]
[--management-group]
[--max-items]
[--next-token]
[--resource-group]
[--scope]
Examples
List policy exemptions that apply to a management group
az policy exemption list --management-group DevOrg --filter atScopeAndBelow()
List policy exemptions that apply to a resource group
az policy exemption list --resource-group TestResourceGroup
List policy exemptions that apply to a subscription
az policy exemption list
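Review exemptions from list output
The following is an added example, not part of the original reference or of the Azure CLI: it reads JSON shaped like the output of `az policy exemption list --output json` and flags exemptions that have no expiry, have already expired, are Waivers with no description, or sit at subscription or management group scope. The field names (`exemptionCategory`, `expiresOn`, `description`, `id`, `name`), their placement at the top level or under `properties`, the issue labels, and the sample data are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
EX = "/providers/Microsoft.Authorization/policyExemptions/"
# Constructed sample; field names are assumed to match the CLI's JSON output.
SAMPLE = json.dumps([
    {"name": "exemptTestVM", "id": SUB + EX + "exemptTestVM",
     "exemptionCategory": "Waiver", "expiresOn": None, "description": None},
    {"name": "rgPatchWindow",
     "id": SUB + "/resourceGroups/myResourceGroup" + EX + "rgPatchWindow",
     "exemptionCategory": "Mitigated", "expiresOn": "2030-01-01T00:00:00Z",
     "description": "Compensating control documented"},
    {"name": "oldWaiver",
     "id": SUB + "/resourceGroups/myResourceGroup" + EX + "oldWaiver",
     "exemptionCategory": "Waiver", "expiresOn": "2020-06-30T00:00:00+00:00",
     "description": "Temporary SKU waiver"},
])

def scope_level(exemption_id):
    """Classify the scope that precedes the policyExemptions segment of the ID."""
    low = exemption_id.lower()
    idx = low.rfind(EX.lower())
    scope = low[:idx] if idx >= 0 else low
    if scope.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    parts = scope.split("/resourcegroups/")
    if len(parts) == 1:
        return "subscription"
    return "resource" if "/providers/" in parts[1] else "resourceGroup"

def audit(raw_json, now):
    """Return {exemption name: [issues]} for exemptions that need review."""
    findings = {}
    for item in json.loads(raw_json):
        props = item.get("properties", item)  # nested or flattened layout
        issues = []
        expires = props.get("expiresOn")
        if not expires:
            issues.append("no-expiry")
        else:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)  # treat naive as UTC
            if when <= now:
                issues.append("expired")
        if props.get("exemptionCategory") == "Waiver" and not props.get("description"):
            issues.append("waiver-without-description")
        if scope_level(item["id"]) in ("managementGroup", "subscription"):
            issues.append("broad-scope")
        if issues:
            findings[item["name"]] = issues
    return findings
```

To run it against a real tenant, pass the saved JSON output of the list command to `audit` together with the current UTC time.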
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--disable-scope-strict-match
Include policy exemptions either inherited from parent scopes or at child scopes.
Property | Value |
---|---|
Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
--filter
Filter list results.
--management-group
The management group.
--max-items
Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in the --next-token argument of a subsequent command.
Property | Value |
---|---|
Parameter group: | Pagination Arguments |
--next-token
Token to specify where to start paginating. This is the token value from a previously truncated response.
Property | Value |
---|---|
Parameter group: | Pagination Arguments |
--resource-group
The resource group.
--scope
Scope at which to list applicable policy exemptions. If scope is not provided, the scope will be the implied or specified subscription.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy exemption show
Retrieve a policy exemption.
Retrieve and show the details of the policy exemption with the given name and scope.
az policy exemption show --name
[--resource-group]
[--scope]
Examples
Show a policy exemption
az policy exemption show --name MyPolicyExemption --resource-group "myResourceGroup"
Required Parameters
--name
The name of the policy exemption.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--scope
The scope of the policy assignment.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az policy exemption update
Update a policy exemption.
Update the policy exemption with the given name and scope by applying the given property values.
az policy exemption update --name
[--add]
[--assignment-scope-validation {Default, DoNotValidate}]
[--description]
[--display-name]
[--exemption-category {Mitigated, Waiver}]
[--expires-on]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--metadata]
[--policy-assignment]
[--policy-definition-reference-ids]
[--remove]
[--resource-group]
[--resource-selectors]
[--scope]
[--set]
Examples
Update a policy exemption category
az policy exemption update -n exemptTestVM --exemption-category "Mitigated"
Update a policy exemption in a resource group
az policy exemption update -n exemptTestVM --display-name "Updated display name" --resource-group myResourceGroup
Update a policy exemption at scope
az policy exemption update -n exemptTestVM --description "This exemption is very cool." --scope "/providers/Microsoft.Management/managementGroups/{managementGroupName}"
Required Parameters
--name
The name of the policy exemption.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--assignment-scope-validation
The assignment scope validation.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Accepted values: | Default, DoNotValidate |
--description
Policy exemption description.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--display-name
The display name of the policy exemption.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--exemption-category
The policy exemption category.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
Accepted values: | Mitigated, Waiver |
--expires-on
The expiration date and time.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
--metadata
The policy exemption metadata. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--policy-assignment
The policy assignment to exempt.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--policy-definition-reference-ids
The policy definition reference IDs. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-selectors
The resource selectors list to filter policies by resource properties. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Property | Value |
---|---|
Parameter group: | Properties Arguments |
--scope
The scope of the policy assignment.
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
Property | Value |
---|---|
Parameter group: | Generic Update Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |