az policy definition
Manage resource policy definitions.
Name | Description | Type | Status |
---|---|---|---|
az policy definition create | Create a policy definition. | Core | GA |
az policy definition delete | Delete a policy definition. | Core | GA |
az policy definition list | List policy definitions. | Core | GA |
az policy definition show | Show a policy definition. | Core | GA |
az policy definition update | Update a policy definition. | Core | GA |
Create a policy definition.
az policy definition create --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--params]
[--rules]
[--subscription]
Create a read-only policy.
az policy definition create --name readOnlyStorage --rules "{ \"if\": \
{ \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \
\"then\": { \"effect\": \"deny\" } }"
Create a policy parameter definition.
az policy definition create --name allowedLocations \
--rules "{ \"if\": { \"allOf\": [ \
{ \"field\": \"location\",\"notIn\": \"[parameters('listOfAllowedLocations')]\" }, \
{ \"field\": \"location\", \"notEquals\": \"global\" }, \
{ \"field\": \"type\", \"notEquals\": \
\"Microsoft.AzureActiveDirectory/b2cDirectories\"} \
] }, \"then\": { \"effect\": \"deny\" } }" \
--params "{ \"listOfAllowedLocations\": { \
\"type\": \"array\", \"metadata\": { \"description\": \
\"The list of locations that can be specified when deploying resources\", \
\"strongType\": \"location\", \"displayName\": \"Allowed locations\" } } }"
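A pre-flight check for the JSON passed to --rules and --params, as an added example that is not part of the Azure CLI or its documentation: it verifies that every parameters('...') reference in the rule has a matching entry in the parameter definitions and that the rule carries "if" and "then.effect". The function names and the sample JSON are constructed for illustration.

```python
import json
import re

# Matches parameters('name') inside a policy expression such as
# "[parameters('listOfAllowedLocations')]".
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")

def referenced_parameters(node):
    """Collect every parameter name referenced anywhere in a rule."""
    if isinstance(node, dict):
        return set().union(*map(referenced_parameters, node.values()))
    if isinstance(node, list):
        return set().union(*map(referenced_parameters, node))
    # "[...]" is an expression; "[[..." is an escaped literal string.
    if isinstance(node, str) and node.startswith("[") and not node.startswith("[["):
        return set(PARAM_REF.findall(node))
    return set()

def lint_definition(rules_json, params_json="{}"):
    """Return a list of problems; an empty list means the check passed."""
    rules, params = json.loads(rules_json), json.loads(params_json)
    problems = [f"rule is missing '{k}'" for k in ("if", "then") if k not in rules]
    if "then" in rules and "effect" not in rules["then"]:
        problems.append("'then' has no 'effect'")
    used, defined = referenced_parameters(rules), set(params)
    problems += [f"rule references undefined parameter '{n}'" for n in sorted(used - defined)]
    problems += [f"parameter '{n}' is defined but never referenced" for n in sorted(defined - used)]
    problems += [f"parameter '{n}' has no 'type'" for n in sorted(params) if "type" not in params[n]]
    return problems

# Constructed sample input modelled on the allowedLocations example.
RULES = json.dumps({
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
})
MATCHING = json.dumps({"listOfAllowedLocations": {"type": "array"}})
MISMATCHED = json.dumps({"allowedLocations": {"type": "array"}})

if __name__ == "__main__":
    for label, params in (("matching", MATCHING), ("mismatched", MISMATCHED)):
        print(label, lint_definition(RULES, params))
```

Running the same check in CI on rule files before they reach `az policy definition create` or `update` catches a renamed parameter before the definition is assigned.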
Create a read-only policy that can be applied within a management group.
az policy definition create -n readOnlyStorage --management-group "MyManagementGroup" \
--rules "{ \"if\": { \"field\": \"type\", \
\"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \
\"then\": { \"effect\": \"deny\" } }"
Create a policy definition with mode. The mode 'Indexed' indicates the policy should be evaluated only for resource types that support tags and location.
az policy definition create --name TagsPolicyDefinition --subscription "MySubscription" \
--mode Indexed --rules "{ \"if\": { \"field\": \"tags\", \"exists\": \"false\" }, \
\"then\": { \"effect\": \"deny\" } }"
--name: Name of the new policy definition.
--description: Description of policy definition.
--display-name: Display name of policy definition.
--management-group: Name of the management group the new policy definition can be assigned in.
--metadata: Metadata in space-separated key=value pairs.
--mode: Mode of the policy definition, e.g. All, Indexed. Please visit https://aka.ms/azure-policy-mode for more information.
--params: JSON formatted string or a path to a file or uri with parameter definitions.
--rules: Policy rules in JSON format, or a path to a file containing JSON rules.
--subscription: Name or id of the subscription the new policy definition can be assigned in.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
Delete a policy definition.
az policy definition delete --name
[--management-group]
[--subscription]
Delete a policy definition. (autogenerated)
az policy definition delete --name MyPolicyDefinition
--name: The policy definition name.
--management-group: The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.
--subscription: The subscription id of the policy [set] definition.
List policy definitions.
az policy definition list [--management-group]
[--subscription]
--management-group: The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.
--subscription: The subscription id of the policy [set] definition.
Show a policy definition.
az policy definition show --name
[--management-group]
[--subscription]
Show a policy definition. (autogenerated)
az policy definition show --name MyPolicyDefinition
--name: The policy definition name.
--management-group: The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.
--subscription: The subscription id of the policy [set] definition.
Update a policy definition.
az policy definition update --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--params]
[--rules]
[--subscription]
Update a policy definition. (autogenerated)
az policy definition update --name MyPolicyDefinition
--name: The policy definition name.
--description: Description of policy definition.
--display-name: Display name of policy definition.
--management-group: The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.
--metadata: Metadata in space-separated key=value pairs.
--mode: Mode of the policy definition, e.g. All, Indexed. Please visit https://aka.ms/azure-policy-mode for more information.
--params: JSON formatted string or a path to a file or uri with parameter definitions.
--rules: JSON formatted string or a path to a file with such content.
--subscription: The subscription id of the policy [set] definition.