# az policy definition

Manage resource policy definitions.

## Commands

Name | Description | Type | Status
---|---|---|---
az policy definition create | Create a policy definition. | Core | GA
az policy definition delete | Delete a policy definition. | Core | GA
az policy definition list | List policy definitions. | Core | GA
az policy definition show | Show a policy definition. | Core | GA
az policy definition update | Update a policy definition. | Core | GA
## az policy definition create

Create a policy definition.

```azurecli
az policy definition create --name
                            [--description]
                            [--display-name]
                            [--management-group]
                            [--metadata]
                            [--mode]
                            [--params]
                            [--rules]
                            [--subscription]
```
### Examples

Create a read-only policy.

```azurecli
az policy definition create --name readOnlyStorage --rules "{ \"if\": \
    { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \
    \"then\": { \"effect\": \"deny\" } }"
```
Create a policy parameter definition. The rule references the parameter as `parameters('allowedLocations')`, so the `--params` document must define a parameter with exactly that name.

```azurecli
az policy definition create --name allowedLocations \
    --rules "{ \"if\": { \"allOf\": [ \
        { \"field\": \"location\",\"notIn\": \"[parameters('allowedLocations')]\" }, \
        { \"field\": \"location\", \"notEquals\": \"global\" }, \
        { \"field\": \"type\", \"notEquals\": \
            \"Microsoft.AzureActiveDirectory/b2cDirectories\"} \
        ] }, \"then\": { \"effect\": \"deny\" } }" \
    --params "{ \"allowedLocations\": { \
        \"type\": \"array\", \"metadata\": { \"description\": \
            \"The list of locations that can be specified when deploying resources\", \
            \"strongType\": \"location\", \"displayName\": \"Allowed locations\" } } }"
```
Create a read-only policy that can be applied within a management group.

```azurecli
az policy definition create -n readOnlyStorage --management-group "MyManagementGroup" \
    --rules "{ \"if\": { \"field\": \"type\", \
        \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \
        \"then\": { \"effect\": \"deny\" } }"
```
Create a policy definition with mode. The mode `Indexed` indicates the policy should be evaluated only for resource types that support tags and location.

```azurecli
az policy definition create --name TagsPolicyDefinition --subscription "MySubscription" \
    --mode Indexed --rules "{ \"if\": { \"field\": \"tags\", \"exists\": \"false\" }, \
        \"then\": { \"effect\": \"deny\" } }"
```
### Required Parameters

**--name -n**
Name of the new policy definition.

### Optional Parameters

**--description**
Description of policy definition.

**--display-name**
Display name of policy definition.

**--management-group**
Name of the management group the new policy definition can be assigned in.

**--metadata**
Metadata in space-separated key=value pairs.

**--mode**
Mode of the policy definition, e.g. All, Indexed. Please visit https://aka.ms/azure-policy-mode for more information.

**--params**
JSON formatted string or a path to a file or URI with parameter definitions.

**--rules**
Policy rules in JSON format, or a path to a file containing JSON rules.

**--subscription**
Name or ID of the subscription the new policy definition can be assigned in.
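The `--rules` and `--params` documents above must agree with each other: every `parameters('x')` reference in the rules has to be declared in the params document, or the service rejects the definition. The following is an added example (not code from the Azure CLI reference) that assembles both documents for the allowed-locations policy, checks the references locally, writes the JSON to files and emits the `az policy definition create` command that reads them by path; `write_policy_files` and `build_create_command` are the example's own helper names.

```python
"""Added example (not from the Azure CLI reference): assemble a policy definition's
--rules/--params JSON, verify parameter references, and emit the az command."""
import json
import re
import shlex
from pathlib import Path
from typing import Optional, Set, Tuple
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

# Constructed policy, mirroring the page's allowedLocations example.
RULES = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('allowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]},
    "then": {"effect": "deny"},
}
PARAMS = {"allowedLocations": {
    "type": "array",
    "metadata": {"description": "Locations allowed for deployed resources",
                 "strongType": "location", "displayName": "Allowed locations"}}}

def undefined_param_refs(rules: dict, params: dict) -> Set[str]:
    """Parameter names referenced via parameters('...') in the rules but absent
    from --params; Azure rejects such a definition, so catch it before the call."""
    return set(PARAM_REF.findall(json.dumps(rules))) - set(params)

def build_create_command(name: str, rules: dict, params: dict, rules_path: str,
                         params_path: str, mode: str = "Indexed",
                         management_group: Optional[str] = None) -> str:
    """Return the az command reading rules/params from files (file paths avoid
    the backslash escaping that inline JSON on the command line needs).
    Mode Indexed fits a location policy: only resources with a location are evaluated."""
    missing = undefined_param_refs(rules, params)
    if missing:
        raise ValueError(f"rules reference undefined parameters: {sorted(missing)}")
    cmd = ["az", "policy", "definition", "create", "--name", name, "--mode", mode,
           "--rules", rules_path, "--params", params_path]
    if management_group:  # scope to a management group instead of the subscription
        cmd += ["--management-group", management_group]
    return shlex.join(cmd)

def write_policy_files(name: str, rules: dict, params: dict, out_dir: str = ".") -> Tuple[str, str]:
    """Write the two JSON files the command refers to and return their paths."""
    rules_path = Path(out_dir) / f"{name}.rules.json"
    params_path = Path(out_dir) / f"{name}.params.json"
    rules_path.write_text(json.dumps(rules, indent=2))
    params_path.write_text(json.dumps(params, indent=2))
    return str(rules_path), str(params_path)
```

Run `build_create_command("allowedLocations", RULES, PARAMS, *write_policy_files("allowedLocations", RULES, PARAMS))` to get a command you can paste into a shell that is logged in with `az login`.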
### Global Parameters

**--debug**
Increase logging verbosity to show all debug logs.

**--help -h**
Show this help message and exit.

**--only-show-errors**
Only show errors, suppressing warnings.

**--output -o**
Output format.

**--query**
JMESPath query string. See http://jmespath.org/ for more information and examples.

**--subscription**
Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.

**--verbose**
Increase logging verbosity. Use --debug for full debug logs.
## az policy definition delete

Delete a policy definition.

```azurecli
az policy definition delete --name
                            [--management-group]
                            [--subscription]
```

### Examples

Delete a policy definition. (autogenerated)

```azurecli
az policy definition delete --name MyPolicyDefinition
```

### Required Parameters

**--name -n**
The policy definition name.

### Optional Parameters

**--management-group**
The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

**--subscription**
The subscription ID of the policy [set] definition.
### Global Parameters

**--debug**
Increase logging verbosity to show all debug logs.

**--help -h**
Show this help message and exit.

**--only-show-errors**
Only show errors, suppressing warnings.

**--output -o**
Output format.

**--query**
JMESPath query string. See http://jmespath.org/ for more information and examples.

**--subscription**
Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.

**--verbose**
Increase logging verbosity. Use --debug for full debug logs.
## az policy definition list

List policy definitions.

```azurecli
az policy definition list [--management-group]
                          [--subscription]
```

### Optional Parameters

**--management-group**
The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

**--subscription**
The subscription ID of the policy [set] definition.
### Global Parameters

**--debug**
Increase logging verbosity to show all debug logs.

**--help -h**
Show this help message and exit.

**--only-show-errors**
Only show errors, suppressing warnings.

**--output -o**
Output format.

**--query**
JMESPath query string. See http://jmespath.org/ for more information and examples.

**--subscription**
Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.

**--verbose**
Increase logging verbosity. Use --debug for full debug logs.
## az policy definition show

Show a policy definition.

```azurecli
az policy definition show --name
                          [--management-group]
                          [--subscription]
```

### Examples

Show a policy definition. (autogenerated)

```azurecli
az policy definition show --name MyPolicyDefinition
```

### Required Parameters

**--name -n**
The policy definition name.

### Optional Parameters

**--management-group**
The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

**--subscription**
The subscription ID of the policy [set] definition.
### Global Parameters

**--debug**
Increase logging verbosity to show all debug logs.

**--help -h**
Show this help message and exit.

**--only-show-errors**
Only show errors, suppressing warnings.

**--output -o**
Output format.

**--query**
JMESPath query string. See http://jmespath.org/ for more information and examples.

**--subscription**
Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.

**--verbose**
Increase logging verbosity. Use --debug for full debug logs.
## az policy definition update

Update a policy definition.

```azurecli
az policy definition update --name
                            [--description]
                            [--display-name]
                            [--management-group]
                            [--metadata]
                            [--mode]
                            [--params]
                            [--rules]
                            [--subscription]
```

### Examples

Update a policy definition. (autogenerated)

```azurecli
az policy definition update --name MyPolicyDefinition
```

### Required Parameters

**--name -n**
The policy definition name.

### Optional Parameters

**--description**
Description of policy definition.

**--display-name**
Display name of policy definition.

**--management-group**
The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

**--metadata**
Metadata in space-separated key=value pairs.

**--mode**
Mode of the policy definition, e.g. All, Indexed. Please visit https://aka.ms/azure-policy-mode for more information.

**--params**
JSON formatted string or a path to a file or URI with parameter definitions.

**--rules**
JSON formatted string or a path to a file with such content.

**--subscription**
The subscription ID of the policy [set] definition.
### Global Parameters

**--debug**
Increase logging verbosity to show all debug logs.

**--help -h**
Show this help message and exit.

**--only-show-errors**
Only show errors, suppressing warnings.

**--output -o**
Output format.

**--query**
JMESPath query string. See http://jmespath.org/ for more information and examples.

**--subscription**
Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.

**--verbose**
Increase logging verbosity. Use --debug for full debug logs.