List Azure deny assignments using the REST API
Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using the REST API.
Note
You can't directly create your own deny assignments. For more information, see Azure deny assignments.
Prerequisites
To get information about a deny assignment, you must have:
- Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles.
You must use the following version:
- 2018-07-01-preview or later
- 2022-04-01 is the first stable version
For more information, see API versions of Azure RBAC REST APIs.
List a single deny assignment
To list a single deny assignment, use the Deny Assignments - Get REST API.
Start with the following request:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments/{deny-assignment-id}?api-version=2022-04-01
Within the URI, replace {scope} with the scope for which you want to list the deny assignments.
Scope | Type
subscriptions/{subscriptionId} | Subscription
subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group
subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource
Replace {deny-assignment-id} with the deny assignment identifier you want to retrieve.
List multiple deny assignments
To list multiple deny assignments, use the Deny Assignments - List REST API.
Start with one of the following requests:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01
With optional parameters:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter={filter}
Within the URI, replace {scope} with the scope for which you want to list the deny assignments.
Scope | Type
subscriptions/{subscriptionId} | Subscription
subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group
subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource
Replace {filter} with the condition that you want to apply to filter the deny assignment list.
Filter | Description
(no filter) | Lists all deny assignments at, above, and below the specified scope.
$filter=atScope() | Lists deny assignments for only the specified scope and above. Does not include the deny assignments at subscopes.
$filter=assignedTo('{objectId}') | Lists deny assignments for the specified user or service principal. If the user is a member of a group that has a deny assignment, that deny assignment is also listed. This filter is transitive for groups, which means that if the user is a member of a group and that group is a member of another group that has a deny assignment, that deny assignment is also listed. This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group.
$filter=atScope()+and+assignedTo('{objectId}') | Lists deny assignments for the specified user or service principal and at the specified scope.
$filter=denyAssignmentName+eq+'{deny-assignment-name}' | Lists deny assignments with the specified name.
$filter=principalId+eq+'{objectId}' | Lists deny assignments for the specified user, group, or service principal.
List deny assignments at the root scope (/)
Elevate your access as described in Elevate access to manage all Azure subscriptions and management groups.
Use the following request:
GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter={filter}
Replace {filter} with the condition that you want to apply to filter the deny assignment list. A filter is required.
Filter | Description
$filter=atScope() | List deny assignments for only the root scope. Does not include the deny assignments at subscopes.
$filter=denyAssignmentName+eq+'{deny-assignment-name}' | List deny assignments with the specified name.
Remove elevated access.
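The following Python sketch is an added example, not part of the original article or of any Microsoft SDK. It builds the Deny Assignments - List URIs described above, enforces the rule that a filter is required at the root scope, and collects paged results. The get_json callable, the sample identifiers and responses, and the nextLink paging field are assumptions that do not appear in this article.

```python
import uuid
from urllib.parse import quote_plus

ARM = "https://management.azure.com"
# api-version 2022-04-01 is the first stable version (see Prerequisites).
LIST = "/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"

def principal_filter(object_id, at_scope=False):
    """assignedTo('{objectId}'), optionally combined with atScope()."""
    # Parsing the object ID as a GUID rejects input that could alter the filter.
    expr = f"assignedTo('{uuid.UUID(object_id)}')"
    return "atScope() and " + expr if at_scope else expr

def name_filter(name):
    """denyAssignmentName eq '{deny-assignment-name}'."""
    # OData string literals escape a single quote by doubling it.
    return "denyAssignmentName eq '" + name.replace("'", "''") + "'"

def list_url(scope, filter_expr=""):
    """Build the Deny Assignments - List URI; scope "/" means the root scope."""
    scope = scope.strip("/")
    if not scope and not filter_expr:
        raise ValueError("a filter is required at the root scope")
    url = ARM + ("/" + scope if scope else "") + LIST
    if filter_expr:
        # Keep ( ) ' literal and encode spaces as +, as in the article's URIs.
        url += "&$filter=" + quote_plus(filter_expr, safe="()'")
    return url

def list_all(url, get_json):
    """Collect all pages. get_json(url) -> dict is a hypothetical function
    supplied by the caller that sends the authenticated GET request."""
    items = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")  # assumed paging field, not on this page
    return items

# Constructed sample: two pages standing in for the service's responses.
SUB = "subscriptions/00000000-0000-0000-0000-000000000000"
OBJ = "11111111-1111-1111-1111-111111111111"
FIRST = list_url(SUB, principal_filter(OBJ, at_scope=True))
PAGES = {FIRST: {"value": [{"name": "constructed-1"}], "nextLink": FIRST + "&p=2"},
         FIRST + "&p=2": {"value": [{"name": "constructed-2"}]}}

if __name__ == "__main__":
    print(FIRST)
    print([d["name"] for d in list_all(FIRST, PAGES.__getitem__)])
```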