Microsoft.Authorization policyAssignments

Bicep resource definition

The policyAssignments resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.

Valid deployment scopes for the policyAssignments resource are:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'string'
  location: 'string'
  scope: resourceSymbolicName
  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    description: 'string'
    displayName: 'string'
    enforcementMode: 'string'
    metadata: any()
    nonComplianceMessages: [
      {
        message: 'string'
        policyDefinitionReferenceId: 'string'
      }
    ]
    notScopes: [
      'string'
    ]
    parameters: {}
    policyDefinitionId: 'string'
  }
}

Property values

policyAssignments

Name Description Value
name The resource name string (required)

Character limit: 1-128 display name

1-64 resource name

1-24 resource name at management group scope

Valid characters:
Display name can contain any characters.

Resource name can't use:
<>*%&:\?.+/ or control characters.

Can't end with period or space.
location The location of the policy assignment. Only required when utilizing managed identity. string
scope Use when creating an extension resource at a scope that is different than the deployment scope. Target resource

For Bicep, set this property to the symbolic name of the resource to apply the extension resource.
identity The managed identity associated with the policy assignment. Identity
properties Properties for the policy assignment. PolicyAssignmentProperties

Identity

Name Description Value
type The identity type. This is the only required field when adding a system or user assigned identity to a resource. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. object

PolicyAssignmentProperties

Name Description Value
description This message will be part of response in case of policy violation. string
displayName The display name of the policy assignment. string
enforcementMode The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 'Default'
'DoNotEnforce'
metadata The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. For Bicep, you can use the any() function.
nonComplianceMessages The messages that describe why a resource is non-compliant with the policy. NonComplianceMessage[]
notScopes The policy's excluded scopes. string[]
parameters The parameter values for the assigned policy rule. The keys are the parameter names. object
policyDefinitionId The ID of the policy definition or policy set definition being assigned. string

NonComplianceMessage

Name Description Value
message A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. string (required)
policyDefinitionReferenceId The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Deploy a policy definition and assign to a management group

Deploy to Azure
This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.
Deploy a Policy Def and Assign to Multiple Mgmt Groups

Deploy to Azure
This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Assign a built-in policy to an existing resource group

Deploy to Azure
This template assigns a built-in policy to an existing resource group.

ARM template resource definition

The policyAssignments resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.

Valid deployment scopes for the policyAssignments resource are:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to your template.

{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2021-06-01",
  "name": "string",
  "location": "string",
  "scope": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {}
  },
  "properties": {
    "description": "string",
    "displayName": "string",
    "enforcementMode": "string",
    "metadata": {},
    "nonComplianceMessages": [
      {
        "message": "string",
        "policyDefinitionReferenceId": "string"
      }
    ],
    "notScopes": [ "string" ],
    "parameters": {},
    "policyDefinitionId": "string"
  }
}

Property values

policyAssignments

Name Description Value
type The resource type 'Microsoft.Authorization/policyAssignments'
apiVersion The resource api version '2021-06-01'
name The resource name string (required)

Character limit: 1-128 display name

1-64 resource name

1-24 resource name at management group scope

Valid characters:
Display name can contain any characters.

Resource name can't use:
<>*%&:\?.+/ or control characters.

Can't end with period or space.
location The location of the policy assignment. Only required when utilizing managed identity. string
scope Use when creating an extension resource at a scope that is different than the deployment scope. Target resource

For JSON, set the value to the full name of the resource to apply the extension resource to.
identity The managed identity associated with the policy assignment. Identity
properties Properties for the policy assignment. PolicyAssignmentProperties

Identity

Name Description Value
type The identity type. This is the only required field when adding a system or user assigned identity to a resource. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. object

PolicyAssignmentProperties

Name Description Value
description This message will be part of response in case of policy violation. string
displayName The display name of the policy assignment. string
enforcementMode The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 'Default'
'DoNotEnforce'
metadata The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.
nonComplianceMessages The messages that describe why a resource is non-compliant with the policy. NonComplianceMessage[]
notScopes The policy's excluded scopes. string[]
parameters The parameter values for the assigned policy rule. The keys are the parameter names. object
policyDefinitionId The ID of the policy definition or policy set definition being assigned. string

NonComplianceMessage

Name Description Value
message A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. string (required)
policyDefinitionReferenceId The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Deploy a policy definition and assign to a management group

Deploy to Azure
This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.
Deploy a Policy Def and Assign to Multiple Mgmt Groups

Deploy to Azure
This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Assign a built-in policy to an existing resource group

Deploy to Azure
This template assigns a built-in policy to an existing resource group.

Terraform (AzAPI provider) resource definition

The policyAssignments resource type is an extension resource, which means you can apply it to another resource.

Use the parent_id property on this resource to set the scope for this resource.

Valid deployment scopes for the policyAssignments resource are:

  • Resource groups
  • Subscriptions
  • Management groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/policyAssignments@2021-06-01"
  name = "string"
  location = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = []
  }
  body = jsonencode({
    properties = {
      description = "string"
      displayName = "string"
      enforcementMode = "string"
      nonComplianceMessages = [
        {
          message = "string"
          policyDefinitionReferenceId = "string"
        }
      ]
      notScopes = [
        "string"
      ]
      parameters = {}
      policyDefinitionId = "string"
    }
  })
}

Property values

policyAssignments

Name Description Value
type The resource type "Microsoft.Authorization/policyAssignments@2021-06-01"
name The resource name string (required)

Character limit: 1-128 display name

1-64 resource name

1-24 resource name at management group scope

Valid characters:
Display name can contain any characters.

Resource name can't use:
<>*%&:\?.+/ or control characters.

Can't end with period or space.
location The location of the policy assignment. Only required when utilizing managed identity. string
parent_id The ID of the resource to apply this extension resource to. string (required)
identity The managed identity associated with the policy assignment. Identity
properties Properties for the policy assignment. PolicyAssignmentProperties

Identity

Name Description Value
type The identity type. This is the only required field when adding a system or user assigned identity to a resource. "SystemAssigned"
"UserAssigned"
identity_ids The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. Array of user identity IDs.

PolicyAssignmentProperties

Name Description Value
description This message will be part of response in case of policy violation. string
displayName The display name of the policy assignment. string
enforcementMode The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. "Default"
"DoNotEnforce"
metadata The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.
nonComplianceMessages The messages that describe why a resource is non-compliant with the policy. NonComplianceMessage[]
notScopes The policy's excluded scopes. string[]
parameters The parameter values for the assigned policy rule. The keys are the parameter names. object
policyDefinitionId The ID of the policy definition or policy set definition being assigned. string

NonComplianceMessage

Name Description Value
message A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. string (required)
policyDefinitionReferenceId The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. string