Microsoft.Authorization policyAssignments
Bicep resource definition
The policyAssignments resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.
Valid deployment scopes for the policyAssignments resource are:
- Resource groups - See resource group deployment commands
- Subscriptions - See subscription deployment commands
- Management groups - See management group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/policyAssignments resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
name: 'string'
location: 'string'
scope: resourceSymbolicName
identity: {
type: 'string'
userAssignedIdentities: {}
}
properties: {
description: 'string'
displayName: 'string'
enforcementMode: 'string'
metadata: any()
nonComplianceMessages: [
{
message: 'string'
policyDefinitionReferenceId: 'string'
}
]
notScopes: [
'string'
]
overrides: [
{
kind: 'policyEffect'
selectors: [
{
in: [
'string'
]
kind: 'string'
notIn: [
'string'
]
}
]
value: 'string'
}
]
parameters: {}
policyDefinitionId: 'string'
resourceSelectors: [
{
name: 'string'
selectors: [
{
in: [
'string'
]
kind: 'string'
notIn: [
'string'
]
}
]
}
]
}
}
Property values
policyAssignments
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) Character limit: 1-128 display name 1-64 resource name 1-24 resource name at management group scope Valid characters: Display name can contain any characters. Resource name can't use: <>*%&:\?.+/ or control characters. Can't end with period or space. |
| location | The location of the policy assignment. Only required when utilizing managed identity. | string |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For Bicep, set this property to the symbolic name of the resource to apply the extension resource. |
| identity | The managed identity associated with the policy assignment. | Identity |
| properties | Properties for the policy assignment. | PolicyAssignmentProperties |
Identity
| Name | Description | Value |
|---|---|---|
| type | The identity type. This is the only required field when adding a system or user assigned identity to a resource. | 'None' 'SystemAssigned' 'UserAssigned' |
| userAssignedIdentities | The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | object |
PolicyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| description | This message will be part of response in case of policy violation. | string |
| displayName | The display name of the policy assignment. | string |
| enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | 'Default' 'DoNotEnforce' |
| metadata | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | For Bicep, you can use the any() function. |
| nonComplianceMessages | The messages that describe why a resource is non-compliant with the policy. | NonComplianceMessage[] |
| notScopes | The policy's excluded scopes. | string[] |
| overrides | The policy property value override. | Override[] |
| parameters | The parameter values for the assigned policy rule. The keys are the parameter names. | object |
| policyDefinitionId | The ID of the policy definition or policy set definition being assigned. | string |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |
NonComplianceMessage
| Name | Description | Value |
|---|---|---|
| message | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. | string (required) |
| policyDefinitionReferenceId | The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. | string |
Override
| Name | Description | Value |
|---|---|---|
| kind | The override kind. | 'policyEffect' |
| selectors | The list of the selector expressions. | Selector[] |
| value | The value to override the policy property. | string |
Selector
| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | 'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' |
| notIn | The list of values to filter out. | string[] |
ResourceSelector
| Name | Description | Value |
|---|---|---|
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Deploy a policy definition and assign to a management group |
This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal. |
| Deploy a Policy Def and Assign to Multiple Mgmt Groups |
This template is a management group level template that will create a policy definition and assign that policy to multiple management groups. |
| Assign a built-in policy to an existing resource group |
This template assigns a built-in policy to an existing resource group. |
| Create an Azure Virtual Network Manager and sample VNETs |
This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types. |
ARM template resource definition
The policyAssignments resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.
Valid deployment scopes for the policyAssignments resource are:
- Resource groups - See resource group deployment commands
- Subscriptions - See subscription deployment commands
- Management groups - See management group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to your template.
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "string",
"location": "string",
"scope": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {}
},
"properties": {
"description": "string",
"displayName": "string",
"enforcementMode": "string",
"metadata": {},
"nonComplianceMessages": [
{
"message": "string",
"policyDefinitionReferenceId": "string"
}
],
"notScopes": [ "string" ],
"overrides": [
{
"kind": "policyEffect",
"selectors": [
{
"in": [ "string" ],
"kind": "string",
"notIn": [ "string" ]
}
],
"value": "string"
}
],
"parameters": {},
"policyDefinitionId": "string",
"resourceSelectors": [
{
"name": "string",
"selectors": [
{
"in": [ "string" ],
"kind": "string",
"notIn": [ "string" ]
}
]
}
]
}
}
Property values
policyAssignments
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Authorization/policyAssignments' |
| apiVersion | The resource api version | '2022-06-01' |
| name | The resource name | string (required) Character limit: 1-128 display name 1-64 resource name 1-24 resource name at management group scope Valid characters: Display name can contain any characters. Resource name can't use: <>*%&:\?.+/ or control characters. Can't end with period or space. |
| location | The location of the policy assignment. Only required when utilizing managed identity. | string |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For JSON, set the value to the full name of the resource to apply the extension resource to. |
| identity | The managed identity associated with the policy assignment. | Identity |
| properties | Properties for the policy assignment. | PolicyAssignmentProperties |
Identity
| Name | Description | Value |
|---|---|---|
| type | The identity type. This is the only required field when adding a system or user assigned identity to a resource. | 'None' 'SystemAssigned' 'UserAssigned' |
| userAssignedIdentities | The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | object |
PolicyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| description | This message will be part of response in case of policy violation. | string |
| displayName | The display name of the policy assignment. | string |
| enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | 'Default' 'DoNotEnforce' |
| metadata | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | |
| nonComplianceMessages | The messages that describe why a resource is non-compliant with the policy. | NonComplianceMessage[] |
| notScopes | The policy's excluded scopes. | string[] |
| overrides | The policy property value override. | Override[] |
| parameters | The parameter values for the assigned policy rule. The keys are the parameter names. | object |
| policyDefinitionId | The ID of the policy definition or policy set definition being assigned. | string |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |
NonComplianceMessage
| Name | Description | Value |
|---|---|---|
| message | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. | string (required) |
| policyDefinitionReferenceId | The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. | string |
Override
| Name | Description | Value |
|---|---|---|
| kind | The override kind. | 'policyEffect' |
| selectors | The list of the selector expressions. | Selector[] |
| value | The value to override the policy property. | string |
Selector
| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | 'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' |
| notIn | The list of values to filter out. | string[] |
ResourceSelector
| Name | Description | Value |
|---|---|---|
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Deploy a policy definition and assign to a management group |
This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal. |
| Deploy a Policy Def and Assign to Multiple Mgmt Groups |
This template is a management group level template that will create a policy definition and assign that policy to multiple management groups. |
| Assign a built-in policy to an existing resource group |
This template assigns a built-in policy to an existing resource group. |
| Create an Azure Virtual Network Manager and sample VNETs |
This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types. |
Terraform (AzAPI provider) resource definition
The policyAssignments resource type is an extension resource, which means you can apply it to another resource.
Use the parent_id property on this resource to set the scope for this resource.
Valid deployment scopes for the policyAssignments resource are:
- Resource groups
- Subscriptions
- Management groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/policyAssignments resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Authorization/policyAssignments@2022-06-01"
name = "string"
location = "string"
parent_id = "string"
identity {
type = "string"
identity_ids = []
}
body = jsonencode({
properties = {
description = "string"
displayName = "string"
enforcementMode = "string"
nonComplianceMessages = [
{
message = "string"
policyDefinitionReferenceId = "string"
}
]
notScopes = [
"string"
]
overrides = [
{
kind = "policyEffect"
selectors = [
{
in = [
"string"
]
kind = "string"
notIn = [
"string"
]
}
]
value = "string"
}
]
parameters = {}
policyDefinitionId = "string"
resourceSelectors = [
{
name = "string"
selectors = [
{
in = [
"string"
]
kind = "string"
notIn = [
"string"
]
}
]
}
]
}
})
}
Property values
policyAssignments
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Authorization/policyAssignments@2022-06-01" |
| name | The resource name | string (required) Character limit: 1-128 display name 1-64 resource name 1-24 resource name at management group scope Valid characters: Display name can contain any characters. Resource name can't use: <>*%&:\?.+/ or control characters. Can't end with period or space. |
| location | The location of the policy assignment. Only required when utilizing managed identity. | string |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| identity | The managed identity associated with the policy assignment. | Identity |
| properties | Properties for the policy assignment. | PolicyAssignmentProperties |
Identity
| Name | Description | Value |
|---|---|---|
| type | The identity type. This is the only required field when adding a system or user assigned identity to a resource. | "SystemAssigned" "UserAssigned" |
| identity_ids | The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | Array of user identity IDs. |
PolicyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| description | This message will be part of response in case of policy violation. | string |
| displayName | The display name of the policy assignment. | string |
| enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | "Default" "DoNotEnforce" |
| metadata | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | |
| nonComplianceMessages | The messages that describe why a resource is non-compliant with the policy. | NonComplianceMessage[] |
| notScopes | The policy's excluded scopes. | string[] |
| overrides | The policy property value override. | Override[] |
| parameters | The parameter values for the assigned policy rule. The keys are the parameter names. | object |
| policyDefinitionId | The ID of the policy definition or policy set definition being assigned. | string |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |
NonComplianceMessage
| Name | Description | Value |
|---|---|---|
| message | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. | string (required) |
| policyDefinitionReferenceId | The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. | string |
Override
| Name | Description | Value |
|---|---|---|
| kind | The override kind. | "policyEffect" |
| selectors | The list of the selector expressions. | Selector[] |
| value | The value to override the policy property. | string |
Selector
| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | "policyDefinitionReferenceId" "resourceLocation" "resourceType" "resourceWithoutLocation" |
| notIn | The list of values to filter out. | string[] |
ResourceSelector
| Name | Description | Value |
|---|---|---|
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for