az policy assignment
Manage resource policy assignments.
Commands
Name | Description | Type | Status |
---|---|---|---|
az policy assignment create | Create a resource policy assignment. | Core | GA |
az policy assignment delete | Delete a resource policy assignment. | Core | GA |
az policy assignment identity | Manage a policy assignment's managed identity. | Core | GA |
az policy assignment identity assign | Add a system assigned identity or a user assigned identity to a policy assignment. | Core | GA |
az policy assignment identity remove | Remove a managed identity from a policy assignment. | Core | GA |
az policy assignment identity show | Show a policy assignment's managed identity. | Core | GA |
az policy assignment list | List resource policy assignments. | Core | GA |
az policy assignment non-compliance-message | Manage a policy assignment's non-compliance messages. | Core | GA |
az policy assignment non-compliance-message create | Add a non-compliance message to a policy assignment. | Core | GA |
az policy assignment non-compliance-message delete | Remove one or more non-compliance messages from a policy assignment. | Core | GA |
az policy assignment non-compliance-message list | List the non-compliance messages for a policy assignment. | Core | GA |
az policy assignment show | Show a resource policy assignment. | Core | GA |
az policy assignment update | Update a resource policy assignment. | Core | GA |
az policy assignment create
Create a resource policy assignment.
az policy assignment create [--assign-identity]
[--description]
[--display-name]
[--enforcement-mode {Default, DoNotEnforce}]
[--identity-scope]
[--location]
[--mi-system-assigned]
[--mi-user-assigned]
[--name]
[--not-scopes]
[--params]
[--policy]
[--policy-set-definition]
[--resource-group]
[--role]
[--scope]
[--sku {free, standard}]
Examples
Create a resource policy assignment at scope
Valid scopes are management group, subscription, resource group, and resource, for example:
management group: /providers/Microsoft.Management/managementGroups/MyManagementGroup
subscription: /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
resource group: /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
resource: /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
az policy assignment create --scope \
"/providers/Microsoft.Management/managementGroups/MyManagementGroup" \
--policy {PolicyName} -p "{ \"allowedLocations\": \
{ \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"
Create a resource policy assignment and provide rule parameter values.
az policy assignment create --policy {PolicyName} -p "{ \"allowedLocations\": \
{ \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"
Create a resource policy assignment with a system assigned identity.
az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --location eastus
Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.
az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor --location eastus
Create a resource policy assignment with a user assigned identity.
az policy assignment create --name myPolicy --policy {PolicyName} -g MyResourceGroup --mi-user-assigned myAssignedId --location westus
Create a resource policy assignment with an enforcement mode. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.
az policy assignment create --name myPolicy --policy {PolicyName} --enforcement-mode 'DoNotEnforce'
Optional Parameters
--assign-identity: Argument 'assign_identity' has been deprecated and will be removed in a future release. Assigns a system assigned identity to the policy assignment. This argument will be deprecated, please use --mi-system-assigned instead.
--description: Description of the policy assignment.
--display-name: Display name of the policy assignment.
--enforcement-mode: Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.
--identity-scope: Scope that the system assigned identity can access.
--location: The location of the policy assignment. Only required when utilizing managed identity.
--mi-system-assigned: Provide this flag to use system assigned identity for policy assignment. Check out help for more examples.
--mi-user-assigned: UserAssigned Identity Id to be used for policy assignment. Check out help for more examples.
--name: Name of the new policy assignment.
--not-scopes: Space-separated scopes where the policy assignment does not apply.
--params: JSON formatted string or a path to a file or uri with parameter values of the policy rule.
--policy: Name or id of the policy definition. If not provided, a policy set definition parameter must be provided.
--policy-set-definition: Name or id of the policy set definition. If not provided, a policy definition parameter must be provided.
--resource-group: The resource group where the policy will be applied.
--role: Role name or id that will be assigned to the managed identity.
--scope: Scope to which this policy assignment applies.
--sku: Argument 'sku' has been deprecated and will be removed in a future release. Policy sku.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy assignment delete
Delete a resource policy assignment.
az policy assignment delete --name
[--resource-group]
[--scope]
Examples
Delete a resource policy assignment. (autogenerated)
az policy assignment delete --name MyPolicyAssignment
Required Parameters
--name: Name of the policy assignment.
Optional Parameters
--resource-group: The resource group where the policy will be applied.
--scope: Scope at which this policy assignment subcommand applies. Defaults to current context subscription.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy assignment list
List resource policy assignments.
az policy assignment list [--disable-scope-strict-match]
[--resource-group]
[--scope]
Optional Parameters
--disable-scope-strict-match: Include policy assignments either inherited from parent scope or at child scope.
--resource-group: The resource group where the policy will be applied.
--scope: Scope at which this policy assignment subcommand applies. Defaults to current context subscription.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
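One way to review the output of az policy assignment list, as an added example that is not part of the Azure CLI documentation: it flags assignments that are in DoNotEnforce mode, carry excluded scopes, or have a managed identity, and classifies each scope into the four forms listed under az policy assignment create. The field names (enforcementMode, notScopes, identity.type) are assumed from the command's JSON output, and the sample data is constructed.

```python
import re

SUB = r"/subscriptions/[^/]+"
# The four scope forms listed under "az policy assignment create".
SCOPE_KINDS = [
    ("management group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", SUB),
    ("resource group", SUB + r"/resourceGroups/[^/]+"),
    ("resource", SUB + r"/resourceGroups/[^/]+/providers/[^/]+/.+"),
]

def scope_kind(scope):
    """Classify a scope string; anything unrecognised is 'unknown'."""
    for kind, pattern in SCOPE_KINDS:
        if re.fullmatch(pattern, scope or "", re.IGNORECASE):
            return kind
    return "unknown"

def audit(assignments):
    """Return (name, scope kind, issues) for assignments that need review."""
    findings = []
    for a in assignments:
        issues = []
        if a.get("enforcementMode") == "DoNotEnforce":
            issues.append("effect not enforced")
        if a.get("notScopes"):
            issues.append(f"{len(a['notScopes'])} excluded scope(s)")
        identity = a.get("identity") or {}
        if identity.get("type") not in (None, "None"):
            issues.append("has managed identity; review its role and scope")
        if issues:
            findings.append((a.get("name"), scope_kind(a.get("scope")), issues))
    return findings

# Constructed sample; field names are assumed from `az policy assignment list -o json`.
SUB_ID = "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333"
VM = SUB_ID + "/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM"
SAMPLE = [
    {"name": "allowed-locations", "scope": SUB_ID,
     "enforcementMode": "Default", "notScopes": None, "identity": None},
    {"name": "audit-only-tags", "scope": SUB_ID + "/resourceGroups/myGroup",
     "enforcementMode": "DoNotEnforce", "notScopes": [VM], "identity": None},
    {"name": "deploy-diagnostics",
     "scope": "/providers/Microsoft.Management/managementGroups/MyManagementGroup",
     "enforcementMode": "Default", "notScopes": [], "identity": {"type": "SystemAssigned"}},
]

if __name__ == "__main__":
    for name, kind, issues in audit(SAMPLE):
        print(f"{name} [{kind}]: " + "; ".join(issues))
```

With real data, pass it the parsed JSON from az policy assignment list --disable-scope-strict-match -o json so inherited and child-scope assignments are included.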
az policy assignment show
Show a resource policy assignment.
az policy assignment show --name
[--resource-group]
[--scope]
Examples
Show a resource policy assignment. (autogenerated)
az policy assignment show --name MyPolicyAssignment
Required Parameters
--name: Name of the policy assignment.
Optional Parameters
--resource-group: The resource group where the policy will be applied.
--scope: Scope at which this policy assignment subcommand applies. Defaults to current context subscription.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az policy assignment update
Update a resource policy assignment.
az policy assignment update [--description]
[--display-name]
[--enforcement-mode {Default, DoNotEnforce}]
[--name]
[--not-scopes]
[--params]
[--resource-group]
[--scope]
[--sku {free, standard}]
Examples
Update a resource policy assignment's description.
az policy assignment update --name myPolicy --description 'My policy description'
Optional Parameters
--description: Description of the policy assignment.
--display-name: Display name of the policy assignment.
--enforcement-mode: Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.
--name: Name of the policy assignment.
--not-scopes: Space-separated scopes where the policy assignment does not apply.
--params: JSON formatted string or a path to a file or uri with parameter values of the policy rule.
--resource-group: The resource group where the policy will be applied.
--scope: Scope at which this policy assignment subcommand applies. Defaults to current context subscription.
--sku: Argument 'sku' has been deprecated and will be removed in a future release. Policy sku.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.