

az policy assignment

Manage resource policy assignments.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az policy assignment create | Create a resource policy assignment. | Core | GA |
| az policy assignment delete | Delete a resource policy assignment. | Core | GA |
| az policy assignment identity | Manage a policy assignment's managed identity. | Core | GA |
| az policy assignment identity assign | Add a system assigned identity or a user assigned identity to a policy assignment. | Core | GA |
| az policy assignment identity remove | Remove a managed identity from a policy assignment. | Core | GA |
| az policy assignment identity show | Show a policy assignment's managed identity. | Core | GA |
| az policy assignment list | List resource policy assignments. | Core | GA |
| az policy assignment non-compliance-message | Manage a policy assignment's non-compliance messages. | Core | GA |
| az policy assignment non-compliance-message create | Add a non-compliance message to a policy assignment. | Core | GA |
| az policy assignment non-compliance-message delete | Remove one or more non-compliance messages from a policy assignment. | Core | GA |
| az policy assignment non-compliance-message list | List the non-compliance messages for a policy assignment. | Core | GA |
| az policy assignment show | Show a resource policy assignment. | Core | GA |
| az policy assignment update | Update a resource policy assignment. | Core | GA |

az policy assignment create

Create a resource policy assignment.

az policy assignment create [--assign-identity]
                            [--description]
                            [--display-name]
                            [--enforcement-mode {Default, DoNotEnforce}]
                            [--identity-scope]
                            [--location]
                            [--mi-system-assigned]
                            [--mi-user-assigned]
                            [--name]
                            [--not-scopes]
                            [--params]
                            [--policy]
                            [--policy-set-definition]
                            [--resource-group]
                            [--role]
                            [--scope]
                            [--sku {free, standard}]

Examples

Create a resource policy assignment at scope. Valid scopes are management group, subscription, resource group, and resource, for example:

   management group:  /providers/Microsoft.Management/managementGroups/MyManagementGroup
   subscription:      /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
   resource group:    /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
   resource:          /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM

az policy assignment create --scope \
    "/providers/Microsoft.Management/managementGroups/MyManagementGroup" \
    --policy {PolicyName} -p "{ \"allowedLocations\": \
        { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Create a resource policy assignment and provide rule parameter values.

az policy assignment create --policy {PolicyName} -p "{ \"allowedLocations\": \
    { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Create a resource policy assignment with a system assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --location eastus

Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor --location eastus

Create a resource policy assignment with a user assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} -g MyResourceGroup --mi-user-assigned myAssignedId --location westus

Create a resource policy assignment with an enforcement mode. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

az policy assignment create --name myPolicy --policy {PolicyName} --enforcement-mode 'DoNotEnforce'

Optional Parameters

--assign-identity
Deprecated

Argument 'assign_identity' has been deprecated and will be removed in a future release.

Assigns a system assigned identity to the policy assignment. This argument is deprecated; use --mi-system-assigned instead.

--description

Description of the policy assignment.

--display-name

Display name of the policy assignment.

--enforcement-mode -e

Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

Accepted values: Default, DoNotEnforce
Default value: Default

--identity-scope

Scope that the system assigned identity can access.

--location -l

The location of the policy assignment. Only required when utilizing managed identity.

--mi-system-assigned

Provide this flag to use system assigned identity for policy assignment. Check out help for more examples.

--mi-user-assigned

ID of the user assigned identity to use for the policy assignment. Check out help for more examples.

--name -n

Name of the new policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string, or a path to a file or a URI, with parameter values of the policy rule.

--policy

Name or id of the policy definition. If not provided, a policy set definition parameter must be provided.

--policy-set-definition -d

Name or id of the policy set definition. If not provided, a policy definition parameter must be provided.

--resource-group -g

The resource group where the policy will be applied.

--role

Role name or id that will be assigned to the managed identity.

Default value: Contributor

--scope

Scope to which this policy assignment applies.

--sku -s
Deprecated

Argument 'sku' has been deprecated and will be removed in a future release.

Policy sku.

Accepted values: free, standard

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy assignment delete

Delete a resource policy assignment.

az policy assignment delete --name
                            [--resource-group]
                            [--scope]

Examples

Delete a resource policy assignment. (autogenerated)

az policy assignment delete --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy assignment list

List resource policy assignments.

az policy assignment list [--disable-scope-strict-match]
                          [--resource-group]
                          [--scope]

Optional Parameters

--disable-scope-strict-match

Include policy assignments either inherited from parent scope or at child scope.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
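
An added example, not part of the Azure CLI reference: a Python audit over the JSON printed by `az policy assignment list --disable-scope-strict-match -o json`. It flags assignments set to DoNotEnforce, assignments carrying --not-scopes exclusions, and assignments holding a managed identity, whose role (Contributor by default, per --role) should be reviewed. The function name `audit`, the sample data, and the `enforcementMode`, `notScopes` and `identity` field names in the output are assumptions of this example.

```python
import json
import sys

# Constructed sample, trimmed to the fields this audit reads. Assumed shape of
# `az policy assignment list --disable-scope-strict-match -o json` output.
SAMPLE = json.loads("""[
  {"name": "allowed-locations", "enforcementMode": "Default",
   "notScopes": [], "identity": null},
  {"name": "audit-vm-sku", "enforcementMode": "DoNotEnforce",
   "notScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sandbox"],
   "identity": null},
  {"name": "deploy-diagnostics", "enforcementMode": "Default",
   "identity": {"type": "SystemAssigned",
                "principalId": "11111111-1111-1111-1111-111111111111"}}
]""")


def audit(assignments):
    """Return (assignment name, finding) pairs for settings worth a review."""
    findings = []
    for a in assignments:
        name = a.get("name") or "<unnamed>"
        # DoNotEnforce: the policy effect is not enforced for this assignment.
        if (a.get("enforcementMode") or "Default").lower() == "donotenforce":
            findings.append((name, "enforcement mode is DoNotEnforce"))
        # Every not-scope is a place where the assignment does not apply.
        for excluded in a.get("notScopes") or []:
            findings.append((name, f"excluded scope: {excluded}"))
        # --role defaults to Contributor, so identities deserve a role review.
        identity = a.get("identity") or {}
        kind = identity.get("type") or "None"
        if kind != "None":
            principal = identity.get("principalId") or "principal id not listed"
            findings.append((name, f"{kind} identity ({principal}): review its role assignments"))
    return findings


if __name__ == "__main__":
    # Pass a file holding the CLI's JSON output, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, finding in audit(data):
        print(f"{name}: {finding}")
```
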

az policy assignment show

Show a resource policy assignment.

az policy assignment show --name
                          [--resource-group]
                          [--scope]

Examples

Show a resource policy assignment. (autogenerated)

az policy assignment show --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy assignment update

Update a resource policy assignment.

az policy assignment update [--description]
                            [--display-name]
                            [--enforcement-mode {Default, DoNotEnforce}]
                            [--name]
                            [--not-scopes]
                            [--params]
                            [--resource-group]
                            [--scope]
                            [--sku {free, standard}]

Examples

Update a resource policy assignment's description.

az policy assignment update --name myPolicy --description 'My policy description'

Optional Parameters

--description

Description of the policy assignment.

--display-name

Display name of the policy assignment.

--enforcement-mode -e

Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

Accepted values: Default, DoNotEnforce

--name -n

Name of the policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string, or a path to a file or a URI, with parameter values of the policy rule.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.

--sku -s
Deprecated

Argument 'sku' has been deprecated and will be removed in a future release.

Policy sku.

Accepted values: free, standard

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.