az policy set-definition

Manage resource policy set definitions.

Commands

Name                             Description                      Type  Status
az policy set-definition create  Create a policy set definition.  Core  GA
az policy set-definition delete  Delete a policy set definition.  Core  GA
az policy set-definition list    List policy set definitions.     Core  GA
az policy set-definition show    Show a policy set definition.    Core  GA
az policy set-definition update  Update a policy set definition.  Core  GA

az policy set-definition create

Create a policy set definition.

az policy set-definition create --definitions
                                --name
                                [--definition-groups]
                                [--description]
                                [--display-name]
                                [--management-group]
                                [--metadata]
                                [--params]
                                [--subscription]

Examples

Create a policy set definition.

az policy set-definition create -n readOnlyStorage \
    --definitions '[ { "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy" } ]'

Create a policy set definition with parameters.

az policy set-definition create -n readOnlyStorage \
    --definitions "[ {
        \"policyDefinitionId\": \"/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy\",
        \"parameters\": { \"storageSku\": { \"value\": \"[parameters('requiredSku')]\" } }
    } ]" \
    --params "{ \"requiredSku\": { \"type\": \"String\" } }"

Create a policy set definition in a subscription.

az policy set-definition create -n readOnlyStorage \
    --subscription '0b1f6471-1bf0-4dda-aec3-111122223333' \
    --definitions '[ { "policyDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/providers/Microsoft.Authorization/policyDefinitions/storagePolicy" } ]'

Create a policy set definition with policy definition groups.

az policy set-definition create -n computeRequirements \
    --definitions '[
        { "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy",
          "groupNames": [ "CostSaving", "Organizational" ] },
        { "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/tagPolicy",
          "groupNames": [ "Organizational" ] }
    ]' \
    --definition-groups '[ { "name": "CostSaving" }, { "name": "Organizational" } ]'
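In the examples above, each `groupNames` entry is matched by a name in `--definition-groups`, and each `[parameters('...')]` reference by a key in `--params`. The following is an added pre-flight check, not part of the Azure CLI or of this reference, that verifies that pairing and catches stray whitespace in keys and resource IDs before the JSON is passed to `az policy set-definition create`. The function name `lint_policy_set`, the ID pattern and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

# Reference to a set-level parameter, e.g. [parameters('requiredSku')].
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")
# Tail shared by policy definition resource IDs (assumed shape, taken from the examples).
ID_TAIL = re.compile(r"/providers/Microsoft\.Authorization/policyDefinitions/[^/\s]+$")


def lint_policy_set(definitions_json, params_json="{}", groups_json="[]"):
    """Return a list of problems; an empty list means the three inputs agree."""
    definitions = json.loads(definitions_json)  # raises ValueError on malformed JSON
    declared_params = set(json.loads(params_json))
    declared_groups = {g["name"] for g in json.loads(groups_json)}
    problems = []
    for i, entry in enumerate(definitions):
        for key in entry:
            if key != key.strip():
                problems.append(f"[{i}] key {key!r} has stray whitespace")
        pid = entry.get("policyDefinitionId")
        if pid is None:
            problems.append(f"[{i}] missing policyDefinitionId")
        elif re.search(r"\s", pid) or not ID_TAIL.search(pid):
            problems.append(f"[{i}] malformed policyDefinitionId {pid!r}")
        for group in entry.get("groupNames", []):
            if group not in declared_groups:
                problems.append(f"[{i}] group {group!r} not in --definition-groups")
        for name in PARAM_REF.findall(json.dumps(entry.get("parameters", {}))):
            if name not in declared_params:
                problems.append(f"[{i}] parameter {name!r} not in --params")
    return problems


# Constructed samples modelled on this page's examples.
STORAGE_ID = "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy"
SKU = {"storageSku": {"value": "[parameters('requiredSku')]"}}
GOOD_DEFS = json.dumps([{"policyDefinitionId": STORAGE_ID, "parameters": SKU,
                         "groupNames": ["CostSaving"]}])
BAD_DEFS = json.dumps([
    {"policyDefinitionId ": STORAGE_ID, "groupNames": ["Organizational"]},
    {"policyDefinitionId": STORAGE_ID.replace("providers/", "providers/ "), "parameters": SKU},
])
PARAMS = '{ "requiredSku": { "type": "String" } }'
GROUPS = '[ { "name": "CostSaving" } ]'

if __name__ == "__main__":
    print(lint_policy_set(GOOD_DEFS, PARAMS, GROUPS))
    for problem in lint_policy_set(BAD_DEFS, "{}", GROUPS):
        print(problem)
```

Once the list comes back empty, the same JSON can be saved to a file and its path given to `--definitions`, which avoids shell quoting altogether.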

Required Parameters

--definitions

Policy definitions in JSON format, or a path to a file or URI containing JSON rules.

--name -n

Name of the new policy set definition.

Optional Parameters

--definition-groups

JSON-formatted string, or a path to a file or URI, containing policy definition groups. Groups are used to organize policy definitions within a policy set.

--description

Description of policy set definition.

--display-name

Display name of policy set definition.

--management-group

Name of management group the new policy set definition can be assigned in.

--metadata

Metadata in space-separated key=value pairs.

--params

JSON-formatted string, or a path to a file or URI, with parameter definitions.

--subscription

Name or ID of the subscription the new policy set definition can be assigned in.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy set-definition delete

Delete a policy set definition.

az policy set-definition delete --name
                                [--management-group]
                                [--subscription]

Examples

Delete a policy set definition.

az policy set-definition delete --management-group myMg --name MyPolicySetDefinition

Required Parameters

--name -n

The policy set definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

--subscription

The subscription ID of the policy [set] definition.

az policy set-definition list

List policy set definitions.

az policy set-definition list [--management-group]
                              [--subscription]

Optional Parameters

--management-group

The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

--subscription

The subscription ID of the policy [set] definition.

az policy set-definition show

Show a policy set definition.

az policy set-definition show --name
                              [--management-group]
                              [--subscription]

Examples

Show a policy set definition. If the policy set is scoped to a management group, then you must include the `--management-group` parameter and value.

az policy set-definition show --name MyPolicySetDefinition --management-group MyManagementGroup

Required Parameters

--name -n

The policy set definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

--subscription

The subscription ID of the policy [set] definition.

az policy set-definition update

Update a policy set definition.

az policy set-definition update --name
                                [--definition-groups]
                                [--definitions]
                                [--description]
                                [--display-name]
                                [--management-group]
                                [--metadata]
                                [--params]
                                [--subscription]

Examples

Update a policy set definition.

az policy set-definition update \
    --definitions '[ { "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy" } ]' \
    --name MyPolicySetDefinition

Update the groups and definitions within a policy set definition.

az policy set-definition update -n computeRequirements \
    --definitions '[
        { "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy",
          "groupNames": [ "CostSaving", "Organizational" ] },
        { "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/tagPolicy",
          "groupNames": [ "Organizational" ] }
    ]' \
    --definition-groups '[ { "name": "CostSaving" }, { "name": "Organizational" } ]'

Required Parameters

--name -n

The policy set definition name.

Optional Parameters

--definition-groups

JSON-formatted string, or a path to a file or URI, containing policy definition groups. Groups are used to organize policy definitions within a policy set.

--definitions

JSON-formatted string, or a path to a file or URI, containing definitions.

--description

Description of policy set definition.

--display-name

Display name of policy set definition.

--management-group

The name of the management group of the policy [set] definition. This parameter is required if your policy set is scoped to a management group.

--metadata

Metadata in space-separated key=value pairs.

--params

JSON-formatted string, or a path to a file or URI, with parameter definitions.

--subscription

The subscription ID of the policy [set] definition.
