Edit

Share via


Get-AzDenyAssignment

Lists Azure RBAC deny assignments at the specified scope. By default it lists all deny assignments in the selected Azure subscription. Use respective parameters to list deny assignments to a specific user, or to list deny assignments on a specific resource group or resource.

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /directoryObjects/{id}
  • POST /directoryObjects/getByIds

Syntax

EmptyParameterSet (Default)

Get-AzDenyAssignment
    [-Scope <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ObjectIdParameterSet

Get-AzDenyAssignment
    -ObjectId <Guid>
    [-ExpandPrincipalGroups]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupWithObjectIdParameterSet

Get-AzDenyAssignment
    -ObjectId <Guid>
    -ResourceGroupName <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceWithObjectIdParameterSet

Get-AzDenyAssignment
    -ObjectId <Guid>
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    [-ParentResource <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeWithObjectIdParameterSet

Get-AzDenyAssignment
    -ObjectId <Guid>
    -Scope <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupWithSignInNameParameterSet

Get-AzDenyAssignment
    -SignInName <String>
    -ResourceGroupName <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceWithSignInNameParameterSet

Get-AzDenyAssignment
    -SignInName <String>
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    [-ParentResource <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeWithSignInNameParameterSet

Get-AzDenyAssignment
    -SignInName <String>
    -Scope <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

SignInNameParameterSet

Get-AzDenyAssignment
    -SignInName <String>
    [-ExpandPrincipalGroups]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupWithSPNParameterSet

Get-AzDenyAssignment
    -ServicePrincipalName <String>
    -ResourceGroupName <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceWithSPNParameterSet

Get-AzDenyAssignment
    -ServicePrincipalName <String>
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    [-ParentResource <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeWithSPNParameterSet

Get-AzDenyAssignment
    -ServicePrincipalName <String>
    -Scope <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

SPNParameterSet

Get-AzDenyAssignment
    -ServicePrincipalName <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceGroupParameterSet

Get-AzDenyAssignment
    -ResourceGroupName <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ResourceParameterSet

Get-AzDenyAssignment
    -ResourceGroupName <String>
    -ResourceName <String>
    -ResourceType <String>
    [-ParentResource <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ScopeParameterSet

Get-AzDenyAssignment
    -Scope <String>
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

DenyAssignmentIdParameterSet

Get-AzDenyAssignment
    -Id <String>
    [-Scope <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

DenyAssignmentNameParameterSet

Get-AzDenyAssignment
    -DenyAssignmentName <String>
    [-Scope <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

Description

Use the Get-AzDenyAssignment command to list all deny assignments that are effective on a scope. Without any parameters, this command returns all the deny assignments made under the subscription. This list can be filtered using filtering parameters for principal, deny assignment name and scope. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ServicePrincipalName or ObjectId parameters. The scope at which access is being denied may be specified. It defaults to the selected subscription. The scope of the deny assignment can be specified using one of the following parameter combinations a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>. This will filter deny assignments that are effective at that particular scope i.e. all deny assignments at that scope and above. b. ResourceGroupName - Name of any resource group under the subscription. This will filter assignments effective at the specified resource group i.e. all deny assignments at that scope and above. c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription and will filter deny assignments effective at that resource scope. To determine what access is denied for a particular user in the subscription, use the ExpandPrincipalGroups switch. This will list all deny assignments assigned to the user, and to the groups that the user is member of.

Examples

Example 1

List all deny assignments in the subscription

Get-AzDenyAssignment
Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/denyAssignments/22704996-fbd0-4ab1-8625-722d897825d2
DenyAssignmentName      : Test deny assignment 1
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          DisplayName:  testuser
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          }
IsSystemProtected       : True

Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName      : Test deny assignment 2
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  testuser
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          ,
                          DisplayName:  PowershellTestingApp
                          ObjectType:   ServicePrincipal
                          ObjectId:     f2dc21ac-702a-4bde-a4ce-146edf751d81
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Example 2

Gets all deny assignments made to user john.doe@contoso.com at the scope testRG and above.

Get-AzDenyAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com
Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/denyAssignments/22704996-fbd0-4ab1-8625-722d897825d2
DenyAssignmentName      : Test deny assignment 1
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  john.doe
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName      : Test deny assignment
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  john.doe
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          ,
                          DisplayName:  PowershellTestingApp
                          ObjectType:   ServicePrincipal
                          ObjectId:     f2dc21ac-702a-4bde-a4ce-146edf751d81
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Example 3

Gets all deny assignments of the specified service principal

Get-AzDenyAssignment -ServicePrincipalName 'http://testapp1.com'
Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName      : Test deny assignment 1
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  TestApp
                          ObjectType:   ServicePrincipal
                          ObjectId:     f2dc21ac-702a-4bde-a4ce-146edf751d81
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1/providers/Microsoft.Authorization/denyAssignments/94e3d9da-3700-4113-aab4-15f6c173d794
DenyAssignmentName      : Test deny assignment 2
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  testuser
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          ,
                          DisplayName:  TestApp
                          ObjectType:   ServicePrincipal
                          ObjectId:     f2dc21ac-702a-4bde-a4ce-146edf751d81
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Example 4

Gets deny assignments at the 'site1' website scope.

Get-AzDenyAssignment -Scope '/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/testRG/providers/Microsoft.Web/sites/site1'
Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName      : Test deny assignment 1
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  testuser
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Id                      : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1/providers/Microsoft.Authorization/denyAssignments/594e3d9da-3700-4113-aab4-15f6c173d794
DenyAssignmentName      : Test deny assignment 2
Description             : Test deny assignment for PS cmdlets
Actions                 : {foo/*}
NotActions              : {foo/*/read}
DataActions             : {foo/*}
NotDataActions          : {}
Scope                   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1
DoNotApplyToChildScopes : False
Principals              : {
                          DisplayName:  testuser
                          ObjectType:   User
                          ObjectId:     f8d526a0-54eb-4941-ae69-ebf4a334d0f0
                          ,
                          DisplayName:  TestApp
                          ObjectType:   ServicePrincipal
                          ObjectId:     f2dc21ac-702a-4bde-a4ce-146edf751d81
                          }
ExcludePrincipals       : {}
IsSystemProtected       : True

Parameters

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DenyAssignmentName

Name of the deny assignment.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

DenyAssignmentNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ExpandPrincipalGroups

If specified, returns deny assignments directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a user principal.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ObjectIdParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
SignInNameParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Id

Deny assignment fully qualified ID or GUID. When Id is provided as a GUID, will take current subscription as default scope.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

DenyAssignmentIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ObjectId

The Microsoft Entra ObjectId of the User, Group or Service Principal. Filters all deny assignments that are made to the specified principal.

Parameter properties

Type:

Nullable<T>[Guid]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:PrincipalId

Parameter sets

ObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ParentResource

The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceWithObjectIdParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ResourceGroupName

The resource group name. Lists deny assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists deny assignments effective at resources within the resource group.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceGroupWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceGroupParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ResourceName

The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ResourceType

The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ResourceWithObjectIdParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Scope

The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all deny assignments that are effective at that scope.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

EmptyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
DenyAssignmentIdParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
DenyAssignmentNameParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ServicePrincipalName

The ServicePrincipalName of the service principal. Filters all deny assignments that are made to the specified Microsoft Entra application.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SPN

Parameter sets

ResourceGroupWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithSPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
SPNParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-SignInName

The email address or the user principal name of the user. Filters all deny assignments that are made to the specified user.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Email, UserPrincipalName

Parameter sets

ResourceGroupWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ResourceWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ScopeWithSignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
SignInNameParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Guid

String

Outputs

PSDenyAssignment

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment