Get-AzDenyAssignment
Lists Azure RBAC deny assignments at the specified scope.
By default it lists all deny assignments in the selected Azure subscription.
Use respective parameters to list deny assignments to a specific user, or to list deny assignments on a specific resource group or resource.
The cmdlet may call below Microsoft Graph API according to input parameters:
GET /directoryObjects/{id}
POST /directoryObjects/getByIds
Syntax
EmptyParameterSet (Default)
Get-AzDenyAssignment
[-Scope <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ObjectIdParameterSet
Get-AzDenyAssignment
-ObjectId <Guid>
[-ExpandPrincipalGroups]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupWithObjectIdParameterSet
Get-AzDenyAssignment
-ObjectId <Guid>
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceWithObjectIdParameterSet
Get-AzDenyAssignment
-ObjectId <Guid>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeWithObjectIdParameterSet
Get-AzDenyAssignment
-ObjectId <Guid>
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupWithSignInNameParameterSet
Get-AzDenyAssignment
-SignInName <String>
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceWithSignInNameParameterSet
Get-AzDenyAssignment
-SignInName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeWithSignInNameParameterSet
Get-AzDenyAssignment
-SignInName <String>
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
SignInNameParameterSet
Get-AzDenyAssignment
-SignInName <String>
[-ExpandPrincipalGroups]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupWithSPNParameterSet
Get-AzDenyAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceWithSPNParameterSet
Get-AzDenyAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeWithSPNParameterSet
Get-AzDenyAssignment
-ServicePrincipalName <String>
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
SPNParameterSet
Get-AzDenyAssignment
-ServicePrincipalName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupParameterSet
Get-AzDenyAssignment
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceParameterSet
Get-AzDenyAssignment
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeParameterSet
Get-AzDenyAssignment
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
DenyAssignmentIdParameterSet
Get-AzDenyAssignment
-Id <String>
[-Scope <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
DenyAssignmentNameParameterSet
Get-AzDenyAssignment
-DenyAssignmentName <String>
[-Scope <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
Use the Get-AzDenyAssignment command to list all deny assignments that are effective on a scope.
Without any parameters, this command returns all the deny assignments made under the subscription.
This list can be filtered using filtering parameters for principal, deny assignment name and scope.
To specify a user, use SignInName or Microsoft Entra ObjectId parameters.
To specify a security group, use Microsoft Entra ObjectId parameter.
And to specify a Microsoft Entra application, use ServicePrincipalName or ObjectId parameters.
The scope at which access is being denied may be specified.
It defaults to the selected subscription.
The scope of the deny assignment can be specified using one of the following parameter combinations
a.
Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>.
This will filter deny assignments that are effective at that particular scope i.e.
all deny assignments at that scope and above.
b.
ResourceGroupName - Name of any resource group under the subscription.
This will filter assignments effective at the specified resource group i.e.
all deny assignments at that scope and above.
c.
ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription and will filter deny assignments effective at that resource scope.
To determine what access is denied for a particular user in the subscription, use the ExpandPrincipalGroups switch.
This will list all deny assignments assigned to the user, and to the groups that the user is member of.
Examples
Example 1
List all deny assignments in the subscription
Get-AzDenyAssignment
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/denyAssignments/22704996-fbd0-4ab1-8625-722d897825d2
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f
DoNotApplyToChildScopes : False
Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}
ExcludePrincipals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment 2
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: PowershellTestingApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True
Example 2
Gets all deny assignments made to user john.doe@contoso.com at the scope testRG and above.
Get-AzDenyAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/denyAssignments/22704996-fbd0-4ab1-8625-722d897825d2
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f
DoNotApplyToChildScopes : False
Principals : {
DisplayName: john.doe
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
}
ExcludePrincipals : {}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: john.doe
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: PowershellTestingApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True
Example 3
Gets all deny assignments of the specified service principal
Get-AzDenyAssignment -ServicePrincipalName 'http://testapp1.com'
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: TestApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1/providers/Microsoft.Authorization/denyAssignments/94e3d9da-3700-4113-aab4-15f6c173d794
DenyAssignmentName : Test deny assignment 2
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: TestApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True
Example 4
Gets deny assignments at the 'site1' website scope.
Get-AzDenyAssignment -Scope '/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/testRG/providers/Microsoft.Web/sites/site1'
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
}
ExcludePrincipals : {}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1/providers/Microsoft.Authorization/denyAssignments/594e3d9da-3700-4113-aab4-15f6c173d794
DenyAssignmentName : Test deny assignment 2
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: TestApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True
Parameters
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
Parameter properties
Type: IAzureContextContainer
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DenyAssignmentName
Name of the deny assignment.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
DenyAssignmentNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ExpandPrincipalGroups
If specified, returns deny assignments directly assigned to the user and to the groups of which the user is a member (transitively).
Supported only for a user principal.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
SignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Id
Deny assignment fully qualified ID or GUID. When Id is provided as a GUID, will take current subscription as default scope.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
DenyAssignmentIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ObjectId
The Microsoft Entra ObjectId of the User, Group or Service Principal.
Filters all deny assignments that are made to the specified principal.
Parameter properties
Type: Nullable<T> [ Guid ]
Default value: None Supports wildcards: False DontShow: False Aliases: PrincipalId
Parameter sets
ObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ParentResource
The parent resource in the hierarchy of the resource specified using ResourceName parameter.
Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceGroupName
The resource group name.
Lists deny assignments that are effective at the specified resource group.
When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists deny assignments effective at resources within the resource group.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceGroupWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceName
The resource name.
For e.g.
storageaccountprod.
Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceType
The resource type.
For e.g.
Microsoft.Network/virtualNetworks.
Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Scope
The Scope of the role assignment.
In the format of relative URI.
For e.g.
/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG.
It must start with "/subscriptions/{id}".
The command filters all deny assignments that are effective at that scope.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
EmptyParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
DenyAssignmentIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
DenyAssignmentNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ServicePrincipalName
The ServicePrincipalName of the service principal.
Filters all deny assignments that are made to the specified Microsoft Entra application.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: SPN
Parameter sets
ResourceGroupWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
SPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-SignInName
The email address or the user principal name of the user.
Filters all deny assignments that are made to the specified user.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: Email, UserPrincipalName
Parameter sets
ResourceGroupWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
SignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs
Notes
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
