New-AzDenyAssignment
Creates a user-assigned deny assignment at the specified scope.
By default, the deny assignment targets Everyone and requires at least one excluded principal.
Alternatively, use -PrincipalId and -PrincipalType to target a specific user or service principal.
Syntax
EveryoneParameterSet (Default)
New-AzDenyAssignment
-DenyAssignmentName <String>
-Scope <String>
-ExcludePrincipalId <String[]>
[-Description <String>]
[-Action <String[]>]
[-NotAction <String[]>]
[-DataAction <String[]>]
[-NotDataAction <String[]>]
[-ExcludePrincipalType <String[]>]
[-DoNotApplyToChildScope]
[-DenyAssignmentId <Guid>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PerPrincipalParameterSet
New-AzDenyAssignment
-DenyAssignmentName <String>
-Scope <String>
-PrincipalId <String>
-PrincipalType <String>
[-Description <String>]
[-Action <String[]>]
[-NotAction <String[]>]
[-DataAction <String[]>]
[-NotDataAction <String[]>]
[-ExcludePrincipalId <String[]>]
[-ExcludePrincipalType <String[]>]
[-DoNotApplyToChildScope]
[-DenyAssignmentId <Guid>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
InputFileParameterSet
New-AzDenyAssignment
-Scope <String>
-InputFile <String>
[-DenyAssignmentId <Guid>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Use the New-AzDenyAssignment command to create a new user-assigned deny assignment at the specified scope.
By default, the deny assignment targets all principals (Everyone) and requires at least one excluded principal via the ExcludePrincipalId parameter.
Alternatively, use -PrincipalId and -PrincipalType to target a specific user or service principal. In this mode, -ExcludePrincipalId is optional. Group type principals are not supported for user-assigned deny assignments.
Only write, delete, and action operations can be denied. Read actions and data actions are not supported.
Examples
Example 1: Create a deny assignment that blocks delete actions for everyone
New-AzDenyAssignment -DenyAssignmentName "Block deletes" `
-Scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG" `
-Action "*/delete" `
-ExcludePrincipalId "11111111-1111-1111-1111-111111111111" `
-ExcludePrincipalType "User"
Creates a deny assignment named "Block deletes" at the resource group scope that denies all delete actions for everyone. The specified user is excluded from the deny assignment.
Example 2: Block write operations for a specific user
New-AzDenyAssignment -DenyAssignmentName "Block user writes" `
-Scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG" `
-Action "*/write" `
-PrincipalId "11111111-1111-1111-1111-111111111111" `
-PrincipalType "User"
Creates a deny assignment that blocks write operations for a specific user. No excluded principals are required in per-principal mode.
Example 3: Block a specific service principal from deleting resources
New-AzDenyAssignment -DenyAssignmentName "Block SP deletes" `
-Scope "/subscriptions/00000000-0000-0000-0000-000000000000" `
-Action "*/delete" `
-PrincipalId "22222222-2222-2222-2222-222222222222" `
-PrincipalType "ServicePrincipal"
Creates a deny assignment that blocks delete operations for a specific service principal at subscription scope.
Example 4: Create a deny assignment from a JSON file
New-AzDenyAssignment -Scope "/subscriptions/00000000-0000-0000-0000-000000000000" `
-InputFile "C:\DenyAssignment.json"
Creates a deny assignment using the definition in the specified JSON file. The input file must include DenyAssignmentName, Actions, and either ExcludePrincipalIds (Everyone mode) or PrincipalIds + PrincipalTypes (per-principal mode).
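An added pre-flight check (not part of the original documentation or the Az module) that tests a definition file against the rules this page states before it is passed to -InputFile. The helper name Test-DenyAssignmentDefinition, the '/read' suffix test for read actions and the sample JSON are assumptions; the key names are the ones listed above.

```powershell
# Added example, not part of the Az module. Key names are the ones this page lists;
# Test-DenyAssignmentDefinition and the '/read' suffix test are assumptions.
function Test-DenyAssignmentDefinition {
    param([Parameter(Mandatory)][string]$Json)
    $def      = $Json | ConvertFrom-Json
    $problems = [System.Collections.Generic.List[string]]::new()

    if ([string]::IsNullOrWhiteSpace($def.DenyAssignmentName)) {
        $problems.Add('DenyAssignmentName is missing.')
    }

    # Only write, delete and action operations can be denied.
    $actions = @($def.Actions | Where-Object { $_ })
    if ($actions.Count -eq 0) { $problems.Add('Actions is missing or empty.') }
    foreach ($a in $actions) {
        if ($a -match '/read$') { $problems.Add("Read action '$a' cannot be denied.") }
    }

    $principals = @($def.PrincipalIds | Where-Object { $_ })
    $excluded   = @($def.ExcludePrincipalIds | Where-Object { $_ })
    if ($principals.Count -gt 0) {
        $mode  = 'PerPrincipal'   # exclusions are optional here
        $types = @($def.PrincipalTypes | Where-Object { $_ })
        if ($types.Count -eq 0) { $problems.Add('PrincipalIds needs PrincipalTypes.') }
        foreach ($t in $types) {
            if ($t -notin 'User', 'ServicePrincipal') {
                $problems.Add("PrincipalType '$t' is not supported.")
            }
        }
    } else {
        $mode = 'Everyone'        # must carve out at least one principal
        if ($excluded.Count -eq 0) { $problems.Add('Everyone mode needs ExcludePrincipalIds.') }
    }

    # Object IDs are GUIDs; catch display names or UPNs pasted by mistake.
    $guid = [guid]::Empty
    foreach ($id in ($principals + $excluded)) {
        if (-not [guid]::TryParse([string]$id, [ref]$guid)) { $problems.Add("'$id' is not a GUID.") }
    }

    [pscustomobject]@{ Mode = $mode; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: Everyone mode with no exclusions and a read action.
$sample = @'
{ "DenyAssignmentName": "Block deletes",
  "Actions": [ "*/delete", "Microsoft.Storage/storageAccounts/read" ] }
'@
(Test-DenyAssignmentDefinition -Json $sample).Problems
```

Once the check reports Valid, run New-AzDenyAssignment with -InputFile and -WhatIf to preview the assignment before creating it.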
Example 5: Create a deny assignment with multiple exclude principals
New-AzDenyAssignment -DenyAssignmentName "Block writes" `
-Scope "/subscriptions/00000000-0000-0000-0000-000000000000" `
-Action "*/write" `
-ExcludePrincipalId "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222" `
-ExcludePrincipalType "User", "ServicePrincipal"
Creates a deny assignment that denies write actions for everyone, excluding a user and a service principal.
Parameters
-Action
Actions to deny. Wildcards supported (e.g., */delete, Microsoft.Storage/storageAccounts/*).
Parameter properties
Type: String[]
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: cf
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-DataAction
Data actions to deny. Note: Data actions are not supported for user-assigned deny assignments and will be rejected by the service.
Parameter properties
Type: String[]
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
Type: IAzureContextContainer
Default value: None
Supports wildcards: False
DontShow: False
Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-DenyAssignmentId
The GUID for the deny assignment. If not specified, a new GUID will be generated.
Parameter properties
Type: Guid
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-DenyAssignmentName
The display name for the deny assignment.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-Description
A description of the deny assignment.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-DoNotApplyToChildScope
If set, the deny assignment does not apply to child scopes. Note: This property is not supported for user-assigned deny assignments and will be rejected by the service.
Parameter properties
Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-ExcludePrincipalId
Object IDs of principals to exclude from the deny assignment. Required when targeting Everyone. Optional when using -PrincipalId.
Parameter properties
Type: String[]
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-ExcludePrincipalType
Type(s) of the exclude principals (User, Group, ServicePrincipal). One per ExcludePrincipalId, or a single value applied to all. Defaults to User.
Parameter properties
Type: String[]
Default value: None
Accepted values: User, Group, ServicePrincipal
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-InputFile
Path to a JSON file containing the deny assignment definition.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
InputFileParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-NotAction
Actions to exclude from the deny assignment.
Parameter properties
Type: String[]
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-NotDataAction
Data actions to exclude from the deny assignment. Note: Data actions are not supported for user-assigned deny assignments.
Parameter properties
Type: String[]
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
EveryoneParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
PerPrincipalParameterSet
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-PrincipalId
Object ID of the user or service principal to deny. When specified, the deny assignment targets this specific principal instead of Everyone.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
PerPrincipalParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-PrincipalType
Type of the principal specified by -PrincipalId. Accepted values are User and ServicePrincipal. Group type is not supported for user-assigned deny assignments.
Parameter properties
Type: String
Default value: None
Accepted values: User, ServicePrincipal
Supports wildcards: False
DontShow: False
Parameter sets
PerPrincipalParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-Scope
Scope of the deny assignment, given as a relative URI. For example, /subscriptions/{id}/resourceGroups/{rgName}.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: True
Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: wi
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
Outputs