Update-AzPolicyAssignment

Module:

Az.Resources Module

This operation updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.

Syntax

Name (Default)

Update-AzPolicyAssignment
    -Name <String>
    [-Scope <String>]
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

NameParameterObject

Update-AzPolicyAssignment
    -Name <String>
    -PolicyParameterObject <PSObject>
    [-Scope <String>]
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

NameParameterString

Update-AzPolicyAssignment
    -Name <String>
    -PolicyParameter <String>
    [-Scope <String>]
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Id

Update-AzPolicyAssignment
    -Id <String>
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

IdParameterObject

Update-AzPolicyAssignment
    -Id <String>
    -PolicyParameterObject <PSObject>
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

IdParameterString

Update-AzPolicyAssignment
    -Id <String>
    -PolicyParameter <String>
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

InputObject

Update-AzPolicyAssignment
    -InputObject <IPolicyAssignment>
    [-NotScope <String[]>]
    [-DisplayName <String>]
    [-Description <String>]
    [-Metadata <String>]
    [-Location <String>]
    [-EnforcementMode <String>]
    [-IdentityType <String>]
    [-IdentityId <String>]
    [-NonComplianceMessage <PSObject[]>]
    [-Override <IOverride[]>]
    [-ResourceSelector <IResourceSelector[]>]
    [-BackwardCompatible]
    [-DefaultProfile <PSObject>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

This operation updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.

Examples

Example 1: Update the display name

$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment' -Scope $ResourceGroup.ResourceId
Update-AzPolicyAssignment -Id $PolicyAssignment.Id -DisplayName 'Do not allow VM creation'

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the policy assignment named PolicyAssignment by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command updates the display name on the policy assignment on the resource group identified by the ResourceId property of $ResourceGroup.

Example 2: Add a system assigned managed identity to the policy assignment

$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment'
Update-AzPolicyAssignment -Id $PolicyAssignment.Id -IdentityType 'SystemAssigned' -Location 'westus'

The first command gets the policy assignment named PolicyAssignment from the current subscription by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command assigns a system assigned managed identity to the policy assignment.

Example 3: Add a user assigned managed identity to the policy assignment

$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment'
$UserAssignedIdentity = Get-AzUserAssignedIdentity -ResourceGroupName 'ResourceGroup1' -Name 'UserAssignedIdentity1'
 Update-AzPolicyAssignment -Id $PolicyAssignment.Id -IdentityType 'UserAssigned' -Location 'westus' -IdentityId $UserAssignedIdentity.Id

The first command gets the policy assignment named PolicyAssignment from the current subscription by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The second command gets the user assigned managed identity named UserAssignedIdentity1 by using the Get-AzUserAssignedIdentity cmdlet and stores it in the $UserAssignedIdentity variable. The final command assigns the user assigned managed identity identified by the Id property of $UserAssignedIdentity to the policy assignment.

Example 4: Update policy assignment parameters with new policy parameter object

$Locations = Get-AzLocation | Where-Object {($_.displayname -like 'france*') -or ($_.displayname -like 'uk*')}
$AllowedLocations = @{'listOfAllowedLocations'=($Locations.location)}
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment'
Update-AzPolicyAssignment -Id $PolicyAssignment.Id -PolicyParameterObject $AllowedLocations

The first and second commands create an object containing all Azure regions whose names start with "france" or "uk". The second command stores that object in the $AllowedLocations variable. The third command gets the policy assignment named 'PolicyAssignment' The command stores that object in the $PolicyAssignment variable. The final command updates the parameter values on the policy assignment named PolicyAssignment.

Example 5: Update policy assignment parameters with policy parameter file

{
  "listOfAllowedLocations":  {
    "value": [
      "uksouth",
      "ukwest",
      "francecentral",
      "francesouth"
    ]
  }
}

Update-AzPolicyAssignment -Name 'PolicyAssignment' -PolicyParameter .\AllowedLocations.json

The command updates the policy assignment named 'PolicyAssignment' using the policy parameter file AllowedLocations.json from the local working directory.

Example 6: Update an enforcementMode

$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment' -Scope $ResourceGroup.ResourceId
Update-AzPolicyAssignment -Id $PolicyAssignment.Id -EnforcementMode Default

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the policy assignment named PolicyAssignment by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command updates the enforcementMode property on the policy assignment on the resource group identified by the ResourceId property of $ResourceGroup.

Example 7: Update non-compliance messages

$PolicyAssignment = Get-AzPolicyAssignment -Name 'VirtualMachinePolicy'
Update-AzPolicyAssignment -Id $PolicyAssignment.Id -NonComplianceMessage @{Message="All resources must follow resource naming guidelines."}

The first command gets the policy assignment named VirtualMachinePolicy by using the Get-AzPolicyAssignment cmdlet and stores it in the $PolicyAssignment variable. The final command updates the non-compliance messages on the policy assignment with a new message that will be displayed if a resource is denied by the policy.

Example 8: Update resource selector

$ResourceSelector = @{Name = "MyLocationSelector"; Selector = @(@{Kind = "resourceLocation"; NotIn = @("eastus", "eastus2")})}
Update-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment' -ResourceSelector $ResourceSelector

The first command creates a resource selector object that will be used to specify the assignment should only apply to resources not located in East US or East US 2 and stores it in the $ResourceSelector variable. The final command updates the policy assignment named VirtualMachinePolicyAssignment with the resource selector specified by $ResourceSelector.

Example 9: Update override

$Selector = @{Kind = "resourceLocation"; NotIn = @("eastus", "eastus2")}
$Override = @(@{Kind = "policyEffect"; Value = 'Disabled'; Selector = @($Selector)})
Update-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment' -Override $Override

The first command creates a location selector specifying locations other than East US or East US 2 and stores in in the $Selector variable. The second command creates an override object that will be used to specify that the assigned definition should have a Disabled effect in the locations identified by $Selector. The final command updates the policy assignment named VirtualMachinePolicyAssignment with the override specified by $Override.

Example 10: [Backcompat] Update an enforcementMode

$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment' -Scope $ResourceGroup.ResourceId -BackwardCompatible
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -EnforcementMode Default

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the policy assignment named PolicyAssignment by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command updates the enforcementMode property on the policy assignment on the resource group identified by the ResourceId property of $ResourceGroup.

Parameters

-BackwardCompatible

Causes cmdlet to return artifacts using legacy format placing policy-specific properties in a property bag object.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.

Parameter properties

Type:	PSObject
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzureRMContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Description

This message will be part of response in case of policy violation.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-DisplayName

The display name of the policy assignment.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-EnforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Id

The ID of the policy assignment to update. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	ResourceId, PolicyAssignmentId

Parameter sets

Id

Position:	Named
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

IdParameterObject

Position:	Named
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

IdParameterString

Position:	Named
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-IdentityId

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-IdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-InputObject

This operation updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.

Parameter properties

Type:	IPolicyAssignment
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

InputObject

Position:	Named
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Location

The location of the policy assignment. Only required when utilizing managed identity.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Metadata

The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Name

The name of the policy assignment.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	PolicyAssignmentName

Parameter sets

Name

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

NameParameterObject

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

NameParameterString

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-NonComplianceMessage

The messages that describe why a resource is non-compliant with the policy. To construct, see NOTES section for NONCOMPLIANCEMESSAGE properties and create a hash table.

Parameter properties

Type:	PSObject[]
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-NotScope

The policy's excluded scopes.

Parameter properties

Type:	String[]
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Override

The policy property value override.

Parameter properties

Type:	IOverride[]
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-PolicyParameter

The parameter values for the assigned policy rule. The keys are the parameter names.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

NameParameterString

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

IdParameterString

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-PolicyParameterObject

The parameter values for the assigned policy rule. The keys are the parameter names.

Parameter properties

Type:	PSObject
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

NameParameterObject

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

IdParameterObject

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-ResourceSelector

The resource selector list to filter policies by resource properties.

Parameter properties

Type:	IResourceSelector[]
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Scope

The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

Name

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

NameParameterObject

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

NameParameterString

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

IPolicyAssignment

PSObject

String

String

Outputs

IPolicyAssignment

Notes

ALIASES

Set-AzPolicyAssignment