Policy Assignments - Create By Id
Creates or updates a policy assignment.
This operation creates or updates the policy assignment with the given ID. Policy assignments made on a scope apply to all resources contained in that scope. For example, when you assign a policy to a resource group that policy applies to all resources in the group. Policy assignment IDs have this format: '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'.
PUT https://management.azure.com/{policyAssignmentId}?api-version=2025-01-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
policy
|
path | True |
string |
The ID of the policy assignment to create. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. |
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
Request Body
| Name | Type | Description |
|---|---|---|
| identity |
The managed identity associated with the policy assignment. |
|
| location |
string |
The location of the policy assignment. Only required when utilizing managed identity. |
| properties.assignmentType |
The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable. |
|
| properties.definitionVersion |
string |
The version of the policy definition to use. |
| properties.description |
string |
This message will be part of response in case of policy violation. |
| properties.displayName |
string |
The display name of the policy assignment. |
| properties.enforcementMode |
The policy assignment enforcement mode. Possible values are Default, DoNotEnforce, and Enroll |
|
| properties.metadata |
object |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
| properties.nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
|
| properties.notScopes |
string[] |
The policy's excluded scopes. |
| properties.overrides |
Override[] |
The policy property value override. |
| properties.parameters |
<string,
Parameter |
The parameter values for the assigned policy rule. The keys are the parameter names. |
| properties.policyDefinitionId |
string |
The ID of the policy definition or policy set definition being assigned. |
| properties.resourceSelectors |
The resource selector list to filter policies by resource properties. |
Responses
| Name | Type | Description |
|---|---|---|
| 201 Created |
Created - Returns information about the policy assignment. |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
| Create or update policy assignment by ID |
| Create or update policy assignment with a managed identity by ID |
Create or update policy assignment by ID
Sample request
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage?api-version=2025-01-01
{
"properties": {
"displayName": "Enforce storage account SKU",
"description": "Allow only storage accounts of SKU Standard_GRS or Standard_LRS to be created",
"metadata": {
"assignedBy": "Cheapskate Boss"
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"definitionVersion": "1.*.*",
"parameters": {
"listOfAllowedSKUs": {
"value": [
"Standard_GRS",
"Standard_LRS"
]
}
},
"enforcementMode": "Default"
}
}
Sample response
{
"properties": {
"displayName": "Enforce storage account SKU",
"description": "Allow only storage accounts of SKU Standard_GRS or Standard_LRS to be created",
"metadata": {
"assignedBy": "Cheapskate Boss"
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"definitionVersion": "1.*.*",
"notScopes": [],
"parameters": {
"listOfAllowedSKUs": {
"value": [
"Standard_GRS",
"Standard_LRS"
]
}
},
"enforcementMode": "Default",
"instanceId": "b7e0f8a9-1c2d-4e3f-8b4c-5d6e7f8a9b0c"
},
"id": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage",
"type": "Microsoft.Authorization/policyAssignments",
"name": "LowCostStorage"
}Create or update policy assignment with a managed identity by ID
Sample request
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage?api-version=2025-01-01
{
"identity": {
"type": "SystemAssigned"
},
"location": "eastus",
"properties": {
"displayName": "Enforce storage account SKU",
"description": "Allow only storage accounts of SKU Standard_GRS or Standard_LRS to be created",
"metadata": {
"assignedBy": "Cheapskate Boss"
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"definitionVersion": "1.*.*",
"parameters": {
"listOfAllowedSKUs": {
"value": [
"Standard_GRS",
"Standard_LRS"
]
}
},
"enforcementMode": "Default"
}
}
Sample response
{
"properties": {
"displayName": "Enforce storage account SKU",
"description": "Allow only storage accounts of SKU Standard_GRS or Standard_LRS to be created",
"metadata": {
"assignedBy": "Cheapskate Boss"
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"definitionVersion": "1.*.*",
"notScopes": [],
"parameters": {
"listOfAllowedSKUs": {
"value": [
"Standard_GRS",
"Standard_LRS"
]
}
},
"enforcementMode": "Default",
"instanceId": "b7e0f8a9-1c2d-4e3f-8b4c-5d6e7f8a9b0c"
},
"identity": {
"type": "SystemAssigned",
"principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
"tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
},
"location": "eastus",
"id": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage",
"type": "Microsoft.Authorization/policyAssignments",
"name": "LowCostStorage"
}Definitions
| Name | Description |
|---|---|
|
assignment |
The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable. |
|
Cloud |
An error response from a policy operation. |
|
created |
The type of identity that created the resource. |
|
enforcement |
The policy assignment enforcement mode. Possible values are Default, DoNotEnforce, and Enroll |
|
Error |
The resource management error additional info. |
|
Error |
Error Response |
| Identity |
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity. |
|
Non |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
| Override |
The policy property value override. |
|
Override |
The override kind. |
|
Parameter |
The value of a parameter. |
|
Policy |
The policy assignment. |
|
Resource |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
|
Resource |
The resource selector to filter policies by resource properties. |
| Selector |
The selector expression. |
|
Selector |
The selector kind. |
|
system |
Metadata pertaining to creation and last modification of the resource. |
|
User |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
assignmentType
The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable.
| Value | Description |
|---|---|
| NotSpecified | |
| System | |
| SystemHidden | |
| Custom |
CloudError
An error response from a policy operation.
| Name | Type | Description |
|---|---|---|
| error |
Error Response |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key |
enforcementMode
The policy assignment enforcement mode. Possible values are Default, DoNotEnforce, and Enroll
| Value | Description |
|---|---|
| Default |
The policy effect is enforced during resource creation or update. |
| DoNotEnforce |
The policy effect is not enforced during resource creation or update. |
| Enroll |
The policy effect is not enforced during resource creation or update until the resource or scope of the resource is enrolled to the assignment instance. Enrollment occurs upon deployment of the policy enrollment resource. |
ErrorAdditionalInfo
The resource management error additional info.
| Name | Type | Description |
|---|---|---|
| info |
object |
The additional info. |
| type |
string |
The additional info type. |
ErrorResponse
Error Response
| Name | Type | Description |
|---|---|---|
| additionalInfo |
The error additional info. |
|
| code |
string |
The error code. |
| details |
The error details. |
|
| message |
string |
The error message. |
| target |
string |
The error target. |
Identity
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.
| Name | Type | Description |
|---|---|---|
| principalId |
string |
The principal ID of the resource identity. This property will only be provided for a system assigned identity |
| tenantId |
string |
The tenant ID of the resource identity. This property will only be provided for a system assigned identity |
| type |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
|
| userAssignedIdentities |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
NonComplianceMessage
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.
| Name | Type | Description |
|---|---|---|
| message |
string |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
| policyDefinitionReferenceId |
string |
The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. |
Override
The policy property value override.
| Name | Type | Description |
|---|---|---|
| kind |
The override kind. |
|
| selectors |
Selector[] |
The list of the selector expressions. |
| value |
string |
The value to override the policy property. |
OverrideKind
The override kind.
| Value | Description |
|---|---|
| policyEffect |
It will override the policy effect type. |
| definitionVersion |
It will override the definition version property value of the policy assignment. |
ParameterValuesValue
The value of a parameter.
| Name | Type | Description |
|---|---|---|
| value |
|
The value of the parameter. |
PolicyAssignment
The policy assignment.
| Name | Type | Default value | Description |
|---|---|---|---|
| id |
string |
The ID of the policy assignment. |
|
| identity |
The managed identity associated with the policy assignment. |
||
| location |
string |
The location of the policy assignment. Only required when utilizing managed identity. |
|
| name |
string |
The name of the policy assignment. |
|
| properties.assignmentType |
The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable. |
||
| properties.definitionVersion |
string |
The version of the policy definition to use. |
|
| properties.description |
string |
This message will be part of response in case of policy violation. |
|
| properties.displayName |
string |
The display name of the policy assignment. |
|
| properties.effectiveDefinitionVersion |
string |
The effective version of the policy definition in use. This is only present if requested via the $expand query parameter. |
|
| properties.enforcementMode | Default |
The policy assignment enforcement mode. Possible values are Default, DoNotEnforce, and Enroll |
|
| properties.instanceId |
string |
The instance ID of the policy assignment. This ID only and always changes when the assignment is deleted and recreated. |
|
| properties.latestDefinitionVersion |
string |
The latest version of the policy definition available. This is only present if requested via the $expand query parameter. |
|
| properties.metadata |
object |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
|
| properties.nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
||
| properties.notScopes |
string[] |
The policy's excluded scopes. |
|
| properties.overrides |
Override[] |
The policy property value override. |
|
| properties.parameters |
<string,
Parameter |
The parameter values for the assigned policy rule. The keys are the parameter names. |
|
| properties.policyDefinitionId |
string |
The ID of the policy definition or policy set definition being assigned. |
|
| properties.resourceSelectors |
The resource selector list to filter policies by resource properties. |
||
| properties.scope |
string |
The scope for the policy assignment. |
|
| systemData |
The system metadata relating to this resource. |
||
| type |
string |
The type of the policy assignment. |
ResourceIdentityType
The identity type. This is the only required field when adding a system or user assigned identity to a resource.
| Value | Description |
|---|---|
| SystemAssigned |
Indicates that a system assigned identity is associated with the resource. |
| UserAssigned |
Indicates that a system assigned identity is associated with the resource. |
| None |
Indicates that no identity is associated with the resource or that the existing identity should be removed. |
ResourceSelector
The resource selector to filter policies by resource properties.
| Name | Type | Description |
|---|---|---|
| name |
string |
The name of the resource selector. |
| selectors |
Selector[] |
The list of the selector expressions. |
Selector
The selector expression.
| Name | Type | Description |
|---|---|---|
| in |
string[] |
The list of values to filter in. |
| kind |
The selector kind. |
|
| notIn |
string[] |
The list of values to filter out. |
SelectorKind
The selector kind.
| Value | Description |
|---|---|
| resourceLocation |
The selector kind to filter policies by the resource location. |
| resourceType |
The selector kind to filter policies by the resource type. |
| resourceWithoutLocation |
The selector kind to filter policies by the resource without location. |
| policyDefinitionReferenceId |
The selector kind to filter policies by the policy definition reference ID. |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string (date-time) |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string (date-time) |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |
UserAssignedIdentities
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
| Name | Type | Description |
|---|---|---|
|
|