Policy Enrollments - List For Resource
Retrieves all policy enrollments that apply to a resource.
This operation retrieves the list of all policy enrollments associated with the specified resource in the given resource group and subscription that match the optional given $filter. Valid values for $filter are: 'atScope()' or 'atExactScope()'. If $filter is not provided, the unfiltered list includes all policy enrollments associated with the resource, including those that apply directly or from all containing scopes, as well as any applied to resources contained within the resource.

Three parameters plus the resource name are used to identify a specific resource. If the resource is not part of a parent resource (the more common case), the parent resource path should not be provided (or provided as ''). For example, a web app could be specified as ({resourceProviderNamespace} == 'Microsoft.Web', {parentResourcePath} == '', {resourceType} == 'sites', {resourceName} == 'MyWebApp').

If the resource is part of a parent resource, then all parameters should be provided. For example, a virtual machine DNS name could be specified as ({resourceProviderNamespace} == 'Microsoft.Compute', {parentResourcePath} == 'virtualMachines/MyVirtualMachine', {resourceType} == 'domainNames', {resourceName} == 'MyComputerName').

A convenient alternative to providing the namespace and type name separately is to provide both in the {resourceType} parameter, in the format: ({resourceProviderNamespace} == '', {parentResourcePath} == '', {resourceType} == 'Microsoft.Web/sites', {resourceName} == 'MyWebApp').
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/policyEnrollments?api-version=2026-01-01-preview
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/policyEnrollments?api-version=2026-01-01-preview&$filter={$filter}
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| parentResourcePath | path | True | string | The parent resource path. Use empty string if there is none. |
| resourceGroupName | path | True | string (minLength: 1, maxLength: 90) | The name of the resource group. The name is case insensitive. |
| resourceName | path | True | string (pattern: ^.+$) | The name of the resource. |
| resourceProviderNamespace | path | True | string | The namespace of the resource provider. For example, the namespace of a virtual machine is Microsoft.Compute (from Microsoft.Compute/virtualMachines). |
| resourceType | path | True | string | The resource type name. For example, the type name of a web app is 'sites' (from Microsoft.Web/sites). |
| subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
| api-version | query | True | string (minLength: 1) | The API version to use for this operation. |
| $filter | query | | string | The filter to apply on the operation. Valid values for $filter are: 'atScope()' or 'atExactScope()'. If $filter is not provided, no filtering is performed and the unfiltered list includes all policy enrollments associated with the scope, including those that apply directly or from containing scopes. If $filter=atScope() is provided, the returned list includes all policy enrollments that apply to the scope, which is everything in the unfiltered list except those applied to sub-scopes contained within the given scope. If $filter=atExactScope() is provided, the returned list includes only the policy enrollments that apply at the given scope. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | Azure operation completed successfully. |
| Other Status Codes | | An unexpected error response. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
List policy enrollments for resource
Sample request
GET https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/TestResourceGroup/providers/Microsoft.Compute/virtualMachines/MyTestVm/domainNames/MyTestComputer.cloudapp.net/providers/Microsoft.Authorization/policyEnrollments?api-version=2026-01-01-preview
Sample response
{
  "value": [
    {
      "properties": {
        "policyAssignmentId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement",
        "policyDefinitionReferenceIds": [
          "Limit_Skus"
        ],
        "policyAssignmentInstanceId": "00000000-0000-0000-0000-000000000000",
        "displayName": "Enroll demo cluster",
        "description": "Enroll demo cluster from limit sku",
        "metadata": {
          "reason": "Enrollment for a expensive VM demo"
        }
      },
      "systemData": {
        "createdBy": "string",
        "createdByType": "User",
        "createdAt": "2020-07-01T01:01:01.1075056Z",
        "lastModifiedBy": "string",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-07-01T02:01:01.1075056Z"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/TestResourceGroup/providers/Microsoft.Authorization/policyEnrollments/DemoExpensiveVMGroup",
      "type": "Microsoft.Authorization/policyEnrollments",
      "eTag": "00000000-0000-0000-0000-000000000000",
      "name": "DemoExpensiveVMGroup"
    },
    {
      "properties": {
        "policyAssignmentId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/LimitPorts",
        "policyAssignmentInstanceId": "00000000-0000-0000-0000-000000000000",
        "displayName": "Enroll jump box open ports",
        "description": "Enroll jump box open ports from limit ports policy",
        "metadata": {
          "reason": "Need to open RDP port to corp net"
        }
      },
      "systemData": {
        "createdBy": "string",
        "createdByType": "User",
        "createdAt": "2020-07-01T01:01:01.1075056Z",
        "lastModifiedBy": "string",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-07-01T02:01:01.1075056Z"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/TestResourceGroup/providers/Microsoft.Compute/virtualMachines/MyTestVm/providers/Microsoft.Authorization/policyEnrollments/jumpBoxEnrollment",
      "type": "Microsoft.Authorization/policyEnrollments",
      "eTag": "00000000-0000-0000-0000-000000000000",
      "name": "jumpBoxEnrollment"
    }
  ]
}
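The request shape and the scope semantics of $filter described above, as an added Python example (not part of the Azure reference; the helper names `resource_id`, `list_url`, `placement` and `audit` are hypothetical, and comparing ids case-insensitively is an assumption). It builds the URL from the path parameters, accepts only the two documented $filter values, and classifies each returned enrollment as applied at the exact resource, inherited from a containing scope, or applied to a contained resource.

```python
from urllib.parse import quote, urlencode

API_VERSION = "2026-01-01-preview"
ENR = "/providers/Microsoft.Authorization/policyEnrollments"
VALID_FILTERS = {"atScope()", "atExactScope()"}

def resource_id(sub, group, namespace, parent_path, rtype, name):
    """Join the path parameters; an empty namespace or parent path is dropped."""
    parts = [p.strip("/") for p in (namespace, parent_path, rtype, name) if p]
    tail = "/".join(quote(p, safe="/") for p in parts)
    return f"/subscriptions/{sub}/resourceGroups/{quote(group)}/providers/{tail}"

def list_url(res_id, flt=None):
    """Build the request URL, rejecting any $filter the page does not list."""
    if flt is not None and flt not in VALID_FILTERS:
        raise ValueError(f"unsupported $filter: {flt!r}")
    query = {"api-version": API_VERSION, **({"$filter": flt} if flt else {})}
    return f"https://management.azure.com{res_id}{ENR}?" + urlencode(query, safe="$()")

def placement(enrollment_id, res_id):
    """Classify one enrollment id relative to the queried resource id."""
    # Assumption: ARM ids are compared case-insensitively.
    eid, rid = enrollment_id.lower(), res_id.lower().rstrip("/")
    cut = eid.rfind(ENR.lower() + "/")
    if cut < 0:
        return "unrelated"
    scope = eid[:cut]
    if scope == rid:
        return "exact"        # applied directly at the resource
    if rid.startswith(scope + "/"):
        return "inherited"    # applied at a containing scope
    if scope.startswith(rid + "/"):
        return "sub-scope"    # applied to a resource contained within it
    return "unrelated"

def audit(response, res_id):
    """Return (name, placement, assignmentScopeValidation or None) per item."""
    return [(e["name"], placement(e["id"], res_id),
             e.get("properties", {}).get("assignmentScopeValidation"))
            for e in response.get("value", [])]

# Constructed input: names and ids copied from the sample response, rest trimmed.
SUB = "ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
RG = f"/subscriptions/{SUB}/resourceGroups/TestResourceGroup"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/MyTestVm"
SAMPLE = {"value": [
    {"name": "DemoExpensiveVMGroup", "id": f"{RG}{ENR}/DemoExpensiveVMGroup"},
    {"name": "jumpBoxEnrollment", "id": f"{VM}{ENR}/jumpBoxEnrollment"},
]}
```

Both enrollments in the sample response classify as inherited for the queried domain name resource: one sits at the resource group and one at the parent virtual machine. Over live responses the same audit runs on every page, following nextLink until it is absent.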
Definitions
| Name | Description |
|---|---|
| AssignmentScopeValidation | The option to validate whether the exemption or enrollment is at or under the assignment scope. |
| createdByType | The type of identity that created the resource. |
| ErrorAdditionalInfo | The resource management error additional info. |
| ErrorDetail | The error detail. |
| ErrorResponse | Error response |
| PolicyEnrollment | The policy enrollment. |
| PolicyEnrollmentListResult | The response of a PolicyEnrollment list operation. |
| ResourceSelector | The resource selector to filter policies by resource properties. |
| Selector | The selector expression. |
| SelectorKind | The selector kind. |
| systemData | Metadata pertaining to creation and last modification of the resource. |
AssignmentScopeValidation
The option to validate whether the exemption or enrollment is at or under the assignment scope.
| Value | Description |
|---|---|
| Default | This option will validate the exemption is at or under the assignment scope. |
| DoNotValidate | This option will bypass the validation that the exemption scope is at or under the policy assignment scope. |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key | |
ErrorAdditionalInfo
The resource management error additional info.
| Name | Type | Description |
|---|---|---|
| info | object | The additional info. |
| type | string | The additional info type. |
ErrorDetail
The error detail.
| Name | Type | Description |
|---|---|---|
| additionalInfo | | The error additional info. |
| code | string | The error code. |
| details | | The error details. |
| message | string | The error message. |
| target | string | The error target. |
ErrorResponse
Error response
| Name | Type | Description |
|---|---|---|
| error | | The error object. |
PolicyEnrollment
The policy enrollment.
| Name | Type | Description |
|---|---|---|
| eTag | string | The ETag for the policy enrollment. |
| id | string (arm-id) | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| name | string | The name of the resource |
| properties.assignmentScopeValidation | | The option whether to validate the enrollment is at or under the assignment scope. |
| properties.description | string | The description of the policy enrollment. |
| properties.displayName | string | The display name of the policy enrollment. |
| properties.metadata | | The policy enrollment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
| properties.policyAssignmentId | string (arm-id) | The ID of the policy assignment that is being enrolled. |
| properties.policyAssignmentInstanceId | string (uuid) | The policy assignment instance ID associated with this enrollment. The value is set to the instance ID of the policy assignment the policyAssignmentId references when the enrollment is created or updated. The format is a GUID string. |
| properties.policyDefinitionReferenceIds | string[] | The policy definition reference IDs for policy definitions in an assigned policy set definition. These IDs correspond to a subset of |
| properties.resourceSelectors | | The resource selector list to filter policies by resource properties. |
| systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
| type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
PolicyEnrollmentListResult
The response of a PolicyEnrollment list operation.
| Name | Type | Description |
|---|---|---|
| nextLink | string (uri) | The link to the next page of items |
| value | | The PolicyEnrollment items on this page |
ResourceSelector
The resource selector to filter policies by resource properties.
| Name | Type | Description |
|---|---|---|
| name | string | The name of the resource selector. |
| selectors | Selector[] | The list of the selector expressions. |
Selector
The selector expression.
| Name | Type | Description |
|---|---|---|
| in | string[] | The list of values to filter in. |
| kind | | The selector kind. |
| notIn | string[] | The list of values to filter out. |
SelectorKind
The selector kind.
| Value | Description |
|---|---|
| resourceLocation | The selector kind to filter policies by the resource location. |
| resourceType | The selector kind to filter policies by the resource type. |
| resourceWithoutLocation | The selector kind to filter policies by the resource without location. |
| policyDefinitionReferenceId | The selector kind to filter policies by the policy definition reference ID. |
| userPrincipalId | The selector kind to filter policies by the user principal ID. |
| groupPrincipalId | The selector kind to filter policies by the security group membership ID. |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt | string (date-time) | The timestamp of resource creation (UTC). |
| createdBy | string | The identity that created the resource. |
| createdByType | | The type of identity that created the resource. |
| lastModifiedAt | string (date-time) | The timestamp of resource last modification (UTC) |
| lastModifiedBy | string | The identity that last modified the resource. |
| lastModifiedByType | | The type of identity that last modified the resource. |