Policy Definitions - List

Service:

Policy

API Version:

2023-04-01

Retrieves policy definitions in a subscription
This operation retrieves a list of all the policy definitions in a given subscription that match the optional given $filter. Valid values for $filter are: 'atExactScope()', 'policyType -eq {value}' or 'category eq '{value}''. If $filter is not provided, the unfiltered list includes all policy definitions associated with the subscription, including those that apply directly or from management groups that contain the given subscription. If $filter=atExactScope() is provided, the returned list only includes all policy definitions that at the given subscription. If $filter='policyType -eq {value}' is provided, the returned list only includes all policy definitions whose type match the {value}. Possible policyType values are NotSpecified, BuiltIn, Custom, and Static. If $filter='category -eq {value}' is provided, the returned list only includes all policy definitions whose category match the {value}.

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions?api-version=2023-04-01

With optional parameters:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions?api-version=2023-04-01&$filter={$filter}&$top={$top}

URI Parameters

Name	In	Required	Type	Description
subscriptionId	path	True	string uuid	The ID of the target subscription. The value must be an UUID.
api-version	query	True	string	The API version to use for this operation.
$filter	query		string	The filter to apply on the operation. Valid values for $filter are: 'atExactScope()', 'policyType -eq {value}' or 'category eq '{value}''. If $filter is not provided, no filtering is performed. If $filter=atExactScope() is provided, the returned list only includes all policy definitions that at the given scope. If $filter='policyType -eq {value}' is provided, the returned list only includes all policy definitions whose type match the {value}. Possible policyType values are NotSpecified, BuiltIn, Custom, and Static. If $filter='category -eq {value}' is provided, the returned list only includes all policy definitions whose category match the {value}.
$top	query		integer int32	Maximum number of records to return. When the $top filter is not provided, it will return 500 records.

Responses

Name	Type	Description
200 OK	PolicyDefinitionListResult	OK - Returns an array of policy definitions.
Other Status Codes	CloudError	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

List policy definitions by subscription

Sample Request

HTTP

GET https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions?api-version=2023-04-01

Sample Response

Status code:

200

{
  "value": [
    {
      "properties": {
        "mode": "All",
        "displayName": "Allowed storage account SKUs",
        "policyType": "BuiltIn",
        "description": "This policy enables you to specify a set of storage account SKUs that your organization can deploy.",
        "parameters": {
          "listOfAllowedSKUs": {
            "type": "Array",
            "metadata": {
              "description": "The list of SKUs that can be specified for storage accounts.",
              "displayName": "Allowed SKUs",
              "strongType": "StorageSKUs"
            }
          }
        },
        "version": "1.2.1",
        "versions": [
          "1.2.1",
          "1.0.0"
        ],
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
              },
              {
                "not": {
                  "field": "Microsoft.Storage/storageAccounts/sku.name",
                  "in": "[parameters('listOfAllowedSKUs')]"
                }
              }
            ]
          },
          "then": {
            "effect": "Deny"
          }
        }
      },
      "id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "7433c107-6db4-4ad1-b57a-a76dce0154a1"
    },
    {
      "properties": {
        "mode": "All",
        "displayName": "Naming Convention",
        "description": "Force resource names to begin with 'prefix' and end with 'suffix'",
        "metadata": {
          "category": "Naming"
        },
        "parameters": {
          "prefix": {
            "type": "String",
            "metadata": {
              "displayName": "Prefix",
              "description": "Resource name prefix"
            }
          },
          "suffix": {
            "type": "String",
            "metadata": {
              "displayName": "Suffix",
              "description": "Resource name suffix"
            }
          }
        },
        "version": "1.2.1",
        "versions": [
          "1.2.1",
          "1.0.0"
        ],
        "policyRule": {
          "if": {
            "not": {
              "field": "name",
              "like": "[concat(parameters('prefix'), '*', parameters('suffix'))]"
            }
          },
          "then": {
            "effect": "deny"
          }
        },
        "policyType": "Custom"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "ResourceNaming"
    },
    {
      "properties": {
        "mode": "Microsoft.KeyVault.Data",
        "displayName": "Audit KeyVault certificates that expire within specified number of days",
        "description": "Audit certificates that are stored in Azure Key Vault, that expire within 'X' number of days.",
        "metadata": {
          "category": "KeyVault DataPlane"
        },
        "parameters": {
          "daysToExpire": {
            "type": "Integer",
            "metadata": {
              "displayName": "Days to expire",
              "description": "The number of days for a certificate to expire."
            }
          }
        },
        "version": "1.2.1",
        "versions": [
          "1.2.1",
          "1.0.0"
        ],
        "policyRule": {
          "if": {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/attributes/expiresOn",
            "lessOrEquals": "[addDays(utcNow(), parameters('daysToExpire'))]"
          },
          "then": {
            "effect": "audit"
          }
        },
        "policyType": "Custom"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/AuditSoonToExpireCerts",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "AuditSoonToExpireCerts"
    }
  ]
}

Definitions

Name	Description
CloudError	An error response from a policy operation.
createdByType	The type of identity that created the resource.
ErrorAdditionalInfo	The resource management error additional info.
ErrorResponse	Error Response
Metadata	General metadata for the parameter.
ParameterDefinitionsValue	The definition of a parameter that can be provided to the policy.
parameterType	The data type of the parameter.
PolicyDefinition	The policy definition.
PolicyDefinitionListResult	List of policy definitions.
policyType	The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static.
systemData	Metadata pertaining to creation and last modification of the resource.

CloudError

An error response from a policy operation.

Name	Type	Description
error	ErrorResponse	Error Response Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

createdByType

The type of identity that created the resource.

Name	Type	Description
Application	string
Key	string
ManagedIdentity	string
User	string

ErrorAdditionalInfo

The resource management error additional info.

Name	Type	Description
info	object	The additional info.
type	string	The additional info type.

ErrorResponse

Error Response

Name	Type	Description
additionalInfo	ErrorAdditionalInfo[]	The error additional info.
code	string	The error code.
details	ErrorResponse[]	The error details.
message	string	The error message.
target	string	The error target.

Metadata

General metadata for the parameter.

Name	Type	Description
assignPermissions	boolean	Set to true to have Azure portal create role assignments on the resource ID or resource scope value of this parameter during policy assignment. This property is useful in case you wish to assign permissions outside the assignment scope.
description	string	The description of the parameter.
displayName	string	The display name for the parameter.
strongType	string	Used when assigning the policy definition through the portal. Provides a context aware list of values for the user to choose from.

ParameterDefinitionsValue

The definition of a parameter that can be provided to the policy.

Name	Type	Description
allowedValues	object[]	The allowed values for the parameter.
defaultValue	object	The default value for the parameter if no value is provided.
metadata	Metadata	General metadata for the parameter.
schema	object	Provides validation of parameter inputs during assignment using a self-defined JSON schema. This property is only supported for object-type parameters and follows the Json.NET Schema 2019-09 implementation. You can learn more about using schemas at https://json-schema.org/ and test draft schemas at https://www.jsonschemavalidator.net/.
type	parameterType	The data type of the parameter.

parameterType

The data type of the parameter.

Name	Type	Description
Array	string
Boolean	string
DateTime	string
Float	string
Integer	string
Object	string
String	string

PolicyDefinition

The policy definition.

Name	Type	Default Value	Description
id	string		The ID of the policy definition.
name	string		The name of the policy definition.
properties.description	string		The policy definition description.
properties.displayName	string		The display name of the policy definition.
properties.metadata	object		The policy definition metadata. Metadata is an open ended object and is typically a collection of key value pairs.
properties.mode	string	Indexed	The policy definition mode. Some examples are All, Indexed, Microsoft.KeyVault.Data.
properties.parameters	<string,  ParameterDefinitionsValue>		The parameter definitions for parameters used in the policy rule. The keys are the parameter names.
properties.policyRule	object		The policy rule.
properties.policyType	policyType		The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static.
properties.version	string		The policy definition version in #.#.# format.
properties.versions	string[]		A list of available versions for this policy definition.
systemData	systemData		The system metadata relating to this resource.
type	string		The type of the resource (Microsoft.Authorization/policyDefinitions).

PolicyDefinitionListResult

List of policy definitions.

Name	Type	Description
nextLink	string	The URL to use for getting the next set of results.
value	PolicyDefinition[]	An array of policy definitions.

policyType

The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static.

Name	Type	Description
BuiltIn	string
Custom	string
NotSpecified	string
Static	string

systemData

Metadata pertaining to creation and last modification of the resource.

Name	Type	Description
createdAt	string	The timestamp of resource creation (UTC).
createdBy	string	The identity that created the resource.
createdByType	createdByType	The type of identity that created the resource.
lastModifiedAt	string	The timestamp of resource last modification (UTC)
lastModifiedBy	string	The identity that last modified the resource.
lastModifiedByType	createdByType	The type of identity that last modified the resource.