Policy Exemptions - List
Retrieves all policy exemptions that apply to a subscription.
This operation retrieves the list of all policy exemptions associated with the given subscription that match the optional given $filter. Valid values for $filter are: 'atScope()', 'atExactScope()', 'excludeExpired()' or 'policyAssignmentId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy exemptions associated with the subscription, including those that apply directly or from management groups that contain the given subscription, as well as any applied to objects contained within the subscription.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyExemptions?api-version=2022-07-01-preview
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyExemptions?$filter={$filter}&api-version=2022-07-01-preview
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
subscriptionId | path | True | string | The ID of the target subscription. |
api-version | query | True | string | The API version to use for the operation. |
$filter | query | | string | The filter to apply on the operation. Valid values for $filter are: 'atScope()', 'atExactScope()', 'excludeExpired()' or 'policyAssignmentId eq '{value}''. If $filter is not provided, no filtering is performed: the unfiltered list includes all policy exemptions associated with the scope, including those that apply directly or apply from containing scopes. If $filter=atScope() is provided, the returned list only includes policy exemptions that apply to the scope, which is everything in the unfiltered list except those applied to sub scopes contained within the given scope. If $filter=atExactScope() is provided, the returned list only includes policy exemptions that are at the given scope. If $filter=excludeExpired() is provided, the returned list only includes policy exemptions that either haven't expired or have no expiration date set. If $filter=policyAssignmentId eq '{value}' is provided, the returned list only includes policy exemptions that are associated with the given policyAssignmentId. |
Responses
Name | Type | Description |
---|---|---|
200 OK | | OK - Returns an array of policy exemptions. |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
List policy exemptions that apply to a subscription
Sample request
Sample response
```json
{
  "value": [
    {
      "properties": {
        "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/DevOrg/providers/Microsoft.Authorization/policyAssignments/CostManagement",
        "policyDefinitionReferenceIds": [
          "Limit_Skus"
        ],
        "exemptionCategory": "Waiver",
        "displayName": "Exempt demo cluster",
        "description": "Exempt demo cluster from limit sku",
        "metadata": {
          "reason": "Temporary exemption for a expensive VM demo"
        }
      },
      "systemData": {
        "createdBy": "string",
        "createdByType": "User",
        "createdAt": "2020-07-01T01:01:01.1075056Z",
        "lastModifiedBy": "string",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-07-01T02:01:01.1075056Z"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyExemptions/TestVMSub",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "TestVMSub"
    },
    {
      "properties": {
        "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/DevOrg/providers/Microsoft.Authorization/policyAssignments/LimitPorts",
        "exemptionCategory": "Mitigated",
        "displayName": "Exempt jump box open ports",
        "description": "Exempt jump box open ports from limit ports policy",
        "metadata": {
          "reason": "Need to open RDP port to corp net"
        }
      },
      "systemData": {
        "createdBy": "string",
        "createdByType": "User",
        "createdAt": "2020-07-01T01:01:01.1075056Z",
        "lastModifiedBy": "string",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-07-01T02:01:01.1075056Z"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyExemptions/TestVNetSub",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "TestVNetSub"
    }
  ]
}
```
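The following is an added example, not part of the original reference and not Microsoft's code: it builds the List URL with an optional $filter, follows nextLink across pages, and flags exemptions that have no expiresOn, have already expired, or set assignmentScopeValidation to DoNotValidate. The `fetch` callable, the finding labels, and the sample pages are assumptions constructed for illustration; in practice `fetch` would perform an authenticated GET and return the parsed JSON body.

```python
from datetime import datetime, timezone
from urllib.parse import quote

def list_url(subscription_id, flt=None):
    """Build the List request URL; the optional $filter value is URL-encoded."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/providers/Microsoft.Authorization/policyExemptions?")
    if flt:
        url += "$filter=" + quote(flt, safe="()'") + "&"
    return url + "api-version=2022-07-01-preview"

def iter_exemptions(url, fetch):
    """Yield each PolicyExemption, following nextLink until it is absent."""
    while url:
        page = fetch(url)  # caller-supplied (assumption): GET -> parsed JSON
        yield from page.get("value", [])
        url = page.get("nextLink")

def findings(exemption, now):
    """Flag exemption properties a reviewer would want to look at."""
    props, out = exemption.get("properties", {}), []
    expires = props.get("expiresOn")
    if expires is None:
        out.append("no-expiry")
    elif datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        out.append("expired")
    if props.get("assignmentScopeValidation") == "DoNotValidate":
        out.append("scope-validation-bypassed")
    return out

def audit(subscription_id, fetch, now):
    """Map exemption name -> (exemptionCategory, findings) for a subscription."""
    return {e["name"]: (e["properties"].get("exemptionCategory"), findings(e, now))
            for e in iter_exemptions(list_url(subscription_id), fetch)}

# Constructed sample pages (not real API output); page 2 is reached via nextLink.
SUB = "00000000-0000-0000-0000-000000000000"
PAGE2 = list_url(SUB) + "&constructed-page=2"
PAGES = {
    list_url(SUB): {"nextLink": PAGE2, "value": [
        {"name": "TestVMSub", "properties": {"exemptionCategory": "Waiver"}},
        {"name": "OldDemo", "properties": {
            "exemptionCategory": "Waiver", "expiresOn": "2021-01-01T00:00:00Z"}}]},
    PAGE2: {"value": [{"name": "TestVNetSub", "properties": {
        "exemptionCategory": "Mitigated", "expiresOn": "2999-01-01T00:00:00Z",
        "assignmentScopeValidation": "DoNotValidate"}}]},
}
REPORT = audit(SUB, PAGES.__getitem__, datetime(2024, 1, 1, tzinfo=timezone.utc))
```

Because the unfiltered list still returns expired exemptions, the audit calls the endpoint without $filter; pass `excludeExpired()` to `list_url` when only active exemptions matter.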
Definitions
Name | Description |
---|---|
AssignmentScopeValidation | Whether to validate that the exemption is at or under the assignment scope. |
CloudError | An error response from a policy operation. |
createdByType | The type of identity that created the resource. |
ErrorAdditionalInfo | The resource management error additional info. |
ErrorResponse | Error Response |
exemptionCategory | The policy exemption category. Possible values are Waiver and Mitigated. |
PolicyExemption | The policy exemption. |
PolicyExemptionListResult | List of policy exemptions. |
ResourceSelector | The resource selector to filter policies by resource properties. |
Selector | The selector expression. |
SelectorKind | The selector kind. |
systemData | Metadata pertaining to creation and last modification of the resource. |
AssignmentScopeValidation
Whether to validate that the exemption is at or under the assignment scope.
Name | Type | Description |
---|---|---|
Default | string | This option will validate that the exemption is at or under the assignment scope. |
DoNotValidate | string | This option will bypass the validation that the exemption scope is at or under the policy assignment scope. |
CloudError
An error response from a policy operation.
Name | Type | Description |
---|---|---|
error | | Error Response |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
ErrorAdditionalInfo
The resource management error additional info.
Name | Type | Description |
---|---|---|
info | object | The additional info. |
type | string | The additional info type. |
ErrorResponse
Error Response
Name | Type | Description |
---|---|---|
additionalInfo | | The error additional info. |
code | string | The error code. |
details | | The error details. |
message | string | The error message. |
target | string | The error target. |
exemptionCategory
The policy exemption category. Possible values are Waiver and Mitigated.
Name | Type | Description |
---|---|---|
Mitigated | string | This category of exemptions usually means the mitigation actions have been applied to the scope. |
Waiver | string | This category of exemptions usually means the scope is not applicable for the policy. |
PolicyExemption
The policy exemption.
Name | Type | Default value | Description |
---|---|---|---|
id | string | | The ID of the policy exemption. |
name | string | | The name of the policy exemption. |
properties.assignmentScopeValidation | | Default | Whether to validate that the exemption is at or under the assignment scope. |
properties.description | string | | The description of the policy exemption. |
properties.displayName | string | | The display name of the policy exemption. |
properties.exemptionCategory | | | The policy exemption category. Possible values are Waiver and Mitigated. |
properties.expiresOn | string | | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. |
properties.metadata | object | | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
properties.policyAssignmentId | string | | The ID of the policy assignment that is being exempted. |
properties.policyDefinitionReferenceIds | string[] | | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. |
properties.resourceSelectors | | | The resource selector list to filter policies by resource properties. |
systemData | | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | | The type of the resource (Microsoft.Authorization/policyExemptions). |
PolicyExemptionListResult
List of policy exemptions.
Name | Type | Description |
---|---|---|
nextLink | string | The URL to use for getting the next set of results. |
value | | An array of policy exemptions. |
ResourceSelector
The resource selector to filter policies by resource properties.
Name | Type | Description |
---|---|---|
name | string | The name of the resource selector. |
selectors | Selector[] | The list of the selector expressions. |
Selector
The selector expression.
Name | Type | Description |
---|---|---|
in | string[] | The list of values to filter in. |
kind | | The selector kind. |
notIn | string[] | The list of values to filter out. |
SelectorKind
The selector kind.
Name | Type | Description |
---|---|---|
policyDefinitionReferenceId | string | The selector kind to filter policies by the policy definition reference ID. |
resourceLocation | string | The selector kind to filter policies by the resource location. |
resourceType | string | The selector kind to filter policies by the resource type. |
resourceWithoutLocation | string | The selector kind to filter policies by the resource without location. |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC). |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | | The type of identity that last modified the resource. |