Policy Exemptions - List

Retrieves all policy exemptions that apply to a subscription.
This operation retrieves the list of all policy exemptions associated with the given subscription that match the optional given $filter. Valid values for $filter are: 'atScope()', 'atExactScope()', 'excludeExpired()' or 'policyAssignmentId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy exemptions associated with the subscription, including those that apply directly or from management groups that contain the given subscription, as well as any applied to objects contained within the subscription.

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyExemptions?api-version=2022-07-01-preview
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyExemptions?$filter={$filter}&api-version=2022-07-01-preview

URI Parameters

Name In Required Type Description
subscriptionId
path True

string

The ID of the target subscription.

api-version
query True

string

The API version to use for the operation.

$filter
query

string

The filter to apply on the operation. Valid values for $filter are: 'atScope()', 'atExactScope()', 'excludeExpired()' or 'policyAssignmentId eq '{value}''. If $filter is not provided, no filtering is performed: the unfiltered list includes all policy exemptions associated with the scope, both those that apply directly and those that apply from containing scopes. If $filter=atScope() is provided, the returned list only includes the policy exemptions that apply to the scope, which is everything in the unfiltered list except those applied to sub-scopes contained within the given scope. If $filter=atExactScope() is provided, the returned list only includes the policy exemptions defined at exactly the given scope. If $filter=excludeExpired() is provided, the returned list only includes the policy exemptions that either have not expired or have no expiration date set. If $filter=policyAssignmentId eq '{value}' is provided, the returned list only includes the policy exemptions associated with the given policyAssignmentId.

Responses

Name Type Description
200 OK

PolicyExemptionListResult

OK - Returns an array of policy exemptions.

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

List policy exemptions that apply to a subscription

Sample Request

GET https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyExemptions?$filter=atScope()&api-version=2022-07-01-preview

Sample Response

{
  "value": [
    {
      "properties": {
        "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/DevOrg/providers/Microsoft.Authorization/policyAssignments/CostManagement",
        "policyDefinitionReferenceIds": [
          "Limit_Skus"
        ],
        "exemptionCategory": "Waiver",
        "displayName": "Exempt demo cluster",
        "description": "Exempt demo cluster from limit sku",
        "metadata": {
          "reason": "Temporary exemption for a expensive VM demo"
        }
      },
      "systemData": {
        "createdBy": "string",
        "createdByType": "User",
        "createdAt": "2020-07-01T01:01:01.1075056Z",
        "lastModifiedBy": "string",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-07-01T02:01:01.1075056Z"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyExemptions/TestVMSub",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "TestVMSub"
    },
    {
      "properties": {
        "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/DevOrg/providers/Microsoft.Authorization/policyAssignments/LimitPorts",
        "exemptionCategory": "Mitigated",
        "displayName": "Exempt jump box open ports",
        "description": "Exempt jump box open ports from limit ports policy",
        "metadata": {
          "reason": "Need to open RDP port to corp net"
        }
      },
      "systemData": {
        "createdBy": "string",
        "createdByType": "User",
        "createdAt": "2020-07-01T01:01:01.1075056Z",
        "lastModifiedBy": "string",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-07-01T02:01:01.1075056Z"
      },
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyExemptions/TestVNetSub",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "TestVNetSub"
    }
  ]
}

Definitions

Name Description
AssignmentScopeValidation

Whether to validate that the exemption scope is at or under the assignment scope.

CloudError

An error response from a policy operation.

createdByType

The type of identity that created the resource.

ErrorAdditionalInfo

The resource management error additional info.

ErrorResponse

Error Response

exemptionCategory

The policy exemption category. Possible values are Waiver and Mitigated.

PolicyExemption

The policy exemption.

PolicyExemptionListResult

List of policy exemptions.

ResourceSelector

The resource selector to filter policies by resource properties.

Selector

The selector expression.

SelectorKind

The selector kind.

systemData

Metadata pertaining to creation and last modification of the resource.

AssignmentScopeValidation

Whether to validate that the exemption scope is at or under the assignment scope.

Name Type Description
Default

string

This option validates that the exemption scope is at or under the policy assignment scope.

DoNotValidate

string

This option bypasses the validation that the exemption scope is at or under the policy assignment scope.

CloudError

An error response from a policy operation.

Name Type Description
error

ErrorResponse

Error Response
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.

type

string

The additional info type.

ErrorResponse

Error Response

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.

code

string

The error code.

details

ErrorResponse[]

The error details.

message

string

The error message.

target

string

The error target.

exemptionCategory

The policy exemption category. Possible values are Waiver and Mitigated.

Name Type Description
Mitigated

string

This category of exemptions usually means the mitigation actions have been applied to the scope.

Waiver

string

This category of exemptions usually means the scope is not applicable for the policy.

PolicyExemption

The policy exemption.

Name Type Default Value Description
id

string

The ID of the policy exemption.

name

string

The name of the policy exemption.

properties.assignmentScopeValidation

AssignmentScopeValidation

Default

Whether to validate that the exemption scope is at or under the assignment scope.

properties.description

string

The description of the policy exemption.

properties.displayName

string

The display name of the policy exemption.

properties.exemptionCategory

exemptionCategory

The policy exemption category. Possible values are Waiver and Mitigated.

properties.expiresOn

string

The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.

properties.metadata

object

The policy exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs.

properties.policyAssignmentId

string

The ID of the policy assignment that is being exempted.

properties.policyDefinitionReferenceIds

string[]

The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.

properties.resourceSelectors

ResourceSelector[]

The resource selector list to filter policies by resource properties.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource (Microsoft.Authorization/policyExemptions).

PolicyExemptionListResult

List of policy exemptions.

Name Type Description
nextLink

string

The URL to use for getting the next set of results.

value

PolicyExemption[]

An array of policy exemptions.
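
The following is an added example and is not part of this reference or of any Microsoft SDK. It ties together the $filter rules under URI Parameters and the nextLink paging described here: it builds the list URL with a percent-encoded $filter, follows nextLink until the listing is exhausted, and then flags exemptions a reviewer would want to look at: expired ones, ones with no expiresOn, ones created with assignmentScopeValidation set to DoNotValidate, and ones that carry no policyDefinitionReferenceIds and therefore exempt every policy in the assignment. The subscription ID, the three exemptions and the second-page URL are constructed for the example (the real shape of nextLink is an assumption); fetch_with_token is the real transport, uses only the standard library and assumes a valid Azure Resource Manager bearer token obtained elsewhere.

```python
"""Added example (not from the Azure reference): page through the
Policy Exemptions - List operation and audit what comes back."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2022-07-01-preview"


def list_url(subscription_id, filter_expr=None):
    """Build the list URL. The $filter value is percent-encoded, but the
    characters OData needs ( ) ' / = are kept so that atScope() and
    policyAssignmentId eq '/providers/...' arrive intact."""
    base = (f"{ARM}/subscriptions/{subscription_id}"
            "/providers/Microsoft.Authorization/policyExemptions")
    query = []
    if filter_expr:
        query.append("$filter=" + quote(filter_expr, safe="()'/="))
    query.append("api-version=" + API_VERSION)
    return base + "?" + "&".join(query)


def fetch_with_token(token):
    """Real transport: GET with a bearer token. On a non-2xx response the
    CloudError body's error.code / error.message are surfaced."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as e:
            err = json.load(e).get("error", {})
            raise RuntimeError(f"HTTP {e.code} {err.get('code')}: {err.get('message')}") from e
    return fetch


def list_exemptions(fetch, subscription_id, filter_expr=None):
    """Collect every PolicyExemption, following nextLink until it is absent.
    A repeated nextLink is an error rather than an endless loop."""
    items, seen = [], set()
    url = list_url(subscription_id, filter_expr)
    while url:
        if url in seen:
            raise RuntimeError("nextLink loop detected: " + url)
        seen.add(url)
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def audit(exemptions, now):
    """Return (name, finding) pairs for exemptions worth a reviewer's attention."""
    findings = []
    for ex in exemptions:
        name, p = ex.get("name"), ex.get("properties", {})
        expires = p.get("expiresOn")  # UTC yyyy-MM-ddTHH:mm:ssZ per the reference
        if expires is None:
            findings.append((name, "no expiresOn: exemption never lapses"))
        elif datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
            findings.append((name, "expired on " + expires))
        if p.get("assignmentScopeValidation") == "DoNotValidate":
            findings.append((name, "created with assignmentScopeValidation=DoNotValidate"))
        if not p.get("policyDefinitionReferenceIds"):
            findings.append((name, "no policyDefinitionReferenceIds: exempts the whole assignment"))
    return findings


# --- Constructed sample data; not a captured API response -------------------
SUB = "00000000-0000-0000-0000-000000000000"
ASSIGN = ("/providers/Microsoft.Management/managementGroups/DevOrg"
          "/providers/Microsoft.Authorization/policyAssignments")
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _exemption(name, **props):
    return {"id": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/policyExemptions/{name}",
            "type": "Microsoft.Authorization/policyExemptions", "name": name, "properties": props}


_PAGE2 = list_url(SUB) + "&$skipToken=constructed"  # nextLink shape is assumed
CONSTRUCTED_PAGES = {
    list_url(SUB): {"value": [
        _exemption("demo-cluster", policyAssignmentId=ASSIGN + "/CostManagement",
                   policyDefinitionReferenceIds=["Limit_Skus"], exemptionCategory="Waiver",
                   expiresOn="2021-01-01T00:00:00Z"),
        _exemption("jump-box", policyAssignmentId=ASSIGN + "/LimitPorts",
                   policyDefinitionReferenceIds=["Open_Ports"], exemptionCategory="Mitigated",
                   assignmentScopeValidation="DoNotValidate"),
    ], "nextLink": _PAGE2},
    _PAGE2: {"value": [
        _exemption("vnet", policyAssignmentId=ASSIGN + "/LimitPorts",
                   exemptionCategory="Waiver", expiresOn="2099-01-01T00:00:00Z"),
    ]},
}


def fake_fetch(url):
    """Offline stand-in for fetch_with_token(...)."""
    return CONSTRUCTED_PAGES[url]


def run_demo():
    return audit(list_exemptions(fake_fetch, SUB), FIXED_NOW)


if __name__ == "__main__":
    for name, finding in run_demo():
        print(f"{name}: {finding}")
```

The audit re-checks expiry locally because the default, unfiltered listing includes expired exemptions; passing filter_expr="excludeExpired()" hands that filtering to the service instead, and "atExactScope()" is the one to use when you only want exemptions created on the subscription itself rather than inherited from a management group or defined on contained resources.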

ResourceSelector

The resource selector to filter policies by resource properties.

Name Type Description
name

string

The name of the resource selector.

selectors

Selector[]

The list of the selector expressions.

Selector

The selector expression.

Name Type Description
in

string[]

The list of values to filter in.

kind

SelectorKind

The selector kind.

notIn

string[]

The list of values to filter out.

SelectorKind

The selector kind.

Name Type Description
policyDefinitionReferenceId

string

The selector kind to filter policies by the policy definition reference ID.

resourceLocation

string

The selector kind to filter policies by the resource location.

resourceType

string

The selector kind to filter policies by the resource type.

resourceWithoutLocation

string

The selector kind to filter policies by resources that have no location.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC).

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.