Modifier

Partager via


New-AzPolicyDefinition

Creates or updates a policy definition.

Syntax

New-AzPolicyDefinition
   -Name <String>
   -Policy <String>
   [-DisplayName <String>]
   [-Description <String>]
   [-Metadata <String>]
   [-Parameter <String>]
   [-Mode <String>]
   [-BackwardCompatible]
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzPolicyDefinition
   -Name <String>
   -ManagementGroupName <String>
   -Policy <String>
   [-DisplayName <String>]
   [-Description <String>]
   [-Metadata <String>]
   [-Parameter <String>]
   [-Mode <String>]
   [-BackwardCompatible]
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-AzPolicyDefinition
   -Name <String>
   -SubscriptionId <String>
   -Policy <String>
   [-DisplayName <String>]
   [-Description <String>]
   [-Metadata <String>]
   [-Parameter <String>]
   [-Mode <String>]
   [-BackwardCompatible]
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzPolicyDefinition cmdlet creates or updates a policy definition that includes a policy rule JSON format.

Examples

Example 1: Create a policy definition by using a policy file

{
   "if": {
      "field": "location",
      "notIn": ["eastus", "westus", "centralus"]
   },
   "then": {
      "effect": "audit"
   }
}

New-AzPolicyDefinition -Name 'LocationDefinition' -Policy C:\LocationPolicy.json

This command creates a policy definition named LocationDefinition that contains the policy rule specified in C:\LocationPolicy.json. Example content for the LocationPolicy.json file is provided above. Three file content formats are supported: 1. Policy rule only (example above). 2. Policy properties object. This format is displayed in the portal when editing a policy definition and may include parameters. 3. Full policy object. This format is generated by the Azure Policy export function and may include parameters.

Note: Values provided on the command line (e.g. parameters, metadata) override corresponding values present in the file.

Example 2: Create a parameterized policy definition using inline parameters

{
   "if": {
      "field": "location",
      "notIn": "[parameters('listOfAllowedLocations')]"
   },
   "then": {
      "effect": "audit"
   }
}
New-AzPolicyDefinition -Name 'LocationDefinition' -Policy C:\LocationPolicy.json -Parameter '{ "listOfAllowedLocations": { "type": "array" } }'

This command creates a policy definition named LocationDefinition that contains the policy rule specified in C:\LocationPolicy.json. The parameter definition for the policy rule is provided inline.

Example 3: Create a policy definition inline in a management group

New-AzPolicyDefinition -Name 'VMPolicyDefinition' -ManagementGroupName Dept42 -DisplayName 'Virtual Machine policy definition' -Policy '{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"deny"}}'

This command creates a policy definition named VMPolicyDefinition in management group Dept42. The command specifies the policy as a string in valid JSON format.

Example 4: Create a policy definition inline with metadata

New-AzPolicyDefinition -Name 'VMPolicyDefinition' -Metadata '{"category":"Virtual Machine"}' -Policy '{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"deny"}}' | Format-List

This command creates a policy definition named VMPolicyDefinition with metadata indicating its category is "Virtual Machine". The command specifies the policy as a string in valid JSON format.

Example 5: Create a policy definition inline with mode

New-AzPolicyDefinition -Name 'TagsPolicyDefinition' -Policy '{"if":{"value":"[less(length(field(''tags'')), 3)]","equals":true},"then":{"effect":"deny"}}' -Mode Indexed

This command creates a policy definition named TagsPolicyDefinition with mode "Indexed" indicating the policy should be evaluated only for resource types that support tags and location.

Parameters

-BackwardCompatible

Causes cmdlet to return artifacts using legacy format placing policy-specific properties in a property bag object.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.

Type:PSObject
Aliases:AzureRMContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

The policy definition description.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DisplayName

The display name of the policy definition.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ManagementGroupName

The ID of the management group.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Metadata

The policy definition metadata. Metadata is an open ended object and is typically a collection of key value pairs.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Mode

The policy definition mode. Some examples are All, Indexed, Microsoft.KeyVault.Data.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Name

The name of the policy definition to create.

Type:String
Aliases:PolicyDefinitionName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Parameter

The parameter definitions for parameters used in the policy rule. The keys are the parameter names.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Policy

The policy rule.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SubscriptionId

The ID of the target subscription.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

Outputs

IPolicyDefinition