Authorization actions and attributes
Authorization actions
This section lists the supported authorization actions you can target for conditions.
Create or update role assignments
| Property | Value |
|---|---|
| Display name | Create or update role assignments |
| Description | Control plane action for creating role assignments |
| Action | Microsoft.Authorization/roleAssignments/write |
| Resource attributes | |
| Request attributes | Role definition ID Principal ID Principal type |
| Examples | !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})Example: Constrain roles |
Delete a role assignment
| Property | Value |
|---|---|
| Display name | Delete a role assignment |
| Description | Control plane action for deleting role assignments |
| Action | Microsoft.Authorization/roleAssignments/delete |
| Resource attributes | Role definition ID Principal ID Principal type |
| Request attributes | |
| Examples | !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})Example: Constrain roles |
Authorization attributes
This section lists the authorization attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Role definition ID
| Property | Value |
|---|---|
| Display name | Role definition ID |
| Description | The role definition ID used in the role assignment |
| Attribute | Microsoft.Authorization/roleAssignments:RoleDefinitionId |
| Attribute source | Request Resource |
| Attribute type | GUID |
| Operators | GuidEquals GuidNotEquals ForAnyOfAnyValues:GuidEquals ForAnyOfAllValues:GuidNotEquals |
| Examples | @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}Example: Constrain roles |
Principal ID
| Property | Value |
|---|---|
| Display name | Principal ID |
| Description | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group |
| Attribute | Microsoft.Authorization/roleAssignments:PrincipalId |
| Attribute source | Request Resource |
| Attribute type | GUID |
| Operators | GuidEquals GuidNotEquals ForAnyOfAnyValues:GuidEquals ForAnyOfAllValues:GuidNotEquals |
| Examples | @Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-723a-407b-a74a-1bca3f0c95d0}Example: Constrain roles and specific groups |
Principal type
| Property | Value |
|---|---|
| Display name | Principal type |
| Description | Principal type represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals |
| Attribute | Microsoft.Authorization/roleAssignments:PrincipalType |
| Attribute source | Request Resource |
| Attribute type | STRING |
| Values | User ServicePrincipal Group |
| Operators | StringEqualsIgnoreCase StringNotEqualsIgnoreCase ForAnyOfAnyValues:StringEqualsIgnoreCase ForAnyOfAllValues:StringNotEqualsIgnoreCase |
| Examples | @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}Example: Constrain roles and principal types |