Policy Assignments - List
Retrieves all policy assignments that apply to a subscription.
This operation retrieves the list of all policy assignments associated with the given subscription that match the optional given $filter. Valid values for $filter are: 'atScope()', 'atExactScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy assignments associated with the subscription, including those that apply directly or from management groups that contain the given subscription, as well as any applied to objects contained within the subscription. If $filter=atScope() is provided, the returned list includes all policy assignments that apply to the subscription, which is everything in the unfiltered list except those applied to objects contained within the subscription. If $filter=atExactScope() is provided, the returned list only includes all policy assignments that at the subscription. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value}.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments?api-version=2023-04-01GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments?$filter={$filter}&$top={$top}&api-version=2023-04-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
subscription
|
path | True |
string uuid |
The ID of the target subscription. The value must be an UUID. |
|
api-version
|
query | True |
string |
The API version to use for this operation. |
|
$filter
|
query |
string |
The filter to apply on the operation. Valid values for $filter are: 'atScope()', 'atExactScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, no filtering is performed. If $filter=atScope() is provided, the returned list only includes all policy assignments that apply to the scope, which is everything in the unfiltered list except those applied to sub scopes contained within the given scope. If $filter=atExactScope() is provided, the returned list only includes all policy assignments that at the given scope. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value}. |
|
|
$top
|
query |
integer int32 |
Maximum number of records to return. When the $top filter is not provided, it will return 500 records. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK - Returns an array of policy assignments. |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
List policy assignments that apply to a subscription
Sample request
GET https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments?$filter=atScope()&api-version=2023-04-01
Sample response
{
"value": [
{
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement",
"type": "Microsoft.Authorization/policyAssignments",
"name": "CostManagement",
"location": "eastus",
"identity": {
"type": "SystemAssigned",
"principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
"tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
},
"properties": {
"displayName": "Storage Cost Management",
"description": "Minimize the risk of accidental cost overruns",
"metadata": {
"category": "Cost Management"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/storageSkus",
"definitionVersion": "1.*.*",
"parameters": {
"allowedSkus": {
"value": "Standard_A1"
}
},
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
"notScopes": []
}
},
{
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/TagEnforcement",
"type": "Microsoft.Authorization/policyAssignments",
"name": "TagEnforcement",
"properties": {
"displayName": "Enforces a tag key and value",
"description": "Ensure a given tag key and value are present on all resources",
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/TagKeyValue",
"definitionVersion": "1.*.*",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
"notScopes": []
}
}
]
}Definitions
| Name | Description |
|---|---|
|
Cloud |
An error response from a policy operation. |
|
created |
The type of identity that created the resource. |
|
enforcement |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
|
Error |
The resource management error additional info. |
|
Error |
Error Response |
| Identity |
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity. |
|
Non |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
| Override |
The policy property value override. |
|
Override |
The override kind. |
|
Parameter |
The value of a parameter. |
|
Policy |
The policy assignment. |
|
Policy |
List of policy assignments. |
|
Resource |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
|
Resource |
The resource selector to filter policies by resource properties. |
| Selector |
The selector expression. |
|
Selector |
The selector kind. |
|
system |
Metadata pertaining to creation and last modification of the resource. |
|
User |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
CloudError
An error response from a policy operation.
| Name | Type | Description |
|---|---|---|
| error |
Error Response |
createdByType
The type of identity that created the resource.
| Name | Type | Description |
|---|---|---|
| Application |
string |
|
| Key |
string |
|
| ManagedIdentity |
string |
|
| User |
string |
enforcementMode
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
| Name | Type | Description |
|---|---|---|
| Default |
string |
The policy effect is enforced during resource creation or update. |
| DoNotEnforce |
string |
The policy effect is not enforced during resource creation or update. |
ErrorAdditionalInfo
The resource management error additional info.
| Name | Type | Description |
|---|---|---|
| info |
object |
The additional info. |
| type |
string |
The additional info type. |
ErrorResponse
Error Response
| Name | Type | Description |
|---|---|---|
| additionalInfo |
The error additional info. |
|
| code |
string |
The error code. |
| details |
The error details. |
|
| message |
string |
The error message. |
| target |
string |
The error target. |
Identity
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.
| Name | Type | Description |
|---|---|---|
| principalId |
string |
The principal ID of the resource identity. This property will only be provided for a system assigned identity |
| tenantId |
string |
The tenant ID of the resource identity. This property will only be provided for a system assigned identity |
| type |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
|
| userAssignedIdentities |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
NonComplianceMessage
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.
| Name | Type | Description |
|---|---|---|
| message |
string |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
| policyDefinitionReferenceId |
string |
The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. |
Override
The policy property value override.
| Name | Type | Description |
|---|---|---|
| kind |
The override kind. |
|
| selectors |
Selector[] |
The list of the selector expressions. |
| value |
string |
The value to override the policy property. |
OverrideKind
The override kind.
| Name | Type | Description |
|---|---|---|
| policyEffect |
string |
It will override the policy effect type. |
ParameterValuesValue
The value of a parameter.
| Name | Type | Description |
|---|---|---|
| value |
object |
The value of the parameter. |
PolicyAssignment
The policy assignment.
| Name | Type | Default value | Description |
|---|---|---|---|
| id |
string |
The ID of the policy assignment. |
|
| identity |
The managed identity associated with the policy assignment. |
||
| location |
string |
The location of the policy assignment. Only required when utilizing managed identity. |
|
| name |
string |
The name of the policy assignment. |
|
| properties.definitionVersion |
string |
The version of the policy definition to use. |
|
| properties.description |
string |
This message will be part of response in case of policy violation. |
|
| properties.displayName |
string |
The display name of the policy assignment. |
|
| properties.enforcementMode | Default |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
|
| properties.metadata |
object |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
|
| properties.nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
||
| properties.notScopes |
string[] |
The policy's excluded scopes. |
|
| properties.overrides |
Override[] |
The policy property value override. |
|
| properties.parameters |
<string,
Parameter |
The parameter values for the assigned policy rule. The keys are the parameter names. |
|
| properties.policyDefinitionId |
string |
The ID of the policy definition or policy set definition being assigned. |
|
| properties.resourceSelectors |
The resource selector list to filter policies by resource properties. |
||
| properties.scope |
string |
The scope for the policy assignment. |
|
| systemData |
The system metadata relating to this resource. |
||
| type |
string |
The type of the policy assignment. |
PolicyAssignmentListResult
List of policy assignments.
| Name | Type | Description |
|---|---|---|
| nextLink |
string |
The URL to use for getting the next set of results. |
| value |
An array of policy assignments. |
ResourceIdentityType
The identity type. This is the only required field when adding a system or user assigned identity to a resource.
| Name | Type | Description |
|---|---|---|
| None |
string |
Indicates that no identity is associated with the resource or that the existing identity should be removed. |
| SystemAssigned |
string |
Indicates that a system assigned identity is associated with the resource. |
| UserAssigned |
string |
Indicates that a system assigned identity is associated with the resource. |
ResourceSelector
The resource selector to filter policies by resource properties.
| Name | Type | Description |
|---|---|---|
| name |
string |
The name of the resource selector. |
| selectors |
Selector[] |
The list of the selector expressions. |
Selector
The selector expression.
| Name | Type | Description |
|---|---|---|
| in |
string[] |
The list of values to filter in. |
| kind |
The selector kind. |
|
| notIn |
string[] |
The list of values to filter out. |
SelectorKind
The selector kind.
| Name | Type | Description |
|---|---|---|
| policyDefinitionReferenceId |
string |
The selector kind to filter policies by the policy definition reference ID. |
| resourceLocation |
string |
The selector kind to filter policies by the resource location. |
| resourceType |
string |
The selector kind to filter policies by the resource type. |
| resourceWithoutLocation |
string |
The selector kind to filter policies by the resource without location. |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |
UserAssignedIdentities
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
| Name | Type | Description |
|---|---|---|
|
|