你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Get-AzDenyAssignment
列出指定范围内的 Azure RBAC 拒绝分配。 默认情况下,它会列出所选 Azure 订阅中的所有拒绝分配。 使用相应的参数列出特定用户的拒绝分配,或列出特定资源组或资源上的拒绝分配。
该 cmdlet 可以根据输入参数调用以下 Microsoft Graph API:
- GET /directoryObjects/{id}
- POST /directoryObjects/getByIds
语法
Get-AzDenyAssignment
[-Scope <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ObjectId <Guid>
[-ExpandPrincipalGroups]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ObjectId <Guid>
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ObjectId <Guid>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ObjectId <Guid>
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-SignInName <String>
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-SignInName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-SignInName <String>
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-SignInName <String>
[-ExpandPrincipalGroups]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ServicePrincipalName <String>
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ServicePrincipalName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ResourceGroupName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
-Scope <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
[-Scope <String>]
-Id <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Get-AzDenyAssignment
[-Scope <String>]
-DenyAssignmentName <String>
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] 说明
使用 Get-AzDenyAssignment 命令列出在范围上生效的所有拒绝分配。 如果没有任何参数,此命令将返回订阅下所做的所有拒绝分配。 可以使用主体、拒绝分配名称和作用域的筛选参数筛选此列表。 若要指定用户,请使用 SignInName 或 Microsoft Entra ObjectId 参数。 若要指定安全组,请使用 Microsoft Entra ObjectId 参数。 若要指定 Microsoft Entra 应用程序,请使用 ServicePrincipalName 或 ObjectId 参数。 可以指定拒绝访问的范围。 默认为所选订阅。 可以使用下列参数组合之一指定拒绝分配的范围。 范围 - 这是从 /subscriptions/<subscriptionId> 开始的完全限定范围。 这将筛选在特定范围生效的拒绝分配,即在该范围及更高范围内的所有拒绝分配。 b. ResourceGroupName - 订阅下的任何资源组的名称。 这将筛选在指定资源组中生效的分配,即该范围及更高级别的所有拒绝分配。 c. ResourceName、ResourceType、ResourceGroupName 和 (可选)ParentResource - 标识订阅下的特定资源,并将筛选该资源范围内有效的拒绝分配。 若要确定订阅中特定用户拒绝的访问权限,请使用 ExpandPrincipalGroups 开关。 这会列出分配给用户的所有拒绝分配,以及分配给用户所属的组。
示例
示例 1
列出订阅中的所有拒绝分配
Get-AzDenyAssignment
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/denyAssignments/22704996-fbd0-4ab1-8625-722d897825d2
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f
DoNotApplyToChildScopes : False
Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}
ExcludePrincipals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment 2
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: PowershellTestingApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True示例 2
获取对范围 testRG 及更高版本的用户 john.doe@contoso.com 所做的所有拒绝分配。
Get-AzDenyAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/denyAssignments/22704996-fbd0-4ab1-8625-722d897825d2
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f
DoNotApplyToChildScopes : False
Principals : {
DisplayName: john.doe
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
}
ExcludePrincipals : {}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: john.doe
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: PowershellTestingApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True示例 3
获取指定服务主体的所有拒绝分配
Get-AzDenyAssignment -ServicePrincipalName 'http://testapp1.com'
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: TestApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1/providers/Microsoft.Authorization/denyAssignments/94e3d9da-3700-4113-aab4-15f6c173d794
DenyAssignmentName : Test deny assignment 2
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: TestApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True示例 4
获取“site1”网站范围内的拒绝分配。
Get-AzDenyAssignment -Scope '/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/testRG/providers/Microsoft.Web/sites/site1'
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG/providers/Microsoft.Authorization/denyAssignments/43af7d0c-0bf8-407f-96c0-96a29d076431
DenyAssignmentName : Test deny assignment 1
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/testRG
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
}
ExcludePrincipals : {}
IsSystemProtected : True
Id : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1/providers/Microsoft.Authorization/denyAssignments/594e3d9da-3700-4113-aab4-15f6c173d794
DenyAssignmentName : Test deny assignment 2
Description : Test deny assignment for PS cmdlets
Actions : {foo/*}
NotActions : {foo/*/read}
DataActions : {foo/*}
NotDataActions : {}
Scope : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testRG/providers/Microsoft.Web/sites/site1
DoNotApplyToChildScopes : False
Principals : {
DisplayName: testuser
ObjectType: User
ObjectId: f8d526a0-54eb-4941-ae69-ebf4a334d0f0
,
DisplayName: TestApp
ObjectType: ServicePrincipal
ObjectId: f2dc21ac-702a-4bde-a4ce-146edf751d81
}
ExcludePrincipals : {}
IsSystemProtected : True参数
-DefaultProfile
用于与 azure 通信的凭据、帐户、租户和订阅
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DenyAssignmentName
拒绝分配的名称。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ExpandPrincipalGroups
如果指定,则返回直接分配给用户的拒绝分配,并返回用户所属的组(可传递)。 仅支持用户主体。
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Id
拒绝分配完全限定的 ID 或 GUID。 当 ID 作为 GUID 提供时,会将当前订阅作为默认范围。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ObjectId
用户、组或服务主体的 Microsoft Entra ObjectId。 筛选对指定主体所做的所有拒绝分配。
| Type: | Nullable<T>[Guid] |
| Aliases: | PrincipalId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ParentResource
使用 ResourceName 参数指定的资源的层次结构中的父资源。 必须与 ResourceGroupName、ResourceType 和 ResourceName 参数结合使用。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceGroupName
资源组名称。 列出在指定资源组中有效的拒绝分配。 当与 ResourceName、ResourceType 和 ParentResource 参数结合使用时,该命令将列出在资源组中的资源上有效的拒绝分配。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceName
资源名称。 例如 storageaccountprod。 必须与 ResourceGroupName、ResourceType 和 (可选)ParentResource 参数结合使用。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceType
资源类型。 例如 Microsoft.Network/virtualNetworks。 必须与 ResourceGroupName、ResourceName 和 (可选)ParentResource 参数结合使用。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Scope
角色分配的范围。 相对 URI 的格式。 例如 /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG。 它必须以“/subscriptions/{id}”开头。 该命令会筛选在该范围内生效的所有拒绝分配。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ServicePrincipalName
服务主体的 ServicePrincipalName。 筛选对指定 Microsoft Entra 应用程序所做的所有拒绝分配。
| Type: | String |
| Aliases: | SPN |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SignInName
用户的电子邮件地址或用户主体名称。 筛选对指定用户所做的所有拒绝分配。
| Type: | String |
| Aliases: | Email, UserPrincipalName |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
输入
输出
备注
关键字:azure, azurerm, arm, 资源, 管理, 经理, 资源组, 模板, 部署
反馈
即将发布:在整个 2024 年,我们将逐步淘汰作为内容反馈机制的“GitHub 问题”,并将其取代为新的反馈系统。 有关详细信息,请参阅:https://aka.ms/ContentUserFeedback。
提交和查看相关反馈