Policy Restrictions - Check At Subscription Scope
Checks what restrictions Azure Policy will place on a resource within a subscription.
POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2024-10-01
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| subscriptionId | path | True | string minLength: 1 | The ID of the target subscription. |
| api-version | query | True | string minLength: 1 | The API version to use for this operation. |
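Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| resourceDetails | True | | The information about the resource that will be evaluated. |
| includeAuditEffect | | boolean | Whether to include policies with the 'audit' effect in the results. Defaults to False. |
| pendingFields | | | The list of fields and values that should be evaluated for potential restrictions. |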
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | The restrictions that will be placed on the resource by Azure Policy. |
| Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
| Check policy restrictions at subscription scope |
| Check policy restrictions at subscription scope including audit effect |
Check policy restrictions at subscription scope
Sample request
POST https://management.azure.com/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2024-10-01
{
"resourceDetails": {
"resourceContent": {
"type": "Microsoft.Compute/virtualMachines",
"properties": {
"priority": "Spot"
}
},
"apiVersion": "2019-12-01"
},
"pendingFields": [
{
"field": "name",
"values": [
"myVMName"
]
},
{
"field": "location",
"values": [
"eastus",
"westus",
"westus2",
"westeurope"
]
},
{
"field": "tags"
}
]
}
Sample response
{
"fieldRestrictions": [
{
"field": "tags.newtag",
"restrictions": [
{
"result": "Required",
"defaultValue": "defaultVal",
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Deny",
"reason": "tags.newtag is required"
}
]
},
{
"field": "tags.environment",
"restrictions": [
{
"result": "Required",
"values": [
"Prod",
"Int",
"Test"
],
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Deny",
"reason": "tags.environment is required"
}
]
},
{
"field": "location",
"restrictions": [
{
"result": "Deny",
"values": [
"west europe"
],
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Deny",
"reason": "location must be one of the following: eastus, westus, westus2"
},
{
"result": "Deny",
"values": [
"eastus",
"westus"
],
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Deny",
"reason": "location must be one of the following: westus2"
}
]
}
],
"contentEvaluationResult": {
"policyEvaluations": [
{
"policyInfo": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E",
"policyDefinitionReferenceId": "defref222",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37"
},
"evaluationResult": "NonCompliant",
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "field",
"expression": "type",
"path": "type",
"expressionValue": "microsoft.compute/virtualmachines",
"targetValue": "microsoft.compute/virtualmachines",
"operator": "equals"
}
]
},
"effectDetails": {
"policyEffect": "Deny"
}
}
]
}
}
Check policy restrictions at subscription scope including audit effect
Sample request
POST https://management.azure.com/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2024-10-01
{
"resourceDetails": {
"resourceContent": {
"type": "Microsoft.Compute/virtualMachines",
"properties": {
"priority": "Spot"
}
},
"apiVersion": "2019-12-01"
},
"pendingFields": [
{
"field": "name",
"values": [
"myVMName"
]
},
{
"field": "location",
"values": [
"eastus",
"westus",
"westus2",
"westeurope"
]
},
{
"field": "tags"
}
],
"includeAuditEffect": true
}
Sample response
{
"fieldRestrictions": [
{
"field": "tags.newtag",
"restrictions": [
{
"result": "Required",
"defaultValue": "defaultVal",
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Deny",
"reason": "tags.newtag is required"
}
]
},
{
"field": "tags.environment",
"restrictions": [
{
"result": "Required",
"values": [
"Prod",
"Int",
"Test"
],
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Audit",
"reason": "tags.environment is required"
}
]
},
{
"field": "location",
"restrictions": [
{
"result": "Deny",
"values": [
"west europe"
],
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Deny",
"reason": "The selected location is not allowed"
},
{
"result": "Audit",
"values": [
"eastus",
"westus"
],
"policy": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B",
"policyDefinitionReferenceId": "DefRef"
},
"policyEffect": "Audit",
"reason": "The selected location is not allowed"
}
]
}
],
"contentEvaluationResult": {
"policyEvaluations": [
{
"policyInfo": {
"policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41",
"policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E",
"policyDefinitionReferenceId": "defref222",
"policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37"
},
"evaluationResult": "NonCompliant",
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "field",
"expression": "type",
"path": "type",
"expressionValue": "microsoft.compute/virtualmachines",
"targetValue": "microsoft.compute/virtualmachines",
"operator": "equals"
}
],
"reason": "Resource creation of the selected type is not allowed"
},
"effectDetails": {
"policyEffect": "Audit"
}
}
]
}
}
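The following added example (not part of the original reference and not Microsoft's code) shows one way to use a checkPolicyRestrictions response as a pre-deployment gate: it separates restrictions that would block a proposed resource (Deny effect) from those that would only be audited. The function names, the value normalization and the placeholder assignment ids are assumptions of this example.

```python
import json

# Constructed sample: trimmed from the audit-effect response above, with
# policy assignment ids replaced by placeholders.
SAMPLE = json.loads("""
{"fieldRestrictions": [
  {"field": "tags.newtag", "restrictions": [
    {"result": "Required", "defaultValue": "defaultVal", "policyEffect": "Deny",
     "policy": {"policyAssignmentId": "<assignment-1>"}}]},
  {"field": "tags.environment", "restrictions": [
    {"result": "Required", "values": ["Prod", "Int", "Test"],
     "policyEffect": "Audit",
     "policy": {"policyAssignmentId": "<assignment-2>"}}]},
  {"field": "location", "restrictions": [
    {"result": "Deny", "values": ["west europe"], "policyEffect": "Deny",
     "policy": {"policyAssignmentId": "<assignment-3>"}},
    {"result": "Audit", "values": ["eastus", "westus"], "policyEffect": "Audit",
     "policy": {"policyAssignmentId": "<assignment-4>"}}]}
]}
""")

def _norm(value):
    # Assumption of this example: values match case- and space-insensitively,
    # so the requested "westeurope" matches the returned "west europe".
    return value.replace(" ", "").lower()

def classify(response, proposed):
    """Sort restrictions hit by a proposed {field: value} map into blocking
    (Deny effect) and audit-only lists; a missing key means the field is unset."""
    blocking, audit_only = [], []
    for fr in response.get("fieldRestrictions", []):
        value = proposed.get(fr["field"])
        for r in fr.get("restrictions", []):
            listed = {_norm(v) for v in r.get("values", [])}
            if r["result"] == "Required":
                # A defaultValue means policy fills in an unset field itself.
                hit = (value is None and "defaultValue" not in r) or bool(
                    value is not None and listed and _norm(value) not in listed)
            elif r["result"] in ("Deny", "Audit"):
                # No values listed: the field itself is restricted.
                hit = value is not None and (not listed or _norm(value) in listed)
            else:  # "Removed": policy drops the field, nothing is rejected
                hit = False
            if hit:
                bucket = blocking if r.get("policyEffect") == "Deny" else audit_only
                bucket.append((fr["field"], r["result"],
                               r["policy"]["policyAssignmentId"]))
    return blocking, audit_only
```

A deployment pipeline would fail the run when the first list is non-empty and log the second; audit-only entries appear only when the request sets `includeAuditEffect` to true.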
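Definitions
| Name | Description |
|---|---|
| CheckRestrictionEvaluationDetails | Policy evaluation details. |
| CheckRestrictionsRequest | The check policy restrictions parameters describing the resource that is being evaluated. |
| CheckRestrictionsResourceDetails | The information about the resource that will be evaluated. |
| CheckRestrictionsResult | The result of a check policy restrictions evaluation on a resource. |
| ContentEvaluationResult | Evaluation results for the provided partial resource content. |
| ErrorDefinition | Error definition. |
| ErrorResponse | Error response. |
| ExpressionEvaluationDetails | Evaluation details of policy language expressions. |
| FieldRestriction | The restrictions on a field imposed by a specific policy. |
| FieldRestrictionResult | The type of restriction that is imposed on the field. |
| FieldRestrictions | The restrictions that will be placed on a field in the resource by policy. |
| IfNotExistsEvaluationDetails | Evaluation details of the IfNotExists effect. |
| PendingField | A field that should be evaluated against Azure Policy to determine restrictions. |
| PolicyEffectDetails | The details of the effect that was applied to the resource. |
| PolicyEvaluationResult | The result of a non-compliant policy evaluation against the given resource content. |
| PolicyReference | Resource identifiers for a policy. |
| TypedErrorInfo | Scenario specific error details. |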
CheckRestrictionEvaluationDetails
Policy evaluation details.
| Name | Type | Description |
|---|---|---|
| evaluatedExpressions | | Details of the evaluated expressions. |
| ifNotExistsDetails | | Evaluation details of the IfNotExists effect. |
| reason | string | The reason for the evaluation result. |
CheckRestrictionsRequest
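The check policy restrictions parameters describing the resource that is being evaluated.
| Name | Type | Default value | Description |
|---|---|---|---|
| includeAuditEffect | boolean | False | Whether to include policies with the 'audit' effect in the results. Defaults to False. |
| pendingFields | | | The list of fields and values that should be evaluated for potential restrictions. |
| resourceDetails | | | The information about the resource that will be evaluated. |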
CheckRestrictionsResourceDetails
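The information about the resource that will be evaluated.
| Name | Type | Description |
|---|---|---|
| apiVersion | string | The API version of the resource content. |
| resourceContent | object | The resource content. This should include whatever properties are already known and can be a partial set of all resource properties. |
| scope | string | The scope where the resource is being created. For example, if the resource is a child resource, this would be the parent resource's resource ID. |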
CheckRestrictionsResult
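The result of a check policy restrictions evaluation on a resource.
| Name | Type | Description |
|---|---|---|
| contentEvaluationResult | | Evaluation results for the provided partial resource content. |
| fieldRestrictions | | The restrictions that will be placed on various fields in the resource by policy. |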
ContentEvaluationResult
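Evaluation results for the provided partial resource content.
| Name | Type | Description |
|---|---|---|
| policyEvaluations | | Policy evaluation results against the given resource content. This indicates whether the partial content that was provided will be denied as-is. |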
ErrorDefinition
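Error definition.
| Name | Type | Description |
|---|---|---|
| additionalInfo | | Additional scenario specific error details. |
| code | string | Service specific error code which serves as the substatus for the HTTP error code. |
| details | | Internal error details. |
| message | string | Description of the error. |
| target | string | The target of the error. |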
ErrorResponse
Error response.
| Name | Type | Description |
|---|---|---|
| error | | The error details. |
ExpressionEvaluationDetails
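Evaluation details of policy language expressions.
| Name | Type | Description |
|---|---|---|
| expression | string | The expression that was evaluated. |
| expressionKind | string | The kind of expression that was evaluated. |
| expressionValue | object | The value of the expression. |
| operator | string | The operator used to compare the expression value and the target value. |
| path | string | The property path if the expression is a field or an alias. |
| result | string | The evaluation result. |
| targetValue | object | The target value to be compared with the expression value. |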
FieldRestriction
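The restrictions on a field imposed by a specific policy.
| Name | Type | Description |
|---|---|---|
| defaultValue | string | The value that policy will set for the field if the user does not provide a value. |
| policy | | The details of the policy that is causing the field restriction. |
| policyEffect | string | The effect of the policy that is causing the field restriction. http://aka.ms/policyeffects |
| reason | string | The reason for the restriction. |
| result | | The type of restriction that is imposed on the field. |
| values | string[] | The values that policy either requires or denies for the field. |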
FieldRestrictionResult
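The type of restriction that is imposed on the field.
| Value | Description |
|---|---|
| Required | The field and/or values are required by policy. |
| Removed | The field will be removed by policy. |
| Deny | The field and/or values will be denied by policy. |
| Audit | The field and/or values will be audited by policy. |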
FieldRestrictions
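The restrictions that will be placed on a field in the resource by policy.
| Name | Type | Description |
|---|---|---|
| field | string | The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias. |
| restrictions | | The restrictions placed on that field by policy. |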
IfNotExistsEvaluationDetails
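Evaluation details of the IfNotExists effect.
| Name | Type | Description |
|---|---|---|
| resourceId | string | The ID of the last evaluated resource for the IfNotExists effect. |
| totalResources | integer | The total number of resources to which the existence condition is applicable. |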
PendingField
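A field that should be evaluated against Azure Policy to determine restrictions.
| Name | Type | Description |
|---|---|---|
| field | string | The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias. |
| values | string[] | The list of potential values for the field that should be evaluated against Azure Policy. |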
PolicyEffectDetails
The details of the effect that was applied to the resource.
| Name | Type | Description |
|---|---|---|
| policyEffect | string | The effect that was applied to the resource. http://aka.ms/policyeffects |
PolicyEvaluationResult
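The result of a non-compliant policy evaluation against the given resource content.
| Name | Type | Description |
|---|---|---|
| effectDetails | | The details of the effect that was applied to the resource. |
| evaluationDetails | | The detailed results of the policy expressions and values that were evaluated. |
| evaluationResult | string | The result of the policy evaluation against the resource. This will typically be 'NonCompliant' but may contain other values if errors were encountered. |
| policyInfo | | The details of the policy that was evaluated. |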
PolicyReference
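Resource identifiers for a policy.
| Name | Type | Description |
|---|---|---|
| policyAssignmentId | string | The resource identifier of the policy assignment. |
| policyDefinitionId | string | The resource identifier of the policy definition. |
| policyDefinitionReferenceId | string | The reference identifier of a specific policy definition within a policy set definition. |
| policySetDefinitionId | string | The resource identifier of the policy set definition. |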
TypedErrorInfo
Scenario specific error details.
| Name | Type | Description |
|---|---|---|
| info | | The scenario specific error details. |
| type | string | The type of included error details. |