This section lists the supported authorization actions you can target for conditions.
| Property | Value |
|---|---|
| Display name | Create or update role assignments |
| Description | Control plane action for creating role assignments |
| Action | Microsoft.Authorization/roleAssignments/write |
| Resource attributes | |
| Request attributes | Role definition ID<br>Principal ID<br>Principal type |
| Examples | `!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})` |

| Property | Value |
|---|---|
| Display name | Delete a role assignment |
| Description | Control plane action for deleting role assignments |
| Action | Microsoft.Authorization/roleAssignments/delete |
| Resource attributes | Role definition ID<br>Principal ID<br>Principal type |
| Request attributes | |
| Examples | `!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})` |
This section lists the authorization attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
| Property | Value |
|---|---|
| Display name | Role definition ID |
| Description | The role definition ID used in the role assignment |
| Attribute | Microsoft.Authorization/roleAssignments:RoleDefinitionId |
| Attribute source | Request<br>Resource |
| Attribute type | GUID |
| Operators | GuidEquals<br>GuidNotEquals<br>ForAnyOfAnyValues:GuidEquals<br>ForAnyOfAllValues:GuidNotEquals |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}` |

| Property | Value |
|---|---|
| Display name | Principal ID |
| Description | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. |
| Attribute | Microsoft.Authorization/roleAssignments:PrincipalId |
| Attribute source | Request<br>Resource |
| Attribute type | GUID |
| Operators | GuidEquals<br>GuidNotEquals<br>ForAnyOfAnyValues:GuidEquals<br>ForAnyOfAllValues:GuidNotEquals |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-723a-407b-a74a-1bca3f0c95d0}` |

| Property | Value |
|---|---|
| Display name | Principal type |
| Description | Principal type represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals. |
| Attribute | Microsoft.Authorization/roleAssignments:PrincipalType |
| Attribute source | Request<br>Resource |
| Attribute type | STRING |
| Values | User<br>ServicePrincipal<br>Group |
| Operators | StringEqualsIgnoreCase<br>StringNotEqualsIgnoreCase<br>ForAnyOfAnyValues:StringEqualsIgnoreCase<br>ForAnyOfAllValues:StringNotEqualsIgnoreCase |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}` |
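The per-attribute examples above each show one clause in isolation. The script below is an added example (not from this page or Microsoft) that composes them into one complete condition covering both actions: a delegate may create or delete role assignments only for the two role definition IDs used in the page's examples (the Contributor and Reader built-in roles) and only for User or Group principals. The write branch checks `@Request` attributes and the delete branch checks `@Resource` attributes, matching the attribute sources listed for each action; the assignee and scope passed to `apply_condition`, and the `APPLY` switch, are assumptions.

```shell
#!/bin/sh
# Added example: build an ABAC condition from the role-assignment attributes on this
# page and attach it to a delegate's "Role Based Access Control Administrator" assignment.
ALLOWED_ROLE_IDS='b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7'
ALLOWED_PRINCIPAL_TYPES="'User', 'Group'"

# Emit the condition. Write is evaluated on @Request (the assignment being created),
# delete on @Resource (the assignment being removed), per the attribute sources above.
role_assignment_condition() {
  cat <<EOF
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$ALLOWED_ROLE_IDS}
  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {$ALLOWED_PRINCIPAL_TYPES}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$ALLOWED_ROLE_IDS}
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {$ALLOWED_PRINCIPAL_TYPES}
 )
)
EOF
}

# Attach the condition to the delegate's own assignment (hypothetical object ID and
# scope; needs a signed-in Azure CLI with permission to assign roles at that scope).
apply_condition() {
  az role assignment create \
    --assignee "$1" \
    --role "Role Based Access Control Administrator" \
    --scope "$2" \
    --condition "$(role_assignment_condition)" \
    --condition-version 2.0
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_condition "$DELEGATE_OBJECT_ID" "$TARGET_SCOPE"
fi
```

Run with `APPLY=1 DELEGATE_OBJECT_ID=<guid> TARGET_SCOPE=<scope> sh script.sh` to apply; without `APPLY=1` it only defines the functions, so `role_assignment_condition` can be printed and reviewed first.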