Authorization actions and attributes
Authorization actions
This section lists the supported authorization actions you can target for conditions.
Create or update role assignments
Property | Value |
---|---|
Display name | Create or update role assignments |
Description | Control plane action for creating role assignments |
Action | Microsoft.Authorization/roleAssignments/write |
Resource attributes | |
Request attributes | Role definition ID Principal ID Principal type |
Examples | !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) |
Delete a role assignment
Property | Value |
---|---|
Display name | Delete a role assignment |
Description | Control plane action for deleting role assignments |
Action | Microsoft.Authorization/roleAssignments/delete |
Resource attributes | Role definition ID Principal ID Principal type |
Request attributes | |
Examples | !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}) |
Authorization attributes
This section lists the authorization attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Role definition ID
Property | Value |
---|---|
Display name | Role definition ID |
Description | The role definition ID used in the role assignment |
Attribute | Microsoft.Authorization/roleAssignments:RoleDefinitionId |
Attribute source | Request Resource |
Attribute type | GUID |
Operators | GuidEquals GuidNotEquals ForAnyOfAnyValues:GuidEquals ForAnyOfAllValues:GuidNotEquals |
Examples | @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7} |
Principal ID
Property | Value |
---|---|
Display name | Principal ID |
Description | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group |
Attribute | Microsoft.Authorization/roleAssignments:PrincipalId |
Attribute source | Request Resource |
Attribute type | GUID |
Operators | GuidEquals GuidNotEquals ForAnyOfAnyValues:GuidEquals ForAnyOfAllValues:GuidNotEquals |
Examples | @Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-723a-407b-a74a-1bca3f0c95d0} |
Principal type
Property | Value |
---|---|
Display name | Principal type |
Description | Principal type represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals |
Attribute | Microsoft.Authorization/roleAssignments:PrincipalType |
Attribute source | Request Resource |
Attribute type | STRING |
Values | User ServicePrincipal Group |
Operators | StringEqualsIgnoreCase StringNotEqualsIgnoreCase ForAnyOfAnyValues:StringEqualsIgnoreCase ForAnyOfAllValues:StringNotEqualsIgnoreCase |
Examples | @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'} |