az policy assignment

Manage resource policy assignments.

Commands

az policy assignment create

Create a resource policy assignment.

az policy assignment delete

Delete a resource policy assignment.

az policy assignment identity

Manage a policy assignment's managed identity.

az policy assignment identity assign

Add a system assigned identity to a policy assignment.

az policy assignment identity remove

Remove a managed identity from a policy assignment.

az policy assignment identity show

Show a policy assignment's managed identity.

az policy assignment list

List resource policy assignments.

az policy assignment show

Show a resource policy assignment.

az policy assignment create

Create a resource policy assignment.

az policy assignment create [--assign-identity]
                            [--display-name]
                            [--enforcement-mode {Default, DoNotEnforce}]
                            [--identity-scope]
                            [--location]
                            [--name]
                            [--not-scopes]
                            [--params]
                            [--policy]
                            [--policy-set-definition]
                            [--resource-group]
                            [--role]
                            [--scope]
                            [--sku {free, standard}]

Examples

Create a resource policy assignment at scope

Valid scopes are management group, subscription, resource group, and resource, for example:
   management group:  /providers/Microsoft.Management/managementGroups/MyManagementGroup
   subscription:      /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
   resource group:    /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
   resource:          /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM

az policy assignment create --scope \
    "/providers/Microsoft.Management/managementGroups/MyManagementGroup" \
    --policy {PolicyName} -p "{ \"allowedLocations\": \
        { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Create a resource policy assignment and provide rule parameter values.

az policy assignment create --policy {PolicyName} -p "{ \"allowedLocations\": \
    { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Create a resource policy assignment with a system assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity

Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor

Create a resource policy assignment with an enforcement mode. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

az policy assignment create --name myPolicy --policy {PolicyName} --enforcement-mode 'DoNotEnforce'

Optional Parameters

--assign-identity

Assigns a system assigned identity to the policy assignment.

--display-name

Display name of the policy assignment.

--enforcement-mode -e

Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

accepted values: Default, DoNotEnforce
default value: Default

--identity-scope

Scope that the system assigned identity can access.

--location -l

The location of the policy assignment. Only required when utilizing managed identity.

--name -n

Name of the new policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON-formatted string, or a path to a file or URI, with parameter values of the policy rule.

--policy

Name or id of the policy definition.

--policy-set-definition -d

Name or id of the policy set definition.

--resource-group -g

The resource group where the policy will be applied.

--role

Role name or id that will be assigned to the managed identity.

default value: Contributor

--scope

Scope to which this policy assignment applies.

--sku -s

Policy sku.

accepted values: free, standard

az policy assignment delete

Delete a resource policy assignment.

az policy assignment delete --name
                            [--resource-group]
                            [--scope]

Examples

Delete a resource policy assignment. (autogenerated)

az policy assignment delete --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.

az policy assignment list

List resource policy assignments.

az policy assignment list [--disable-scope-strict-match]
                          [--query-examples]
                          [--resource-group]
                          [--scope]

Optional Parameters

--disable-scope-strict-match

Include policy assignments either inherited from parent scope or at child scope.

--query-examples

Recommend JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.
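
Added example (not part of the original reference): a review pass over the JSON printed by az policy assignment list, flagging assignments created with --enforcement-mode DoNotEnforce, with --not-scopes exclusions, or with --assign-identity. The field names (enforcementMode, notScopes, identity.type, identity.principalId) are assumed to match the list output, and the sample records are constructed.

```python
import json
import sys

# Constructed sample shaped like `az policy assignment list -o json` output.
# Names, scopes and ids are made up; field names are an assumption about the output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.loads("""[
  {"name": "allowed-locations", "enforcementMode": "Default",
   "notScopes": [], "identity": null},
  {"name": "audit-tags-pilot", "enforcementMode": "DoNotEnforce",
   "notScopes": null, "identity": null},
  {"name": "deploy-diagnostics", "enforcementMode": "Default",
   "notScopes": ["%s/resourceGroups/sandbox"],
   "identity": {"type": "SystemAssigned",
                "principalId": "11111111-1111-1111-1111-111111111111"}}
]""" % SUB)


def audit_assignments(assignments):
    """Return {assignment name: [finding, ...]} for assignments worth a review."""
    report = {}
    for a in assignments:
        findings = []
        # DoNotEnforce: the policy effect is not enforced for this assignment.
        if (a.get("enforcementMode") or "Default").lower() == "donotenforce":
            findings.append("not-enforced")
        # --not-scopes: each listed scope is outside the assignment.
        for excluded in a.get("notScopes") or []:
            findings.append("excluded:" + excluded)
        # --assign-identity: a managed identity exists; --role defaults to
        # Contributor, so its role assignments deserve a look.
        identity = a.get("identity") or {}
        if (identity.get("type") or "None") != "None":
            findings.append("identity:" + identity.get("principalId", "unknown"))
        if findings:
            report[a["name"]] = findings
    return report


if __name__ == "__main__":
    # Pass a file holding saved list output, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, findings in audit_assignments(data).items():
        print(name, "->", ", ".join(findings))
```

For each identity finding, az role assignment list --assignee <principalId> shows which roles the identity actually holds.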

az policy assignment show

Show a resource policy assignment.

az policy assignment show --name
                          [--query-examples]
                          [--resource-group]
                          [--scope]

Examples

Show a resource policy assignment. (autogenerated)

az policy assignment show --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--query-examples

Recommend JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.