az policy assignment

Manage resource policy assignments.

Commands

az policy assignment create	Create a resource policy assignment.
az policy assignment delete	Delete a resource policy assignment.
az policy assignment identity	Manage a policy assignment's managed identity.
az policy assignment identity assign	Add a system assigned identity to a policy assignment.
az policy assignment identity remove	Remove a managed identity from a policy assignment.
az policy assignment identity show	Show a policy assignment's managed identity.
az policy assignment list	List resource policy assignments.
az policy assignment show	Show a resource policy assignment.

az policy assignment create

Edit

Create a resource policy assignment.

az policy assignment create [--assign-identity]
                            [--display-name]
                            [--identity-scope]
                            [--location]
                            [--name]
                            [--not-scopes]
                            [--params]
                            [--policy]
                            [--policy-set-definition]
                            [--resource-group]
                            [--role]
                            [--scope]
                            [--sku {free, standard}]
                            [--subscription]

Examples

Create a resource policy assignment at scope

Valid scopes are management group, subscription, resource group, and resource, for example
                           management group:  /providers/Microsoft.Management/managementGroups/MyManagementGroup
                           subscription:      /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
                           resource group:    /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
                           resource:          /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
                             az policy assignment create --scope '/providers/Microsoft.Management/managementGroups/MyManagementGroup' --policy {PolicyName} -p '{ \
                                 "allowedLocations": { \
                                     "value": [ \
                                         "australiaeast", \
                                         "eastus", \
                                         "japaneast" \
                                     ] \
                                 } \
                             }'

Create a resource policy assignment and provide rule parameter values.

az policy assignment create --policy {PolicyName} -p '{ \
                            "allowedLocations": { \
                                "value": [ \
                                    "australiaeast", \
                                    "eastus", \
                                    "japaneast" \
                                ] \
                            } \
                        }'

Create a resource policy assignment with a system assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity

Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor

Optional Parameters

--assign-identity

Assigns a system assigned identity to the policy assignment.

--display-name

Display name of the policy assignment.

--identity-scope

Scope that the system assigned identity can access.

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--name -n

Name of the new policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string or a path to a file or uri with parameter values of the policy rule.

--policy

Name or id of the policy definition.

--policy-set-definition -d

Name or id of the policy set definition.

--resource-group -g

The resource group where the policy will be applied.

--role

Role name or id that will be assigned to the managed identity.

default value: Contributor

--scope

Scope to which this policy assignment applies.

--sku -s

Policy sku.

accepted values: free, standard

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--output -o

Output format.

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.