az policy assignment
Manage resource policy assignments.
Commands
az policy assignment create
Create a resource policy assignment.
az policy assignment delete
Delete a resource policy assignment.
az policy assignment identity
Manage a policy assignment's managed identity.
az policy assignment identity assign
Add a system assigned identity to a policy assignment.
az policy assignment identity remove
Remove a managed identity from a policy assignment.
az policy assignment identity show
Show a policy assignment's managed identity.
az policy assignment list
List resource policy assignments.
az policy assignment show
Show a resource policy assignment.
az policy assignment create
Create a resource policy assignment.
az policy assignment create [--assign-identity]
                            [--display-name]
                            [--enforcement-mode {Default, DoNotEnforce}]
                            [--identity-scope]
                            [--location]
                            [--name]
                            [--not-scopes]
                            [--params]
                            [--policy]
                            [--policy-set-definition]
                            [--resource-group]
                            [--role]
                            [--scope]
                            [--sku {free, standard}]
Examples
Create a resource policy assignment at scope
Valid scopes are management group, subscription, resource group, and resource, for example:
management group: /providers/Microsoft.Management/managementGroups/MyManagementGroup
subscription: /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
resource group: /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
resource: /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
az policy assignment create --scope \
"/providers/Microsoft.Management/managementGroups/MyManagementGroup" \
--policy {PolicyName} -p "{ \"allowedLocations\": \
{ \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"
Create a resource policy assignment and provide rule parameter values.
az policy assignment create --policy {PolicyName} -p "{ \"allowedLocations\": \
{ \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"
Create a resource policy assignment with a system assigned identity.
az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity
Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.
az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor
Create a resource policy assignment with an enforcement mode. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.
az policy assignment create --name myPolicy --policy {PolicyName} --enforcement-mode 'DoNotEnforce'
Optional Parameters
--assign-identity
Assigns a system assigned identity to the policy assignment.
--display-name
Display name of the policy assignment.
--enforcement-mode
Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.
--identity-scope
Scope that the system assigned identity can access.
--location
The location of the policy assignment. Only required when utilizing managed identity.
--name
Name of the new policy assignment.
--not-scopes
Space-separated scopes where the policy assignment does not apply.
--params
JSON formatted string or a path to a file or uri with parameter values of the policy rule.
--policy
Name or id of the policy definition.
--policy-set-definition
Name or id of the policy set definition.
--resource-group
The resource group where the policy will be applied.
--role
Role name or id that will be assigned to the managed identity.
--scope
Scope to which this policy assignment applies.
--sku
Policy sku.
--debug
Increase logging verbosity to show all debug logs.
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az policy assignment delete
Delete a resource policy assignment.
az policy assignment delete --name
                            [--resource-group]
                            [--scope]
Examples
Delete a resource policy assignment. (autogenerated)
az policy assignment delete --name MyPolicyAssignment
Required Parameters
--name
Name of the policy assignment.
Optional Parameters
--resource-group
The resource group where the policy will be applied.
--scope
Scope to which this policy assignment applies.
--debug
Increase logging verbosity to show all debug logs.
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az policy assignment list
List resource policy assignments.
az policy assignment list [--disable-scope-strict-match]
                          [--query-examples]
                          [--resource-group]
                          [--scope]
Optional Parameters
--disable-scope-strict-match
Include policy assignments either inherited from parent scope or at child scope.
--query-examples
Recommends JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.
--resource-group
The resource group where the policy will be applied.
--scope
Scope to which this policy assignment applies.
--debug
Increase logging verbosity to show all debug logs.
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
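A review pass over the output of az policy assignment list, as an added example (not part of the original reference or of the Azure CLI): it flags assignments created with --enforcement-mode DoNotEnforce, with --not-scopes exclusions, or with a managed identity, and labels each scope using the four scope formats listed earlier on this page. The JSON field names (enforcementMode, notScopes, identity.type) and the sample records are assumptions about the shape of the --output json result.

```python
import re

# Scope formats follow the four examples given on this page.
SCOPE_KINDS = [
    ("management group",
     re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource group", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource",
     re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+$", re.I)),
]

def scope_kind(scope):
    """Classify a scope string; anything unrecognised is 'unknown'."""
    for kind, pattern in SCOPE_KINDS:
        if pattern.match((scope or "").rstrip("/")):
            return kind
    return "unknown"

def audit(assignments):
    """Return (name, scope kind, findings) for each assignment needing review."""
    report = []
    for a in assignments:
        findings = []
        if (a.get("enforcementMode") or "Default").lower() == "donotenforce":
            findings.append("DoNotEnforce: policy effect is not enforced")
        findings += ["excluded by notScopes: " + s for s in a.get("notScopes") or []]
        if ((a.get("identity") or {}).get("type") or "None") != "None":
            findings.append("managed identity: review its role and identity scope")
        if findings:
            report.append((a.get("name"), scope_kind(a.get("scope")), findings))
    return report

SUB = "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333"  # example ID from this page
# Constructed sample, shaped like `az policy assignment list --output json` (assumed).
SAMPLE = [
    {"name": "allowed-locations", "scope": SUB, "enforcementMode": "Default",
     "notScopes": [], "identity": None},
    {"name": "audit-only-trial", "scope": SUB + "/resourceGroups/myGroup",
     "enforcementMode": "DoNotEnforce", "notScopes": None, "identity": None},
    {"name": "deploy-diagnostics",
     "scope": "/providers/Microsoft.Management/managementGroups/MyManagementGroup",
     "enforcementMode": "Default", "notScopes": [SUB + "/resourceGroups/sandbox"],
     "identity": {"type": "SystemAssigned"}},
]

if __name__ == "__main__":
    for name, kind, findings in audit(SAMPLE):
        print(f"{name} [{kind}]")
        for finding in findings:
            print("  - " + finding)
```

To run it on real data, save the output of az policy assignment list --output json to a file, load it with json.load, and pass the resulting list to audit().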
az policy assignment show
Show a resource policy assignment.
az policy assignment show --name
                          [--query-examples]
                          [--resource-group]
                          [--scope]
Examples
Show a resource policy assignment. (autogenerated)
az policy assignment show --name MyPolicyAssignment
Required Parameters
--name
Name of the policy assignment.
Optional Parameters
--query-examples
Recommends JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.
--resource-group
The resource group where the policy will be applied.
--scope
Scope to which this policy assignment applies.
--debug
Increase logging verbosity to show all debug logs.
--help
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.