使用 Azure PowerShell 列出 Azure 拒绝分配List Azure deny assignments using Azure PowerShell

• 12/01/2020
• • r
  • a

即使角色分配向用户授予了访问权限，Azure 拒绝分配也会阻止用户执行特定的 Azure 资源操作。Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. 本文介绍如何使用 Azure PowerShell 列出拒绝分配。This article describes how to list deny assignments using Azure PowerShell.

先决条件Prerequisites

如要获取拒绝分配的相关信息，必须具有：To get information about a deny assignment, you must have:

• Microsoft.Authorization/denyAssignments/read 权限，大多数 Azure 内置角色都包含该权限Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles
• Azure PowerShellAzure PowerShell

列出拒绝分配List deny assignments

列出所有拒绝分配List all deny assignments

若要列出当前订阅的所有“拒绝分配”信息，请使用 Get-AzDenyAssignment。To list all deny assignments for the current subscription, use Get-AzDenyAssignment.

Get-AzDenyAssignment

PS C:\> Get-AzDenyAssignment

Id                      : 22222222-2222-2222-2222-222222222222
DenyAssignmentName      : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
                          '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Description             : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Actions                 : {*}
NotActions              : {*/read}
DataActions             : {}
NotDataActions          : {}
Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
DoNotApplyToChildScopes : True
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          ObjectType:   ServicePrincipal
                          }
IsSystemProtected       : True

Id                      : 33333333-3333-3333-3333-333333333333
DenyAssignmentName      : Deny assignment '33333333-3333-3333-3333-333333333333' created by Blueprint Assignment
                          '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Description             : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Actions                 : {*}
NotActions              : {*/read}
DataActions             : {}
NotDataActions          : {}
Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks/providers/Microsoft.Storage/storageAccounts/storep6vkuxmu4m4pq
DoNotApplyToChildScopes : True
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          DisplayName:  assignment-locked-storageaccount-TestingBPLocks
                          ObjectType:   ServicePrincipal
                          ObjectId:     2311a0b7-657a-4ca2-af6f-d1c33f6d2fff
                          }
IsSystemProtected       : True

列出资源组范围内的拒绝分配List deny assignments at a resource group scope

若要列出资源组范围内的所有拒绝分配，请使用 Get-AzDenyAssignment。To list all deny assignments at a resource group scope, use Get-AzDenyAssignment.

Get-AzDenyAssignment -ResourceGroupName <resource_group_name>

PS C:\> Get-AzDenyAssignment -ResourceGroupName TestingBPLocks | FL DenyAssignmentName, Scope

DenyAssignmentName : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
                     '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
Principals         : {
                     DisplayName:       All Principals
                     ObjectType:        SystemDefined
                     ObjectId:  00000000-0000-0000-0000-000000000000
                     }

列出订阅范围内的拒绝分配List deny assignments at a subscription scope

若要列出订阅范围内的所有拒绝分配，请使用 Get-AzDenyAssignment。To list all deny assignments at a subscription scope, use Get-AzDenyAssignment. 若要获取订阅 ID，可以在 Azure 门户中的“订阅”边栏选项卡上找到它，也可以使用 Get-AzSubscription。To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

Get-AzDenyAssignment -Scope /subscriptions/<subscription_id>

PS C:\> Get-AzDenyAssignment -Scope /subscriptions/11111111-1111-1111-1111-111111111111

后续步骤Next steps

• 了解 Azure 拒绝分配Understand Azure deny assignments
• 使用 Azure 门户列出 Azure 拒绝分配List Azure deny assignments using the Azure portal
• 使用 REST API 列出 Azure 拒绝分配List Azure deny assignments using the REST API