使用 Azure PowerShell 列出 Azure 拒绝分配List Azure deny assignments using Azure PowerShell

05/25/2020

即使角色分配向用户授予了访问权限，Azure 拒绝分配也会阻止用户执行特定的 Azure 资源操作。Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. 本文介绍如何使用 Azure PowerShell 列出拒绝分配。This article describes how to list deny assignments using Azure PowerShell.

备注

不能直接创建自己的拒绝分配。You can't directly create your own deny assignments. 有关如何创建拒绝分配的信息，请参阅 Azure 拒绝分配。For information about how deny assignments are created, see Azure deny assignments.

先决条件Prerequisites

如要获取拒绝分配的相关信息，必须具有：To get information about a deny assignment, you must have:

Microsoft.Authorization/denyAssignments/read 权限，大多数 Azure 内置角色都包含该权限Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles
Azure PowerShellAzure PowerShell

列出拒绝分配List deny assignments

列出所有拒绝分配List all deny assignments

若要列出当前订阅的所有“拒绝分配”信息，请使用 Get-AzDenyAssignment。To list all deny assignments for the current subscription, use Get-AzDenyAssignment.

Get-AzDenyAssignment

PS C:\> Get-AzDenyAssignment

Id                      : 22222222-2222-2222-2222-222222222222
DenyAssignmentName      : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
                          '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Description             : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Actions                 : {*}
NotActions              : {*/read}
DataActions             : {}
NotDataActions          : {}
Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
DoNotApplyToChildScopes : True
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          ObjectType:   ServicePrincipal
                          }
IsSystemProtected       : True

Id                      : 33333333-3333-3333-3333-333333333333
DenyAssignmentName      : Deny assignment '33333333-3333-3333-3333-333333333333' created by Blueprint Assignment
                          '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Description             : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Actions                 : {*}
NotActions              : {*/read}
DataActions             : {}
NotDataActions          : {}
Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks/providers/Microsoft.Storage/storageAccounts/storep6vkuxmu4m4pq
DoNotApplyToChildScopes : True
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          DisplayName:  assignment-locked-storageaccount-TestingBPLocks
                          ObjectType:   ServicePrincipal
                          ObjectId:     2311a0b7-657a-4ca2-af6f-d1c33f6d2fff
                          }
IsSystemProtected       : True

列出资源组范围内的拒绝分配List deny assignments at a resource group scope

若要列出资源组范围内的所有拒绝分配，请使用 Get-AzDenyAssignment。To list all deny assignments at a resource group scope, use Get-AzDenyAssignment.

Get-AzDenyAssignment -ResourceGroupName <resource_group_name>

PS C:\> Get-AzDenyAssignment -ResourceGroupName TestingBPLocks | FL DenyAssignmentName, Scope

DenyAssignmentName : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
                     '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
Principals         : {
                     DisplayName:       All Principals
                     ObjectType:        SystemDefined
                     ObjectId:  00000000-0000-0000-0000-000000000000
                     }

列出订阅范围内的拒绝分配List deny assignments at a subscription scope

若要列出订阅范围内的所有拒绝分配，请使用 Get-AzDenyAssignment。To list all deny assignments at a subscription scope, use Get-AzDenyAssignment. 若要获取订阅 ID，可以在 Azure 门户中的“订阅”边栏选项卡上找到它，也可以使用 Get-AzSubscription。To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

Get-AzDenyAssignment -Scope /subscriptions/<subscription_id>

PS C:\> Get-AzDenyAssignment -Scope /subscriptions/11111111-1111-1111-1111-111111111111