List Azure deny assignments using Azure PowerShell
Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using Azure PowerShell.
Note
You can't directly create your own deny assignments. For information about how deny assignments are created, see Azure deny assignments.
Prerequisites
To get information about a deny assignment, you must have:
- Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles
- Azure PowerShell
List deny assignments
List all deny assignments
To list all deny assignments for the current subscription, use Get-AzDenyAssignment.
Get-AzDenyAssignment
PS C:\> Get-AzDenyAssignment
Id : 22222222-2222-2222-2222-222222222222
DenyAssignmentName : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
'/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Description : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Actions : {*}
NotActions : {*/read}
DataActions : {}
NotDataActions : {}
Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
DoNotApplyToChildScopes : True
Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}
ExcludePrincipals : {
ObjectType: ServicePrincipal
}
IsSystemProtected : True
Id : 33333333-3333-3333-3333-333333333333
DenyAssignmentName : Deny assignment '33333333-3333-3333-3333-333333333333' created by Blueprint Assignment
'/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Description : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Actions : {*}
NotActions : {*/read}
DataActions : {}
NotDataActions : {}
Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks/providers/Microsoft.Storage/storageAccounts/storep6vkuxmu4m4pq
DoNotApplyToChildScopes : True
Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}
ExcludePrincipals : {
DisplayName: assignment-locked-storageaccount-TestingBPLocks
ObjectType: ServicePrincipal
ObjectId: 2311a0b7-657a-4ca2-af6f-d1c33f6d2fff
}
IsSystemProtected : True
List deny assignments at a resource group scope
To list all deny assignments at a resource group scope, use Get-AzDenyAssignment with the -ResourceGroupName parameter.
Get-AzDenyAssignment -ResourceGroupName <resource_group_name>
PS C:\> Get-AzDenyAssignment -ResourceGroupName TestingBPLocks | FL DenyAssignmentName, Scope
DenyAssignmentName : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
'/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}
List deny assignments at a subscription scope
To list all deny assignments at a subscription scope, use Get-AzDenyAssignment with the -Scope parameter. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.
Get-AzDenyAssignment -Scope /subscriptions/<subscription_id>
PS C:\> Get-AzDenyAssignment -Scope /subscriptions/11111111-1111-1111-1111-111111111111
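The listings above show every deny assignment at a scope, but when troubleshooting an "access denied" result the practical question is whether a particular identity is covered by one of them. The following script is an added example, not part of the original article: it combines Get-AzDenyAssignment -Scope with the Principals and ExcludePrincipals properties shown in the output above to report only the deny assignments that apply to a given object ID. The function name Get-DenyAssignmentsForPrincipal and the $scope and $principalId placeholders are assumptions you replace with your own values; the all-zero ObjectId is the "All Principals" sentinel visible in the article's output.

```powershell
# Added example (not from the original article): report which deny assignments
# at a scope apply to a given principal. Placeholders below must be replaced.
$scope       = "/subscriptions/<subscription_id>"           # placeholder
$principalId = "<object_id_of_user_or_service_principal>"    # placeholder

# Sentinel ObjectId Azure uses for the "All Principals" entry (see output above)
$allPrincipals = "00000000-0000-0000-0000-000000000000"

function Get-DenyAssignmentsForPrincipal {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [string] $ObjectId
    )

    Get-AzDenyAssignment -Scope $Scope | ForEach-Object {
        $deny = $_

        # The deny applies when the principal is listed directly, or when the
        # assignment targets all principals ...
        $included = $deny.Principals | Where-Object {
            $_.ObjectId -eq $ObjectId -or $_.ObjectId -eq $allPrincipals
        }

        # ... unless the principal is carved out in ExcludePrincipals.
        $excluded = $deny.ExcludePrincipals | Where-Object {
            $_.ObjectId -eq $ObjectId
        }

        if ($included -and -not $excluded) {
            [pscustomobject]@{
                Id                      = $deny.Id
                Scope                   = $deny.Scope
                DoNotApplyToChildScopes = $deny.DoNotApplyToChildScopes
                DeniedActions           = ($deny.Actions -join ', ')
                ExceptActions           = ($deny.NotActions -join ', ')
                IsSystemProtected       = $deny.IsSystemProtected
            }
        }
    }
}

# Usage: one row per deny assignment that blocks the principal at this scope
Get-DenyAssignmentsForPrincipal -Scope $scope -ObjectId $principalId |
    Format-Table -AutoSize
```

Two caveats when reading the result: the match is on the principal's own object ID only, so a deny that reaches the identity through group membership is not resolved here, and a deny listed at a parent scope with DoNotApplyToChildScopes set to False still applies to resources below it even though this query only inspects the scope you pass in. Read DeniedActions and ExceptActions together, as in the article's output, where Actions of * with NotActions of */read means everything except reads is blocked.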