List Azure deny assignments using the REST API

Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using the REST API.

Note

You can't directly create your own deny assignments. For information about how deny assignments are created, see Azure deny assignments.

Prerequisites

To get information about a deny assignment, you must have:

  • Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles.

List a single deny assignment

  1. Start with the following request:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/denyAssignments/{deny-assignment-id}?api-version=2018-07-01-preview

  2. Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

    | Scope | Type |
    |---|---|
    | subscriptions/{subscriptionId} | Subscription |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource |

  3. Replace {deny-assignment-id} with the deny assignment identifier you want to retrieve.

List multiple deny assignments

  1. Start with one of the following requests:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview

    With optional parameters:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}

  2. Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

    | Scope | Type |
    |---|---|
    | subscriptions/{subscriptionId} | Subscription |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource |

  3. Replace {filter} with the condition that you want to apply to filter the deny assignment list.

    | Filter | Description |
    |---|---|
    | (no filter) | Lists all deny assignments at, above, and below the specified scope. |
    | $filter=atScope() | Lists deny assignments for only the specified scope and above. Does not include the deny assignments at subscopes. |
    | $filter=assignedTo('{objectId}') | Lists deny assignments for the specified user or service principal. If the user is a member of a group that has a deny assignment, that deny assignment is also listed. This filter is transitive for groups, which means that if the user is a member of a group and that group is a member of another group that has a deny assignment, that deny assignment is also listed. This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group. |
    | $filter=atScope()+and+assignedTo('{objectId}') | Lists deny assignments for the specified user or service principal and at the specified scope. |
    | $filter=denyAssignmentName+eq+'{deny-assignment-name}' | Lists deny assignments with the specified name. |
    | $filter=principalId+eq+'{objectId}' | Lists deny assignments for the specified user, group, or service principal. |
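As an added example (not code from the original article), the following Python builds the list URLs from the steps above, encoding the $filter value, and evaluates a constructed listing response to report which deny assignments would block a given action for a given principal. The response shape (properties.denyAssignmentName, permissions[].actions/notActions, principals, excludePrincipals) and the all-zeros "All principals" ID are assumed from the deny assignment schema; all GUIDs are constructed.

```python
import fnmatch
from urllib.parse import quote

# Azure China management endpoint and API version as used in this article.
ENDPOINT = "https://management.chinacloudapi.cn"
API_VERSION = "2018-07-01-preview"
# Assumed sentinel ID that a deny assignment uses to target "All principals".
ALL_PRINCIPALS = "00000000-0000-0000-0000-000000000000"

def deny_assignments_url(scope, filter_expr=None, endpoint=ENDPOINT):
    """Build the list-deny-assignments URL for a scope ('/' for the root scope).
    The $filter value is percent-encoded, keeping the '+' spacing used in the article."""
    path = scope.strip("/")
    url = f"{endpoint}{'/' + path if path else ''}/providers/Microsoft.Authorization/denyAssignments"
    url += f"?api-version={API_VERSION}"
    if filter_expr:
        url += "&$filter=" + quote(filter_expr, safe="()'+=")
    return url

def _matches(action, patterns):
    # Azure RBAC action strings are case-insensitive and '*' spans '/' segments.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def denied_by(listing, principal_id, action):
    """Return the denyAssignmentName of each entry in listing['value'] that blocks
    `action` for `principal_id` (actions minus notActions, honouring excludePrincipals).
    Group membership is NOT expanded here, unlike the assignedTo() filter; pass the
    object ID of each group the principal belongs to if you need that."""
    pid = principal_id.lower()
    hits = []
    for entry in listing.get("value", []):
        props = entry["properties"]
        targets = {p["id"].lower() for p in props.get("principals", [])}
        excluded = {p["id"].lower() for p in props.get("excludePrincipals", [])}
        if pid in excluded or not (pid in targets or ALL_PRINCIPALS in targets):
            continue
        for perm in props.get("permissions", []):
            if _matches(action, perm.get("actions", [])) and not _matches(action, perm.get("notActions", [])):
                hits.append(props["denyAssignmentName"])
                break
    return hits

# Constructed sample response in the shape the API returns (not captured from a real tenant).
SAMPLE_LISTING = {"value": [{
    "name": "00000000-0000-0000-0000-00000000cafe",
    "properties": {
        "denyAssignmentName": "constructed-resource-lock",
        "permissions": [{"actions": ["*"], "notActions": ["*/read"]}],
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/myresourcegroup1",
        "principals": [{"id": ALL_PRINCIPALS, "type": "SystemDefined"}],
        "excludePrincipals": [{"id": "11111111-1111-1111-1111-111111111111", "type": "ServicePrincipal"}]}}]}
```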

List deny assignments at the root scope (/)

  1. Elevate your access as described in Elevate access to manage all Azure subscriptions and management groups.

  2. Use the following request:

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}

  3. Replace {filter} with the condition that you want to apply to filter the deny assignment list. A filter is required.

    | Filter | Description |
    |---|---|
    | $filter=atScope() | Lists deny assignments for only the root scope. Does not include the deny assignments at subscopes. |
    | $filter=denyAssignmentName+eq+'{deny-assignment-name}' | Lists deny assignments with the specified name. |

  4. Remove elevated access.

Next steps