New-AzPolicyDefinition
Creates a policy definition.
Note
This is the previous version of our documentation. Please consult the most recent version for up-to-date information.
Syntax
New-AzPolicyDefinition
-Name <String>
[-DisplayName <String>]
[-Description <String>]
-Policy <String>
[-Metadata <String>]
[-Parameter <String>]
[-Mode <String>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] New-AzPolicyDefinition
-Name <String>
[-DisplayName <String>]
[-Description <String>]
-Policy <String>
[-Metadata <String>]
[-Parameter <String>]
[-Mode <String>]
-ManagementGroupName <String>
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] New-AzPolicyDefinition
-Name <String>
[-DisplayName <String>]
[-Description <String>]
-Policy <String>
[-Metadata <String>]
[-Parameter <String>]
[-Mode <String>]
-SubscriptionId <Guid>
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
The New-AzPolicyDefinition cmdlet creates a policy definition that includes a policy rule in JavaScript Object Notation (JSON) format.
Examples
Example 1: Create a policy definition by using a policy file
{
"if": {
"field": "location",
"notIn": ["eastus", "westus", "centralus"]
},
"then": {
"effect": "audit"
}
}
PS C:\> New-AzPolicyDefinition -Name 'LocationDefinition' -Policy C:\LocationPolicy.jsonThis command creates a policy definition named LocationDefinition that contains the policy rule specified in C:\LocationPolicy.json. Example content for the LocationPolicy.json file is provided above. Three file content formats are supported:
- Policy rule only (example above).
- Policy properties object. This format is displayed in the portal when editing a policy definition and may include parameters.
- Full policy object. This format is generated by the Azure Policy export function and may include parameters.
Note: Values provided on the command line (e.g. parameters, metadata) override corresponding values present in the file.
Example 2: Create a parameterized policy definition using inline parameters
{
"if": {
"field": "location",
"notIn": "[parameters('listOfAllowedLocations')]"
},
"then": {
"effect": "audit"
}
}
PS C:\> New-AzPolicyDefinition -Name 'LocationDefinition' -Policy C:\LocationPolicy.json -Parameter '{ "listOfAllowedLocations": { "type": "array" } }'This command creates a policy definition named LocationDefinition that contains the policy rule specified in C:\LocationPolicy.json. The parameter definition for the policy rule is provided inline.
Example 3: Create a policy definition inline in a management group
PS C:\> New-AzPolicyDefinition -Name 'VMPolicyDefinition' -ManagementGroupName Dept42 -DisplayName 'Virtual Machine policy definition' -Policy '{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"deny"}}'This command creates a policy definition named VMPolicyDefinition in management group Dept42. The command specifies the policy as a string in valid JSON format.
Example 4: Create a policy definition inline with metadata
PS C:\> New-AzPolicyDefinition -Name 'VMPolicyDefinition' -Metadata '{"category":"Virtual Machine"}' -Policy '{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"deny"}}'
Name : VMPolicyDefinition
ResourceId : /subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/VMPolicyDefinition
ResourceName : VMPolicyDefinition
ResourceType : Microsoft.Authorization/policyDefinitions
SubscriptionId : 11111111-1111-1111-1111-111111111111
Properties : @{displayName=VMPolicyDefinition; policyType=Custom; mode=All; metadata=; policyRule=}
PolicyDefinitionId : /subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/VMPolicyDefinitionThis command creates a policy definition named VMPolicyDefinition with metadata indicating its category is "Virtual Machine". The command specifies the policy as a string in valid JSON format.
Example 5: Create a policy definition inline with mode
PS C:\> New-AzPolicyDefinition -Name 'TagsPolicyDefinition' -Policy '{"if":{"value":"[less(length(field(''tags'')), 3)]","equals":true},"then":{"effect":"deny"}}' -Mode Indexed
Name : TagsPolicyDefinition
ResourceId : /subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/TagsPolicyDefinition
ResourceName : TagsPolicyDefinition
ResourceType : Microsoft.Authorization/policyDefinitions
SubscriptionId : 11111111-1111-1111-1111-111111111111
Properties : @{displayName=TagsPolicyDefinition; policyType=Custom; mode=Indexed; metadata=; parameters=; policyRule=}
PolicyDefinitionId : /subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/TagsPolicyDefinitionThis command creates a policy definition named TagsPolicyDefinition with mode "Indexed" indicating the policy should be evaluated only for resource types that support tags and location.
Parameters
Specifies the version of the resource provider API to use. If you do not specify a version, this cmdlet uses the latest available version.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
The credentials, account, tenant, and subscription used for communication with azure
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Specifies a description for the policy definition.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies a display name for the policy definition.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
The name of the management group of the new policy definition.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
The metadata for policy definition. This can either be a path to a file name containing the metadata, or the metadata as string
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
The mode of the policy definition
| Type: | String |
| Position: | Named |
| Default value: | All |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies a name for the policy definition.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
The parameters declaration for policy definition. This can either be a path to a file name containing the parameters declaration, or the parameters declaration as string.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies a policy rule for the policy definition. You can specify the path of a .json file or a string that contains the policy in JSON format.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Indicates that this cmdlet considers pre-release API versions when it automatically determines which version to use.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
The subscription ID of the new policy definition.
| Type: | Nullable<T>[Guid] |
| Position: | Named |
| Default value: | None |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Inputs
Nullable<T>[[System.Guid, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]