Microsoft.Authorization policyAssignments

Template format

To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2020-09-01",
  "scope": "string",
  "properties": {
    "displayName": "string",
    "policyDefinitionId": "string",
    "notScopes": [
      "string"
    ],
    "parameters": {},
    "description": "string",
    "metadata": {},
    "enforcementMode": "string",
    "nonComplianceMessages": [
      {
        "message": "string",
        "policyDefinitionReferenceId": "string"
      }
    ]
  },
  "location": "string",
  "identity": {
    "type": "string"
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Authorization/policyAssignments object

Note

In Bicep, type and apiVersion are specified in the first line of the resource declaration. Use the format <type>@<apiVersion>. Don't set those properties in the resource body.

Name Type Required Value
name string Yes
type enum Yes For JSON - Microsoft.Authorization/policyAssignments
apiVersion enum Yes For JSON - 2020-09-01
scope string No Use when specifying a scope that is different from the deployment scope. See Setting scope for extension resources in ARM templates.
properties object Yes Properties for the policy assignment. - PolicyAssignmentProperties object
location string No The location of the policy assignment. Only required when utilizing managed identity.
identity object No The managed identity associated with the policy assignment. - Identity object

PolicyAssignmentProperties object

Name Type Required Value
displayName string No The display name of the policy assignment.
policyDefinitionId string No The ID of the policy definition or policy set definition being assigned.
notScopes array No The policy's excluded scopes. - string
parameters object No The parameter values for the assigned policy rule. The keys are the parameter names.
description string No This message will be part of the response in case of a policy violation.
metadata object No The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key-value pairs.
enforcementMode enum No The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce
nonComplianceMessages array No The messages that describe why a resource is non-compliant with the policy. - NonComplianceMessage object

Identity object

Name Type Required Value
type enum No The identity type. This is the only required field when adding a system-assigned identity to a resource. - SystemAssigned or None

NonComplianceMessage object

Name Type Required Value
message string Yes A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results.
policyDefinitionReferenceId string No The policy definition reference ID within a policy set definition that the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided, the message applies to all policies assigned by this policy assignment.
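The following is an added example, not from this reference page or from Microsoft, showing the properties above combined in a Bicep declaration (the <type>@<apiVersion> form from the note). It assumes the deployer supplies the policy definition resource ID and an optional excluded scope as parameters; the assignment name, metadata values and messages are constructed.

```bicep
// Added example (not from the reference page): an audit-first policy assignment at
// resource-group scope. policyDefinitionId and excludedScope are supplied by the
// deployer; the assignment name and metadata values are constructed placeholders.
targetScope = 'resourceGroup'

@description('Resource ID of the policy or policy set definition to assign.')
param policyDefinitionId string

@description('Optional child scope (resource ID) to exclude from evaluation; empty for none.')
param excludedScope string = ''

// location and identity are only needed when the assigned definition has a
// deployIfNotExists or modify effect; they are included here so the assignment
// can later be switched to enforcing mode without recreating the identity.
resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: 'baseline-audit-first' // hypothetical assignment name
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Baseline policy (audit-first rollout)'
    description: 'Evaluated for compliance but not enforced until results have been reviewed.'
    policyDefinitionId: policyDefinitionId
    // DoNotEnforce records non-compliance without blocking or remediating; change to
    // Default once compliance data shows the rule will not break workloads.
    enforcementMode: 'DoNotEnforce'
    notScopes: empty(excludedScope) ? [] : [ excludedScope ]
    parameters: {}
    metadata: {
      assignedBy: 'platform-security' // constructed value
      changeTicket: 'TICKET-ID-PLACEHOLDER'
    }
    nonComplianceMessages: [
      {
        // No policyDefinitionReferenceId: this message applies to every policy in the assignment.
        message: 'Resource does not meet the security baseline. Contact platform security before requesting an exception.'
      }
    ]
  }
}

output assignmentId string = assignment.id
// principalId is what a role assignment needs if the policy is later set to remediate.
output principalId string = assignment.identity.principalId
```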

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Deploy a policy definition and assign to a management group
This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.
Deploy a Policy Def and Assign to Multiple Mgmt Groups
This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Assign a built-in policy to an existing resource group
This template assigns a built-in policy to an existing resource group.