az policy assignment

Manage resource policy assignments.

Commands

az policy assignment create            Create a resource policy assignment.
az policy assignment delete            Delete a resource policy assignment.
az policy assignment identity          Manage a policy assignment's managed identity.
az policy assignment identity assign   Add a system assigned identity to a policy assignment.
az policy assignment identity remove   Remove a managed identity from a policy assignment.
az policy assignment identity show     Show a policy assignment's managed identity.
az policy assignment list              List resource policy assignments.
az policy assignment show              Show a resource policy assignment.

az policy assignment create

Create a resource policy assignment.

az policy assignment create [--assign-identity]
[--display-name]
[--identity-scope]
[--location]
[--name]
[--not-scopes]
[--params]
[--policy]
[--policy-set-definition]
[--resource-group]
[--role]
[--scope]
[--sku {free, standard}]
[--subscription]

Examples

Create a resource policy assignment at scope

Valid scopes are management group, subscription, resource group, and resource, for example:

    management group:  /providers/Microsoft.Management/managementGroups/MyManagementGroup
    subscription:      /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
    resource group:    /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
    resource:          /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM

az policy assignment create --scope '/providers/Microsoft.Management/managementGroups/MyManagementGroup' --policy {PolicyName} -p '{
    "allowedLocations": {
        "value": [
            "australiaeast",
            "eastus",
            "japaneast"
        ]
    }
}'

Create a resource policy assignment and provide rule parameter values.

az policy assignment create --policy {PolicyName} -p '{
    "allowedLocations": {
        "value": [
            "australiaeast",
            "eastus",
            "japaneast"
        ]
    }
}'

Create a resource policy assignment with a system assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity

Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor
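
The four scope forms listed above, and the relationship between --scope and --identity-scope, can be checked before the command is run. The script below is an added example, not part of the Azure CLI or its documentation; the helper names matches, scope_kind and identity_scope_check are hypothetical, and the comparison works on the scope strings only (it does not query Azure).

```sh
#!/bin/sh
# Added example (not Azure CLI code): validate scope strings before they are
# passed to --scope / --identity-scope. All helper names are hypothetical.

SUB='/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
SEG='[^/[:space:]]+'    # one path segment

# matches STRING ERE -> 0 if the whole single-line string matches (case-insensitive)
matches() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eiq "^($2)\$"
}

# scope_kind SCOPE -> prints the scope level; prints "invalid" and returns 1 otherwise
scope_kind() {
    if   matches "$1" "/providers/Microsoft\.Management/managementGroups/$SEG"; then echo management-group
    elif matches "$1" "$SUB"; then echo subscription
    elif matches "$1" "$SUB/resourceGroups/$SEG"; then echo resource-group
    elif matches "$1" "$SUB/resourceGroups/$SEG/providers/$SEG(/$SEG/$SEG)+"; then echo resource
    else echo invalid; return 1
    fi
}

# identity_scope_check ASSIGNMENT_SCOPE IDENTITY_SCOPE
# Prints: within   (same scope or beneath it; returns 0)
#         broader  (identity scope is a parent of the assignment scope)
#         outside  (unrelated branch, e.g. a different resource group)
#         unknown  (a management group is involved; membership needs a lookup)
#         invalid  (either string is not one of the four scope forms)
identity_scope_check() {
    scope_kind "$1" >/dev/null && scope_kind "$2" >/dev/null || { echo invalid; return 1; }
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    i=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $i in "$a" | "$a"/*) echo within; return 0 ;; esac
    case $a in "$i"/*) echo broader; return 1 ;; esac
    case $a$i in */managementgroups/*) echo unknown ;; *) echo outside ;; esac
    return 1
}
```

An unreplaced placeholder such as /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is reported as invalid, and a result of broader means the role named by --role (Contributor by default) would reach resources the policy assignment itself does not cover.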

Optional Parameters

--assign-identity

Assigns a system assigned identity to the policy assignment.

--display-name

Display name of the policy assignment.

--identity-scope

Scope that the system assigned identity can access.

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--name -n

Name of the new policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string, or a path to a file or URI, containing parameter values for the policy rule.

--policy

Name or id of the policy definition.

--policy-set-definition -d

Name or id of the policy set definition.

--resource-group -g

The resource group where the policy will be applied.

--role

Role name or id that will be assigned to the managed identity.

default value: Contributor

--scope

Scope to which this policy assignment applies.

--sku -s

Policy sku.

accepted values: free, standard

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az policy assignment delete

Delete a resource policy assignment.

az policy assignment delete --name
[--resource-group]
[--scope]
[--subscription]

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az policy assignment list

List resource policy assignments.

az policy assignment list [--disable-scope-strict-match]
[--resource-group]
[--scope]
[--subscription]

Optional Parameters

--disable-scope-strict-match

Include policy assignments either inherited from parent scope or at child scope.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az policy assignment show

Show a resource policy assignment.

az policy assignment show --name
[--resource-group]
[--scope]
[--subscription]

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.