az policy assignment

Manage resource policy assignments.

Commands

az policy assignment create Create a resource policy assignment.
az policy assignment delete Delete a resource policy assignment.
az policy assignment identity Manage a policy assignment's managed identity.
az policy assignment identity assign Add a system assigned identity to a policy assignment.
az policy assignment identity remove Remove a managed identity from a policy assignment.
az policy assignment identity show Show a policy assignment's managed identity.
az policy assignment list List resource policy assignments.
az policy assignment show Show a resource policy assignment.

az policy assignment create

Create a resource policy assignment.

az policy assignment create [--assign-identity]
[--display-name]
[--enforcement-mode {Default, DoNotEnforce}]
[--identity-scope]
[--location]
[--name]
[--not-scopes]
[--params]
[--policy]
[--policy-set-definition]
[--resource-group]
[--role]
[--scope]
[--sku {free, standard}]

Examples

Create a resource policy assignment at scope

Valid scopes are management group, subscription, resource group, and resource, for example:

   management group:  /providers/Microsoft.Management/managementGroups/MyManagementGroup
   subscription:      /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
   resource group:    /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
   resource:          /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM

az policy assignment create --scope '/providers/Microsoft.Management/managementGroups/MyManagementGroup' --policy {PolicyName} -p '{
    "allowedLocations": {
        "value": [
            "australiaeast",
            "eastus",
            "japaneast"
        ]
    }
}'

Create a resource policy assignment and provide rule parameter values.

az policy assignment create --policy {PolicyName} -p '{
    "allowedLocations": {
        "value": [
            "australiaeast",
            "eastus",
            "japaneast"
        ]
    }
}'

Create a resource policy assignment with a system assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity

Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

az policy assignment create --name myPolicy --policy {PolicyName} --assign-identity --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor

Create a resource policy assignment with an enforcement mode. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

az policy assignment create --name myPolicy --policy {PolicyName} --enforcement-mode 'DoNotEnforce'

Optional Parameters

--assign-identity

Assigns a system assigned identity to the policy assignment.

--display-name

Display name of the policy assignment.

--enforcement-mode -e

Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

accepted values: Default, DoNotEnforce
default value: Default

--identity-scope

Scope that the system assigned identity can access.

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--name -n

Name of the new policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string or a path to a file or uri with parameter values of the policy rule.

--policy

Name or id of the policy definition.

--policy-set-definition -d

Name or id of the policy set definition.

--resource-group -g

The resource group where the policy will be applied.

--role

Role name or id that will be assigned to the managed identity.

default value: Contributor

--scope

Scope to which this policy assignment applies.

--sku -s

Policy sku.

accepted values: free, standard

az policy assignment delete

Delete a resource policy assignment.

az policy assignment delete --name
[--resource-group]
[--scope]

Examples

Delete a resource policy assignment. (autogenerated)

az policy assignment delete --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.

az policy assignment list

List resource policy assignments.

az policy assignment list [--disable-scope-strict-match]
[--resource-group]
[--scope]

Optional Parameters

--disable-scope-strict-match

Include policy assignments either inherited from parent scope or at child scope.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.
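
The following is an added example, not part of the Azure CLI reference: a small audit over saved `az policy assignment list -o json` output that flags assignments created with `DoNotEnforce`, with `--not-scopes` exclusions, or with a managed identity, and labels each with one of the four scope kinds listed under `create`. The JSON key names (`enforcementMode`, `notScopes`, `identity`, `scope`) are assumed from the CLI's output shape, and the sample records and subscription ID are constructed.

```python
import json
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
# Constructed sample of `az policy assignment list -o json` output; key names are assumed.
SAMPLE = json.dumps([
    {"name": "allowed-locations", "enforcementMode": "Default", "notScopes": None,
     "identity": None,
     "scope": "/providers/Microsoft.Management/managementGroups/MyManagementGroup"},
    {"name": "require-tags", "enforcementMode": "DoNotEnforce",
     "notScopes": [SUB + "/resourceGroups/sandbox"], "identity": None, "scope": SUB},
    {"name": "deploy-diagnostics", "enforcementMode": "Default", "notScopes": [],
     "identity": {"type": "SystemAssigned"}, "scope": SUB + "/resourceGroups/myGroup"},
])

# Patterns for the four scope forms the reference lists, broadest first.
SCOPE_PATTERNS = [
    ("management group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", r"/subscriptions/[^/]+"),
    ("resource group", r"/subscriptions/[^/]+/resourceGroups/[^/]+"),
    ("resource", r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+(/[^/]+){2,}"),
]

def scope_level(scope):
    """Return which of the four scope kinds a scope string is, or 'unknown'."""
    for level, pattern in SCOPE_PATTERNS:
        if re.fullmatch(pattern, scope.rstrip("/"), flags=re.IGNORECASE):
            return level
    return "unknown"

def audit(assignments):
    """Return (name, scope level, finding) tuples for assignments needing review."""
    findings = []
    for a in assignments:
        name, level = a.get("name"), scope_level(a.get("scope") or "")
        if (a.get("enforcementMode") or "Default") == "DoNotEnforce":
            findings.append((name, level, "effect not enforced"))
        for excluded in a.get("notScopes") or []:
            findings.append((name, level, "excludes " + excluded))
        if (a.get("identity") or {}).get("type") not in (None, "None"):
            findings.append((name, level, "has identity; review its role and scope"))
        if level == "unknown":
            findings.append((name, level, "unrecognised scope string"))
    return findings

if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE)):
        print(*finding, sep=" | ")
```

The list output does not include the role granted through `--role` and `--identity-scope`, so the identity finding is a prompt to check that role assignment separately.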

az policy assignment show

Show a resource policy assignment.

az policy assignment show --name
[--resource-group]
[--scope]

Examples

Show a resource policy assignment. (autogenerated)

az policy assignment show --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope to which this policy assignment applies.