az policy definition

Manage resource policy definitions.

Commands

az policy definition create    Create a policy definition.
az policy definition delete    Delete a policy definition.
az policy definition list      List policy definitions.
az policy definition show      Show a policy definition.
az policy definition update    Update a policy definition.

az policy definition create

Create a policy definition.

az policy definition create --name
                            [--description]
                            [--display-name]
                            [--management-group]
                            [--rules]
                            [--subscription]

Examples

Create a read-only policy.

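# Deny create and update requests for storage accounts; the "type" field is matched against the resource type.
az policy definition create --name readOnlyStorage --rules '{
                            "if":
                            {
                                "field": "type",
                                "equals": "Microsoft.Storage/storageAccounts"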
                            },
                            "then":
                            {
                                "effect": "deny"
                            }
                        }'

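Create a policy definition with parameters.

# A single-quoted shell string cannot hold a bare single quote; '\'' closes the string, adds a literal quote and reopens it.
# The name passed to parameters() must match a key in --params.
az policy definition create --name allowedLocations --rules '{
                            "if": {
                                "allOf": [
                                    {
                                        "field": "location",
                                        "notIn": "[parameters('\''allowedLocations'\'')]"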
                                    },
                                    {
                                        "field": "location",
                                        "notEquals": "global"
                                    },
                                    {
                                        "field": "type",
                                        "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
                                    }
                                ]
                            },
                            "then": {
                                "effect": "deny"
                            }
                        }' \
                        --params '{
                            "allowedLocations": {
                                "type": "array",
                                "metadata": {
                                    "description": "The list of locations that can be specified when deploying resources",
                                    "strongType": "location",
                                    "displayName": "Allowed locations"
                                }
                            }
                        }'
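
Two authoring errors are easy to make in a parameterized definition: the rule references a name that --params does not declare, or the shell strips the single quotes around the name so the expression no longer parses. The pre-flight check below is an added example, not part of the Azure CLI or its documentation; the function name check_definition and the sample JSON are constructed for illustration.

```python
import json
import re

# Matches parameters('name') inside a "[...]" policy expression.
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")

def iter_strings(node):
    """Yield every string value in a parsed JSON tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def check_definition(rules_json, params_json="{}"):
    """Return a list of problems in the --rules / --params JSON (empty if none)."""
    try:
        rules, params = json.loads(rules_json), json.loads(params_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(rules, dict) or not isinstance(params, dict):
        return ["rules and params must both be JSON objects"]
    problems = [f"rule has no '{k}' block" for k in ("if", "then") if k not in rules]
    referenced = set()
    for text in iter_strings(rules):
        # Only "[...]" strings are evaluated; a leading "[[" marks a literal.
        if not (text.startswith("[") and text.endswith("]")) or text.startswith("[["):
            continue
        names = PARAM_REF.findall(text)
        referenced.update(names)
        if "parameters(" in text and not names:
            problems.append(f"parameter name is not quoted in {text}")
    problems += [f"'{n}' is referenced but not declared" for n in sorted(referenced - set(params))]
    problems += [f"'{n}' is declared but never referenced" for n in sorted(set(params) - referenced)]
    return problems

# Constructed sample input: a location rule and two candidate --params values.
RULES = json.dumps({
    "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
    "then": {"effect": "deny"},
})
MATCHING = json.dumps({"listOfAllowedLocations": {"type": "array"}})
MISMATCHED = json.dumps({"allowedLocations": {"type": "array"}})

if __name__ == "__main__":
    for label, params in (("matching", MATCHING), ("mismatched", MISMATCHED)):
        print(label, check_definition(RULES, params))
```

Run it against the same JSON you pass to --rules and --params before creating or updating the definition; an empty list means both checks passed.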

Create a read-only policy that can be applied within a management group.

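# Deny create and update requests for storage accounts; the "type" field is matched against the resource type.
az policy definition create -n readOnlyStorage --management-group 'MyManagementGroup' --rules '{
                            "if":
                            {
                                "field": "type",
                                "equals": "Microsoft.Storage/storageAccounts"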
                            },
                            "then":
                            {
                                "effect": "deny"
                            }
                        }'

Required Parameters

--name -n

Name of the new policy definition.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

Name of the management group the new policy definition can be assigned in.

--rules

Policy rules in JSON format, or a path to a file containing JSON rules.

--subscription

Name or id of the subscription the new policy definition can be assigned in.

az policy definition delete

Delete a policy definition.

az policy definition delete --name
                            [--management-group]
                            [--subscription]

Examples

Delete a policy definition. (autogenerated)

az policy definition delete --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition list

List policy definitions.

az policy definition list [--management-group]
                          [--subscription]

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition show

Show a policy definition.

az policy definition show --name
                          [--management-group]
                          [--subscription]

Examples

Show a policy definition. (autogenerated)

az policy definition show --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition update

Update a policy definition.

az policy definition update --name
                            [--description]
                            [--display-name]
                            [--management-group]
                            [--rules]
                            [--subscription]

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

The name of the management group of the policy [set] definition.

--rules

JSON formatted string or a path to a file with such content.

--subscription

The subscription id of the policy [set] definition.