az policy definition

Manage resource policy definitions.

Commands

az policy definition create Create a policy definition.
az policy definition delete Delete a policy definition.
az policy definition list List policy definitions.
az policy definition show Show a policy definition.
az policy definition update Update a policy definition.

az policy definition create

Create a policy definition.

az policy definition create --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode {All, Indexed, NotSpecified}]
[--params]
[--rules]
[--subscription]

Examples

Create a read-only policy.

az policy definition create --name readOnlyStorage --rules '{
    "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/write"
    },
    "then": {
        "effect": "deny"
    }
}'

Create a policy parameter definition.

az policy definition create --name allowedLocations --rules '{
    "if": {
        "allOf": [
            {
                "field": "location",
                "notIn": "[parameters('\''allowedLocations'\'')]"
            },
            {
                "field": "location",
                "notEquals": "global"
            },
            {
                "field": "type",
                "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}' \
--params '{
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of locations that can be specified when deploying resources",
            "strongType": "location",
            "displayName": "Allowed locations"
        }
    }
}'

Create a read-only policy that can be applied within a management group.

az policy definition create -n readOnlyStorage --management-group 'MyManagementGroup' --rules '{
    "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/write"
    },
    "then": {
        "effect": "deny"
    }
}'
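Passing --rules and --params as file paths (which this command accepts) avoids the shell-quoting pitfalls of inline JSON, and it gives you a place to check the definition before the service rejects it. The following is an added example, not part of the Azure CLI or its documentation: it validates that every parameters('...') reference in the rules has a matching entry in the parameter definitions, that the rules carry an if/then/effect structure, that --mode is one of the accepted values, and then builds the az command line. The sample JSON is constructed from the allowedLocations example above, with the parameter deliberately misnamed (listOfAllowedLocations in the rules versus allowedLocations in --params) to show the check catching a mismatch.

```python
import json
import os
import re
import shlex

# ARM-style parameter references inside policy rules, e.g. "[parameters('allowedLocations')]".
_PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

# Accepted values for --mode as listed on this reference page.
ACCEPTED_MODES = ("All", "Indexed", "NotSpecified")

# Constructed sample input: the rule references a parameter name that --params does not define.
SAMPLE_RULES = {
    "if": {
        "allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
            {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
        ]
    },
    "then": {"effect": "deny"},
}
SAMPLE_PARAMS = {
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of locations that can be specified when deploying resources",
            "strongType": "location",
            "displayName": "Allowed locations",
        },
    }
}
# The same parameter block under the name the rules actually reference.
FIXED_PARAMS = {"listOfAllowedLocations": SAMPLE_PARAMS["allowedLocations"]}


def referenced_parameters(rules):
    """Names referenced via parameters('...') anywhere in the rules document."""
    return set(_PARAM_REF.findall(json.dumps(rules)))


def validate_definition(rules, params=None, mode=None):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    params = params or {}
    if mode is not None and mode not in ACCEPTED_MODES:
        problems.append(f"mode {mode!r} not in {ACCEPTED_MODES}")
    if "if" not in rules or "then" not in rules:
        problems.append("rules must contain both 'if' and 'then'")
    elif "effect" not in rules["then"]:
        problems.append("'then' block has no 'effect'")
    used = referenced_parameters(rules)
    for name in sorted(used - set(params)):
        problems.append(f"rules reference parameter {name!r} but --params does not define it")
    for name, spec in params.items():
        if "type" not in spec:
            problems.append(f"parameter {name!r} has no 'type'")
        if name not in used:
            problems.append(f"parameter {name!r} is defined but never referenced by the rules")
    return problems


def write_definition_files(rules, params, directory):
    """Write rules.json and params.json into directory and return their paths."""
    rules_path = os.path.join(directory, "rules.json")
    params_path = os.path.join(directory, "params.json")
    with open(rules_path, "w", encoding="utf-8") as fh:
        json.dump(rules, fh, indent=2)
    with open(params_path, "w", encoding="utf-8") as fh:
        json.dump(params, fh, indent=2)
    return rules_path, params_path


def build_create_command(name, rules_path, params_path=None, mode=None,
                         management_group=None, subscription=None):
    """argv for 'az policy definition create', passing the JSON by file path."""
    argv = ["az", "policy", "definition", "create", "--name", name, "--rules", rules_path]
    if params_path:
        argv += ["--params", params_path]
    if mode:
        argv += ["--mode", mode]
    if management_group:
        argv += ["--management-group", management_group]
    if subscription:
        argv += ["--subscription", subscription]
    return argv


if __name__ == "__main__":
    import tempfile

    print("as written:", validate_definition(SAMPLE_RULES, SAMPLE_PARAMS))
    print("corrected: ", validate_definition(SAMPLE_RULES, FIXED_PARAMS))
    rules_path, params_path = write_definition_files(SAMPLE_RULES, FIXED_PARAMS, tempfile.mkdtemp())
    print(shlex.join(build_create_command("allowedLocations", rules_path, params_path,
                                          management_group="MyManagementGroup")))
```

Run it as a script to see the mismatch reported for the sample as written, an empty problem list for the corrected parameters, and the resulting az command line; the command is only printed, not executed, so the script runs without an Azure login.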

Required Parameters

--name -n

Name of the new policy definition.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

Name of the management group the new policy definition can be assigned in.

--metadata

Metadata in space-separated key=value pairs.

--mode -m

Mode of the new policy definition.

accepted values: All, Indexed, NotSpecified

--params

JSON formatted string or a path to a file or uri with parameter definitions.

--rules

Policy rules in JSON format, or a path to a file containing JSON rules.

--subscription

Name or id of the subscription the new policy definition can be assigned in.

az policy definition delete

Delete a policy definition.

az policy definition delete --name
[--management-group]
[--subscription]

Examples

Delete a policy definition. (autogenerated)

az policy definition delete --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition list

List policy definitions.

az policy definition list [--management-group]
[--subscription]

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition show

Show a policy definition.

az policy definition show --name
[--management-group]
[--subscription]

Examples

Show a policy definition. (autogenerated)

az policy definition show --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition update

Update a policy definition.

az policy definition update --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--params]
[--rules]
[--subscription]

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

The name of the management group of the policy [set] definition.

--metadata

Metadata in space-separated key=value pairs.

--mode

--params

JSON formatted string or a path to a file or uri with parameter definitions.

--rules

JSON formatted string or a path to a file with such content.

--subscription

The subscription id of the policy [set] definition.