az policy definition

Manage resource policy definitions.

Commands

az policy definition create Create a policy definition.
az policy definition delete Delete a policy definition.
az policy definition list List policy definitions.
az policy definition show Show a policy definition.
az policy definition update Update a policy definition.

az policy definition create

Create a policy definition.

az policy definition create --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--params]
[--rules]
[--subscription]

Examples

Create a read-only policy.

az policy definition create --name readOnlyStorage --rules '{
    "if":
    {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/write"
    },
    "then":
    {
        "effect": "deny"
    }
}'

Create a policy definition that takes a parameter. The name referenced by parameters('...') in the rules must match a key in --params, and the single quotes inside the rules are escaped ('\'') so the shell does not end the quoted JSON early.

az policy definition create --name allowedLocations --rules '{
    "if": {
        "allOf": [
            {
                "field": "location",
                "notIn": "[parameters('\''allowedLocations'\'')]"
            },
            {
                "field": "location",
                "notEquals": "global"
            },
            {
                "field": "type",
                "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}' \
--params '{
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of locations that can be specified when deploying resources",
            "strongType": "location",
            "displayName": "Allowed locations"
        }
    }
}'
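A pre-flight check for the --rules/--params pairing used above, added here as an example that is not part of the Azure CLI documentation: it walks the rule JSON for parameters('...') references, reports any name that --params does not define, and renders the az command line with the embedded single quotes escaped so a POSIX shell keeps them. RULES and PARAMS are constructed samples that deliberately disagree on the parameter name; az itself is not invoked.

```python
import json
import re
import shlex

# Constructed sample (not from the page): the rule references a parameter name
# that the parameter definitions never declare, so the two blocks disagree.
RULES = {
    "if": {
        "allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]
    },
    "then": {"effect": "deny"},
}
PARAMS = {
    "allowedLocations": {
        "type": "array",
        "metadata": {"strongType": "location", "displayName": "Allowed locations"},
    }
}

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

def referenced_parameters(rules):
    """Every name used as parameters('name') anywhere inside the rule tree."""
    if isinstance(rules, dict):
        rules = list(rules.values())
    if isinstance(rules, list):
        return set().union(*(referenced_parameters(v) for v in rules))
    return set(PARAM_REF.findall(rules)) if isinstance(rules, str) else set()

def undefined_parameters(rules, params):
    """Names the rules reference but --params does not define (sorted for stable output)."""
    return sorted(referenced_parameters(rules) - set(params))

def build_create_command(name, rules, params, mode=None):
    """Render the az command line. shlex.quote escapes the single quotes inside
    parameters('...') so a POSIX shell passes the JSON through unchanged."""
    argv = ["az", "policy", "definition", "create", "--name", name]
    if mode:
        argv += ["--mode", mode]
    argv += ["--rules", json.dumps(rules), "--params", json.dumps(params)]
    return " ".join(shlex.quote(arg) for arg in argv)

if __name__ == "__main__":
    print("undefined parameters:", undefined_parameters(RULES, PARAMS))
    print(build_create_command("allowedLocations", RULES, PARAMS, mode="Indexed"))
```

The rendered command is what you would paste into a shell; run the check before submitting so a mismatched parameter name is caught locally rather than by the service.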

Create a read-only policy that can be applied within a management group.

az policy definition create -n readOnlyStorage --management-group 'MyManagementGroup' --rules '{
    "if":
    {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/write"
    },
    "then":
    {
        "effect": "deny"
    }
}'

Create a policy definition with mode. The mode 'Indexed' indicates the policy should be evaluated only for resource types that support tags and location.

az policy definition create --name TagsPolicyDefinition --subscription 'MySubscription' --mode Indexed --rules '{
    "if":
    {
        "field": "tags",
        "exists": "false"
    },
    "then":
    {
        "effect": "deny"
    }
}'

Required Parameters

--name -n

Name of the new policy definition.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

Name of the management group the new policy definition can be assigned in.

--metadata

Metadata in space-separated key=value pairs.

--mode -m

Mode of the policy definition, e.g. All, Indexed. Please visit https://aka.ms/azure-policy-mode for more information.

--params

JSON formatted string or a path to a file or uri with parameter definitions.

--rules

Policy rules in JSON format, or a path to a file containing JSON rules.

--subscription

Name or id of the subscription the new policy definition can be assigned in.

az policy definition delete

Delete a policy definition.

az policy definition delete --name
[--management-group]
[--subscription]

Examples

Delete a policy definition. (autogenerated)

az policy definition delete --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition list

List policy definitions.

az policy definition list [--management-group]
[--subscription]

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition show

Show a policy definition.

az policy definition show --name
[--management-group]
[--subscription]

Examples

Show a policy definition. (autogenerated)

az policy definition show --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy [set] definition.

--subscription

The subscription id of the policy [set] definition.

az policy definition update

Update a policy definition.

az policy definition update --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--params]
[--rules]
[--subscription]

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

The name of the management group of the policy [set] definition.

--metadata

Metadata in space-separated key=value pairs.

--mode -m

Mode of the policy definition, e.g. All, Indexed. Please visit https://aka.ms/azure-policy-mode for more information.

--params

JSON formatted string or a path to a file or uri with parameter definitions.

--rules

Policy rules as a JSON formatted string, or a path to a file containing the JSON rules.

--subscription

The subscription id of the policy [set] definition.