Set-AzPolicyAssignment
Modifies a policy assignment.
Syntax
Set-AzPolicyAssignment
-Name <String>
[-Scope <String>]
[-NotScope <String[]>]
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Set-AzPolicyAssignment
-Name <String>
[-Scope <String>]
[-NotScope <String[]>]
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
-PolicyParameterObject <Hashtable>
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Set-AzPolicyAssignment
-Name <String>
[-Scope <String>]
[-NotScope <String[]>]
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
-PolicyParameter <String>
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Set-AzPolicyAssignment
[-NotScope <String[]>]
-Id <String>
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Set-AzPolicyAssignment
[-NotScope <String[]>]
-Id <String>
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
-PolicyParameterObject <Hashtable>
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Set-AzPolicyAssignment
[-NotScope <String[]>]
-Id <String>
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
-PolicyParameter <String>
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Set-AzPolicyAssignment
[-NotScope <String[]>]
[-DisplayName <String>]
[-Description <String>]
[-Metadata <String>]
[-AssignIdentity]
[-Location <String>]
[-EnforcementMode <PolicyAssignmentEnforcementMode>]
[-IdentityType <ManagedIdentityType>]
[-IdentityId <String>]
-InputObject <PsPolicyAssignment>
[-NonComplianceMessage <PsNonComplianceMessage[]>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
The Set-AzPolicyAssignment cmdlet modifies a policy assignment. Specify an assignment by ID or by name and scope.
Examples
Example 1: Update the display name
$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment' -Scope $ResourceGroup.ResourceId
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -DisplayName 'Do not allow VM creation'The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the policy assignment named PolicyAssignment by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command updates the display name on the policy assignment on the resource group identified by the ResourceId property of $ResourceGroup.
Example 2: Add a system assigned managed identity to the policy assignment
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment'
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -IdentityType 'SystemAssigned' -Location 'westus'The first command gets the policy assignment named PolicyAssignment from the current subscription by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command assigns a system assigned managed identity to the policy assignment.
Example 3: Add a user assigned managed identity to the policy assignment
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment'
$UserAssignedIdentity = Get-AzUserAssignedIdentity -ResourceGroupName 'ResourceGroup1' -Name 'UserAssignedIdentity1'
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -IdentityType 'UserAssigned' -Location 'westus' -IdentityId $UserAssignedIdentity.IdThe first command gets the policy assignment named PolicyAssignment from the current subscription by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The second command gets the user assigned managed identity named UserAssignedIdentity1 by using the Get-AzUserAssignedIdentity cmdlet and stores it in the $UserAssignedIdentity variable. The final command assigns the user assigned managed identity identified by the Id property of $UserAssignedIdentity to the policy assignment.
Example 4: Update policy assignment parameters with new policy parameter object
$Locations = Get-AzLocation | Where-Object {($_.displayname -like 'france*') -or ($_.displayname -like 'uk*')}
$AllowedLocations = @{'listOfAllowedLocations'=($Locations.location)}
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment'
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -PolicyParameterObject $AllowedLocationsThe first and second commands create an object containing all Azure regions whose names start with "france" or "uk". The second command stores that object in the $AllowedLocations variable. The third command gets the policy assignment named 'PolicyAssignment' The command stores that object in the $PolicyAssignment variable. The final command updates the parameter values on the policy assignment named PolicyAssignment.
Example 5: Update policy assignment parameters with policy parameter file
Create a file called AllowedLocations.json in the local working directory with the following content.
{
"listOfAllowedLocations": {
"value": [
"uksouth",
"ukwest",
"francecentral",
"francesouth"
]
}
}
Set-AzPolicyAssignment -Name 'PolicyAssignment' -PolicyParameter .\AllowedLocations.jsonThe command updates the policy assignment named 'PolicyAssignment' using the policy parameter file AllowedLocations.json from the local working directory.
Example 6: Update an enforcementMode
$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
$PolicyAssignment = Get-AzPolicyAssignment -Name 'PolicyAssignment' -Scope $ResourceGroup.ResourceId
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -EnforcementMode DefaultThe first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the policy assignment named PolicyAssignment by using the Get-AzPolicyAssignment cmdlet. The command stores that object in the $PolicyAssignment variable. The final command updates the enforcementMode property on the policy assignment on the resource group identified by the ResourceId property of $ResourceGroup.
Example 7: Update non-compliance messages
$PolicyAssignment = Get-AzPolicyAssignment -Name 'VirtualMachinePolicy'
Set-AzPolicyAssignment -Id $PolicyAssignment.ResourceId -NonComplianceMessage @{Message="All resources must follow resource naming guidelines."}The first command gets the policy assignment named VirtualMachinePolicy by using the Get-AzPolicyAssignment cmdlet and stores it in the $PolicyAssignment variable. The final command updates the non-compliance messages on the policy assignment with a new message that will be displayed if a resource is denied by the policy.
Parameters
-ApiVersion
Specifies the version of the resource provider API to use. If you do not specify a version, this cmdlet uses the latest available version.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AssignIdentity
Generate and assign a system assigned managed identity for this policy assignment. The identity will be used when executing deployments for 'deployIfNotExists' and 'modify' policies. Location is required when assigning an identity.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
| Type: | IAzureContextContainer |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Description
The description for policy assignment
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-DisplayName
Specifies a new display name for the policy assignment.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-EnforcementMode
The enforcement mode for policy assignment. Currently, valid values are Default, DoNotEnforce.
| Type: | Nullable<T>[PolicyAssignmentEnforcementMode] |
| Accepted values: | Default, DoNotEnforce |
| Position: | Named |
| Default value: | Default |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Id
Specifies the fully qualified resource ID for the policy assignment that this cmdlet modifies.
| Type: | String |
| Aliases: | ResourceId |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-IdentityId
Specifies the Id of the user assigned managed identity to assign to this policy assignment. This value is required if the value 'UserAssigned' is passed to the -IdentityType parameter.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IdentityType
Specifies the type of managed identity to assign to this policy assignment. If the 'SystemAssigned' value is provided, a system assigned managed identity is generated and assigned to this policy assignment. If the 'UserAssigned' value is provided, the user assigned identity passed via its Id to the -IdentityId parameter is assigned to this policy assignment. The identity will be used when executing deployments for 'deployIfNotExists' and 'modify' policies. Location is required when assigning an identity. Permissions must be granted to the identity using New-AzRoleAssignment after the system assigned identity is created. The IdentityType parameter will be given precedence if both the AssignIdentity and the IdentityType parameter are used.
| Type: | Nullable<T>[ManagedIdentityType] |
| Accepted values: | SystemAssigned, UserAssigned, None |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InputObject
The policy assignment object to update that was output from another cmdlet.
| Type: | PsPolicyAssignment |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Location
The location of the policy assignment's resource identity. This is required when the -IdentityType value is provided.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Metadata
The updated metadata for the policy assignment. This can either be a path to a file name containing the metadata, or the metadata as a string.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Name
Specifies the name of the policy assignment that this cmdlet modifies.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-NonComplianceMessage
The non-compliance messages that describe why a resource is non-compliant with the policy.
| Type: | PsNonComplianceMessage[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-NotScope
The policy assignment not scopes.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PolicyParameter
The new policy parameters file path or string for the policy assignment.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PolicyParameterObject
The new policy parameters object for the policy assignment.
| Type: | Hashtable |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Pre
Indicates that this cmdlet considers pre-release API versions when it automatically determines which version to use.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Scope
Specifies the scope at which the policy is applied.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Inputs
String[]
Nullable<T>[[Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy.PolicyAssignmentEnforcementMode, Microsoft.Azure.PowerShell.Cmdlets.ResourceManager, Version=3.5.0.0, Culture=neutral, PublicKeyToken=null]]
Outputs
Related Links
Azure PowerShell
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for