Policy Assignments - Create
This operation creates or updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.
PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2021-06-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
policyAssignmentName | path | True | string | The name of the policy assignment. |
scope | path | True | string | The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'), or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'). |
api-version | query | True | string | The API version to use for the operation. |
Request Body
Name | Type | Description |
---|---|---|
identity | Identity | The managed identity associated with the policy assignment. |
location | string | The location of the policy assignment. Only required when utilizing managed identity. |
properties.description | string | This message will be part of the response in case of a policy violation. |
properties.displayName | string | The display name of the policy assignment. |
properties.enforcementMode | enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
properties.metadata | object | The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key-value pairs. |
properties.nonComplianceMessages | NonComplianceMessage[] | The messages that describe why a resource is non-compliant with the policy. |
properties.notScopes | string[] | The policy's excluded scopes. |
properties.parameters | <string, ParameterValuesValue> | The parameter values for the assigned policy rule. The keys are the parameter names. |
properties.policyDefinitionId | string | The ID of the policy definition or policy set definition being assigned. |
Responses
Name | Type | Description |
---|---|---|
201 Created | PolicyAssignment | Created - Returns information about the new policy assignment. |
Other Status Codes | CloudError | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Create or update a policy assignment
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
```json
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "nonComplianceMessages": [
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'."
      }
    ]
  }
}
```
Sample Response
```json
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
    "nonComplianceMessages": [
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'."
      }
    ]
  },
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}
```
Create or update a policy assignment with a system assigned identity
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
```json
{
  "location": "eastus",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Foo Bar"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default"
  }
}
```
Sample Response
```json
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
  },
  "identity": {
    "type": "SystemAssigned",
    "principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
    "tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
  },
  "location": "eastus",
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}
```
Create or update a policy assignment with a user assigned identity
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
```json
{
  "location": "eastus",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {}
    }
  },
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Foo Bar"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default"
  }
}
```
Sample Response
```json
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
  },
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
        "principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
        "clientId": "4bee2b8a-1bee-47c2-90e9-404241551135"
      }
    }
  },
  "location": "eastus",
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}
```
Create or update a policy assignment with multiple non-compliance messages
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/securityInitAssignment?api-version=2021-06-01
```json
{
  "properties": {
    "displayName": "Enforce security policies",
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/securityInitiative",
    "nonComplianceMessages": [
      {
        "message": "Resources must comply with all internal security policies. See <internal site URL> for more info."
      },
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'.",
        "policyDefinitionReferenceId": "10420126870854049575"
      },
      {
        "message": "Storage accounts must have firewall rules configured.",
        "policyDefinitionReferenceId": "8572513655450389710"
      }
    ]
  }
}
```
Sample Response
```json
{
  "properties": {
    "displayName": "Enforce security policies",
    "metadata": {
      "assignedBy": "User 1"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/securityInitiative",
    "notScopes": [],
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
    "nonComplianceMessages": [
      {
        "message": "Resources must comply with all internal security policies. See <internal site URL> for more info."
      },
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'.",
        "policyDefinitionReferenceId": "10420126870854049575"
      },
      {
        "message": "Storage accounts must have firewall rules configured.",
        "policyDefinitionReferenceId": "8572513655450389710"
      }
    ]
  },
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/securityInitAssignment",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "securityInitAssignment"
}
```
Create or update a policy assignment without enforcing policy effect during resource creation or update.
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
```json
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "DoNotEnforce"
  }
}
```
Sample Response
```json
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "DoNotEnforce",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
  },
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}
```
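The samples above show valid bodies but not what the service rejects. The following added example (not Microsoft's code) builds the PUT URL and request body for this operation and checks, before anything is sent, the constraints this reference states: the four scope formats, the two enforcementMode values, at most one managed identity with location set, and policyDefinitionReferenceId only for policy set definitions. Function names and the validation rules are this example's own.

```python
import re
from typing import Optional

API_VERSION = "2021-06-01"
BASE = "https://management.azure.com"
ENFORCEMENT_MODES = {"Default", "DoNotEnforce"}
# Scope formats from the URI parameter table: management group, subscription,
# resource group, or a single resource under a resource group.
SCOPE_RE = re.compile(
    r"^(/providers/Microsoft\.Management/managementGroups/[^/]+"
    r"|/subscriptions/[^/]+(/resourceGroups/[^/]+(/providers/.+)?)?)$"
)


def assignment_url(scope: str, name: str) -> str:
    """Return the PUT URL for the policy assignment `name` at `scope`."""
    if not SCOPE_RE.match(scope):
        raise ValueError(f"invalid scope: {scope}")
    return (f"{BASE}{scope}/providers/Microsoft.Authorization/"
            f"policyAssignments/{name}?api-version={API_VERSION}")


def build_body(policy_definition_id: str, display_name: str,
               parameters: Optional[dict] = None,
               enforcement_mode: str = "Default",
               identity: Optional[dict] = None,
               location: Optional[str] = None,
               non_compliance_messages: Optional[list] = None) -> dict:
    """Assemble the request body, enforcing the constraints the reference states."""
    if enforcement_mode not in ENFORCEMENT_MODES:
        raise ValueError(f"enforcementMode must be one of {sorted(ENFORCEMENT_MODES)}")
    body = {"properties": {
        "displayName": display_name,
        "policyDefinitionId": policy_definition_id,
        "enforcementMode": enforcement_mode,
        # ParameterValuesValue: every parameter is wrapped as {"value": ...}
        "parameters": {k: {"value": v} for k, v in (parameters or {}).items()},
    }}
    if identity is not None:
        if location is None:
            raise ValueError("location is required when a managed identity is used")
        uai = identity.get("userAssignedIdentities", {})
        # at most one identity: SystemAssigned, or exactly one UserAssigned
        if identity.get("type") == "UserAssigned" and len(uai) != 1:
            raise ValueError("exactly one user assigned identity is required")
        if identity.get("type") == "SystemAssigned" and uai:
            raise ValueError("system assigned and user assigned identities are exclusive")
        body["identity"], body["location"] = identity, location
    # policyDefinitionReferenceId only makes sense for a policy set definition
    is_policy_set = "/policySetDefinitions/" in policy_definition_id
    for msg in non_compliance_messages or []:
        if "policyDefinitionReferenceId" in msg and not is_policy_set:
            raise ValueError("policyDefinitionReferenceId requires a policy set definition")
    if non_compliance_messages:
        body["properties"]["nonComplianceMessages"] = non_compliance_messages
    return body
```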
Definitions
Name | Description |
---|---|
CloudError | An error response from a policy operation. |
createdByType | The type of identity that created the resource. |
enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
ErrorAdditionalInfo | The resource management error additional info. |
ErrorResponse | Error Response |
Identity | Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity. |
NonComplianceMessage | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results. |
ParameterValuesValue | The value of a parameter. |
PolicyAssignment | The policy assignment. |
ResourceIdentityType | The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
systemData | Metadata pertaining to creation and last modification of the resource. |
UserAssignedIdentities | The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
CloudError
An error response from a policy operation.
Name | Type | Description |
---|---|---|
error | ErrorResponse | Error Response |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
enforcementMode
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
Name | Type | Description |
---|---|---|
Default | string | The policy effect is enforced during resource creation or update. |
DoNotEnforce | string | The policy effect is not enforced during resource creation or update. |
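Because a DoNotEnforce assignment and a notScopes exclusion both leave resources without the policy's effect, a reviewer will want to find them across existing assignments. This added example (not Microsoft's code) runs such a check over assignment objects in the shape of this page's sample responses; the sample input is constructed here and the expected scope prefix is the caller's assumption.

```python
# Constructed sample shaped like this page's Sample Response objects (for
# example the items returned by a list call); not real assignments.
SAMPLE_ASSIGNMENTS = [
    {"name": "EnforceNaming",
     "properties": {"enforcementMode": "Default", "notScopes": [],
                    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"}},
    {"name": "securityInitAssignment",
     "properties": {"enforcementMode": "DoNotEnforce",
                    "notScopes": ["/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/legacy-rg"],
                    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"}},
]


def audit_assignments(assignments: list, expected_scope_prefix: str) -> list:
    """Return (assignment name, finding) pairs a reviewer should look at."""
    findings = []
    for a in assignments:
        name = a.get("name", "<unnamed>")
        props = a.get("properties", {})
        # Under DoNotEnforce the effect is not applied at create/update time,
        # so a 'deny' effect in this mode blocks nothing.
        if props.get("enforcementMode") == "DoNotEnforce":
            findings.append((name, "enforcementMode is DoNotEnforce"))
        # notScopes remove resources from the assignment entirely; each one is
        # a gap that should be intentional and documented.
        for excluded in props.get("notScopes", []):
            findings.append((name, f"excluded scope {excluded}"))
        # An assignment outside the expected hierarchy may have been created
        # at the wrong level (or by someone outside the expected process).
        scope = props.get("scope", "")
        if not scope.startswith(expected_scope_prefix):
            findings.append((name, f"unexpected scope {scope}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_assignments(
            SAMPLE_ASSIGNMENTS, "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"):
        print(f"{name}: {finding}")
```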
ErrorAdditionalInfo
The resource management error additional info.
Name | Type | Description |
---|---|---|
info | object | The additional info. |
type | string | The additional info type. |
ErrorResponse
Error Response
Name | Type | Description |
---|---|---|
additionalInfo | ErrorAdditionalInfo[] | The error additional info. |
code | string | The error code. |
details | ErrorResponse[] | The error details. |
message | string | The error message. |
target | string | The error target. |
Identity
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.
Name | Type | Description |
---|---|---|
principalId | string | The principal ID of the resource identity. This property is only provided for a system assigned identity. |
tenantId | string | The tenant ID of the resource identity. This property is only provided for a system assigned identity. |
type | ResourceIdentityType | The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
userAssignedIdentities | <string, UserAssignedIdentities> | The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
NonComplianceMessage
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results.
Name | Type | Description |
---|---|---|
message | string | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results. |
policyDefinitionReferenceId | string | The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided, the message applies to all policies assigned by this policy assignment. |
ParameterValuesValue
The value of a parameter.
Name | Type | Description |
---|---|---|
value | object | The value of the parameter. |
PolicyAssignment
The policy assignment.
Name | Type | Description |
---|---|---|
id | string | The ID of the policy assignment. |
identity | Identity | The managed identity associated with the policy assignment. |
location | string | The location of the policy assignment. Only required when utilizing managed identity. |
name | string | The name of the policy assignment. |
properties.description | string | This message will be part of the response in case of a policy violation. |
properties.displayName | string | The display name of the policy assignment. |
properties.enforcementMode | enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
properties.metadata | object | The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key-value pairs. |
properties.nonComplianceMessages | NonComplianceMessage[] | The messages that describe why a resource is non-compliant with the policy. |
properties.notScopes | string[] | The policy's excluded scopes. |
properties.parameters | <string, ParameterValuesValue> | The parameter values for the assigned policy rule. The keys are the parameter names. |
properties.policyDefinitionId | string | The ID of the policy definition or policy set definition being assigned. |
properties.scope | string | The scope for the policy assignment. |
systemData | systemData | The system metadata relating to this resource. |
type | string | The type of the policy assignment. |
ResourceIdentityType
The identity type. This is the only required field when adding a system or user assigned identity to a resource.
Name | Type | Description |
---|---|---|
None | string | Indicates that no identity is associated with the resource or that the existing identity should be removed. |
SystemAssigned | string | Indicates that a system assigned identity is associated with the resource. |
UserAssigned | string | Indicates that a user assigned identity is associated with the resource. |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | createdByType | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC). |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | createdByType | The type of identity that last modified the resource. |
UserAssignedIdentities
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Name | Type | Description |
---|---|---|