Policy Assignments - Create

This operation creates or updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2021-06-01

URI Parameters

Name In Required Type Description
policyAssignmentName
path True
  • string

The name of the policy assignment.

scope
path True
  • string

The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'

api-version
query True
  • string

The API version to use for the operation.

Request Body

Name Type Description
identity

The managed identity associated with the policy assignment.

location
  • string

The location of the policy assignment. Only required when utilizing managed identity.

properties.description
  • string

This message will be part of response in case of policy violation.

properties.displayName
  • string

The display name of the policy assignment.

properties.enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

properties.metadata
  • object

The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

properties.nonComplianceMessages

The messages that describe why a resource is non-compliant with the policy.

properties.notScopes
  • string[]

The policy's excluded scopes.

properties.parameters

The parameter values for the assigned policy rule. The keys are the parameter names.

properties.policyDefinitionId
  • string

The ID of the policy definition or policy set definition being assigned.

Responses

Name Type Description
201 Created

Created - Returns information about the new policy assignment.

Other Status Codes

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Create or update a policy assignment
Create or update a policy assignment with a system assigned identity
Create or update a policy assignment with a user assigned identity
Create or update a policy assignment with multiple non-compliance messages
Create or update a policy assignment without enforcing policy effect during resource creation or update.

Create or update a policy assignment

Sample Request

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "nonComplianceMessages": [
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'."
      }
    ]
  }
}

Sample Response

{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
    "nonComplianceMessages": [
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'."
      }
    ]
  },
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}

Create or update a policy assignment with a system assigned identity

Sample Request

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
{
  "location": "eastus",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Foo Bar"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default"
  }
}

Sample Response

{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
  },
  "identity": {
    "type": "SystemAssigned",
    "principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
    "tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
  },
  "location": "eastus",
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}

Create or update a policy assignment with a user assigned identity

Sample Request

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
{
  "location": "eastus",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {}
    }
  },
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Foo Bar"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default"
  }
}

Sample Response

{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
  },
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
        "principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
        "clientId": "4bee2b8a-1bee-47c2-90e9-404241551135"
      }
    }
  },
  "location": "eastus",
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}

Create or update a policy assignment with multiple non-compliance messages

Sample Request

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/securityInitAssignment?api-version=2021-06-01
{
  "properties": {
    "displayName": "Enforce security policies",
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/securityInitiative",
    "nonComplianceMessages": [
      {
        "message": "Resources must comply with all internal security policies. See <internal site URL> for more info."
      },
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'.",
        "policyDefinitionReferenceId": "10420126870854049575"
      },
      {
        "message": "Storage accounts must have firewall rules configured.",
        "policyDefinitionReferenceId": "8572513655450389710"
      }
    ]
  }
}

Sample Response

{
  "properties": {
    "displayName": "Enforce security policies",
    "metadata": {
      "assignedBy": "User 1"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/securityInitiative",
    "notScopes": [],
    "enforcementMode": "Default",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
    "nonComplianceMessages": [
      {
        "message": "Resources must comply with all internal security policies. See <internal site URL> for more info."
      },
      {
        "message": "Resource names must start with 'DeptA' and end with '-LC'.",
        "policyDefinitionReferenceId": "10420126870854049575"
      },
      {
        "message": "Storage accounts must have firewall rules configured.",
        "policyDefinitionReferenceId": "8572513655450389710"
      }
    ]
  },
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/securityInitAssignment",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "securityInitAssignment"
}

Create or update a policy assignment without enforcing policy effect during resource creation or update.

Sample Request

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2021-06-01
{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "DoNotEnforce"
  }
}

Sample Response

{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with given DeptA and end with -LC",
    "metadata": {
      "assignedBy": "Special Someone"
    },
    "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "notScopes": [],
    "parameters": {
      "prefix": {
        "value": "DeptA"
      },
      "suffix": {
        "value": "-LC"
      }
    },
    "enforcementMode": "DoNotEnforce",
    "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
  },
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "EnforceNaming"
}

Definitions

CloudError

An error response from a policy operation.

createdByType

The type of identity that created the resource.

enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

ErrorAdditionalInfo

The resource management error additional info.

ErrorResponse

Error Response

Identity

Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.

NonComplianceMessage

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.

ParameterValuesValue

The value of a parameter.

PolicyAssignment

The policy assignment.

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

systemData

Metadata pertaining to creation and last modification of the resource.

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

CloudError

An error response from a policy operation.

Name Type Description
error

Error Response
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

createdByType

The type of identity that created the resource.

Name Type Description
Application
  • string
Key
  • string
ManagedIdentity
  • string
User
  • string

enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

Name Type Description
Default
  • string

The policy effect is enforced during resource creation or update.

DoNotEnforce
  • string

The policy effect is not enforced during resource creation or update.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info
  • object

The additional info.

type
  • string

The additional info type.

ErrorResponse

Error Response

Name Type Description
additionalInfo

The error additional info.

code
  • string

The error code.

details

The error details.

message
  • string

The error message.

target
  • string

The error target.

Identity

Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.

Name Type Description
principalId
  • string

The principal ID of the resource identity. This property will only be provided for a system assigned identity

tenantId
  • string

The tenant ID of the resource identity. This property will only be provided for a system assigned identity

type

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

userAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

NonComplianceMessage

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.

Name Type Description
message
  • string

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.

policyDefinitionReferenceId
  • string

The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment.

ParameterValuesValue

The value of a parameter.

Name Type Description
value
  • object

The value of the parameter.

PolicyAssignment

The policy assignment.

Name Type Description
id
  • string

The ID of the policy assignment.

identity

The managed identity associated with the policy assignment.

location
  • string

The location of the policy assignment. Only required when utilizing managed identity.

name
  • string

The name of the policy assignment.

properties.description
  • string

This message will be part of response in case of policy violation.

properties.displayName
  • string

The display name of the policy assignment.

properties.enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

properties.metadata
  • object

The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

properties.nonComplianceMessages

The messages that describe why a resource is non-compliant with the policy.

properties.notScopes
  • string[]

The policy's excluded scopes.

properties.parameters

The parameter values for the assigned policy rule. The keys are the parameter names.

properties.policyDefinitionId
  • string

The ID of the policy definition or policy set definition being assigned.

properties.scope
  • string

The scope for the policy assignment.

systemData

The system metadata relating to this resource.

type
  • string

The type of the policy assignment.

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

Name Type Description
None
  • string

Indicates that no identity is associated with the resource or that the existing identity should be removed.

SystemAssigned
  • string

Indicates that a system assigned identity is associated with the resource.

UserAssigned
  • string

Indicates that a system assigned identity is associated with the resource.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt
  • string

The timestamp of resource creation (UTC).

createdBy
  • string

The identity that created the resource.

createdByType

The type of identity that created the resource.

lastModifiedAt
  • string

The timestamp of resource last modification (UTC)

lastModifiedBy
  • string

The identity that last modified the resource.

lastModifiedByType

The type of identity that last modified the resource.

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Name Type Description