Policy Assignments - List

Retrieves all policy assignments that apply to a subscription.
This operation retrieves the list of all policy assignments associated with the given subscription that match the optional given $filter. Valid values for $filter are: 'atScope()', 'atExactScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy assignments associated with the subscription, including those that apply directly or from management groups that contain the given subscription, as well as any applied to objects contained within the subscription. If $filter=atScope() is provided, the returned list includes all policy assignments that apply to the subscription, which is everything in the unfiltered list except those applied to objects contained within the subscription. If $filter=atExactScope() is provided, the returned list only includes the policy assignments that are assigned at the subscription itself. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value}.

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments?api-version=2021-06-01
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments?$filter={$filter}&$top={$top}&api-version=2021-06-01

URI Parameters

Name In Required Type Description
subscriptionId
path True
  • string

The ID of the target subscription.

api-version
query True
  • string

The API version to use for the operation.

$filter
query
  • string

The filter to apply on the operation. Valid values for $filter are: 'atScope()', 'atExactScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, no filtering is performed. If $filter=atScope() is provided, the returned list only includes all policy assignments that apply to the scope, which is everything in the unfiltered list except those applied to sub scopes contained within the given scope. If $filter=atExactScope() is provided, the returned list only includes the policy assignments that are assigned at the given scope. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value}.

$top
query
  • integer (int32)

Maximum number of records to return. When the $top filter is not provided, it will return 500 records.
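
As an added example (not part of the Azure reference, and not Microsoft's SDK code): a small Python client that builds the list URL with $filter and $top as described above, follows nextLink until the service omits it, and then flags assignments whose enforcementMode is DoNotEnforce or whose notScopes carve out exclusions, which is what a reviewer checking policy coverage wants to see first. The `fetch` callable, the subscription id and the two-page response are constructed here; a real caller would pass a function that performs an authenticated GET with a bearer token.

```python
from typing import Callable, Dict, List, Optional

API_VERSION = "2021-06-01"
ARM = "https://management.azure.com"

def list_url(subscription_id: str, filt: str = "atScope()", top: Optional[int] = None) -> str:
    """Build the list URL from the page: $filter and $top are optional query parameters."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/"
           f"Microsoft.Authorization/policyAssignments?$filter={filt}")
    if top is not None:
        url += f"&$top={top}"
    return url + f"&api-version={API_VERSION}"

def list_assignments(first_url: str, fetch: Callable[[str], dict]) -> List[dict]:
    """Collect every assignment, following nextLink until a page has none."""
    items, url, seen = [], first_url, set()
    while url:
        if url in seen:                       # guard against a nextLink that loops
            raise RuntimeError("nextLink cycle detected")
        seen.add(url)
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items

def audit(assignments: List[dict]) -> Dict[str, List[str]]:
    """Flag assignments that weaken coverage: DoNotEnforce mode or notScopes exclusions."""
    report: Dict[str, List[str]] = {"not_enforced": [], "has_exclusions": []}
    for a in assignments:
        props = a.get("properties", {})
        # enforcementMode defaults to "Default" when absent (PolicyAssignment table)
        if props.get("enforcementMode", "Default") == "DoNotEnforce":
            report["not_enforced"].append(a["name"])
        if props.get("notScopes"):
            report["has_exclusions"].append(a["name"])
    return report

# Constructed two-page sample in the shape of the page's sample response (hypothetical ids).
SUB = "00000000-0000-0000-0000-000000000000"
_PAGES = {
    list_url(SUB): {"value": [
        {"name": "CostManagement", "properties": {"enforcementMode": "DoNotEnforce", "notScopes": []}},
        {"name": "TagEnforcement", "properties": {"notScopes": []}}],
        "nextLink": "page2"},
    "page2": {"value": [
        {"name": "AllowedLocations",
         "properties": {"notScopes": [f"/subscriptions/{SUB}/resourceGroups/sandbox"]}}]},
}

def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; returns the constructed page for a URL."""
    return _PAGES[url]

if __name__ == "__main__":
    print(audit(list_assignments(list_url(SUB), fake_fetch)))
```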

Responses

Name Type Description
200 OK

OK - Returns an array of policy assignments.

Other Status Codes

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

List policy assignments that apply to a subscription

Sample Request

GET https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments?$filter=atScope()&api-version=2021-06-01

Sample Response

{
  "value": [
    {
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement",
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "CostManagement",
      "location": "eastus",
      "identity": {
        "type": "SystemAssigned",
        "principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
        "tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
      },
      "properties": {
        "displayName": "Storage Cost Management",
        "description": "Minimize the risk of accidental cost overruns",
        "metadata": {
          "category": "Cost Management"
        },
        "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/storageSkus",
        "parameters": {
          "allowedSkus": {
            "value": "Standard_A1"
          }
        },
        "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
        "notScopes": []
      }
    },
    {
      "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/TagEnforcement",
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "TagEnforcement",
      "properties": {
        "displayName": "Enforces a tag key and value",
        "description": "Ensure a given tag key and value are present on all resources",
        "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/TagKeyValue",
        "scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
        "notScopes": []
      }
    }
  ]
}

Definitions

CloudError

An error response from a policy operation.

createdByType

The type of identity that created the resource.

enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

ErrorAdditionalInfo

The resource management error additional info.

ErrorResponse

Error Response

Identity

Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.

NonComplianceMessage

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on a resource's non-compliant compliance results.

ParameterValuesValue

The value of a parameter.

PolicyAssignment

The policy assignment.

PolicyAssignmentListResult

List of policy assignments.

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

systemData

Metadata pertaining to creation and last modification of the resource.

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

CloudError

An error response from a policy operation.

Name Type Description
error

Error Response
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

createdByType

The type of identity that created the resource.

Name Type Description
Application
  • string
Key
  • string
ManagedIdentity
  • string
User
  • string

enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

Name Type Description
Default
  • string

The policy effect is enforced during resource creation or update.

DoNotEnforce
  • string

The policy effect is not enforced during resource creation or update.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info
  • object

The additional info.

type
  • string

The additional info type.

ErrorResponse

Error Response

Name Type Description
additionalInfo

The error additional info.

code
  • string

The error code.

details

The error details.

message
  • string

The error message.

target
  • string

The error target.

Identity

Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.

Name Type Description
principalId
  • string

The principal ID of the resource identity. This property will only be provided for a system assigned identity.

tenantId
  • string

The tenant ID of the resource identity. This property will only be provided for a system assigned identity.

type

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

userAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

NonComplianceMessage

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on a resource's non-compliant compliance results.

Name Type Description
message
  • string

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on a resource's non-compliant compliance results.

policyDefinitionReferenceId
  • string

The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment.

ParameterValuesValue

The value of a parameter.

Name Type Description
value
  • object

The value of the parameter.

PolicyAssignment

The policy assignment.

Name Type Default Value Description
id
  • string

The ID of the policy assignment.

identity

The managed identity associated with the policy assignment.

location
  • string

The location of the policy assignment. Only required when utilizing managed identity.

name
  • string

The name of the policy assignment.

properties.description
  • string

This message will be part of the response in case of a policy violation.

properties.displayName
  • string

The display name of the policy assignment.

properties.enforcementMode (default value: Default)

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

properties.metadata
  • object

The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

properties.nonComplianceMessages

The messages that describe why a resource is non-compliant with the policy.

properties.notScopes
  • string[]

The policy's excluded scopes.

properties.parameters

The parameter values for the assigned policy rule. The keys are the parameter names.

properties.policyDefinitionId
  • string

The ID of the policy definition or policy set definition being assigned.

properties.scope
  • string

The scope for the policy assignment.

systemData

The system metadata relating to this resource.

type
  • string

The type of the policy assignment.

PolicyAssignmentListResult

List of policy assignments.

Name Type Description
nextLink
  • string

The URL to use for getting the next set of results.

value

An array of policy assignments.

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

Name Type Description
None
  • string

Indicates that no identity is associated with the resource or that the existing identity should be removed.

SystemAssigned
  • string

Indicates that a system assigned identity is associated with the resource.

UserAssigned
  • string

Indicates that a user assigned identity is associated with the resource.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt
  • string

The timestamp of resource creation (UTC).

createdBy
  • string

The identity that created the resource.

createdByType

The type of identity that created the resource.

lastModifiedAt
  • string

The timestamp of resource last modification (UTC).

lastModifiedBy
  • string

The identity that last modified the resource.

lastModifiedByType

The type of identity that last modified the resource.

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Name Type Description