az policy definition

Manage resource policy definitions.

Commands

az policy definition create Create a policy definition.
az policy definition delete Delete a policy definition.
az policy definition list List policy definitions.
az policy definition show Show a policy definition.
az policy definition update Update a policy definition.

az policy definition create

Create a policy definition.

az policy definition create --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--only-show-errors]
[--params]
[--rules]
[--subscription]

Examples

Create a policy that denies creation or update of storage accounts. The "type" field matches the resource type (here Microsoft.Storage/storageAccounts), and a deny effect rejects the write request for matching resources, so existing accounts become read-only at the ARM layer. Note that the value must be a resource type, not an RBAC operation such as ".../write", which no resource type ever equals.

az policy definition create --name readOnlyStorage --rules "{ \"if\": \
    { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts\" }, \
        \"then\": { \"effect\": \"deny\" } }"

Create a policy definition that takes a parameter. The parameter name used in the rules, parameters('listOfAllowedLocations'), must match the key declared in --params, otherwise the definition is rejected or evaluates against an undefined value.

az policy definition create --name allowedLocations \
    --rules "{ \"if\": { \"allOf\": [ \
        { \"field\": \"location\",\"notIn\": \"[parameters('listOfAllowedLocations')]\" }, \
            { \"field\": \"location\", \"notEquals\": \"global\" }, \
                { \"field\": \"type\", \"notEquals\": \
                    \"Microsoft.AzureActiveDirectory/b2cDirectories\"} \
                        ] }, \"then\": { \"effect\": \"deny\" } }" \
    --params "{ \"listOfAllowedLocations\": { \
        \"type\": \"array\", \"metadata\": { \"description\": \
            \"The list of locations that can be specified when deploying resources\", \
                \"strongType\": \"location\", \"displayName\": \"Allowed locations\" } } }"

Create the same storage-account deny policy scoped so that it can be assigned within a management group.

az policy definition create -n readOnlyStorage --management-group "MyManagementGroup" \
    --rules "{ \"if\": { \"field\": \"type\", \
        \"equals\": \"Microsoft.Storage/storageAccounts\" }, \
            \"then\": { \"effect\": \"deny\" } }"

Create a policy definition with mode. The mode 'Indexed' indicates the policy should be evaluated only for resource types that support tags and location.

az policy definition create --name TagsPolicyDefinition --subscription "MySubscription" \
    --mode Indexed --rules "{ \"if\": { \"field\": \"tags\", \"exists\": \"false\" }, \
        \"then\": { \"effect\": \"deny\" } }"

Required Parameters

--name -n

Name of the new policy definition.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

Name of the management group the new policy definition can be assigned in.

--metadata

Metadata in space-separated key=value pairs.

--mode -m

Mode of the policy definition, e.g. All or Indexed. See https://aka.ms/azure-policy-mode for the available modes.

--only-show-errors

Only show errors, suppressing warnings.

--params

JSON-formatted string, or a path to a file or URI containing the parameter definitions.

--rules

Policy rules in JSON format, or a path to a file containing JSON rules.

--subscription

Name or ID of the subscription the new policy definition can be assigned in.

az policy definition delete

Delete a policy definition.

az policy definition delete --name
[--management-group]
[--only-show-errors]
[--subscription]

Examples

Delete a policy definition.

az policy definition delete --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy definition.

--only-show-errors

Only show errors, suppressing warnings.

--subscription

The subscription ID of the policy definition.

az policy definition list

List policy definitions.

az policy definition list [--management-group]
[--only-show-errors]
[--subscription]

Optional Parameters

--management-group

The name of the management group of the policy definitions.

--only-show-errors

Only show errors, suppressing warnings.

--subscription

The subscription ID of the policy definitions.

az policy definition show

Show a policy definition.

az policy definition show --name
[--management-group]
[--only-show-errors]
[--subscription]

Examples

Show a policy definition.

az policy definition show --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--management-group

The name of the management group of the policy definition.

--only-show-errors

Only show errors, suppressing warnings.

--subscription

The subscription ID of the policy definition.

az policy definition update

Update a policy definition.

az policy definition update --name
[--description]
[--display-name]
[--management-group]
[--metadata]
[--mode]
[--only-show-errors]
[--params]
[--rules]
[--subscription]

Examples

Update a policy definition.

az policy definition update --name MyPolicyDefinition

Required Parameters

--name -n

The policy definition name.

Optional Parameters

--description

Description of policy definition.

--display-name

Display name of policy definition.

--management-group

The name of the management group of the policy definition.

--metadata

Metadata in space-separated key=value pairs.

--mode -m

Mode of the policy definition, e.g. All or Indexed. See https://aka.ms/azure-policy-mode for the available modes.

--only-show-errors

Only show errors, suppressing warnings.

--params

JSON-formatted string, or a path to a file or URI containing the parameter definitions.

--rules

Policy rules in JSON format, or a path to a file containing JSON rules.

--subscription

The subscription ID of the policy definition.