您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

New-AzPolicyAssignment

Creates a policy assignment.

Syntax

New-AzPolicyAssignment
   -Name <String>
   -Scope <String>
   [-NotScope <String[]>]
   [-DisplayName <String>]
   [-Description <String>]
   [-PolicyDefinition <PSObject>]
   [-PolicySetDefinition <PSObject>]
   [-Metadata <String>]
   [-AssignIdentity]
   [-Location <String>]
   [-ApiVersion <String>]
   [-Pre]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzPolicyAssignment
   -Name <String>
   -Scope <String>
   [-NotScope <String[]>]
   [-DisplayName <String>]
   [-Description <String>]
   -PolicyDefinition <PSObject>
   [-PolicySetDefinition <PSObject>]
   -PolicyParameterObject <Hashtable>
   [-Metadata <String>]
   [-AssignIdentity]
   [-Location <String>]
   [-ApiVersion <String>]
   [-Pre]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzPolicyAssignment
   -Name <String>
   -Scope <String>
   [-NotScope <String[]>]
   [-DisplayName <String>]
   [-Description <String>]
   -PolicyDefinition <PSObject>
   [-PolicySetDefinition <PSObject>]
   -PolicyParameter <String>
   [-Metadata <String>]
   [-AssignIdentity]
   [-Location <String>]
   [-ApiVersion <String>]
   [-Pre]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzPolicyAssignment
   -Name <String>
   -Scope <String>
   [-NotScope <String[]>]
   [-DisplayName <String>]
   [-Description <String>]
   [-PolicyDefinition <PSObject>]
   -PolicySetDefinition <PSObject>
   -PolicyParameterObject <Hashtable>
   [-Metadata <String>]
   [-AssignIdentity]
   [-Location <String>]
   [-ApiVersion <String>]
   [-Pre]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzPolicyAssignment
   -Name <String>
   -Scope <String>
   [-NotScope <String[]>]
   [-DisplayName <String>]
   [-Description <String>]
   [-PolicyDefinition <PSObject>]
   -PolicySetDefinition <PSObject>
   -PolicyParameter <String>
   [-Metadata <String>]
   [-AssignIdentity]
   [-Location <String>]
   [-ApiVersion <String>]
   [-Pre]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

The New-AzPolicyAssignment cmdlet creates a policy assignment. Specify a policy and scope.

Examples

Example 1: Policy assignment at subscription level

PS C:\> $Subscription = Get-AzSubscription -SubscriptionName 'Subscription01'
PS C:\> $Policy = Get-AzPolicyDefinition -Name 'VirtualMachinePolicy'
PS C:\> New-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment' -PolicyDefinition $Policy -Scope "/subscriptions/$($Subscription.Id)"

The first command gets a subscription named Subscription01 by using the Get-AzSubscription cmdlet and stores it in the $Subscription variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the level of the subscription identified by the subscription scope string.

Example 2: Policy assignment at resource group level

PS C:\> $ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
PS C:\> $Policy = Get-AzPolicyDefinition -Name 'VirtualMachinePolicy'
PS C:\> New-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment' -PolicyDefinition $Policy -Scope $ResourceGroup.ResourceId

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the level of the resource group identified by the ResourceId property of $ResourceGroup.

Example 3: Policy assignment at resource group level with policy parameter object

PS C:\> $ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
PS C:\> $Policy = Get-AzPolicyDefinition -BuiltIn | Where-Object {$_.Properties.DisplayName -eq 'Allowed locations'}
PS C:\> $Locations = Get-AzLocation | where displayname -like '*east*'
PS C:\> $AllowedLocations = @{'listOfAllowedLocations'=($Locations.location)}
PS C:\> New-AzPolicyAssignment -Name 'RestrictLocationPolicyAssignment' -PolicyDefinition $Policy -Scope $ResourceGroup.ResourceId -PolicyParameterObject $AllowedLocations

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the built-in policy definition for allowed locations by using the Get-AzPolicyDefinition cmdlet. The command stores that object in the $Policy variable. The third and fourth commands create an object containing all Azure regions with "east" in the name. The commands store that object in the $AllowedLocations variable. The final command assigns the policy in $Policy at the level of a resource group using the policy parameter object in $AllowedLocations. The ResourceId property of $ResourceGroup identifies the resource group.

Example 4: Policy assignment at resource group level with policy parameter file

Create a file called AllowedLocations.json in the local working directory with the following content.

{
    "listOfAllowedLocations":  {
      "value": [
        "westus",
        "westeurope",
        "japanwest"
      ]
    }
}

PS C:\> $ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
PS C:\> $Policy = Get-AzPolicyDefinition -BuiltIn | Where-Object {$_.Properties.DisplayName -eq 'Allowed locations'}
PS C:\> New-AzPolicyAssignment -Name 'RestrictLocationPolicyAssignment' -PolicyDefinition $Policy -Scope $ResourceGroup.ResourceId -PolicyParameter .\AllowedLocations.json

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the built-in policy definition for allowed locations by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the resource group identified by the ResourceId property of $ResourceGroup using the policy parameter file AllowedLocations.json from the local working directory.

Example 5: Policy assignment with a managed identity

PS C:\> $ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
PS C:\> $Policy = Get-AzPolicyDefinition -Name 'VirtualMachinePolicy'
PS C:\> New-AzPolicyAssignment -Name 'VirtualMachinePolicyAssignment' -PolicyDefinition $Policy -Scope $ResourceGroup.ResourceId -Location 'eastus' -AssignIdentity

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy to the resource group. A managed identity is automatically created and assigned to the policy assignment.

Parameters

-ApiVersion

Specifies the version of the resource provider API to use. If you do not specify a version, this cmdlet uses the latest available version.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AssignIdentity

Generate and assign an Azure Active Directory Identity for this policy assignment. The identity will be used when executing deployments for 'deployIfNotExists' policies. Location is required when assigning an identity.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Description

The description for policy assignment

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-DisplayName

Specifies a display name for the policy assignment.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Location

The location of the policy assignment's resource identity. This is required when the -AssignIdentity switch is used.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Metadata

The metadata for the new policy assignment. This can either be a path to a file name containing the metadata, or the metadata as a string.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Name

Specifies a name for the policy assignment.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-NotScope

The not scopes for policy assignment.

Type:System.String[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-PolicyDefinition

Specifies a policy, as a PsPolicyDefinition object that contains the policy rule.

Type:PSObject
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-PolicyParameter

The policy parameter file path or policy parameter string.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-PolicyParameterObject

The policy parameter object.

Type:Hashtable
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-PolicySetDefinition

The policy set definition object.

Type:PSObject
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Pre

Indicates that this cmdlet considers pre-release API versions when it automatically determines which version to use.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Scope

Specifies the scope at which to assign the policy. For instance, to assign a policy to a resource group, specify the following: /subscriptions/subscription ID/resourcegroups/resource group name

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Inputs

String

System.String[]

PSObject

Outputs

PSObject