Policy Assignments - Create
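This operation creates or updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.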
PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2023-04-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
policyAssignmentName | path | True | string | The name of the policy assignment. Regex pattern: |
scope | path | True | string | The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'), or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}') |
api-version | query | True | string | The API version to use for this operation. |
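Request Body
Name | Type | Description |
---|---|---|
identity | Identity | The managed identity associated with the policy assignment. |
location | string | The location of the policy assignment. Only required when utilizing managed identity. |
properties.description | string | This message will be part of the response in case of a policy violation. |
properties.displayName | string | The display name of the policy assignment. |
properties.enforcementMode | enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
properties.metadata | object | The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key-value pairs. |
properties.nonComplianceMessages | NonComplianceMessage[] | The messages that describe why a resource is non-compliant with the policy. |
properties.notScopes | string[] | The policy's excluded scopes. |
properties.overrides | Override[] | The policy property value override. |
properties.parameters | <string, ParameterValuesValue> | The parameter values for the assigned policy rule. The keys are the parameter names. |
properties.policyDefinitionId | string | The ID of the policy definition or policy set definition being assigned. |
properties.resourceSelectors | ResourceSelector[] | The resource selector list to filter policies by resource properties. |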
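Responses
Name | Type | Description |
---|---|---|
201 Created | PolicyAssignment | Created - Returns information about the new policy assignment. |
Other Status Codes | CloudError | Error response describing why the operation failed. |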
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Create or update a policy assignment
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2023-04-01
{
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"nonComplianceMessages": [
{
"message": "Resource names must start with 'DeptA' and end with '-LC'."
}
]
}
}
Sample Response
{
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"notScopes": [],
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "Default",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
"nonComplianceMessages": [
{
"message": "Resource names must start with 'DeptA' and end with '-LC'."
}
]
},
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
"type": "Microsoft.Authorization/policyAssignments",
"name": "EnforceNaming"
}
Create or update a policy assignment with a system assigned identity
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2023-04-01
{
"location": "eastus",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Foo Bar"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "Default"
}
}
Sample Response
{
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"notScopes": [],
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "Default",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
},
"identity": {
"type": "SystemAssigned",
"principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
"tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
},
"location": "eastus",
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
"type": "Microsoft.Authorization/policyAssignments",
"name": "EnforceNaming"
}
Create or update a policy assignment with a user assigned identity
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2023-04-01
{
"location": "eastus",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {}
}
},
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Foo Bar"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "Default"
}
}
Sample Response
{
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"notScopes": [],
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "Default",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
"principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
"clientId": "4bee2b8a-1bee-47c2-90e9-404241551135"
}
}
},
"location": "eastus",
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
"type": "Microsoft.Authorization/policyAssignments",
"name": "EnforceNaming"
}
Create or update a policy assignment with multiple non-compliance messages
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/securityInitAssignment?api-version=2023-04-01
{
"properties": {
"displayName": "Enforce security policies",
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/securityInitiative",
"nonComplianceMessages": [
{
"message": "Resources must comply with all internal security policies. See <internal site URL> for more info."
},
{
"message": "Resource names must start with 'DeptA' and end with '-LC'.",
"policyDefinitionReferenceId": "10420126870854049575"
},
{
"message": "Storage accounts must have firewall rules configured.",
"policyDefinitionReferenceId": "8572513655450389710"
}
]
}
}
Sample Response
{
"properties": {
"displayName": "Enforce security policies",
"metadata": {
"assignedBy": "User 1"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/securityInitiative",
"notScopes": [],
"enforcementMode": "Default",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
"nonComplianceMessages": [
{
"message": "Resources must comply with all internal security policies. See <internal site URL> for more info."
},
{
"message": "Resource names must start with 'DeptA' and end with '-LC'.",
"policyDefinitionReferenceId": "10420126870854049575"
},
{
"message": "Storage accounts must have firewall rules configured.",
"policyDefinitionReferenceId": "8572513655450389710"
}
]
},
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/securityInitAssignment",
"type": "Microsoft.Authorization/policyAssignments",
"name": "securityInitAssignment"
}
Create or update a policy assignment with overrides
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement?api-version=2023-04-01
{
"properties": {
"displayName": "Limit the resource location and resource SKU",
"description": "Limit the resource location and resource SKU",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
"overrides": [
{
"kind": "policyEffect",
"value": "Audit",
"selectors": [
{
"kind": "policyDefinitionReferenceId",
"in": [
"Limit_Skus",
"Limit_Locations"
]
}
]
}
]
}
}
Sample Response
{
"properties": {
"displayName": "Limit the resource location and resource SKU",
"description": "Limit the resource location and resource SKU",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
"notScopes": [],
"enforcementMode": "Default",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
"overrides": [
{
"kind": "policyEffect",
"value": "Audit",
"selectors": [
{
"kind": "policyDefinitionReferenceId",
"in": [
"Limit_Skus",
"Limit_Locations"
]
}
]
}
]
},
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement",
"type": "Microsoft.Authorization/policyAssignments",
"name": "CostManagement"
}
Create or update a policy assignment with resource selectors
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement?api-version=2023-04-01
{
"properties": {
"displayName": "Limit the resource location and resource SKU",
"description": "Limit the resource location and resource SKU",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
"resourceSelectors": [
{
"name": "SDPRegions",
"selectors": [
{
"kind": "resourceLocation",
"in": [
"eastus2euap",
"centraluseuap"
]
}
]
}
]
}
}
Sample Response
{
"properties": {
"displayName": "Limit the resource location and resource SKU",
"description": "Limit the resource location and resource SKU",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
"notScopes": [],
"enforcementMode": "Default",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
"resourceSelectors": [
{
"name": "SDPRegions",
"selectors": [
{
"kind": "resourceLocation",
"in": [
"eastus2euap",
"centraluseuap"
]
}
]
}
]
},
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/CostManagement",
"type": "Microsoft.Authorization/policyAssignments",
"name": "CostManagement"
}
Create or update a policy assignment without enforcing policy effect during resource creation or update.
Sample Request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming?api-version=2023-04-01
{
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "DoNotEnforce"
}
}
Sample Response
{
"properties": {
"displayName": "Enforce resource naming rules",
"description": "Force resource names to begin with given DeptA and end with -LC",
"metadata": {
"assignedBy": "Special Someone"
},
"policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"notScopes": [],
"parameters": {
"prefix": {
"value": "DeptA"
},
"suffix": {
"value": "-LC"
}
},
"enforcementMode": "DoNotEnforce",
"scope": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
},
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyAssignments/EnforceNaming",
"type": "Microsoft.Authorization/policyAssignments",
"name": "EnforceNaming"
}
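The request-body fields documented above can be checked before the PUT is sent. The following is an added example, not part of the Microsoft reference: it validates the scope against the four documented formats, applies the identity and location rule, and flags `DoNotEnforce`, `notScopes`, `overrides` and `resourceSelectors`, each of which changes where or how the assigned policy takes effect. The function name `review_assignment`, the `error`/`review` labels and the sample body are assumptions made for this example.

```python
import re

SEG = r"[^/]+"
# The four scope formats listed in the URI parameter table of this page.
SCOPE_FORMATS = [
    rf"/providers/Microsoft\.Management/managementGroups/{SEG}",
    rf"/subscriptions/{SEG}",
    rf"/subscriptions/{SEG}/resourceGroups/{SEG}",
    rf"/subscriptions/{SEG}/resourceGroups/{SEG}/providers/{SEG}(/{SEG}){{2,}}",
]

def review_assignment(scope, body):
    """Return (level, message) findings for a policy assignment request body."""
    out = []
    if not any(re.fullmatch(p, scope, re.IGNORECASE) for p in SCOPE_FORMATS):
        out.append(("error", "scope matches none of the documented formats"))
    identity = body.get("identity") or {}
    kind = identity.get("type", "None")
    if kind not in ("None", "SystemAssigned", "UserAssigned"):
        out.append(("error", f"unknown identity type {kind!r}"))
    elif kind != "None":
        if not body.get("location"):
            out.append(("error", "location is required when a managed identity is used"))
        if kind == "UserAssigned" and len(identity.get("userAssignedIdentities") or {}) != 1:
            out.append(("error", "UserAssigned needs a single user assigned identity"))
    props = body.get("properties") or {}
    mode = props.get("enforcementMode", "Default")
    if mode not in ("Default", "DoNotEnforce"):
        out.append(("error", f"unknown enforcementMode {mode!r}"))
    elif mode == "DoNotEnforce":
        out.append(("review", "DoNotEnforce: effect is not enforced on resource create/update"))
    for excluded in props.get("notScopes") or []:
        out.append(("review", f"notScopes excludes {excluded}"))
    for ov in props.get("overrides") or []:
        refs = [v for s in ov.get("selectors") or [] for v in s.get("in") or []]
        out.append(("review", f"{ov.get('kind')} overridden to {ov.get('value')} for {refs}"))
    for rs in props.get("resourceSelectors") or []:
        out.append(("review", f"resourceSelector {rs.get('name')} filters by resource properties"))
    return out

# Constructed request body reusing values from the page's samples (not real data).
SUB = "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2"
SAMPLE_BODY = {
    "identity": {"type": "SystemAssigned"},  # "location" left out on purpose
    "properties": {
        "enforcementMode": "DoNotEnforce",
        "notScopes": [SUB + "/resourceGroups/testResourceGroup"],
        "overrides": [{"kind": "policyEffect", "value": "Audit", "selectors": [
            {"kind": "policyDefinitionReferenceId", "in": ["Limit_Skus", "Limit_Locations"]}]}],
    },
}

if __name__ == "__main__":
    print(*review_assignment(SUB, SAMPLE_BODY), sep="\n")
```

The same function can be run over the `properties` of assignments returned by the service to list every assignment that is in `DoNotEnforce` mode or carries exclusions and overrides.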
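Definitions
Name | Description |
---|---|
CloudError | An error response from a policy operation. |
createdByType | The type of identity that created the resource. |
enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
ErrorAdditionalInfo | The resource management error additional info. |
ErrorResponse | Error Response |
Identity | Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity. |
NonComplianceMessage | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results. |
Override | The policy property value override. |
OverrideKind | The override kind. |
ParameterValuesValue | The value of a parameter. |
PolicyAssignment | The policy assignment. |
ResourceIdentityType | The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
ResourceSelector | The resource selector to filter policies by resource properties. |
Selector | The selector expression. |
SelectorKind | The selector kind. |
systemData | Metadata pertaining to creation and last modification of the resource. |
UserAssignedIdentities | The user identity associated with the policy. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |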
CloudError
An error response from a policy operation.
Name | Type | Description |
---|---|---|
error | ErrorResponse | Error Response |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
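enforcementMode
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
Name | Type | Description |
---|---|---|
Default | string | The policy effect is enforced during resource creation or update. |
DoNotEnforce | string | The policy effect is not enforced during resource creation or update. |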
ErrorAdditionalInfo
The resource management error additional info.
Name | Type | Description |
---|---|---|
info | object | The additional info. |
type | string | The additional info type. |
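ErrorResponse
Error Response
Name | Type | Description |
---|---|---|
additionalInfo | ErrorAdditionalInfo[] | The error additional info. |
code | string | The error code. |
details | ErrorResponse[] | The error details. |
message | string | The error message. |
target | string | The error target. |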
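Identity
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.
Name | Type | Description |
---|---|---|
principalId | string | The principal ID of the resource identity. This property will only be provided for a system assigned identity |
tenantId | string | The tenant ID of the resource identity. This property will only be provided for a system assigned identity |
type | ResourceIdentityType | The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
userAssignedIdentities | UserAssignedIdentities | The user identity associated with the policy. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |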
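NonComplianceMessage
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results.
Name | Type | Description |
---|---|---|
message | string | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on the resource's non-compliant compliance results. |
policyDefinitionReferenceId | string | The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided, the message applies to all policies assigned by this policy assignment. |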
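Override
The policy property value override.
Name | Type | Description |
---|---|---|
kind | OverrideKind | The override kind. |
selectors | Selector[] | The list of the selector expressions. |
value | string | The value to override the policy property. |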
OverrideKind
The override kind.
Name | Type | Description |
---|---|---|
policyEffect | string | It will override the policy effect type. |
ParameterValuesValue
The value of a parameter.
Name | Type | Description |
---|---|---|
value | object | The value of the parameter. |
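PolicyAssignment
The policy assignment.
Name | Type | Default value | Description |
---|---|---|---|
id | string | | The ID of the policy assignment. |
identity | Identity | | The managed identity associated with the policy assignment. |
location | string | | The location of the policy assignment. Only required when utilizing managed identity. |
name | string | | The name of the policy assignment. |
properties.description | string | | This message will be part of the response in case of a policy violation. |
properties.displayName | string | | The display name of the policy assignment. |
properties.enforcementMode | enforcementMode | Default | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
properties.metadata | object | | The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key-value pairs. |
properties.nonComplianceMessages | NonComplianceMessage[] | | The messages that describe why a resource is non-compliant with the policy. |
properties.notScopes | string[] | | The policy's excluded scopes. |
properties.overrides | Override[] | | The policy property value override. |
properties.parameters | <string, ParameterValuesValue> | | The parameter values for the assigned policy rule. The keys are the parameter names. |
properties.policyDefinitionId | string | | The ID of the policy definition or policy set definition being assigned. |
properties.resourceSelectors | ResourceSelector[] | | The resource selector list to filter policies by resource properties. |
properties.scope | string | | The scope of the policy assignment. |
systemData | systemData | | The system metadata relating to this resource. |
type | string | | The type of the policy assignment. |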
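ResourceIdentityType
The identity type. This is the only required field when adding a system or user assigned identity to a resource.
Name | Type | Description |
---|---|---|
None | string | Indicates that no identity is associated with the resource or that the existing identity should be removed. |
SystemAssigned | string | Indicates that a system assigned identity is associated with the resource. |
UserAssigned | string | Indicates that a system assigned identity is associated with the resource. |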
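ResourceSelector
The resource selector to filter policies by resource properties.
Name | Type | Description |
---|---|---|
name | string | The name of the resource selector. |
selectors | Selector[] | The list of the selector expressions. |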
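Selector
The selector expression.
Name | Type | Description |
---|---|---|
in | string[] | The list of values to filter in. |
kind | SelectorKind | The selector kind. |
notIn | string[] | The list of values to filter out. |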
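SelectorKind
The selector kind.
Name | Type | Description |
---|---|---|
policyDefinitionReferenceId | string | The selector kind to filter policies by the policy definition reference ID. |
resourceLocation | string | The selector kind to filter policies by the resource location. |
resourceType | string | The selector kind to filter policies by the resource type. |
resourceWithoutLocation | string | The selector kind to filter policies by the resource without location. |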
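systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | createdByType | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC) |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | createdByType | The type of identity that last modified the resource. |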
UserAssignedIdentities
The user identity associated with the policy. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Name | Type | Description |
---|---|---|
|