Share via

Microsoft.Authorization policyAssignments 2021-06-01

  • Article

Bicep resource definition

The policyAssignments resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  scope: resourceSymbolicName or scope
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    description: 'string'
    displayName: 'string'
    enforcementMode: 'string'
    metadata: any(Azure.Bicep.Types.Concrete.AnyType)
    nonComplianceMessages: [
      {
        message: 'string'
        policyDefinitionReferenceId: 'string'
      }
    ]
    notScopes: [
      'string'
    ]
    parameters: {
      {customized property}: {
        value: any(Azure.Bicep.Types.Concrete.AnyType)
      }
    }
    policyDefinitionId: 'string'
  }
}

Property values

Identity

Name Description Value
type The identity type. This is the only required field when adding a system or user assigned identity to a resource. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name Description Value

Microsoft.Authorization/policyAssignments

Name Description Value
identity The managed identity associated with the policy assignment. Identity
location The location of the policy assignment. Only required when utilizing managed identity. string
name The resource name string (required)
properties Properties for the policy assignment. PolicyAssignmentProperties
scope Use when creating a resource at a scope that is different than the deployment scope. Set this property to the symbolic name of a resource to apply the extension resource.

NonComplianceMessage

Name Description Value
message A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. string (required)
policyDefinitionReferenceId The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. string

ParameterValues

Name Description Value

ParameterValuesValue

Name Description Value
value The value of the parameter. any

PolicyAssignmentProperties

Name Description Value
description This message will be part of response in case of policy violation. string
displayName The display name of the policy assignment. string
enforcementMode The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 'Default'
'DoNotEnforce'
metadata The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. any
nonComplianceMessages The messages that describe why a resource is non-compliant with the policy. NonComplianceMessage[]
notScopes The policy's excluded scopes. string[]
parameters The parameter values for the assigned policy rule. The keys are the parameter names. ParameterValues
policyDefinitionId The ID of the policy definition or policy set definition being assigned. string

UserAssignedIdentitiesValue

Name Description Value

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Assign built-in policy to audit VM managed disks This template assigns a built-in policy to a resource group scope to audit virtual machine (VM) managed disks.
Create an Azure Virtual Network Manager and sample VNETs This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types.
Deploy a Policy Def and Assign to Multiple Mgmt Groups This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Deploy a policy definition and assign to a management group This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.

ARM template resource definition

The policyAssignments resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to your template.

{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2021-06-01",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "description": "string",
    "displayName": "string",
    "enforcementMode": "string",
    "metadata": {},
    "nonComplianceMessages": [
      {
        "message": "string",
        "policyDefinitionReferenceId": "string"
      }
    ],
    "notScopes": [ "string" ],
    "parameters": {
      "{customized property}": {
        "value": {}
      }
    },
    "policyDefinitionId": "string"
  }
}

Property values

Identity

Name Description Value
type The identity type. This is the only required field when adding a system or user assigned identity to a resource. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name Description Value

Microsoft.Authorization/policyAssignments

Name Description Value
apiVersion The api version '2021-06-01'
identity The managed identity associated with the policy assignment. Identity
location The location of the policy assignment. Only required when utilizing managed identity. string
name The resource name string (required)
properties Properties for the policy assignment. PolicyAssignmentProperties
type The resource type 'Microsoft.Authorization/policyAssignments'

NonComplianceMessage

Name Description Value
message A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. string (required)
policyDefinitionReferenceId The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. string

ParameterValues

Name Description Value

ParameterValuesValue

Name Description Value
value The value of the parameter. any

PolicyAssignmentProperties

Name Description Value
description This message will be part of response in case of policy violation. string
displayName The display name of the policy assignment. string
enforcementMode The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 'Default'
'DoNotEnforce'
metadata The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. any
nonComplianceMessages The messages that describe why a resource is non-compliant with the policy. NonComplianceMessage[]
notScopes The policy's excluded scopes. string[]
parameters The parameter values for the assigned policy rule. The keys are the parameter names. ParameterValues
policyDefinitionId The ID of the policy definition or policy set definition being assigned. string

UserAssignedIdentitiesValue

Name Description Value

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Assign a built-in policy to an existing resource group

Deploy to Azure		 This template assigns a built-in policy to an existing resource group.
Assign built-in policy to audit VM managed disks

Deploy to Azure		 This template assigns a built-in policy to a resource group scope to audit virtual machine (VM) managed disks.
Create an Azure Virtual Network Manager and sample VNETs

Deploy to Azure		 This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types.
Deploy a Policy Def and Assign to Multiple Mgmt Groups

Deploy to Azure		 This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Deploy a policy definition and assign to a management group

Deploy to Azure		 This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.

Terraform (AzAPI provider) resource definition

The policyAssignments resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/policyAssignments@2021-06-01"
  name = "string"
  parent_id = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  body = jsonencode({
    properties = {
      description = "string"
      displayName = "string"
      enforcementMode = "string"
      metadata = ?
      nonComplianceMessages = [
        {
          message = "string"
          policyDefinitionReferenceId = "string"
        }
      ]
      notScopes = [
        "string"
      ]
      parameters = {
        {customized property} = {
          value = ?
        }
      }
      policyDefinitionId = "string"
    }
  })
}

Property values

Identity

Name Description Value
type The identity type. This is the only required field when adding a system or user assigned identity to a resource. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name Description Value

Microsoft.Authorization/policyAssignments

Name Description Value
identity The managed identity associated with the policy assignment. Identity
location The location of the policy assignment. Only required when utilizing managed identity. string
name The resource name string (required)
parent_id The ID of the resource to apply this extension resource to. string (required)
properties Properties for the policy assignment. PolicyAssignmentProperties
type The resource type "Microsoft.Authorization/policyAssignments@2021-06-01"

NonComplianceMessage

Name Description Value
message A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. string (required)
policyDefinitionReferenceId The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. string

ParameterValues

Name Description Value

ParameterValuesValue

Name Description Value
value The value of the parameter. any

PolicyAssignmentProperties

Name Description Value
description This message will be part of response in case of policy violation. string
displayName The display name of the policy assignment. string
enforcementMode The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. 'Default'
'DoNotEnforce'
metadata The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. any
nonComplianceMessages The messages that describe why a resource is non-compliant with the policy. NonComplianceMessage[]
notScopes The policy's excluded scopes. string[]
parameters The parameter values for the assigned policy rule. The keys are the parameter names. ParameterValues
policyDefinitionId The ID of the policy definition or policy set definition being assigned. string

UserAssignedIdentitiesValue

Name Description Value