Microsoft.Authorization policyAssignments 2022-06-01

Article
12/09/2024

Bicep resource definition

The policyAssignments resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  scope: resourceSymbolicName or scope
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    description: 'string'
    displayName: 'string'
    enforcementMode: 'string'
    metadata: any(Azure.Bicep.Types.Concrete.AnyType)
    nonComplianceMessages: [
      {
        message: 'string'
        policyDefinitionReferenceId: 'string'
      }
    ]
    notScopes: [
      'string'
    ]
    overrides: [
      {
        kind: 'string'
        selectors: [
          {
            in: [
              'string'
            ]
            kind: 'string'
            notIn: [
              'string'
            ]
          }
        ]
        value: 'string'
      }
    ]
    parameters: {
      {customized property}: {
        value: any(Azure.Bicep.Types.Concrete.AnyType)
      }
    }
    policyDefinitionId: 'string'
    resourceSelectors: [
      {
        name: 'string'
        selectors: [
          {
            in: [
              'string'
            ]
            kind: 'string'
            notIn: [
              'string'
            ]
          }
        ]
      }
    ]
  }
}

Property values

Identity

Name	Description	Value
type	The identity type. This is the only required field when adding a system or user assigned identity to a resource.	'None' 'SystemAssigned' 'UserAssigned'
userAssignedIdentities	The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.	IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name	Description	Value

Microsoft.Authorization/policyAssignments

Name	Description	Value
identity	The managed identity associated with the policy assignment.	Identity
location	The location of the policy assignment. Only required when utilizing managed identity.	string
name	The resource name	string (required)
properties	Properties for the policy assignment.	PolicyAssignmentProperties
scope	Use when creating a resource at a scope that is different than the deployment scope.	Set this property to the symbolic name of a resource to apply the extension resource.

NonComplianceMessage

Name	Description	Value
message	A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.	string (required)
policyDefinitionReferenceId	The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment.	string

Override

Name	Description	Value
kind	The override kind.	'policyEffect'
selectors	The list of the selector expressions.	Selector[]
value	The value to override the policy property.	string

ParameterValues

Name	Description	Value

ParameterValuesValue

Name	Description	Value
value	The value of the parameter.	any

PolicyAssignmentProperties

Name	Description	Value
description	This message will be part of response in case of policy violation.	string
displayName	The display name of the policy assignment.	string
enforcementMode	The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.	'Default' 'DoNotEnforce'
metadata	The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.	any
nonComplianceMessages	The messages that describe why a resource is non-compliant with the policy.	NonComplianceMessage[]
notScopes	The policy's excluded scopes.	string[]
overrides	The policy property value override.	Override[]
parameters	The parameter values for the assigned policy rule. The keys are the parameter names.	ParameterValues
policyDefinitionId	The ID of the policy definition or policy set definition being assigned.	string
resourceSelectors	The resource selector list to filter policies by resource properties.	ResourceSelector[]

ResourceSelector

Name	Description	Value
name	The name of the resource selector.	string
selectors	The list of the selector expressions.	Selector[]

Selector

Name	Description	Value
in	The list of values to filter in.	string[]
kind	The selector kind.	'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation'
notIn	The list of values to filter out.	string[]

UserAssignedIdentitiesValue

Name	Description	Value

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File	Description
Assign built-in policy to audit VM managed disks	This template assigns a built-in policy to a resource group scope to audit virtual machine (VM) managed disks.
Create an Azure Virtual Network Manager and sample VNETs	This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types.
Deploy a Policy Def and Assign to Multiple Mgmt Groups	This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Deploy a policy definition and assign to a management group	This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.

ARM template resource definition

The policyAssignments resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to your template.

{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2022-06-01",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "description": "string",
    "displayName": "string",
    "enforcementMode": "string",
    "metadata": {},
    "nonComplianceMessages": [
      {
        "message": "string",
        "policyDefinitionReferenceId": "string"
      }
    ],
    "notScopes": [ "string" ],
    "overrides": [
      {
        "kind": "string",
        "selectors": [
          {
            "in": [ "string" ],
            "kind": "string",
            "notIn": [ "string" ]
          }
        ],
        "value": "string"
      }
    ],
    "parameters": {
      "{customized property}": {
        "value": {}
      }
    },
    "policyDefinitionId": "string",
    "resourceSelectors": [
      {
        "name": "string",
        "selectors": [
          {
            "in": [ "string" ],
            "kind": "string",
            "notIn": [ "string" ]
          }
        ]
      }
    ]
  }
}

Property values

Identity

Name	Description	Value
type	The identity type. This is the only required field when adding a system or user assigned identity to a resource.	'None' 'SystemAssigned' 'UserAssigned'
userAssignedIdentities	The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.	IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name	Description	Value

Microsoft.Authorization/policyAssignments

Name	Description	Value
apiVersion	The api version	'2022-06-01'
identity	The managed identity associated with the policy assignment.	Identity
location	The location of the policy assignment. Only required when utilizing managed identity.	string
name	The resource name	string (required)
properties	Properties for the policy assignment.	PolicyAssignmentProperties
type	The resource type	'Microsoft.Authorization/policyAssignments'

NonComplianceMessage

Name	Description	Value
message	A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.	string (required)
policyDefinitionReferenceId	The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment.	string

Override

Name	Description	Value
kind	The override kind.	'policyEffect'
selectors	The list of the selector expressions.	Selector[]
value	The value to override the policy property.	string

ParameterValues

Name	Description	Value

ParameterValuesValue

Name	Description	Value
value	The value of the parameter.	any

PolicyAssignmentProperties

Name	Description	Value
description	This message will be part of response in case of policy violation.	string
displayName	The display name of the policy assignment.	string
enforcementMode	The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.	'Default' 'DoNotEnforce'
metadata	The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.	any
nonComplianceMessages	The messages that describe why a resource is non-compliant with the policy.	NonComplianceMessage[]
notScopes	The policy's excluded scopes.	string[]
overrides	The policy property value override.	Override[]
parameters	The parameter values for the assigned policy rule. The keys are the parameter names.	ParameterValues
policyDefinitionId	The ID of the policy definition or policy set definition being assigned.	string
resourceSelectors	The resource selector list to filter policies by resource properties.	ResourceSelector[]

ResourceSelector

Name	Description	Value
name	The name of the resource selector.	string
selectors	The list of the selector expressions.	Selector[]

Selector

Name	Description	Value
in	The list of values to filter in.	string[]
kind	The selector kind.	'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation'
notIn	The list of values to filter out.	string[]

UserAssignedIdentitiesValue

Name	Description	Value

Quickstart templates

The following quickstart templates deploy this resource type.

Template	Description
Assign a built-in policy to an existing resource group	This template assigns a built-in policy to an existing resource group.
Assign built-in policy to audit VM managed disks	This template assigns a built-in policy to a resource group scope to audit virtual machine (VM) managed disks.
Create an Azure Virtual Network Manager and sample VNETs	This template deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types.
Deploy a Policy Def and Assign to Multiple Mgmt Groups	This template is a management group level template that will create a policy definition and assign that policy to multiple management groups.
Deploy a policy definition and assign to a management group	This template is a management group level template that will create a policy definition and assign that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.

Terraform (AzAPI provider) resource definition

The policyAssignments resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/policyAssignments@2022-06-01"
  name = "string"
  parent_id = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  body = jsonencode({
    properties = {
      description = "string"
      displayName = "string"
      enforcementMode = "string"
      metadata = ?
      nonComplianceMessages = [
        {
          message = "string"
          policyDefinitionReferenceId = "string"
        }
      ]
      notScopes = [
        "string"
      ]
      overrides = [
        {
          kind = "string"
          selectors = [
            {
              in = [
                "string"
              ]
              kind = "string"
              notIn = [
                "string"
              ]
            }
          ]
          value = "string"
        }
      ]
      parameters = {
        {customized property} = {
          value = ?
        }
      }
      policyDefinitionId = "string"
      resourceSelectors = [
        {
          name = "string"
          selectors = [
            {
              in = [
                "string"
              ]
              kind = "string"
              notIn = [
                "string"
              ]
            }
          ]
        }
      ]
    }
  })
}

Property values

Identity

Name	Description	Value
type	The identity type. This is the only required field when adding a system or user assigned identity to a resource.	'None' 'SystemAssigned' 'UserAssigned'
userAssignedIdentities	The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.	IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name	Description	Value

Microsoft.Authorization/policyAssignments

Name	Description	Value
identity	The managed identity associated with the policy assignment.	Identity
location	The location of the policy assignment. Only required when utilizing managed identity.	string
name	The resource name	string (required)
parent_id	The ID of the resource to apply this extension resource to.	string (required)
properties	Properties for the policy assignment.	PolicyAssignmentProperties
type	The resource type	"Microsoft.Authorization/policyAssignments@2022-06-01"

NonComplianceMessage

Name	Description	Value
message	A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.	string (required)
policyDefinitionReferenceId	The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment.	string

Override

Name	Description	Value
kind	The override kind.	'policyEffect'
selectors	The list of the selector expressions.	Selector[]
value	The value to override the policy property.	string

ParameterValues

Name	Description	Value

ParameterValuesValue

Name	Description	Value
value	The value of the parameter.	any

PolicyAssignmentProperties

Name	Description	Value
description	This message will be part of response in case of policy violation.	string
displayName	The display name of the policy assignment.	string
enforcementMode	The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.	'Default' 'DoNotEnforce'
metadata	The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.	any
nonComplianceMessages	The messages that describe why a resource is non-compliant with the policy.	NonComplianceMessage[]
notScopes	The policy's excluded scopes.	string[]
overrides	The policy property value override.	Override[]
parameters	The parameter values for the assigned policy rule. The keys are the parameter names.	ParameterValues
policyDefinitionId	The ID of the policy definition or policy set definition being assigned.	string
resourceSelectors	The resource selector list to filter policies by resource properties.	ResourceSelector[]

ResourceSelector

Name	Description	Value
name	The name of the resource selector.	string
selectors	The list of the selector expressions.	Selector[]

Selector

Name	Description	Value
in	The list of values to filter in.	string[]
kind	The selector kind.	'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation'
notIn	The list of values to filter out.	string[]

UserAssignedIdentitiesValue

Name	Description	Value

Share via

Microsoft.Authorization policyAssignments 2022-06-01

Bicep resource definition

Resource format

Property values

Identity

IdentityUserAssignedIdentities

Microsoft.Authorization/policyAssignments

NonComplianceMessage

Override

ParameterValues

ParameterValuesValue

PolicyAssignmentProperties

ResourceSelector

Selector

UserAssignedIdentitiesValue

Quickstart samples

ARM template resource definition

Resource format

Property values

Identity

IdentityUserAssignedIdentities

Microsoft.Authorization/policyAssignments

NonComplianceMessage

Override

ParameterValues

ParameterValuesValue

PolicyAssignmentProperties

ResourceSelector

Selector

UserAssignedIdentitiesValue

Quickstart templates

Terraform (AzAPI provider) resource definition

Resource format

Property values

Identity

IdentityUserAssignedIdentities

Microsoft.Authorization/policyAssignments

NonComplianceMessage

Override

ParameterValues

ParameterValuesValue

PolicyAssignmentProperties

ResourceSelector

Selector

UserAssignedIdentitiesValue

Feedback

Additional resources