Policy Set Definitions - Create Or Update At Management Group

This operation creates or updates a policy set definition in the given management group with the given name.

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Authorization/policySetDefinitions/{policySetDefinitionName}?api-version=2023-04-01

URI Parameters

| Name | In | Required | Type | Description |
| --- | --- | --- | --- | --- |
| managementGroupId | path | True | string | The ID of the management group. |
| policySetDefinitionName | path | True | string | The name of the policy set definition to create. Regex pattern: `^[^<>*%&:\?.+/]*[^<>*%&:\?.+/ ]+$` |
| api-version | query | True | string | The API version to use for this operation. |

Request Body

| Name | Required | Type | Description |
| --- | --- | --- | --- |
| properties.policyDefinitions | True | PolicyDefinitionReference[] | An array of policy definition references. |
| properties.description | | string | The policy set definition description. |
| properties.displayName | | string | The display name of the policy set definition. |
| properties.metadata | | object | The policy set definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
| properties.parameters | | <string, ParameterDefinitionsValue> | The policy set definition parameters that can be used in policy definition references. |
| properties.policyDefinitionGroups | | PolicyDefinitionGroup[] | The metadata describing groups of policy definition references within the policy set definition. |
| properties.policyType | | policyType | The type of policy set definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. |
| properties.version | | string | The policy set definition version in #.#.# format. |
| properties.versions | | string[] | A list of available versions for this policy set definition. |

Responses

| Name | Type | Description |
| --- | --- | --- |
| 200 OK | PolicySetDefinition | OK - Returns information about the policy set definition. |
| 201 Created | PolicySetDefinition | Created - Returns information about the policy set definition. |
| Other Status Codes | CloudError | Error response describing why the operation failed. |

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
| --- | --- |
| user_impersonation | impersonate your user account |

Examples

Create or update a policy set definition at management group level
Create or update a policy set definition with groups at management group level

Create or update a policy set definition at management group level

Sample request

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policySetDefinitions/CostManagement?api-version=2023-04-01

{
  "properties": {
    "displayName": "Cost Management",
    "description": "Policies to enforce low cost storage SKUs",
    "metadata": {
      "category": "Cost Management"
    },
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
        "policyDefinitionReferenceId": "Limit_Skus",
        "parameters": {
          "listOfAllowedSKUs": {
            "value": [
              "Standard_GRS",
              "Standard_LRS"
            ]
          }
        }
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "policyDefinitionReferenceId": "Resource_Naming",
        "parameters": {
          "prefix": {
            "value": "DeptA"
          },
          "suffix": {
            "value": "-LC"
          }
        }
      }
    ]
  }
}

Sample response

{
  "id": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "CostManagement",
  "properties": {
    "displayName": "Cost Management",
    "description": "Policies to enforce low cost storage SKUs",
    "metadata": {
      "category": "Cost Management"
    },
    "version": "1.2.1",
    "versions": [
      "1.2.1",
      "1.0.0"
    ],
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
        "definitionVersion": "1.*.*",
        "policyDefinitionReferenceId": "Limit_Skus",
        "parameters": {
          "listOfAllowedSKUs": {
            "value": [
              "Standard_GRS",
              "Standard_LRS"
            ]
          }
        }
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "definitionVersion": "1.*.*",
        "policyDefinitionReferenceId": "Resource_Naming",
        "parameters": {
          "prefix": {
            "value": "DeptA"
          },
          "suffix": {
            "value": "-LC"
          }
        }
      }
    ]
  }
}

{
  "id": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "CostManagement",
  "properties": {
    "displayName": "Cost Management",
    "description": "Policies to enforce low cost storage SKUs",
    "metadata": {
      "category": "Cost Management"
    },
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
        "definitionVersion": "1.*.*",
        "policyDefinitionReferenceId": "Limit_Skus",
        "parameters": {
          "listOfAllowedSKUs": {
            "value": [
              "Standard_GRS",
              "Standard_LRS"
            ]
          }
        }
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "definitionVersion": "1.*.*",
        "policyDefinitionReferenceId": "Resource_Naming",
        "parameters": {
          "prefix": {
            "value": "DeptA"
          },
          "suffix": {
            "value": "-LC"
          }
        }
      }
    ]
  }
}

Create or update a policy set definition with groups at management group level

Sample request

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policySetDefinitions/CostManagement?api-version=2023-04-01

{
  "properties": {
    "displayName": "Cost Management",
    "description": "Policies to enforce low cost storage SKUs",
    "metadata": {
      "category": "Cost Management"
    },
    "policyDefinitionGroups": [
      {
        "name": "CostSaving",
        "displayName": "Cost Management Policies",
        "description": "Policies designed to control spend within a subscription."
      },
      {
        "name": "Organizational",
        "displayName": "Organizational Policies",
        "description": "Policies that help enforce resource organization standards within a subscription."
      }
    ],
    "policyDefinitions": [
      {
        "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
        "policyDefinitionReferenceId": "Limit_Skus",
        "groupNames": [
          "CostSaving"
        ],
        "parameters": {
          "listOfAllowedSKUs": {
            "value": [
              "Standard_GRS",
              "Standard_LRS"
            ]
          }
        }
      },
      {
        "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "policyDefinitionReferenceId": "Resource_Naming",
        "groupNames": [
          "Organizational"
        ],
        "parameters": {
          "prefix": {
            "value": "DeptA"
          },
          "suffix": {
            "value": "-LC"
          }
        }
      }
    ]
  }
}

Sample response

{
  "id": "/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "CostManagement",
  "properties": {
    "displayName": "Cost Management",
    "description": "Policies to enforce low cost storage SKUs",
    "metadata": {
      "category": "Cost Management"
    },
    "version": "1.2.1",
    "versions": [
      "1.2.1",
      "1.0.0"
    ],
    "policyDefinitionGroups": [
      {
        "name": "CostSaving",
        "displayName": "Cost Management Policies",
        "description": "Policies designed to control spend within a subscription."
      },
      {
        "name": "Organizational",
        "displayName": "Organizational Policies",
        "description": "Policies that help enforce resource organization standards within a subscription."
      }
    ],
    "policyDefinitions": [
      {
        "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
        "definitionVersion": "1.*.*",
        "policyDefinitionReferenceId": "Limit_Skus",
        "groupNames": [
          "CostSaving"
        ],
        "parameters": {
          "listOfAllowedSKUs": {
            "value": [
              "Standard_GRS",
              "Standard_LRS"
            ]
          }
        }
      },
      {
        "policyDefinitionId": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "definitionVersion": "1.*.*",
        "policyDefinitionReferenceId": "Resource_Naming",
        "groupNames": [
          "Organizational"
        ],
        "parameters": {
          "prefix": {
            "value": "DeptA"
          },
          "suffix": {
            "value": "-LC"
          }
        }
      }
    ]
  }
}
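The constraints this page places on a request (the name pattern, the required policyDefinitions array, the #.#.# version format, the policyType values, and reference IDs that are unique within the set) can be checked locally before the PUT is sent. The Python below is an added example, not part of the Azure documentation. The names validate_policy_set, DEF and SAMPLE_BODY, the exact version regex, the mandatory policyDefinitionId and the groupNames cross-check are assumptions of this example.

```python
import re

# Name pattern copied from the URI Parameters table on this page.
NAME_RE = re.compile(r"^[^<>*%&:\?.+/]*[^<>*%&:\?.+/ ]+$")
# The page only says "#.#.# format"; reading "#" as one or more digits is an assumption.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")
POLICY_TYPES = {"NotSpecified", "BuiltIn", "Custom", "Static"}


def validate_policy_set(name, body):
    """Return a list of problems found in a policy set definition PUT body."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"name {name!r} does not match the documented pattern")
    props = body.get("properties", {})
    refs = props.get("policyDefinitions")
    if not isinstance(refs, list):
        problems.append("properties.policyDefinitions (required) is missing")
        refs = []
    version = props.get("version")
    if version is not None and not VERSION_RE.match(version):
        problems.append(f"version {version!r} is not in #.#.# format")
    ptype = props.get("policyType")
    if ptype is not None and ptype not in POLICY_TYPES:
        problems.append(f"policyType {ptype!r} is not a documented value")
    groups = {g.get("name") for g in props.get("policyDefinitionGroups", [])}
    seen = set()
    for i, ref in enumerate(refs):
        ref_id = ref.get("policyDefinitionReferenceId")
        label = ref_id or f"policyDefinitions[{i}]"
        # Treating policyDefinitionId as mandatory per reference is an assumption.
        if not ref.get("policyDefinitionId"):
            problems.append(f"{label}: policyDefinitionId is missing")
        # The reference id must be unique within the policy set definition.
        if ref_id is not None and ref_id in seen:
            problems.append(f"{label}: duplicate policyDefinitionReferenceId")
        seen.add(ref_id)
        for group in ref.get("groupNames", []):
            if group not in groups:
                problems.append(f"{label}: group {group!r} is not defined")
    return problems


# Constructed sample, shortened from the "with groups" request on this page.
DEF = "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/"
SAMPLE_BODY = {
    "properties": {
        "displayName": "Cost Management",
        "policyDefinitionGroups": [{"name": "CostSaving"}, {"name": "Organizational"}],
        "policyDefinitions": [
            {"policyDefinitionId": DEF + "7433c107-6db4-4ad1-b57a-a76dce0154a1",
             "policyDefinitionReferenceId": "Limit_Skus", "groupNames": ["CostSaving"]},
            {"policyDefinitionId": DEF + "ResourceNaming",
             "policyDefinitionReferenceId": "Resource_Naming", "groupNames": ["Organizational"]},
        ],
    },
}

if __name__ == "__main__":
    print(validate_policy_set("CostManagement", SAMPLE_BODY) or "no problems found")
```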

Definitions

| Name | Description |
| --- | --- |
| CloudError | An error response from a policy operation. |
| createdByType | The type of identity that created the resource. |
| ErrorAdditionalInfo | The resource management error additional info. |
| ErrorResponse | Error Response |
| Metadata | General metadata for the parameter. |
| ParameterDefinitionsValue | The definition of a parameter that can be provided to the policy. |
| parameterType | The data type of the parameter. |
| ParameterValuesValue | The value of a parameter. |
| PolicyDefinitionGroup | The policy definition group. |
| PolicyDefinitionReference | The policy definition reference. |
| PolicySetDefinition | The policy set definition. |
| policyType | The type of policy set definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. |
| systemData | Metadata pertaining to creation and last modification of the resource. |

CloudError

An error response from a policy operation.

| Name | Type | Description |
| --- | --- | --- |
| error | ErrorResponse | Error Response. Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.) |

createdByType

The type of identity that created the resource.

| Name | Type | Description |
| --- | --- | --- |
| Application | string | |
| Key | string | |
| ManagedIdentity | string | |
| User | string | |

ErrorAdditionalInfo

The resource management error additional info.

| Name | Type | Description |
| --- | --- | --- |
| info | object | The additional info. |
| type | string | The additional info type. |

ErrorResponse

Error Response

| Name | Type | Description |
| --- | --- | --- |
| additionalInfo | ErrorAdditionalInfo[] | The error additional info. |
| code | string | The error code. |
| details | ErrorResponse[] | The error details. |
| message | string | The error message. |
| target | string | The error target. |

Metadata

General metadata for the parameter.

| Name | Type | Description |
| --- | --- | --- |
| assignPermissions | boolean | Set to true to have Azure portal create role assignments on the resource ID or resource scope value of this parameter during policy assignment. This property is useful in case you wish to assign permissions outside the assignment scope. |
| description | string | The description of the parameter. |
| displayName | string | The display name for the parameter. |
| strongType | string | Used when assigning the policy definition through the portal. Provides a context aware list of values for the user to choose from. |

ParameterDefinitionsValue

The definition of a parameter that can be provided to the policy.

| Name | Type | Description |
| --- | --- | --- |
| allowedValues | object[] | The allowed values for the parameter. |
| defaultValue | object | The default value for the parameter if no value is provided. |
| metadata | Metadata | General metadata for the parameter. |
| schema | object | Provides validation of parameter inputs during assignment using a self-defined JSON schema. This property is only supported for object-type parameters and follows the Json.NET Schema 2019-09 implementation. You can learn more about using schemas at https://json-schema.org/ and test draft schemas at https://www.jsonschemavalidator.net/. |
| type | parameterType | The data type of the parameter. |

parameterType

The data type of the parameter.

| Name | Type | Description |
| --- | --- | --- |
| Array | string | |
| Boolean | string | |
| DateTime | string | |
| Float | string | |
| Integer | string | |
| Object | string | |
| String | string | |

ParameterValuesValue

The value of a parameter.

| Name | Type | Description |
| --- | --- | --- |
| value | object | The value of the parameter. |

PolicyDefinitionGroup

The policy definition group.

| Name | Type | Description |
| --- | --- | --- |
| additionalMetadataId | string | A resource ID of a resource that contains additional metadata about the group. |
| category | string | The group's category. |
| description | string | The group's description. |
| displayName | string | The group's display name. |
| name | string | The name of the group. |

PolicyDefinitionReference

The policy definition reference.

| Name | Type | Description |
| --- | --- | --- |
| definitionVersion | string | The version of the policy definition to use. |
| effectiveDefinitionVersion | string | The effective version of the policy definition in use. This is only present if requested via the $expand query parameter. |
| groupNames | string[] | The name of the groups that this policy definition reference belongs to. |
| latestDefinitionVersion | string | The latest version of the policy definition available. This is only present if requested via the $expand query parameter. |
| parameters | <string, ParameterValuesValue> | The parameter values for the referenced policy rule. The keys are the parameter names. |
| policyDefinitionId | string | The ID of the policy definition or policy set definition. |
| policyDefinitionReferenceId | string | A unique id (within the policy set definition) for this policy definition reference. |

PolicySetDefinition

The policy set definition.

| Name | Type | Description |
| --- | --- | --- |
| id | string | The ID of the policy set definition. |
| name | string | The name of the policy set definition. |
| properties.description | string | The policy set definition description. |
| properties.displayName | string | The display name of the policy set definition. |
| properties.metadata | object | The policy set definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
| properties.parameters | <string, ParameterDefinitionsValue> | The policy set definition parameters that can be used in policy definition references. |
| properties.policyDefinitionGroups | PolicyDefinitionGroup[] | The metadata describing groups of policy definition references within the policy set definition. |
| properties.policyDefinitions | PolicyDefinitionReference[] | An array of policy definition references. |
| properties.policyType | policyType | The type of policy set definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. |
| properties.version | string | The policy set definition version in #.#.# format. |
| properties.versions | string[] | A list of available versions for this policy set definition. |
| systemData | systemData | The system metadata relating to this resource. |
| type | string | The type of the resource (Microsoft.Authorization/policySetDefinitions). |

policyType

The type of policy set definition. Possible values are NotSpecified, BuiltIn, Custom, and Static.

| Name | Type | Description |
| --- | --- | --- |
| BuiltIn | string | |
| Custom | string | |
| NotSpecified | string | |
| Static | string | |

systemData

Metadata pertaining to creation and last modification of the resource.

| Name | Type | Description |
| --- | --- | --- |
| createdAt | string | The timestamp of resource creation (UTC). |
| createdBy | string | The identity that created the resource. |
| createdByType | createdByType | The type of identity that created the resource. |
| lastModifiedAt | string | The timestamp of resource last modification (UTC). |
| lastModifiedBy | string | The identity that last modified the resource. |
| lastModifiedByType | createdByType | The type of identity that last modified the resource. |