
az policy assignment

Manage resource policy assignments.


| Name | Description | Type | Status |
|---|---|---|---|
| az policy assignment create | Create a resource policy assignment. | Core | GA |
| az policy assignment delete | Delete a resource policy assignment. | Core | GA |
| az policy assignment identity | Manage a policy assignment's managed identity. | Core | GA |
| az policy assignment identity assign | Add a system assigned identity or a user assigned identity to a policy assignment. | Core | GA |
| az policy assignment identity remove | Remove a managed identity from a policy assignment. | Core | GA |
| az policy assignment identity show | Show a policy assignment's managed identity. | Core | GA |
| az policy assignment list | List resource policy assignments. | Core | GA |
| az policy assignment non-compliance-message | Manage a policy assignment's non-compliance messages. | Core | GA |
| az policy assignment non-compliance-message create | Add a non-compliance message to a policy assignment. | Core | GA |
| az policy assignment non-compliance-message delete | Remove one or more non-compliance messages from a policy assignment. | Core | GA |
| az policy assignment non-compliance-message list | List the non-compliance messages for a policy assignment. | Core | GA |
| az policy assignment show | Show a resource policy assignment. | Core | GA |
| az policy assignment update | Update a resource policy assignment. | Core | GA |

az policy assignment create

Create a resource policy assignment.

az policy assignment create [--description]
                            [--enforcement-mode {Default, DoNotEnforce}]


Create a resource policy assignment at scope.

Valid scopes are management group, subscription, resource group, and resource, for example:
   management group:  /providers/Microsoft.Management/managementGroups/MyManagementGroup
   subscription:      /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
   resource group:    /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
   resource:          /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM

az policy assignment create --scope \
    "/providers/Microsoft.Management/managementGroups/MyManagementGroup" \
    --policy {PolicyName} -p "{ \"allowedLocations\": \
    { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Create a resource policy assignment and provide rule parameter values.

az policy assignment create --policy {PolicyName} -p "{ \"allowedLocations\": \
    { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Create a resource policy assignment with a system assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --location eastus

Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --identity-scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role Contributor --location eastus

Create a resource policy assignment with a user assigned identity.

az policy assignment create --name myPolicy --policy {PolicyName} -g MyResourceGroup --mi-user-assigned myAssignedId --location westus

Create a resource policy assignment with an enforcement mode. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

az policy assignment create --name myPolicy --policy {PolicyName} --enforcement-mode 'DoNotEnforce'

Optional Parameters

--description

Description of the policy assignment.

--display-name

Display name of the policy assignment.

--enforcement-mode -e

Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

Accepted values: Default, DoNotEnforce
Default value: Default

--identity-scope

Scope that the system assigned identity can access.

--location -l

The location of the policy assignment. Only required when utilizing managed identity.

--mi-system-assigned

Provide this flag to use system assigned identity for policy assignment. Check out help for more examples.

--mi-user-assigned

User assigned identity ID to be used for policy assignment. Check out help for more examples.

--name -n

Name of the new policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string or a path to a file or URI with parameter values of the policy rule.

--policy

Name or ID of the policy definition. If not provided, a policy set definition parameter must be provided.

--policy-set-definition -d

Name or ID of the policy set definition. If not provided, a policy definition parameter must be provided.

--resource-group -g

The resource group where the policy will be applied.

--role

Role name or ID that will be assigned to the managed identity.

Default value: Contributor

--scope

Scope to which this policy assignment applies.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az policy assignment delete

Delete a resource policy assignment.

az policy assignment delete --name


Delete a resource policy assignment. (autogenerated)

az policy assignment delete --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.

az policy assignment list

List resource policy assignments.

az policy assignment list [--disable-scope-strict-match]

Optional Parameters

--disable-scope-strict-match

Include policy assignments either inherited from parent scope or at child scope.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.
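
An audit pass over the listing, as an added example that is not part of the original reference: it flags assignments that are in DoNotEnforce mode, carry excluded scopes, or attach a managed identity at management group or subscription scope. The JSON field names (enforcementMode, notScopes, identity, scope) are assumptions about the output of az policy assignment list -o json, the sample records are constructed, and the finding labels are hypothetical.

```python
import json
# Constructed sample shaped like `az policy assignment list -o json` output.
# Field names are assumptions about that output; names and ids are made up.
SAMPLE = json.loads("""
[
 {"name": "allowed-locations", "enforcementMode": "Default", "identity": null,
  "notScopes": [], "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"name": "deploy-diagnostics", "enforcementMode": "Default",
  "identity": {"type": "SystemAssigned"}, "notScopes": null,
  "scope": "/providers/Microsoft.Management/managementGroups/ExampleMG"},
 {"name": "deny-public-ip", "enforcementMode": "DoNotEnforce", "identity": null,
  "notScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/legacy"],
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
""")

def scope_kind(scope):
    """Classify a scope string using the four scope shapes listed on this page."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"] and len(parts) == 4:
        return "management group"
    if parts[0] != "subscriptions" or len(parts) < 2:
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if parts[2] == "resourcegroups" and len(parts) == 4:
        return "resource group"
    return "resource" if "providers" in parts[2:] else "unknown"

def audit(assignments):
    """Return (assignment name, finding) pairs that deserve a manual review."""
    findings = []
    for a in assignments:
        name = a.get("name", "?")
        # DoNotEnforce: the policy effect is not enforced.
        if (a.get("enforcementMode") or "Default").lower() == "donotenforce":
            findings.append((name, "not-enforced"))
        # notScopes: scopes where the assignment does not apply.
        if a.get("notScopes"):
            findings.append((name, "has-exclusions"))
        # Managed identity on a wide assignment: review the role it holds
        # (this page lists Contributor as the default value of --role).
        identity = a.get("identity") or {}
        if identity.get("type", "None") != "None" and \
                scope_kind(a.get("scope") or "") in ("management group", "subscription"):
            findings.append((name, "identity-at-broad-scope"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To run it on live data, replace SAMPLE with the parsed output of az policy assignment list --disable-scope-strict-match -o json.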

az policy assignment show

Show a resource policy assignment.

az policy assignment show --name


Show a resource policy assignment. (autogenerated)

az policy assignment show --name MyPolicyAssignment

Required Parameters

--name -n

Name of the policy assignment.

Optional Parameters

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.

az policy assignment update

Update a resource policy assignment.

az policy assignment update [--description]
                            [--enforcement-mode {Default, DoNotEnforce}]


Update a resource policy assignment's description.

az policy assignment update --name myPolicy --description 'My policy description'

Optional Parameters

--description

Description of the policy assignment.

--display-name

Display name of the policy assignment.

--enforcement-mode -e

Enforcement mode of the policy assignment, e.g. Default, DoNotEnforce. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.

Accepted values: Default, DoNotEnforce

--name -n

Name of the policy assignment.

--not-scopes

Space-separated scopes where the policy assignment does not apply.

--params -p

JSON formatted string or a path to a file or URI with parameter values of the policy rule.

--resource-group -g

The resource group where the policy will be applied.

--scope

Scope at which this policy assignment subcommand applies. Defaults to current context subscription.
