
New-AzPolicyAssignment

Creates a policy assignment.

Description

The New-AzPolicyAssignment cmdlet creates a policy assignment. Specify a policy and scope.

Example 1: Policy assignment at subscription level

The first command gets a subscription named Subscription01 by using the Get-AzSubscription cmdlet and stores it in the $Subscription variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the level of the subscription identified by the subscription scope string.

Example 2: Policy assignment at resource group level

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the level of the resource group identified by the ResourceId property of $ResourceGroup.

Example 3: Policy assignment at resource group level with policy parameter object

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet. The command stores that object in the $ResourceGroup variable. The second command gets the built-in policy definition for allowed locations by using the Get-AzPolicyDefinition cmdlet. The command stores that object in the $Policy variable. The third and fourth commands create an object containing all Azure regions with "east" in the name. The commands store that object in the $AllowedLocations variable. The final command assigns the policy in $Policy at the level of a resource group using the policy parameter object in $AllowedLocations. The ResourceId property of $ResourceGroup identifies the resource group.

Example 4: Policy assignment at resource group level with policy parameter file

Create a file called AllowedLocations.json in the local working directory with the following content.

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the built-in policy definition for allowed locations by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the resource group identified by the ResourceId property of $ResourceGroup using the policy parameter file AllowedLocations.json from the local working directory.

Example 5: Policy assignment with a system assigned managed identity

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy to the resource group. A system assigned managed identity is automatically created and assigned to the policy assignment.

Example 6: Policy assignment with a user assigned managed identity

The first command gets a resource group named ResourceGroup11 by using the Get-AzResourceGroup cmdlet and stores it in the $ResourceGroup variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The third command gets the user assigned managed identity named UserAssignedIdentity1 by using the Get-AzUserAssignedIdentity cmdlet and stores it in the $UserAssignedIdentity variable. The final command assigns the policy in $Policy to the resource group. The user assigned managed identity identified by the Id property of $UserAssignedIdentity is assigned to the policy assignment by passing that Id property to the IdentityId parameter.

Example 7: Policy assignment with an enforcement mode property

The first command gets a subscription named Subscription01 by using the Get-AzSubscription cmdlet and stores it in the $Subscription variable. The second command gets the policy definition named VirtualMachinePolicy by using the Get-AzPolicyDefinition cmdlet and stores it in the $Policy variable. The final command assigns the policy in $Policy at the level of the subscription identified by the subscription scope string. The assignment is created with an EnforcementMode value of DoNotEnforce, i.e. the policy effect is not enforced during resource creation or update; compliance is still evaluated and reported.

Example 8: Policy assignment with non-compliance messages

The first command gets the policy set definition named VirtualMachinePolicySet by using the Get-AzPolicySetDefinition cmdlet and stores it in the $PolicySet variable. The second command creates an array of two non-compliance messages: one general-purpose message for the entire assignment, and one message specific to a SKU restriction policy within the assigned policy set definition. The final command assigns the policy set definition in $PolicySet to the subscription with the two non-compliance messages, which are shown when a resource is denied by policy.
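The eight examples above describe their commands but the code itself did not survive on this page. The script below is an added example, not the code from the Microsoft Learn page, that reconstructs the scenarios of Examples 1 to 8 from those descriptions. It assumes an authenticated Az session (Connect-AzAccount), the Az.Resources 6.x object layout (definition properties under .Properties; in Az.Resources 7 they are top-level), and that the objects the examples refer to already exist: the custom definition VirtualMachinePolicy, the set definition VirtualMachinePolicySet, the resource group ResourceGroup11 and the identity UserAssignedIdentity1. The assignment names, the eastus location, the two-region file content, the Contributor role and the DefRef1 reference id are placeholders chosen for this example; listOfAllowedLocations is the parameter name of the built-in "Allowed locations" definition.

```powershell
# Added example (not from the Microsoft Learn page): Examples 1-8 as one script.
$ErrorActionPreference = 'Stop'

# Example 1: subscription scope, built from the subscription id.
$Subscription = Get-AzSubscription -SubscriptionName 'Subscription01'
$Policy       = Get-AzPolicyDefinition -Name 'VirtualMachinePolicy'
New-AzPolicyAssignment -Name 'VmPolicy-Sub' -PolicyDefinition $Policy `
    -Scope "/subscriptions/$($Subscription.Id)"

# Example 2: resource group scope, taken from the group's ResourceId.
$ResourceGroup = Get-AzResourceGroup -Name 'ResourceGroup11'
New-AzPolicyAssignment -Name 'VmPolicy-Rg' -PolicyDefinition $Policy `
    -Scope $ResourceGroup.ResourceId

# Example 3: built-in 'Allowed locations' with a parameter object built from
# Get-AzLocation. The hashtable key must match the definition's parameter name.
$LocationPolicy = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }
$EastRegions      = Get-AzLocation | Where-Object { $_.Location -like '*east*' }
$AllowedLocations = @{ 'listOfAllowedLocations' = ($EastRegions.Location) }
New-AzPolicyAssignment -Name 'RestrictLocations' -PolicyDefinition $LocationPolicy `
    -Scope $ResourceGroup.ResourceId -PolicyParameterObject $AllowedLocations

# Example 4: the same parameters read from AllowedLocations.json. The file content
# is constructed here; -PolicyParameter also accepts the JSON itself as a string.
$ParamFile = Join-Path (Get-Location) 'AllowedLocations.json'
@{ listOfAllowedLocations = @{ value = @('eastus', 'eastus2') } } |
    ConvertTo-Json -Depth 5 | Set-Content -Path $ParamFile
New-AzPolicyAssignment -Name 'RestrictLocationsFile' -PolicyDefinition $LocationPolicy `
    -Scope $ResourceGroup.ResourceId -PolicyParameter $ParamFile

# Example 5: system-assigned identity. -Location is mandatory with an identity, and
# the identity has no rights until a role is granted to it with New-AzRoleAssignment.
$SysAssignment = New-AzPolicyAssignment -Name 'VmPolicy-SysId' -PolicyDefinition $Policy `
    -Scope $ResourceGroup.ResourceId -IdentityType 'SystemAssigned' -Location 'eastus'
# Grant only what the deployIfNotExists/modify effect needs; Contributor is a placeholder.
New-AzRoleAssignment -ObjectId $SysAssignment.Identity.PrincipalId `
    -RoleDefinitionName 'Contributor' -Scope $ResourceGroup.ResourceId

# Example 6: user-assigned identity, passed by its resource Id.
$UserAssignedIdentity = Get-AzUserAssignedIdentity -ResourceGroupName 'ResourceGroup11' `
    -Name 'UserAssignedIdentity1'
New-AzPolicyAssignment -Name 'VmPolicy-UserId' -PolicyDefinition $Policy `
    -Scope $ResourceGroup.ResourceId -IdentityType 'UserAssigned' `
    -IdentityId $UserAssignedIdentity.Id -Location 'eastus'

# Example 7: DoNotEnforce records compliance state but does not block requests.
New-AzPolicyAssignment -Name 'VmPolicy-Audit' -PolicyDefinition $Policy `
    -Scope "/subscriptions/$($Subscription.Id)" -EnforcementMode DoNotEnforce

# Example 8: a policy set with one general message and one message tied to a
# member definition through its reference id ('DefRef1' is a placeholder).
$PolicySet = Get-AzPolicySetDefinition -Name 'VirtualMachinePolicySet'
$Messages  = @(
    @{ Message = 'Virtual machines must follow the platform baseline.' },
    @{ Message = 'Only approved VM SKUs are allowed.'; PolicyDefinitionReferenceId = 'DefRef1' }
)
New-AzPolicyAssignment -Name 'VmPolicySet-Sub' -PolicySetDefinition $PolicySet `
    -Scope "/subscriptions/$($Subscription.Id)" -NonComplianceMessage $Messages
```

Two points the examples leave implicit: the DoNotEnforce assignment in Example 7 is the safe first step for a new deny or modify policy, because compliance results accumulate without any request being blocked, and the role granted in Example 5 should be the narrowest one that lets the remediation deployment succeed rather than Contributor at the whole scope.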

-ApiVersion

Specifies the version of the resource provider API to use. If you do not specify a version, this cmdlet uses the latest available version.

-AssignIdentity

Generate and assign a system assigned managed identity for this policy assignment. The identity will be used when executing deployments for 'deployIfNotExists' and 'modify' policies. Location is required when assigning an identity.

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

-Description

The description for the policy assignment.

-DisplayName

Specifies a display name for the policy assignment.

-EnforcementMode

The enforcement mode for the policy assignment. Currently, the valid values are Default and DoNotEnforce.

-IdentityId

Specifies the Id of the user assigned managed identity to assign to this policy assignment. This value is required if the value 'UserAssigned' is passed to the -IdentityType parameter.

-IdentityType

Specifies the type of managed identity to assign to this policy assignment. If the 'SystemAssigned' value is provided, a system assigned managed identity is generated and assigned to this policy assignment. If the 'UserAssigned' value is provided, the user assigned identity passed via its Id to the -IdentityId parameter is assigned to this policy assignment. The identity will be used when executing deployments for 'deployIfNotExists' and 'modify' policies. Location is required when assigning an identity. Permissions must be granted to the identity using New-AzRoleAssignment after the system assigned identity is created. The IdentityType parameter will be given precedence if both the AssignIdentity and the IdentityType parameter are used.

-Location

The location of the policy assignment's resource identity. This is required when the -IdentityType value is provided.

-Metadata

The metadata for the new policy assignment. This can either be a path to a file name containing the metadata, or the metadata as a string.

-Name

Specifies a name for the policy assignment.

-NonComplianceMessage

The non-compliance messages that describe why a resource is non-compliant with the policy.

-NotScope

The not scopes for the policy assignment, i.e. the scopes within the assignment scope that are excluded from evaluation.

-PolicyDefinition

Specifies a policy, as a PsPolicyDefinition object that contains the policy rule.

-PolicyParameter

The policy parameter file path or policy parameter string.

-PolicyParameterObject

The policy parameter object.

-PolicySetDefinition

The policy set definition object.

-PreRegister

Indicates that this cmdlet considers pre-release API versions when it automatically determines which version to use.

-Scope

Specifies the scope at which to assign the policy. For instance, to assign a policy to a resource group, specify the following: /subscriptions/<subscription ID>/resourcegroups/<resource group name>

Inputs

PsPolicyDefinition

PsPolicySetDefinition

Nullable<Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy.PolicyAssignmentEnforcementMode> (Microsoft.Azure.PowerShell.Cmdlets.ResourceManager, Version=3.5.0.0, Culture=neutral, PublicKeyToken=null)

PsNonComplianceMessage[]

Outputs

PsPolicyAssignment

Related Links

  • Get-AzPolicyDefinition
  • Get-AzPolicyAssignment
  • Remove-AzPolicyAssignment
  • Set-AzPolicyAssignment


New-AzPolicyAssignment | Alya Cmdlet Reference

New-AzPolicyAssignment

Module: Az.Resources

Official Documentation: https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azpolicyassignment


The 'New-AzPolicyAssignment' cmdlet is a command in PowerShell that is used to create a policy assignment in Azure Policy. Azure Policy enables organizations to enforce their own governance and compliance rules for the resources present in their Azure environment. When creating a policy assignment, you can specify various parameters, such as the policy definition, scope, display name, and various other properties. These parameters help define the behavior and scope of the policy assignment. Once the policy assignment is created, it can be applied to a specific resource group or management group to enforce compliance rules on the resources within that scope. The policy assignment can help organizations ensure their resources are configured correctly and adhere to specific guidelines or regulations. The 'New-AzPolicyAssignment' cmdlet is a valuable tool for administrators managing Azure resources, as it allows for the automated enforcement of policies across an organization's Azure environment.

Some code snippets about this cmdlet from our scripts:

    Write-Warning "Enabling '$($enabledPolicy.Policy)' policy"
    $null = New-AzPolicyAssignment -Name $assignmentName -DisplayName $assignmentDisplayName -PolicySetDefinition $Policy -Scope "/subscriptions/$($sub.Id)"

This Cmdlet is used in following scripts:

  • \scripts\security\Onboard-SubscriptionsToDefender.ps1

This page was generated automatically and may contain errors. It does not claim to be complete or correct. All information without guarantee.

Creating Policy via the CLI

Specify the allowed VM SKU sizes using the Azure CLI.

Introduction

Most organizations want to give users freedom to create resources within Azure, but want to avoid users creating certain types of resources as some can be very expensive. In this lab we’ll specify which virtual machines a user is allowed to create and we’ll use Azure CLI to do so.

Registering the Policy provider

As we’re working in the Azure CLI, we first need to check that the policy resource provider is registered:

If not then register:

Viewing policy definitions and assignments

Let’s have a look at the current assignments through the CLI. We should be able to see the work we did in the previous lab.

View current assignments

No results? The default scope of the above command is the subscription you’re logged into, so assignments scoped to management groups or resource groups are not shown unless you specify that scope. To see all assignments you must disable the strict scope match.

Let’s see if there are any built in definitions to restrict which VM SKUs can be used:

To view all definitions:

Or to search for an existing definition containing “virtual machine”:

Notice that the name column is a GUID (and remains the same across all tenants); we can use the GUID in the next query to view the JSON of this policy definition.

Assign an inbuilt policy

Now that we know the policy’s name, what it does and what parameters it needs, we can assign it.

Test the policy

Now let’s test the assignment by creating virtual machines of two different sizes.

Using a Standard_B1s should fail

Using a Standard_D2s_v3 should succeed
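The lab's commands did not survive on this page. What follows is an added example, not the lab's own code, that runs the lab's steps against the Azure CLI from PowerShell: register the provider, list assignments with and without strict scope matching, locate the built-in definition by display name, assign it, and test with the two VM sizes. It assumes az login has been done, that a resource group exists (the policy-lab-rg name, the VM names and the Ubuntu2204 image alias are placeholders), and it uses the display name "Allowed virtual machine size SKUs" and the parameter name listOfAllowedSKUs of that built-in definition.

```powershell
# Added example (not the Azure Citadel lab's code): the lab steps via the Azure CLI.
$rg = 'policy-lab-rg'   # placeholder: an existing resource group

# Registering the Policy provider: check first, register only if needed.
$state = az provider show --namespace Microsoft.PolicyInsights --query registrationState --output tsv
if ($state -ne 'Registered') {
    az provider register --namespace Microsoft.PolicyInsights
}

# View current assignments: default scope is the login subscription; the second
# call disables strict scope matching so management group and resource group
# assignments are included.
az policy assignment list --output table
az policy assignment list --disable-scope-strict-match --output table

# Search the built-in definitions for "virtual machine" (JMESPath is case-sensitive).
az policy definition list --query "[?contains(displayName, 'virtual machine')].{name:name, displayName:displayName}" --output table

# Pick the SKU-restriction definition by its display name; the name is a GUID
# that is the same in every tenant, and show prints its JSON.
$defName = az policy definition list --query "[?displayName=='Allowed virtual machine size SKUs'].name" --output tsv |
    Select-Object -First 1
az policy definition show --name $defName

# Assign it to the resource group, allowing only Standard_D2s_v3. The parameter
# values are written to a file so no JSON has to survive PowerShell-to-az quoting.
$paramsFile = Join-Path (Get-Location) 'allowed-skus.json'
@{ listOfAllowedSKUs = @{ value = @('Standard_D2s_v3') } } |
    ConvertTo-Json -Depth 5 | Set-Content -Path $paramsFile
az policy assignment create --name 'allowed-vm-skus' --display-name 'Allowed VM SKUs' `
    --policy $defName --resource-group $rg --params $paramsFile

# Test: a Standard_B1s should be denied by the assignment ...
az vm create --resource-group $rg --name vm-b1s --image Ubuntu2204 --size Standard_B1s --generate-ssh-keys
if ($LASTEXITCODE -ne 0) { Write-Host 'Standard_B1s was denied by policy, as expected.' }

# ... and a Standard_D2s_v3 should succeed.
az vm create --resource-group $rg --name vm-d2s --image Ubuntu2204 --size Standard_D2s_v3 --generate-ssh-keys
if ($LASTEXITCODE -eq 0) { Write-Host 'Standard_D2s_v3 was allowed.' }
```

The denied request fails at the Resource Manager layer with a RequestDisallowedByPolicy error before anything is deployed, so nothing needs cleaning up from the first az vm create; the second VM is kept for the next lab, as the lab text says.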

Finishing up

That concludes this lab, where we’ve learnt about applying an inbuilt policy using the Azure CLI. The resources you’ve created will be used in the next lab so don’t delete them yet.

Next we’ll group policies together using an initiative and use automatic remediation.

Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request


Managing Policies with the Azure CLI

Policies are an important aspect of managing your Azure cloud and governing your resources intelligently. In this guide, we'll show how you can use the Azure CLI to make quick updates to policies.


Cloud technologies like Azure can appear deceptively simple, but not setting up a governance system in the initial stages can result in operational roadblocks further down the line.

While roles and groups enable flexible permissions for users, policies in Azure enable you to apply rules to the resources in your organization to govern compliance, cost limits, consistency, and security.

In this article, we’ll briefly explain the basics of policies, and then show how you can assign them to a scope of resources using the Azure CLI.

Understanding Policies in Azure

Azure policies are sets of rules that dictate what is allowed in either a specific resource group or across the account. For example, policies can be instituted to prevent over-provisioning and unexpected resource costs.

In practice, these policy definitions are described using JSON format and are then assigned to a certain scope of resources. If you have more than one related policy, that’s referred to as a policy initiative.

If a resource is updated or created in a way that violates a policy you have configured, then, depending on the effect you chose, Azure Policy denies the change, logs the issue, or applies additional remediation.

You can either use the built-in policy definitions or write fully custom ones; the Azure documentation on creating policy definitions covers the latter in detail.

Here’s what a policy definition looks like in practice:

Assigning a Policy to a Scope 

Once you have a policy definition that you are looking to implement, you do that with the az policy assignment create command:

As you can see, there are many parameters you can use to customize your policy assignment, including the enforcement options. These are the different types of scopes you can use when you’re assigning a policy:

  • Management group: a container that manages policies across multiple subscriptions
  • Subscription: uniquely-billed Azure account/plan
  • Resource group: a container that holds related resources
  • Resource: any entity managed by Azure (virtual machines, virtual networks, storage accounts, etc.)

Here’s an example using a management group as a scope.

Now that your policy is implemented, it will check compliance whenever a new resource in the scope is created or updated, policies in the scope are added or updated, as well as once every 24 hours.


Updating an Existing Policy Assignment

If you need to make updates to a policy, you can run the az policy assignment update command:

This update example changes the description of an existing policy:

Instead of updating a description, you might want to update these parameters:

  • --enforcement-mode -e: change the enforcement mode for the policy
  • --not-scopes: create exceptions within the scope where this policy doesn’t apply
  • --params -p: change the policy parameter values, given as a JSON-formatted string or as a path to a JSON file

Now that we’ve covered creating and updating policies, let’s look at deleting policies that are no longer relevant.

Deleting a Policy Assignment

To delete a policy assignment, you can use the az policy assignment delete command:

You can delete an assignment by specifying just the --name parameter; the CLI then looks for it in the current subscription.

Alternatively, you can delete an assignment that lives at a particular scope by also passing the --scope or --resource-group parameter.
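The article's three command listings did not survive on this page. The following is an added example, not the article's own code, showing the create, update and delete lifecycle it describes against a management group scope, run through the Azure CLI from PowerShell. It assumes az login has been done and that the caller has rights at the management group; the management group id, the policy definition name, the subscription id and the excluded sandbox resource group are placeholders.

```powershell
# Added example (not from the Blink article): assignment lifecycle at management group scope.
$mg      = '/providers/Microsoft.Management/managementGroups/contoso-platform'   # placeholder
$policy  = '<policy-definition-name-or-id>'                                       # placeholder
$sandbox = '/subscriptions/<subscription-id>/resourceGroups/sandbox-rg'          # placeholder

# Create: start in DoNotEnforce so compliance is recorded but nothing is blocked
# while the results are reviewed. The name must stay within 24 characters at
# management group scope.
az policy assignment create --name 'platform-baseline' --display-name 'Platform baseline' `
    --description 'Initial audit-only rollout' --policy $policy --scope $mg `
    --enforcement-mode DoNotEnforce

# Review what the assignment reports at that scope before turning enforcement on.
az policy assignment list --scope $mg --output table

# Update: switch to enforced, carve the sandbox group out with --not-scopes, and
# record why in the description.
az policy assignment update --name 'platform-baseline' --scope $mg `
    --enforcement-mode Default --not-scopes $sandbox `
    --description 'Enforced after audit review; sandbox-rg excluded'

# Delete: --scope is required here, otherwise the CLI looks for the name in the
# current subscription rather than at the management group.
az policy assignment delete --name 'platform-baseline' --scope $mg
```

Exclusions added with --not-scopes are worth tracking deliberately: each one is a place where the rule no longer applies, so listing assignments with non-empty notScopes (az policy assignment list --query "[?notScopes]" --output table) is a useful periodic check.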

Simplify Policy Updates with Blink

Instead of having to look up the specific command for each of these actions, tools like Blink enable you to keep your policies up to date easily with a low-code/ no-code UI.

Get started with Blink today and see how easy automation can be.


New-AzPolicyAssignment


How to create a new Azure Policy Assignment using Azure PowerShell.

Description:

An assignment can be defined as a policy that has been assigned to take place within a specific scope. The New-AzPolicyAssignment cmdlet creates a new policy assignment.

Example: The PowerShell commands below create a policy assignment at subscription level.

Line 1 is the Get-AzSubscription command, which gets the subscription named "Subscription 10" and stores it in the $Subscription variable.

Line 2 is the Get-AzPolicyDefinition command, which gets the policy definition named Virtual Machine and stores it in the $Policy variable.

Line 3 uses New-AzPolicyAssignment to assign the policy in $Policy at the level of the subscription identified by the subscription scope string.



New-AzPolicyAssignment to management group, assignment name limited to 24 characters #8992
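The issue title above records a request the service rejects only after the call is made: an assignment name longer than 24 characters at management group scope. The parameter reference earlier on this page lists other such preconditions (-Location required with an identity, -IdentityId required with UserAssigned, the two EnforcementMode values, the scope string format). The function below is an added helper, not part of the cmdlet, the issue, or any Microsoft code, that checks those preconditions locally before New-AzPolicyAssignment is invoked. The 24-character limit is applied only to management group scopes because that is the limit the issue reports; the GUID and scope patterns, the function name and the sample values in the usage call are assumptions made for this example.

```powershell
# Added helper (not part of Az.Resources): pre-flight checks for an assignment request.
function Test-PolicyAssignmentRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Scope,
        [string] $IdentityType,
        [string] $IdentityId,
        [string] $Location,
        [string] $EnforcementMode
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Scope must be one of the four forms the docs describe: management group,
    # subscription, resource group, or a single resource. -match is case-insensitive.
    $guid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    $scopePatterns = @(
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$',
        "^/subscriptions/$guid`$",
        "^/subscriptions/$guid/resourceGroups/[^/]+`$",
        "^/subscriptions/$guid/resourceGroups/[^/]+/providers/.+`$"
    )
    $scopeOk = $false
    foreach ($pattern in $scopePatterns) { if ($Scope -match $pattern) { $scopeOk = $true } }
    if (-not $scopeOk) { $problems.Add("Scope '$Scope' is not a management group, subscription, resource group or resource id.") }

    # Name length: the service rejects names over 24 characters at management group scope.
    $isManagementGroup = $Scope -match '^/providers/Microsoft\.Management/managementGroups/'
    if ($isManagementGroup -and $Name.Length -gt 24) {
        $problems.Add("Name '$Name' is $($Name.Length) characters; management group assignments allow at most 24.")
    }

    # Identity rules from the -IdentityType / -IdentityId / -Location descriptions.
    if ($IdentityType -and $IdentityType -notin @('SystemAssigned', 'UserAssigned')) {
        $problems.Add("IdentityType '$IdentityType' is not SystemAssigned or UserAssigned.")
    }
    if ($IdentityType -and -not $Location) {
        $problems.Add('Location is required when an identity is assigned.')
    }
    if ($IdentityType -eq 'UserAssigned' -and -not $IdentityId) {
        $problems.Add('IdentityId is required when IdentityType is UserAssigned.')
    }

    # Enforcement mode: only Default and DoNotEnforce are valid.
    if ($EnforcementMode -and $EnforcementMode -notin @('Default', 'DoNotEnforce')) {
        $problems.Add("EnforcementMode '$EnforcementMode' is not Default or DoNotEnforce.")
    }
    return $problems
}

# Usage (sample values constructed for this example): run the checks, and only call
# the cmdlet when nothing is reported.
$request = @{
    Name         = 'testing-long-policy-assignment-name'
    Scope        = '/providers/Microsoft.Management/managementGroups/contoso-root'
    IdentityType = 'SystemAssigned'
}
$issues = Test-PolicyAssignmentRequest @request
if ($issues.Count) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    # New-AzPolicyAssignment @request -PolicyDefinition $Policy
}
```

With the sample request the function reports two problems, the 35-character name and the missing Location, which is exactly the pair of errors the service would otherwise return one at a time.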


Get-AzPolicyAssignment

In this Azure PowerShell article, we will discuss the syntax and usage of the Get-AzPolicyAssignment PowerShell cmdlet and along with that, we will also discuss the use of the Get-AzPolicyAssignment PowerShell command with an example.


Get-AzPolicyAssignment is the Azure PowerShell command for retrieving policy assignments.

Below is the syntax of the Get-AzPolicyAssignment PowerShell command.

Now, let’s look at a few examples of how to use the Get-AzPolicyAssignment PowerShell command.

The PowerShell command below retrieves the list of policy assignments.

After running the above command, I got the below output.
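The command and its output did not survive on this page. The function below is an added example, not code from the article, showing what a practitioner usually does with the list Get-AzPolicyAssignment returns: a review pass that flags assignments in DoNotEnforce mode, assignments with exclusions, and assignments of deployIfNotExists or modify definitions that have no managed identity and so cannot remediate anything. It assumes an authenticated Az session, the Az.Resources 6.x object layout (assignment properties under .Properties, the identity under .Identity with a Type property; in Az.Resources 7 the properties are top-level), and a definition whose effect is written literally in the rule rather than supplied through a parameter. The function name is an assumption.

```powershell
# Added example (not from the article): review the assignments Get-AzPolicyAssignment returns.
function Get-PolicyAssignmentReview {
    [CmdletBinding()]
    param([string] $Scope)   # optional: restrict the listing to one scope

    $assignments = if ($Scope) { Get-AzPolicyAssignment -Scope $Scope } else { Get-AzPolicyAssignment }

    foreach ($a in $assignments) {
        $p     = $a.Properties
        $flags = @()

        # Audit-only assignments never block a request.
        if ($p.EnforcementMode -eq 'DoNotEnforce') { $flags += 'not enforced (DoNotEnforce)' }

        # Every exclusion is a place the rule no longer applies.
        if ($p.NotScopes) { $flags += "exclusions: $($p.NotScopes -join ', ')" }

        # deployIfNotExists and modify act through the assignment's managed identity;
        # without one the assignment only reports. Policy sets are skipped here
        # because their effects live in the member definitions.
        if ($p.PolicyDefinitionId -like '*/policyDefinitions/*' -and -not $a.Identity) {
            $def    = Get-AzPolicyDefinition -Id $p.PolicyDefinitionId
            $effect = [string]$def.Properties.PolicyRule.then.effect
            if ($effect -match '^(deployIfNotExists|modify)$') {
                $flags += "effect '$effect' but no managed identity"
            }
        }

        [pscustomobject]@{
            Name        = $a.Name
            DisplayName = $p.DisplayName
            Scope       = $p.Scope
            Enforcement = $p.EnforcementMode
            Identity    = if ($a.Identity) { $a.Identity.Type } else { 'none' }
            Flags       = ($flags -join '; ')
        }
    }
}

# Usage: the full listing, then only the assignments that raised a flag.
Get-PolicyAssignmentReview | Format-Table -AutoSize
Get-PolicyAssignmentReview | Where-Object Flags | Format-Table Name, Scope, Flags -AutoSize
```

Definitions that take their effect from a parameter (an effect of "[parameters('effect')]") are not resolved by this function; the value would have to be read from the assignment's Parameters property or the definition's default, which is left out here to keep the example short.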


In this Azure article, we discussed the syntax and usage of the Get-AzPolicyAssignment PowerShell cmdlet, along with some examples of how to use the command.


I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials. Read more .
