Policy Assignments - Update By Id
Updates a policy assignment.
This operation updates the policy assignment with the given ID. Policy assignments made on a scope apply to all resources contained in that scope. For example, when you assign a policy to a resource group that policy applies to all resources in the group. Policy assignment IDs have this format: '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'.
PATCH https://management.azure.com/{policyAssignmentId}?api-version=2023-04-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
policy
|
path | True |
string |
The ID of the policy assignment to update. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. |
api-version
|
query | True |
string |
The API version to use for this operation. |
Request Body
Name | Type | Description |
---|---|---|
identity |
The managed identity associated with the policy assignment. |
|
location |
string |
The location of the policy assignment. Only required when utilizing managed identity. |
properties.overrides |
Override[] |
The policy property value override. |
properties.resourceSelectors |
The resource selector list to filter policies by resource properties. |
Responses
Name | Type | Description |
---|---|---|
200 OK |
OK - Returns information about the policy assignment. |
|
Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Update policy assignment with a managed identity by ID
Sample request
PATCH https://management.azure.com/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage?api-version=2023-04-01
{
"identity": {
"type": "SystemAssigned"
},
"location": "eastus"
}
Sample response
{
"properties": {
"displayName": "Enforce storage account SKU",
"description": "Allow only storage accounts of SKU Standard_GRS or Standard_LRS to be created",
"metadata": {
"assignedBy": "Cheapskate Boss"
},
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"definitionVersion": "1.*.*",
"notScopes": [],
"parameters": {
"listOfAllowedSKUs": {
"value": [
"Standard_GRS",
"Standard_LRS"
]
}
},
"enforcementMode": "Default"
},
"identity": {
"type": "SystemAssigned",
"principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
"tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
},
"location": "eastus",
"id": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage",
"type": "Microsoft.Authorization/policyAssignments",
"name": "LowCostStorage"
}
Definitions
Name | Description |
---|---|
Cloud |
An error response from a policy operation. |
created |
The type of identity that created the resource. |
enforcement |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
Error |
The resource management error additional info. |
Error |
Error Response |
Identity |
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity. |
Non |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
Override |
The policy property value override. |
Override |
The override kind. |
Parameter |
The value of a parameter. |
Policy |
The policy assignment. |
Policy |
The policy assignment for Patch request. |
Resource |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
Resource |
The resource selector to filter policies by resource properties. |
Selector |
The selector expression. |
Selector |
The selector kind. |
system |
Metadata pertaining to creation and last modification of the resource. |
User |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
CloudError
An error response from a policy operation.
Name | Type | Description |
---|---|---|
error |
Error Response |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application |
string |
|
Key |
string |
|
ManagedIdentity |
string |
|
User |
string |
enforcementMode
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
Name | Type | Description |
---|---|---|
Default |
string |
The policy effect is enforced during resource creation or update. |
DoNotEnforce |
string |
The policy effect is not enforced during resource creation or update. |
ErrorAdditionalInfo
The resource management error additional info.
Name | Type | Description |
---|---|---|
info |
object |
The additional info. |
type |
string |
The additional info type. |
ErrorResponse
Error Response
Name | Type | Description |
---|---|---|
additionalInfo |
The error additional info. |
|
code |
string |
The error code. |
details |
The error details. |
|
message |
string |
The error message. |
target |
string |
The error target. |
Identity
Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.
Name | Type | Description |
---|---|---|
principalId |
string |
The principal ID of the resource identity. This property will only be provided for a system assigned identity |
tenantId |
string |
The tenant ID of the resource identity. This property will only be provided for a system assigned identity |
type |
The identity type. This is the only required field when adding a system or user assigned identity to a resource. |
|
userAssignedIdentities |
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
NonComplianceMessage
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.
Name | Type | Description |
---|---|---|
message |
string |
A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. |
policyDefinitionReferenceId |
string |
The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. |
Override
The policy property value override.
Name | Type | Description |
---|---|---|
kind |
The override kind. |
|
selectors |
Selector[] |
The list of the selector expressions. |
value |
string |
The value to override the policy property. |
OverrideKind
The override kind.
Name | Type | Description |
---|---|---|
policyEffect |
string |
It will override the policy effect type. |
ParameterValuesValue
The value of a parameter.
Name | Type | Description |
---|---|---|
value |
object |
The value of the parameter. |
PolicyAssignment
The policy assignment.
Name | Type | Default value | Description |
---|---|---|---|
id |
string |
The ID of the policy assignment. |
|
identity |
The managed identity associated with the policy assignment. |
||
location |
string |
The location of the policy assignment. Only required when utilizing managed identity. |
|
name |
string |
The name of the policy assignment. |
|
properties.definitionVersion |
string |
The version of the policy definition to use. |
|
properties.description |
string |
This message will be part of response in case of policy violation. |
|
properties.displayName |
string |
The display name of the policy assignment. |
|
properties.effectiveDefinitionVersion |
string |
The effective version of the policy definition in use. This is only present if requested via the $expand query parameter. |
|
properties.enforcementMode | Default |
The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. |
|
properties.latestDefinitionVersion |
string |
The latest version of the policy definition available. This is only present if requested via the $expand query parameter. |
|
properties.metadata |
object |
The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
|
properties.nonComplianceMessages |
The messages that describe why a resource is non-compliant with the policy. |
||
properties.notScopes |
string[] |
The policy's excluded scopes. |
|
properties.overrides |
Override[] |
The policy property value override. |
|
properties.parameters |
<string,
Parameter |
The parameter values for the assigned policy rule. The keys are the parameter names. |
|
properties.policyDefinitionId |
string |
The ID of the policy definition or policy set definition being assigned. |
|
properties.resourceSelectors |
The resource selector list to filter policies by resource properties. |
||
properties.scope |
string |
The scope for the policy assignment. |
|
systemData |
The system metadata relating to this resource. |
||
type |
string |
The type of the policy assignment. |
PolicyAssignmentUpdate
The policy assignment for Patch request.
Name | Type | Description |
---|---|---|
identity |
The managed identity associated with the policy assignment. |
|
location |
string |
The location of the policy assignment. Only required when utilizing managed identity. |
properties.overrides |
Override[] |
The policy property value override. |
properties.resourceSelectors |
The resource selector list to filter policies by resource properties. |
ResourceIdentityType
The identity type. This is the only required field when adding a system or user assigned identity to a resource.
Name | Type | Description |
---|---|---|
None |
string |
Indicates that no identity is associated with the resource or that the existing identity should be removed. |
SystemAssigned |
string |
Indicates that a system assigned identity is associated with the resource. |
UserAssigned |
string |
Indicates that a system assigned identity is associated with the resource. |
ResourceSelector
The resource selector to filter policies by resource properties.
Name | Type | Description |
---|---|---|
name |
string |
The name of the resource selector. |
selectors |
Selector[] |
The list of the selector expressions. |
Selector
The selector expression.
Name | Type | Description |
---|---|---|
in |
string[] |
The list of values to filter in. |
kind |
The selector kind. |
|
notIn |
string[] |
The list of values to filter out. |
SelectorKind
The selector kind.
Name | Type | Description |
---|---|---|
policyDefinitionReferenceId |
string |
The selector kind to filter policies by the policy definition reference ID. |
resourceLocation |
string |
The selector kind to filter policies by the resource location. |
resourceType |
string |
The selector kind to filter policies by the resource type. |
resourceWithoutLocation |
string |
The selector kind to filter policies by the resource without location. |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt |
string |
The timestamp of resource creation (UTC). |
createdBy |
string |
The identity that created the resource. |
createdByType |
The type of identity that created the resource. |
|
lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
lastModifiedBy |
string |
The identity that last modified the resource. |
lastModifiedByType |
The type of identity that last modified the resource. |
UserAssignedIdentities
The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Name | Type | Description |
---|---|---|
|