Policy Assignments - Update By Id

Updates a policy assignment.
This operation updates the policy assignment with the given ID. Policy assignments made on a scope apply to all resources contained in that scope. For example, when you assign a policy to a resource group that policy applies to all resources in the group. Policy assignment IDs have this format: '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'.

PATCH https://management.azure.com/{policyAssignmentId}?api-version=2023-04-01

URI Parameters

Name In Required Type Description
policyAssignmentId
path True

string

The ID of the policy assignment to update. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'.

api-version
query True

string

The API version to use for this operation.

Request Body

Name Type Description
identity

Identity

The managed identity associated with the policy assignment.

location

string

The location of the policy assignment. Only required when utilizing managed identity.

properties.overrides

Override[]

The policy property value override.

properties.resourceSelectors

ResourceSelector[]

The resource selector list to filter policies by resource properties.

Responses

Name Type Description
200 OK

PolicyAssignment

OK - Returns information about the policy assignment.

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Update policy assignment with a managed identity by ID

Sample request

PATCH https://management.azure.com/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage?api-version=2023-04-01

{
  "identity": {
    "type": "SystemAssigned"
  },
  "location": "eastus"
}

Sample response

{
  "properties": {
    "displayName": "Enforce storage account SKU",
    "description": "Allow only storage accounts of SKU Standard_GRS or Standard_LRS to be created",
    "metadata": {
      "assignedBy": "Cheapskate Boss"
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
    "definitionVersion": "1.*.*",
    "notScopes": [],
    "parameters": {
      "listOfAllowedSKUs": {
        "value": [
          "Standard_GRS",
          "Standard_LRS"
        ]
      }
    },
    "enforcementMode": "Default"
  },
  "identity": {
    "type": "SystemAssigned",
    "principalId": "e6d23f8d-af97-4fbc-bda6-00604e4e3d0a",
    "tenantId": "4bee2b8a-1bee-47c2-90e9-404241551135"
  },
  "location": "eastus",
  "id": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyAssignments/LowCostStorage",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "LowCostStorage"
}

Definitions

Name Description
CloudError

An error response from a policy operation.

createdByType

The type of identity that created the resource.

enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

ErrorAdditionalInfo

The resource management error additional info.

ErrorResponse

Error Response

Identity

Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.

NonComplianceMessage

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.

Override

The policy property value override.

OverrideKind

The override kind.

ParameterValuesValue

The value of a parameter.

PolicyAssignment

The policy assignment.

PolicyAssignmentUpdate

The policy assignment for Patch request.

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

ResourceSelector

The resource selector to filter policies by resource properties.

Selector

The selector expression.

SelectorKind

The selector kind.

systemData

Metadata pertaining to creation and last modification of the resource.

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

CloudError

An error response from a policy operation.

Name Type Description
error

ErrorResponse

Error Response
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

enforcementMode

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

Name Type Description
Default

string

The policy effect is enforced during resource creation or update.

DoNotEnforce

string

The policy effect is not enforced during resource creation or update.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.

type

string

The additional info type.

ErrorResponse

Error Response

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.

code

string

The error code.

details

ErrorResponse[]

The error details.

message

string

The error message.

target

string

The error target.

Identity

Identity for the resource. Policy assignments support a maximum of one identity. That is either a system assigned identity or a single user assigned identity.

Name Type Description
principalId

string

The principal ID of the resource identity. This property will only be provided for a system assigned identity

tenantId

string

The tenant ID of the resource identity. This property will only be provided for a system assigned identity

type

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

userAssignedIdentities

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

NonComplianceMessage

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.

Name Type Description
message

string

A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results.

policyDefinitionReferenceId

string

The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment.

Override

The policy property value override.

Name Type Description
kind

OverrideKind

The override kind.

selectors

Selector[]

The list of the selector expressions.

value

string

The value to override the policy property.

OverrideKind

The override kind.

Name Type Description
policyEffect

string

It will override the policy effect type.

ParameterValuesValue

The value of a parameter.

Name Type Description
value

object

The value of the parameter.

PolicyAssignment

The policy assignment.

Name Type Default value Description
id

string

The ID of the policy assignment.

identity

Identity

The managed identity associated with the policy assignment.

location

string

The location of the policy assignment. Only required when utilizing managed identity.

name

string

The name of the policy assignment.

properties.definitionVersion

string

The version of the policy definition to use.

properties.description

string

This message will be part of response in case of policy violation.

properties.displayName

string

The display name of the policy assignment.

properties.effectiveDefinitionVersion

string

The effective version of the policy definition in use. This is only present if requested via the $expand query parameter.

properties.enforcementMode

enforcementMode

Default

The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.

properties.latestDefinitionVersion

string

The latest version of the policy definition available. This is only present if requested via the $expand query parameter.

properties.metadata

object

The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.

properties.nonComplianceMessages

NonComplianceMessage[]

The messages that describe why a resource is non-compliant with the policy.

properties.notScopes

string[]

The policy's excluded scopes.

properties.overrides

Override[]

The policy property value override.

properties.parameters

<string,  ParameterValuesValue>

The parameter values for the assigned policy rule. The keys are the parameter names.

properties.policyDefinitionId

string

The ID of the policy definition or policy set definition being assigned.

properties.resourceSelectors

ResourceSelector[]

The resource selector list to filter policies by resource properties.

properties.scope

string

The scope for the policy assignment.

systemData

systemData

The system metadata relating to this resource.

type

string

The type of the policy assignment.

PolicyAssignmentUpdate

The policy assignment for Patch request.

Name Type Description
identity

Identity

The managed identity associated with the policy assignment.

location

string

The location of the policy assignment. Only required when utilizing managed identity.

properties.overrides

Override[]

The policy property value override.

properties.resourceSelectors

ResourceSelector[]

The resource selector list to filter policies by resource properties.

ResourceIdentityType

The identity type. This is the only required field when adding a system or user assigned identity to a resource.

Name Type Description
None

string

Indicates that no identity is associated with the resource or that the existing identity should be removed.

SystemAssigned

string

Indicates that a system assigned identity is associated with the resource.

UserAssigned

string

Indicates that a system assigned identity is associated with the resource.

ResourceSelector

The resource selector to filter policies by resource properties.

Name Type Description
name

string

The name of the resource selector.

selectors

Selector[]

The list of the selector expressions.

Selector

The selector expression.

Name Type Description
in

string[]

The list of values to filter in.

kind

SelectorKind

The selector kind.

notIn

string[]

The list of values to filter out.

SelectorKind

The selector kind.

Name Type Description
policyDefinitionReferenceId

string

The selector kind to filter policies by the policy definition reference ID.

resourceLocation

string

The selector kind to filter policies by the resource location.

resourceType

string

The selector kind to filter policies by the resource type.

resourceWithoutLocation

string

The selector kind to filter policies by the resource without location.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

UserAssignedIdentities

The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Name Type Description