Policy Restrictions - Check At Resource Group Scope
Checks what restrictions Azure Policy will place on a resource within a resource group. Use this when the resource group the resource will be created in is already known.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string | The ID of the target subscription. |
api-version | query | True | string | The API version to use for this operation. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
resourceDetails | True | | The information about the resource that will be evaluated. |
includeAuditEffect | | boolean | Whether to include policies with the 'audit' effect in the results. Defaults to false. |
pendingFields | | | The list of fields and values that should be evaluated for potential restrictions. |
Responses
Name | Type | Description |
---|---|---|
200 OK | | The restrictions that will be placed on the resource by Azure Policy. |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Check policy restrictions at resource group scope
Sample request
```http
POST https://management.azure.com/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/vmRg/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01

{
  "resourceDetails": {
    "resourceContent": {
      "type": "Microsoft.Compute/virtualMachines",
      "properties": {
        "priority": "Spot"
      }
    },
    "apiVersion": "2019-12-01"
  },
  "pendingFields": [
    {
      "field": "name",
      "values": [
        "myVMName"
      ]
    },
    {
      "field": "location",
      "values": [
        "eastus",
        "westus",
        "westus2",
        "westeurope"
      ]
    },
    {
      "field": "tags"
    }
  ]
}
```
Sample response
```json
{
  "fieldRestrictions": [
    {
      "field": "tags.newtag",
      "restrictions": [
        {
          "result": "Required",
          "defaultValue": "defaultVal",
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "tags.newtag is required"
        }
      ]
    },
    {
      "field": "tags.environment",
      "restrictions": [
        {
          "result": "Required",
          "values": [
            "Prod",
            "Int",
            "Test"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "tags.environment is required"
        }
      ]
    },
    {
      "field": "location",
      "restrictions": [
        {
          "result": "Deny",
          "values": [
            "west europe"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "location must be one of the following: eastus, westus, westus2"
        },
        {
          "result": "Deny",
          "values": [
            "eastus",
            "westus"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "location must be one of the following: westus2"
        }
      ]
    }
  ],
  "contentEvaluationResult": {
    "policyEvaluations": [
      {
        "policyInfo": {
          "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41",
          "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E",
          "policyDefinitionReferenceId": "defref222",
          "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37"
        },
        "evaluationResult": "NonCompliant",
        "evaluationDetails": {
          "evaluatedExpressions": [
            {
              "result": "True",
              "expressionKind": "field",
              "expression": "type",
              "path": "type",
              "expressionValue": "microsoft.compute/virtualmachines",
              "targetValue": "microsoft.compute/virtualmachines",
              "operator": "equals"
            }
          ]
        },
        "effectDetails": {
          "policyEffect": "Deny"
        }
      }
    ]
  }
}
```
Check policy restrictions at resource group scope including audit effect
Sample request
```http
POST https://management.azure.com/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/vmRg/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01

{
  "resourceDetails": {
    "resourceContent": {
      "type": "Microsoft.Compute/virtualMachines",
      "properties": {
        "priority": "Spot"
      }
    },
    "apiVersion": "2019-12-01"
  },
  "pendingFields": [
    {
      "field": "name",
      "values": [
        "myVMName"
      ]
    },
    {
      "field": "location",
      "values": [
        "eastus",
        "westus",
        "westus2",
        "westeurope"
      ]
    },
    {
      "field": "tags"
    }
  ],
  "includeAuditEffect": true
}
```
Sample response
```json
{
  "fieldRestrictions": [
    {
      "field": "tags.newtag",
      "restrictions": [
        {
          "result": "Required",
          "defaultValue": "defaultVal",
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "tags.newtag is required"
        }
      ]
    },
    {
      "field": "tags.environment",
      "restrictions": [
        {
          "result": "Required",
          "values": [
            "Prod",
            "Int",
            "Test"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Audit",
          "reason": "tags.environment is required"
        }
      ]
    },
    {
      "field": "location",
      "restrictions": [
        {
          "result": "Deny",
          "values": [
            "west europe"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "The selected location is not allowed"
        },
        {
          "result": "Audit",
          "values": [
            "eastus",
            "westus"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Audit",
          "reason": "The selected location is not allowed"
        }
      ]
    }
  ],
  "contentEvaluationResult": {
    "policyEvaluations": [
      {
        "policyInfo": {
          "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41",
          "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E",
          "policyDefinitionReferenceId": "defref222",
          "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37"
        },
        "evaluationResult": "NonCompliant",
        "evaluationDetails": {
          "evaluatedExpressions": [
            {
              "result": "True",
              "expressionKind": "field",
              "expression": "type",
              "path": "type",
              "expressionValue": "microsoft.compute/virtualmachines",
              "targetValue": "microsoft.compute/virtualmachines",
              "operator": "equals"
            }
          ],
          "reason": "Resource creation of the selected type is not allowed"
        },
        "effectDetails": {
          "policyEffect": "Audit"
        }
      }
    ]
  }
}
```
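The two sample responses differ only in which restrictions carry a `Deny` effect and which carry `Audit`, so a pre-deployment gate has to read `policyEffect` as well as `result`. The following is an added example, not part of the original reference or of any Azure SDK: it triages candidate values for one pending field. The helper names (`triage_field`, `required_fields`, `_norm`) are hypothetical, the embedded response is a constructed excerpt of the audit-effect sample with the `policy` references omitted, and treating only a `Deny` effect as blocking is this example's assumption.

```python
import json

# Constructed excerpt of the audit-effect sample response above
# (policy references omitted for brevity).
SAMPLE = json.loads("""
{"fieldRestrictions": [
  {"field": "tags.environment", "restrictions": [
    {"result": "Required", "values": ["Prod", "Int", "Test"], "policyEffect": "Audit"}]},
  {"field": "location", "restrictions": [
    {"result": "Deny", "values": ["west europe"], "policyEffect": "Deny"},
    {"result": "Audit", "values": ["eastus", "westus"], "policyEffect": "Audit"}]}
]}
""")

def _norm(value):
    # Assumption: compare case-insensitively and ignore spaces, because the sample
    # response reports "west europe" for the requested candidate "westeurope".
    return "".join(value.split()).casefold()

def triage_field(response, field, candidates):
    """Split candidate values for one field into allowed / blocked / audited."""
    blocked, audited = set(), set()
    for entry in response.get("fieldRestrictions", []):
        if entry.get("field", "").casefold() != field.casefold():
            continue
        for r in entry.get("restrictions", []):
            listed = {_norm(v) for v in r.get("values", [])}
            result = r.get("result")
            if result in ("Deny", "Audit"):
                hit = {c for c in candidates if _norm(c) in listed}
            elif result == "Required" and listed:
                hit = {c for c in candidates if _norm(c) not in listed}
            else:
                continue  # "Removed", or "Required" without a value list
            effect = (r.get("policyEffect") or "").casefold()
            if effect == "deny":      # assumed blocking: deployment would fail
                blocked |= hit
            elif effect == "audit":   # logged as non-compliant, not blocked
                audited |= hit
    return {"allowed": [c for c in candidates if c not in blocked],
            "blocked": sorted(blocked), "audited": sorted(audited - blocked)}

def required_fields(response):
    """Map each field policy requires to (effect, accepted values, default)."""
    out = {}
    for entry in response.get("fieldRestrictions", []):
        for r in entry.get("restrictions", []):
            if r.get("result") == "Required":
                out[entry["field"]] = (r.get("policyEffect"),
                                       r.get("values", []), r.get("defaultValue"))
    return out
```

Run against the first sample response (no audit effect), the same triage leaves only `westus2` for `location`, which matches the `reason` string returned there.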
Definitions
Name | Description |
---|---|
CheckRestrictionEvaluationDetails | Policy evaluation details. |
CheckRestrictionsRequest | The check policy restrictions parameters describing the resource that is being evaluated. |
CheckRestrictionsResourceDetails | The information about the resource that will be evaluated. |
CheckRestrictionsResult | The result of a check policy restrictions evaluation on a resource. |
ContentEvaluationResult | Evaluation results for the provided partial resource content. |
ErrorDefinition | Error definition. |
ErrorResponse | Error response. |
ExpressionEvaluationDetails | Evaluation details of policy language expressions. |
FieldRestriction | The restrictions on a field imposed by a specific policy. |
FieldRestrictionResult | The type of restriction that is imposed on the field. |
FieldRestrictions | The restrictions that will be placed on a field in the resource by policy. |
IfNotExistsEvaluationDetails | Evaluation details of IfNotExists effect. |
PendingField | A field that should be evaluated against Azure Policy to determine restrictions. |
PolicyEffectDetails | The details of the effect that was applied to the resource. |
PolicyEvaluationResult | The result of a non-compliant policy evaluation against the given resource content. |
PolicyReference | Resource identifiers for a policy. |
TypedErrorInfo | Scenario specific error details. |
CheckRestrictionEvaluationDetails
Policy evaluation details.
Name | Type | Description |
---|---|---|
evaluatedExpressions | | Details of the evaluated expressions. |
ifNotExistsDetails | | Evaluation details of IfNotExists effect. |
reason | string | The reason for the evaluation result. |
CheckRestrictionsRequest
The check policy restrictions parameters describing the resource that is being evaluated.
Name | Type | Default value | Description |
---|---|---|---|
includeAuditEffect | boolean | False | Whether to include policies with the 'audit' effect in the results. Defaults to false. |
pendingFields | | | The list of fields and values that should be evaluated for potential restrictions. |
resourceDetails | | | The information about the resource that will be evaluated. |
CheckRestrictionsResourceDetails
The information about the resource that will be evaluated.
Name | Type | Description |
---|---|---|
apiVersion | string | The api-version of the resource content. |
resourceContent | object | The resource content. This should include whatever properties are already known and can be a partial set of all resource properties. |
scope | string | The scope where the resource is being created. For example, if the resource is a child resource this would be the parent resource's resource ID. |
CheckRestrictionsResult
The result of a check policy restrictions evaluation on a resource.
Name | Type | Description |
---|---|---|
contentEvaluationResult | | Evaluation results for the provided partial resource content. |
fieldRestrictions | | The restrictions that will be placed on various fields in the resource by policy. |
ContentEvaluationResult
Evaluation results for the provided partial resource content.
Name | Type | Description |
---|---|---|
policyEvaluations | | Policy evaluation results against the given resource content. This will indicate if the partial content that was provided will be denied as-is. |
ErrorDefinition
Error definition.
Name | Type | Description |
---|---|---|
additionalInfo | | Additional scenario specific error details. |
code | string | Service specific error code which serves as the substatus for the HTTP error code. |
details | | Internal error details. |
message | string | Description of the error. |
target | string | The target of the error. |
ErrorResponse
Error response.
Name | Type | Description |
---|---|---|
error | | The error details. |
ExpressionEvaluationDetails
Evaluation details of policy language expressions.
Name | Type | Description |
---|---|---|
expression | string | Expression evaluated. |
expressionKind | string | The kind of expression that was evaluated. |
expressionValue | object | Value of the expression. |
operator | string | Operator to compare the expression value and the target value. |
path | string | Property path if the expression is a field or an alias. |
result | string | Evaluation result. |
targetValue | object | Target value to be compared with the expression value. |
FieldRestriction
The restrictions on a field imposed by a specific policy.
Name | Type | Description |
---|---|---|
defaultValue | string | The value that policy will set for the field if the user does not provide a value. |
policy | | The details of the policy that is causing the field restriction. |
policyEffect | string | The effect of the policy that is causing the field restriction. http://aka.ms/policyeffects |
reason | string | The reason for the restriction. |
result | | The type of restriction that is imposed on the field. |
values | string[] | The values that policy either requires or denies for the field. |
FieldRestrictionResult
The type of restriction that is imposed on the field.
Name | Type | Description |
---|---|---|
Audit | string | The field and/or values will be audited by policy. |
Deny | string | The field and/or values will be denied by policy. |
Removed | string | The field will be removed by policy. |
Required | string | The field and/or values are required by policy. |
FieldRestrictions
The restrictions that will be placed on a field in the resource by policy.
Name | Type | Description |
---|---|---|
field | string | The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias. |
restrictions | | The restrictions placed on that field by policy. |
IfNotExistsEvaluationDetails
Evaluation details of IfNotExists effect.
Name | Type | Description |
---|---|---|
resourceId | string | ID of the last evaluated resource for IfNotExists effect. |
totalResources | integer | Total number of resources to which the existence condition is applicable. |
PendingField
A field that should be evaluated against Azure Policy to determine restrictions.
Name | Type | Description |
---|---|---|
field | string | The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias. |
values | string[] | The list of potential values for the field that should be evaluated against Azure Policy. |
PolicyEffectDetails
The details of the effect that was applied to the resource.
Name | Type | Description |
---|---|---|
policyEffect | string | The effect that was applied to the resource. http://aka.ms/policyeffects |
PolicyEvaluationResult
The result of a non-compliant policy evaluation against the given resource content.
Name | Type | Description |
---|---|---|
effectDetails | | The details of the effect that was applied to the resource. |
evaluationDetails | | The detailed results of the policy expressions and values that were evaluated. |
evaluationResult | string | The result of the policy evaluation against the resource. This will typically be 'NonCompliant' but may contain other values if errors were encountered. |
policyInfo | | The details of the policy that was evaluated. |
PolicyReference
Resource identifiers for a policy.
Name | Type | Description |
---|---|---|
policyAssignmentId | string | The resource identifier of the policy assignment. |
policyDefinitionId | string | The resource identifier of the policy definition. |
policyDefinitionReferenceId | string | The reference identifier of a specific policy definition within a policy set definition. |
policySetDefinitionId | string | The resource identifier of the policy set definition. |
TypedErrorInfo
Scenario specific error details.
Name | Type | Description |
---|---|---|
info | | The scenario specific error details. |
type | string | The type of included error details. |