Policy Definitions - Create Or Update
Creates or updates a policy definition in a subscription.
This operation creates or updates a policy definition in the given subscription with the given name.
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}?api-version=2023-04-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
policy
|
path | True |
string |
The name of the policy definition to create. Regex pattern: |
|
subscription
|
path | True |
string uuid |
The ID of the target subscription. The value must be an UUID. |
|
api-version
|
query | True |
string |
The API version to use for this operation. |
Request Body
| Name | Type | Description |
|---|---|---|
| properties.description |
string |
The policy definition description. |
| properties.displayName |
string |
The display name of the policy definition. |
| properties.metadata |
object |
The policy definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
| properties.mode |
string |
The policy definition mode. Some examples are All, Indexed, Microsoft.KeyVault.Data. |
| properties.parameters |
<string,
Parameter |
The parameter definitions for parameters used in the policy rule. The keys are the parameter names. |
| properties.policyRule |
object |
The policy rule. |
| properties.policyType |
The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. |
|
| properties.version |
string |
The policy definition version in #.#.# format. |
| properties.versions |
string[] |
A list of available versions for this policy definition. |
Responses
| Name | Type | Description |
|---|---|---|
| 201 Created |
Created - Returns information about the policy definition. |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
| Create or update a policy definition |
| Create or update a policy definition with advanced parameters |
Create or update a policy definition
Sample request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming?api-version=2023-04-01
{
"properties": {
"mode": "All",
"displayName": "Enforce resource naming convention",
"description": "Force resource names to begin with given 'prefix' and/or end with given 'suffix'",
"metadata": {
"category": "Naming"
},
"policyRule": {
"if": {
"not": {
"field": "name",
"like": "[concat(parameters('prefix'), '*', parameters('suffix'))]"
}
},
"then": {
"effect": "deny"
}
},
"parameters": {
"prefix": {
"type": "String",
"metadata": {
"displayName": "Prefix",
"description": "Resource name prefix"
}
},
"suffix": {
"type": "String",
"metadata": {
"displayName": "Suffix",
"description": "Resource name suffix"
}
}
}
}
}
Sample response
{
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "ResourceNaming",
"properties": {
"mode": "All",
"displayName": "Naming Convention",
"description": "Force resource names to begin with 'prefix' and end with 'suffix'",
"metadata": {
"category": "Naming"
},
"version": "1.2.1",
"versions": [
"1.2.1",
"1.0.0"
],
"policyRule": {
"if": {
"not": {
"field": "name",
"like": "[concat(parameters('prefix'), '*', parameters('suffix'))]"
}
},
"then": {
"effect": "deny"
}
},
"parameters": {
"prefix": {
"type": "String",
"metadata": {
"displayName": "Prefix",
"description": "Resource name prefix"
}
},
"suffix": {
"type": "String",
"metadata": {
"displayName": "Suffix",
"description": "Resource name suffix"
}
}
},
"policyType": "Custom"
}
}Create or update a policy definition with advanced parameters
Sample request
PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/EventHubDiagnosticLogs?api-version=2023-04-01
{
"properties": {
"mode": "Indexed",
"displayName": "Event Hubs should have diagnostic logging enabled",
"description": "Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised",
"metadata": {
"category": "Event Hub"
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.EventHub/namespaces"
},
"then": {
"effect": "AuditIfNotExists",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
"equals": "true"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
"equals": "[parameters('requiredRetentionDays')]"
}
]
}
}
}
},
"parameters": {
"requiredRetentionDays": {
"type": "Integer",
"defaultValue": 365,
"allowedValues": [
0,
30,
90,
180,
365
],
"metadata": {
"displayName": "Required retention (days)",
"description": "The required diagnostic logs retention in days"
}
}
}
}
}
Sample response
{
"id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "ResourceNaming",
"properties": {
"mode": "Indexed",
"displayName": "Event Hubs should have diagnostic logging enabled",
"description": "Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised",
"metadata": {
"category": "Event Hub"
},
"version": "1.2.1",
"versions": [
"1.2.1",
"1.0.0"
],
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.EventHub/namespaces"
},
"then": {
"effect": "AuditIfNotExists",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
"equals": "true"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
"equals": "[parameters('requiredRetentionDays')]"
}
]
}
}
}
},
"parameters": {
"requiredRetentionDays": {
"type": "Integer",
"defaultValue": 365,
"allowedValues": [
0,
30,
90,
180,
365
],
"metadata": {
"displayName": "Required retention (days)",
"description": "The required diagnostic logs retention in days"
}
}
}
}
}Definitions
| Name | Description |
|---|---|
|
Cloud |
An error response from a policy operation. |
|
created |
The type of identity that created the resource. |
|
Error |
The resource management error additional info. |
|
Error |
Error Response |
| Metadata |
General metadata for the parameter. |
|
Parameter |
The definition of a parameter that can be provided to the policy. |
|
parameter |
The data type of the parameter. |
|
Policy |
The policy definition. |
|
policy |
The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. |
|
system |
Metadata pertaining to creation and last modification of the resource. |
CloudError
An error response from a policy operation.
| Name | Type | Description |
|---|---|---|
| error |
Error Response |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| Application | |
| Key | |
| ManagedIdentity | |
| User |
ErrorAdditionalInfo
The resource management error additional info.
| Name | Type | Description |
|---|---|---|
| info |
object |
The additional info. |
| type |
string |
The additional info type. |
ErrorResponse
Error Response
| Name | Type | Description |
|---|---|---|
| additionalInfo |
The error additional info. |
|
| code |
string |
The error code. |
| details |
The error details. |
|
| message |
string |
The error message. |
| target |
string |
The error target. |
Metadata
General metadata for the parameter.
| Name | Type | Description |
|---|---|---|
| assignPermissions |
boolean |
Set to true to have Azure portal create role assignments on the resource ID or resource scope value of this parameter during policy assignment. This property is useful in case you wish to assign permissions outside the assignment scope. |
| description |
string |
The description of the parameter. |
| displayName |
string |
The display name for the parameter. |
| strongType |
string |
Used when assigning the policy definition through the portal. Provides a context aware list of values for the user to choose from. |
ParameterDefinitionsValue
The definition of a parameter that can be provided to the policy.
| Name | Type | Description |
|---|---|---|
| allowedValues |
object[] |
The allowed values for the parameter. |
| defaultValue |
object |
The default value for the parameter if no value is provided. |
| metadata |
General metadata for the parameter. |
|
| schema |
object |
Provides validation of parameter inputs during assignment using a self-defined JSON schema. This property is only supported for object-type parameters and follows the Json.NET Schema 2019-09 implementation. You can learn more about using schemas at https://json-schema.org/ and test draft schemas at https://www.jsonschemavalidator.net/. |
| type |
The data type of the parameter. |
parameterType
The data type of the parameter.
| Value | Description |
|---|---|
| Array | |
| Boolean | |
| DateTime | |
| Float | |
| Integer | |
| Object | |
| String |
PolicyDefinition
The policy definition.
| Name | Type | Default value | Description |
|---|---|---|---|
| id |
string |
The ID of the policy definition. |
|
| name |
string |
The name of the policy definition. |
|
| properties.description |
string |
The policy definition description. |
|
| properties.displayName |
string |
The display name of the policy definition. |
|
| properties.metadata |
object |
The policy definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. |
|
| properties.mode |
string |
Indexed |
The policy definition mode. Some examples are All, Indexed, Microsoft.KeyVault.Data. |
| properties.parameters |
<string,
Parameter |
The parameter definitions for parameters used in the policy rule. The keys are the parameter names. |
|
| properties.policyRule |
object |
The policy rule. |
|
| properties.policyType |
The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. |
||
| properties.version |
string |
The policy definition version in #.#.# format. |
|
| properties.versions |
string[] |
A list of available versions for this policy definition. |
|
| systemData |
The system metadata relating to this resource. |
||
| type |
string |
The type of the resource (Microsoft.Authorization/policyDefinitions). |
policyType
The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static.
| Value | Description |
|---|---|
| BuiltIn | |
| Custom | |
| NotSpecified | |
| Static |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |