Policy Restrictions - Check At Management Group Scope
Checks what restrictions Azure Policy will place on resources within a management group.
POST https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
managementGroupId | path | True | string | Management group ID. |
management | path | True | | The namespace for Microsoft Management RP; only "Microsoft.Management" is allowed. |
api-version | query | True | string | The API version to use for this operation. |
Request Body
Name | Type | Description |
---|---|---|
pendingFields | | The list of fields and values that should be evaluated for potential restrictions. |
resourceDetails | | The information about the resource that will be evaluated. |
Responses
Name | Type | Description |
---|---|---|
200 OK | | The restrictions that will be placed on the resource by Azure Policy. |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Check policy restrictions at management group scope
Sample request
POST https://management.azure.com/providers/Microsoft.Management/managementGroups/financeMg/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01
```json
{
  "pendingFields": [
    {
      "field": "type"
    }
  ]
}
```
Sample response
```json
{
  "fieldRestrictions": [
    {
      "field": "type",
      "restrictions": [
        {
          "result": "Required",
          "values": [
            "Microsoft.Compute/virtualMachines"
          ],
          "policy": {
            "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policyDefinitions/allowedTypes",
            "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policyAssignments/7EB1508A",
            "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policySetDefinitions/735551F1",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "type not allowed"
        }
      ]
    }
  ],
  "contentEvaluationResult": {
    "policyEvaluations": []
  }
}
```
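A pre-deployment check built on this operation, as an added example (not part of the original reference page and not Microsoft's code): it builds the request for a management group and lists the restrictions a planned resource would violate. The function names, the case-insensitive comparison, and the reading of `Required`/`Deny` with and without `values` are assumptions; the sample data is a shortened copy of the sample response above.

```python
import json

API_VERSION = "2023-03-01"
BASE = "https://management.azure.com/providers/Microsoft.Management/managementGroups"

def build_request(management_group_id, pending):
    """Return (url, body). `pending` maps field name -> list of candidate values."""
    url = (f"{BASE}/{management_group_id}/providers/Microsoft.PolicyInsights"
           f"/checkPolicyRestrictions?api-version={API_VERSION}")
    fields = [{"field": f, **({"values": list(v)} if v else {})}
              for f, v in pending.items()]
    return url, {"pendingFields": fields}

def violations(response, candidate):
    """Restrictions in `response` that the planned resource `candidate` would hit.
    Assumed reading of the result types: Required + values is an allow-list,
    Deny + values is a block-list, and without values the field itself is
    required or denied. Audit and Removed never block. Values are compared
    case-insensitively (assumption)."""
    found = []
    for fr in response.get("fieldRestrictions", []):
        field = fr["field"]
        present = field in candidate
        value = str(candidate.get(field, "")).lower()
        for r in fr.get("restrictions", []):
            listed = [v.lower() for v in r.get("values") or []]
            hit = False  # Audit and Removed are reported by policy but do not block
            if r.get("result") == "Required":
                hit = not present or (bool(listed) and value not in listed)
            elif r.get("result") == "Deny":
                hit = present and (not listed or value in listed)
            if hit:
                found.append((field, r["result"], r.get("policyEffect"),
                              r.get("policy", {}).get("policyAssignmentId")))
    # Each policyEvaluations entry is a non-compliant evaluation of the supplied content.
    for ev in response.get("contentEvaluationResult", {}).get("policyEvaluations", []):
        found.append((None, ev.get("evaluationResult"), None,
                      ev.get("policyInfo", {}).get("policyAssignmentId")))
    return found

# Shortened copy of the sample response on this page.
SAMPLE = json.loads("""{"fieldRestrictions": [{"field": "type", "restrictions": [
  {"result": "Required", "values": ["Microsoft.Compute/virtualMachines"],
   "policy": {"policyAssignmentId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policyAssignments/7EB1508A"},
   "policyEffect": "Deny", "reason": "type not allowed"}]}],
  "contentEvaluationResult": {"policyEvaluations": []}}""")

if __name__ == "__main__":
    print(violations(SAMPLE, {"type": "Microsoft.Storage/storageAccounts"}))
```

The request still needs a bearer token for the `user_impersonation` scope described under Security; sending it is left to whatever HTTP client the pipeline already uses.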
Definitions
Name | Description |
---|---|
CheckManagementGroupRestrictionsRequest | The check policy restrictions parameters describing the resource that is being evaluated. |
CheckRestrictionEvaluationDetails | Policy evaluation details. |
CheckRestrictionsResourceDetails | The information about the resource that will be evaluated. |
CheckRestrictionsResult | The result of a check policy restrictions evaluation on a resource. |
ContentEvaluationResult | Evaluation results for the provided partial resource content. |
ErrorDefinition | Error definition. |
ErrorResponse | Error response. |
ExpressionEvaluationDetails | Evaluation details of policy language expressions. |
FieldRestriction | The restrictions on a field imposed by a specific policy. |
FieldRestrictionResult | The type of restriction that is imposed on the field. |
FieldRestrictions | The restrictions that will be placed on a field in the resource by policy. |
IfNotExistsEvaluationDetails | Evaluation details of IfNotExists effect. |
ManagementGroupsNamespaceType | The namespace for Microsoft Management RP; only "Microsoft.Management" is allowed. |
PendingField | A field that should be evaluated against Azure Policy to determine restrictions. |
PolicyEffectDetails | The details of the effect that was applied to the resource. |
PolicyEvaluationResult | The result of a non-compliant policy evaluation against the given resource content. |
PolicyReference | Resource identifiers for a policy. |
TypedErrorInfo | Scenario specific error details. |
CheckManagementGroupRestrictionsRequest
The check policy restrictions parameters describing the resource that is being evaluated.
Name | Type | Description |
---|---|---|
pendingFields | | The list of fields and values that should be evaluated for potential restrictions. |
resourceDetails | | The information about the resource that will be evaluated. |
CheckRestrictionEvaluationDetails
Policy evaluation details.
Name | Type | Description |
---|---|---|
evaluatedExpressions | | Details of the evaluated expressions. |
ifNotExistsDetails | | Evaluation details of IfNotExists effect. |
reason | string | The reason for the evaluation result. |
CheckRestrictionsResourceDetails
The information about the resource that will be evaluated.
Name | Type | Description |
---|---|---|
apiVersion | string | The api-version of the resource content. |
resourceContent | object | The resource content. This should include whatever properties are already known and can be a partial set of all resource properties. |
scope | string | The scope where the resource is being created. For example, if the resource is a child resource this would be the parent resource's resource ID. |
CheckRestrictionsResult
The result of a check policy restrictions evaluation on a resource.
Name | Type | Description |
---|---|---|
contentEvaluationResult | | Evaluation results for the provided partial resource content. |
fieldRestrictions | | The restrictions that will be placed on various fields in the resource by policy. |
ContentEvaluationResult
Evaluation results for the provided partial resource content.
Name | Type | Description |
---|---|---|
policyEvaluations | | Policy evaluation results against the given resource content. This will indicate if the partial content that was provided will be denied as-is. |
ErrorDefinition
Error definition.
Name | Type | Description |
---|---|---|
additionalInfo | | Additional scenario specific error details. |
code | string | Service specific error code which serves as the substatus for the HTTP error code. |
details | | Internal error details. |
message | string | Description of the error. |
target | string | The target of the error. |
ErrorResponse
Error response.
Name | Type | Description |
---|---|---|
error | | The error details. |
ExpressionEvaluationDetails
Evaluation details of policy language expressions.
Name | Type | Description |
---|---|---|
expression | string | Expression evaluated. |
expressionKind | string | The kind of expression that was evaluated. |
expressionValue | object | Value of the expression. |
operator | string | Operator to compare the expression value and the target value. |
path | string | Property path if the expression is a field or an alias. |
result | string | Evaluation result. |
targetValue | object | Target value to be compared with the expression value. |
FieldRestriction
The restrictions on a field imposed by a specific policy.
Name | Type | Description |
---|---|---|
defaultValue | string | The value that policy will set for the field if the user does not provide a value. |
policy | | The details of the policy that is causing the field restriction. |
policyEffect | string | The effect of the policy that is causing the field restriction. http://aka.ms/policyeffects |
reason | string | The reason for the restriction. |
result | | The type of restriction that is imposed on the field. |
values | string[] | The values that policy either requires or denies for the field. |
FieldRestrictionResult
The type of restriction that is imposed on the field.
Name | Type | Description |
---|---|---|
Audit | string | The field and/or values will be audited by policy. |
Deny | string | The field and/or values will be denied by policy. |
Removed | string | The field will be removed by policy. |
Required | string | The field and/or values are required by policy. |
FieldRestrictions
The restrictions that will be placed on a field in the resource by policy.
Name | Type | Description |
---|---|---|
field | string | The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias. |
restrictions | | The restrictions placed on that field by policy. |
IfNotExistsEvaluationDetails
Evaluation details of IfNotExists effect.
Name | Type | Description |
---|---|---|
resourceId | string | ID of the last evaluated resource for IfNotExists effect. |
totalResources | integer | Total number of resources to which the existence condition is applicable. |
ManagementGroupsNamespaceType
The namespace for Microsoft Management RP; only "Microsoft.Management" is allowed.
Name | Type | Description |
---|---|---|
Microsoft.Management | string | |
PendingField
A field that should be evaluated against Azure Policy to determine restrictions.
Name | Type | Description |
---|---|---|
field | string | The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias. |
values | string[] | The list of potential values for the field that should be evaluated against Azure Policy. |
PolicyEffectDetails
The details of the effect that was applied to the resource.
Name | Type | Description |
---|---|---|
policyEffect | string | The effect that was applied to the resource. http://aka.ms/policyeffects |
PolicyEvaluationResult
The result of a non-compliant policy evaluation against the given resource content.
Name | Type | Description |
---|---|---|
effectDetails | | The details of the effect that was applied to the resource. |
evaluationDetails | | The detailed results of the policy expressions and values that were evaluated. |
evaluationResult | string | The result of the policy evaluation against the resource. This will typically be 'NonCompliant' but may contain other values if errors were encountered. |
policyInfo | | The details of the policy that was evaluated. |
PolicyReference
Resource identifiers for a policy.
Name | Type | Description |
---|---|---|
policyAssignmentId | string | The resource identifier of the policy assignment. |
policyDefinitionId | string | The resource identifier of the policy definition. |
policyDefinitionReferenceId | string | The reference identifier of a specific policy definition within a policy set definition. |
policySetDefinitionId | string | The resource identifier of the policy set definition. |
TypedErrorInfo
Scenario specific error details.
Name | Type | Description |
---|---|---|
info | | The scenario specific error details. |
type | string | The type of included error details. |