Authorization actions and attributes

Authorization actions

This section lists the supported authorization actions you can target for conditions.

Create or update role assignments

| Property | Value |
| --- | --- |
| Display name | Create or update role assignments |
| Description | Control plane action for creating role assignments |
| Action | Microsoft.Authorization/roleAssignments/write |
| Resource attributes | |
| Request attributes | Role definition ID<br/>Principal ID<br/>Principal type |
| Examples | `!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})`<br/>Example: Constrain roles |

Delete a role assignment

| Property | Value |
| --- | --- |
| Display name | Delete a role assignment |
| Description | Control plane action for deleting role assignments |
| Action | Microsoft.Authorization/roleAssignments/delete |
| Resource attributes | Role definition ID<br/>Principal ID<br/>Principal type |
| Request attributes | |
| Examples | `!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})`<br/>Example: Constrain roles |

Authorization attributes

This section lists the authorization attributes you can use in your condition expressions, depending on the action you target. If you select multiple actions for a single condition, fewer attributes might be available, because an attribute can only be used when it is available for every selected action.

Role definition ID

| Property | Value |
| --- | --- |
| Display name | Role definition ID |
| Description | The role definition ID used in the role assignment |
| Attribute | Microsoft.Authorization/roleAssignments:RoleDefinitionId |
| Attribute source | Request<br/>Resource |
| Attribute type | GUID |
| Operators | GuidEquals<br/>GuidNotEquals<br/>ForAnyOfAnyValues:GuidEquals<br/>ForAnyOfAllValues:GuidNotEquals |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}`<br/>Example: Constrain roles |

Principal ID

| Property | Value |
| --- | --- |
| Display name | Principal ID |
| Description | The principal ID assigned to the role. This maps to the object ID in Active Directory and can point to a user, service principal, or security group. |
| Attribute | Microsoft.Authorization/roleAssignments:PrincipalId |
| Attribute source | Request<br/>Resource |
| Attribute type | GUID |
| Operators | GuidEquals<br/>GuidNotEquals<br/>ForAnyOfAnyValues:GuidEquals<br/>ForAnyOfAllValues:GuidNotEquals |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-723a-407b-a74a-1bca3f0c95d0}`<br/>Example: Constrain roles and specific groups |

Principal type

| Property | Value |
| --- | --- |
| Display name | Principal type |
| Description | The type of security principal (user, group, service principal, or managed identity) that is requesting access to Azure resources. You can assign a role to any of these security principals. |
| Attribute | Microsoft.Authorization/roleAssignments:PrincipalType |
| Attribute source | Request<br/>Resource |
| Attribute type | STRING |
| Values | User<br/>ServicePrincipal<br/>Group |
| Operators | StringEqualsIgnoreCase<br/>StringNotEqualsIgnoreCase<br/>ForAnyOfAnyValues:StringEqualsIgnoreCase<br/>ForAnyOfAllValues:StringNotEqualsIgnoreCase |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}`<br/>Example: Constrain roles and principal types |
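The following is an added example, not part of this reference page, that composes the fragments from the tables above into one complete condition covering both the write and the delete action: the delegate may only assign the two role definitions used in the page's examples (the built-in Contributor and Reader IDs), only to User or Group principals, and may only delete assignments that satisfy the same constraints. The delegate object ID, the scope and the choice of the Role Based Access Control Administrator role are assumptions and placeholders.

```powershell
# Added example. For the /write action the attributes are read from the
# incoming request (@Request); for the /delete action they are read from the
# existing assignment being removed (@Resource), which is why the second half
# of the condition uses a different source. Constraining only /write would
# still let the delegate delete assignments they could never have created.
$condition = @"
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}
  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}
 )
)
"@

# Placeholders (assumed values): the delegate's object ID and the target scope.
$delegateObjectId = '<delegate-object-id>'
$scope            = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'

# Grant the delegate a role that carries roleAssignments/write and /delete,
# and attach the condition so those two actions are limited as above.
New-AzRoleAssignment -ObjectId $delegateObjectId `
    -RoleDefinitionName 'Role Based Access Control Administrator' `
    -Scope $scope `
    -Condition $condition `
    -ConditionVersion '2.0'
```

Any other action granted by the role is unaffected, because each `!(ActionMatches{...})` clause makes its half of the condition true for actions it does not name.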
