Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Bicep resource definition
The denyAssignments resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands* Management groups - See management group deployment commands* Subscription - See subscription deployment commands* Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/denyAssignments resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Authorization/denyAssignments@2024-07-01-preview' = {
scope: resourceSymbolicName or scope
name: 'string'
properties: {
condition: 'string'
conditionVersion: 'string'
denyAssignmentEffect: 'string'
denyAssignmentName: 'string'
description: 'string'
doNotApplyToChildScopes: bool
excludePrincipals: [
{
id: 'string'
type: 'string'
}
]
isSystemProtected: bool
permissions: [
{
actions: [
'string'
]
condition: 'string'
conditionVersion: 'string'
dataActions: [
'string'
]
notActions: [
'string'
]
notDataActions: [
'string'
]
}
]
principals: [
{
id: 'string'
type: 'string'
}
]
}
}
Property Values
Microsoft.Authorization/denyAssignments
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| properties | Deny assignment properties. | DenyAssignmentProperties |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
DenyAssignmentPermission
| Name | Description | Value |
|---|---|---|
| actions | Actions to which the deny assignment does not grant access. | string[] |
| condition | The conditions on the Deny assignment permission. This limits the resources it applies to. | string |
| conditionVersion | Version of the condition. | string |
| dataActions | Data actions to which the deny assignment does not grant access. | string[] |
| notActions | Actions to exclude from that the deny assignment does not grant access. | string[] |
| notDataActions | Data actions to exclude from that the deny assignment does not grant access. | string[] |
DenyAssignmentPrincipal
| Name | Description | Value |
|---|---|---|
| id | The object ID of the principal. | string |
| type | The type of the principal such as user, group, servicePrincipal, etc. | string |
DenyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
| conditionVersion | Version of the condition. | string |
| denyAssignmentEffect | The effect of the deny assignment. 'enforced' blocks access, 'audit' logs without blocking. | 'audit' 'enforced' |
| denyAssignmentName | The display name of the deny assignment. | string |
| description | The description of the deny assignment. | string |
| doNotApplyToChildScopes | Determines if the deny assignment applies to child scopes. Default value is false. | bool |
| excludePrincipals | Array of principals to which the deny assignment does not apply. | DenyAssignmentPrincipal[] |
| isSystemProtected | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. | bool |
| permissions | An array of permissions that are denied by the deny assignment. | DenyAssignmentPermission[] |
| principals | Array of principals to which the deny assignment applies. | DenyAssignmentPrincipal[] |
ARM template resource definition
The denyAssignments resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands* Management groups - See management group deployment commands* Subscription - See subscription deployment commands* Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/denyAssignments resource, add the following JSON to your template.
{
"type": "Microsoft.Authorization/denyAssignments",
"apiVersion": "2024-07-01-preview",
"name": "string",
"properties": {
"condition": "string",
"conditionVersion": "string",
"denyAssignmentEffect": "string",
"denyAssignmentName": "string",
"description": "string",
"doNotApplyToChildScopes": "bool",
"excludePrincipals": [
{
"id": "string",
"type": "string"
}
],
"isSystemProtected": "bool",
"permissions": [
{
"actions": [ "string" ],
"condition": "string",
"conditionVersion": "string",
"dataActions": [ "string" ],
"notActions": [ "string" ],
"notDataActions": [ "string" ]
}
],
"principals": [
{
"id": "string",
"type": "string"
}
]
}
}
Property Values
Microsoft.Authorization/denyAssignments
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2024-07-01-preview' |
| name | The resource name | string (required) |
| properties | Deny assignment properties. | DenyAssignmentProperties |
| type | The resource type | 'Microsoft.Authorization/denyAssignments' |
DenyAssignmentPermission
| Name | Description | Value |
|---|---|---|
| actions | Actions to which the deny assignment does not grant access. | string[] |
| condition | The conditions on the Deny assignment permission. This limits the resources it applies to. | string |
| conditionVersion | Version of the condition. | string |
| dataActions | Data actions to which the deny assignment does not grant access. | string[] |
| notActions | Actions to exclude from that the deny assignment does not grant access. | string[] |
| notDataActions | Data actions to exclude from that the deny assignment does not grant access. | string[] |
DenyAssignmentPrincipal
| Name | Description | Value |
|---|---|---|
| id | The object ID of the principal. | string |
| type | The type of the principal such as user, group, servicePrincipal, etc. | string |
DenyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
| conditionVersion | Version of the condition. | string |
| denyAssignmentEffect | The effect of the deny assignment. 'enforced' blocks access, 'audit' logs without blocking. | 'audit' 'enforced' |
| denyAssignmentName | The display name of the deny assignment. | string |
| description | The description of the deny assignment. | string |
| doNotApplyToChildScopes | Determines if the deny assignment applies to child scopes. Default value is false. | bool |
| excludePrincipals | Array of principals to which the deny assignment does not apply. | DenyAssignmentPrincipal[] |
| isSystemProtected | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. | bool |
| permissions | An array of permissions that are denied by the deny assignment. | DenyAssignmentPermission[] |
| principals | Array of principals to which the deny assignment applies. | DenyAssignmentPrincipal[] |
Usage Examples
Terraform (AzAPI provider) resource definition
The denyAssignments resource type can be deployed with operations that target:
- Tenant* Management groups* Subscription* Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/denyAssignments resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Authorization/denyAssignments@2024-07-01-preview"
name = "string"
parent_id = "string"
body = {
properties = {
condition = "string"
conditionVersion = "string"
denyAssignmentEffect = "string"
denyAssignmentName = "string"
description = "string"
doNotApplyToChildScopes = bool
excludePrincipals = [
{
id = "string"
type = "string"
}
]
isSystemProtected = bool
permissions = [
{
actions = [
"string"
]
condition = "string"
conditionVersion = "string"
dataActions = [
"string"
]
notActions = [
"string"
]
notDataActions = [
"string"
]
}
]
principals = [
{
id = "string"
type = "string"
}
]
}
}
}
Property Values
Microsoft.Authorization/denyAssignments
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Deny assignment properties. | DenyAssignmentProperties |
| type | The resource type | "Microsoft.Authorization/denyAssignments@2024-07-01-preview" |
DenyAssignmentPermission
| Name | Description | Value |
|---|---|---|
| actions | Actions to which the deny assignment does not grant access. | string[] |
| condition | The conditions on the Deny assignment permission. This limits the resources it applies to. | string |
| conditionVersion | Version of the condition. | string |
| dataActions | Data actions to which the deny assignment does not grant access. | string[] |
| notActions | Actions to exclude from that the deny assignment does not grant access. | string[] |
| notDataActions | Data actions to exclude from that the deny assignment does not grant access. | string[] |
DenyAssignmentPrincipal
| Name | Description | Value |
|---|---|---|
| id | The object ID of the principal. | string |
| type | The type of the principal such as user, group, servicePrincipal, etc. | string |
DenyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
| conditionVersion | Version of the condition. | string |
| denyAssignmentEffect | The effect of the deny assignment. 'enforced' blocks access, 'audit' logs without blocking. | 'audit' 'enforced' |
| denyAssignmentName | The display name of the deny assignment. | string |
| description | The description of the deny assignment. | string |
| doNotApplyToChildScopes | Determines if the deny assignment applies to child scopes. Default value is false. | bool |
| excludePrincipals | Array of principals to which the deny assignment does not apply. | DenyAssignmentPrincipal[] |
| isSystemProtected | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. | bool |
| permissions | An array of permissions that are denied by the deny assignment. | DenyAssignmentPermission[] |
| principals | Array of principals to which the deny assignment applies. | DenyAssignmentPrincipal[] |