Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Bicep resource definition
The policyEnrollments resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands* Management groups - See management group deployment commands* Subscription - See subscription deployment commands* Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/policyEnrollments resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Authorization/policyEnrollments@2026-01-01-preview' = {
scope: resourceSymbolicName or scope
eTag: 'string'
name: 'string'
properties: {
assignmentScopeValidation: 'string'
description: 'string'
displayName: 'string'
metadata: any(...)
policyAssignmentId: 'string'
policyDefinitionReferenceIds: [
'string'
]
resourceSelectors: [
{
name: 'string'
selectors: [
{
in: [
'string'
]
kind: 'string'
notIn: [
'string'
]
}
]
}
]
}
}
Property Values
Microsoft.Authorization/policyEnrollments
| Name | Description | Value |
|---|---|---|
| eTag | The ETag for the policy enrollment. | string |
| name | The resource name | string Constraints: Pattern = ^[^<>*%&:\?.+/]*[^<>*%&:\?.+/ ]+$ (required) |
| properties | The properties of the policy enrollment. | PolicyEnrollmentProperties |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
PolicyEnrollmentProperties
| Name | Description | Value |
|---|---|---|
| assignmentScopeValidation | The option whether to validate the enrollment is at or under the assignment scope. | 'Default' 'DoNotValidate' |
| description | The description of the policy enrollment. | string |
| displayName | The display name of the policy enrollment. | string |
| metadata | The policy enrollment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | any |
| policyAssignmentId | The ID of the policy assignment that is being enrolled. | string (required) |
| policyDefinitionReferenceIds | The policy definition reference IDs for policy definitions in an assigned policy set definition. These IDs correspond to a subset of policyDefinitions[*].policyDefinitionReferenceId in the policy set definition.When specified and not empty, only the referenced policy definitions will be enrolled to. Otherwise, the entire policy set is enrolled to |
string[] |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |
ResourceSelector
| Name | Description | Value |
|---|---|---|
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |
Selector
| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | 'groupPrincipalId' 'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' 'userPrincipalId' |
| notIn | The list of values to filter out. | string[] |
ARM template resource definition
The policyEnrollments resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands* Management groups - See management group deployment commands* Subscription - See subscription deployment commands* Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/policyEnrollments resource, add the following JSON to your template.
{
"type": "Microsoft.Authorization/policyEnrollments",
"apiVersion": "2026-01-01-preview",
"name": "string",
"eTag": "string",
"properties": {
"assignmentScopeValidation": "string",
"description": "string",
"displayName": "string",
"metadata": {},
"policyAssignmentId": "string",
"policyDefinitionReferenceIds": [ "string" ],
"resourceSelectors": [
{
"name": "string",
"selectors": [
{
"in": [ "string" ],
"kind": "string",
"notIn": [ "string" ]
}
]
}
]
}
}
Property Values
Microsoft.Authorization/policyEnrollments
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2026-01-01-preview' |
| eTag | The ETag for the policy enrollment. | string |
| name | The resource name | string Constraints: Pattern = ^[^<>*%&:\?.+/]*[^<>*%&:\?.+/ ]+$ (required) |
| properties | The properties of the policy enrollment. | PolicyEnrollmentProperties |
| type | The resource type | 'Microsoft.Authorization/policyEnrollments' |
PolicyEnrollmentProperties
| Name | Description | Value |
|---|---|---|
| assignmentScopeValidation | The option whether to validate the enrollment is at or under the assignment scope. | 'Default' 'DoNotValidate' |
| description | The description of the policy enrollment. | string |
| displayName | The display name of the policy enrollment. | string |
| metadata | The policy enrollment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | any |
| policyAssignmentId | The ID of the policy assignment that is being enrolled. | string (required) |
| policyDefinitionReferenceIds | The policy definition reference IDs for policy definitions in an assigned policy set definition. These IDs correspond to a subset of policyDefinitions[*].policyDefinitionReferenceId in the policy set definition.When specified and not empty, only the referenced policy definitions will be enrolled to. Otherwise, the entire policy set is enrolled to |
string[] |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |
ResourceSelector
| Name | Description | Value |
|---|---|---|
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |
Selector
| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | 'groupPrincipalId' 'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' 'userPrincipalId' |
| notIn | The list of values to filter out. | string[] |
Usage Examples
Terraform (AzAPI provider) resource definition
The policyEnrollments resource type can be deployed with operations that target:
- Tenant* Management groups* Subscription* Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/policyEnrollments resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Authorization/policyEnrollments@2026-01-01-preview"
name = "string"
parent_id = "string"
body = {
eTag = "string"
properties = {
assignmentScopeValidation = "string"
description = "string"
displayName = "string"
metadata = ?
policyAssignmentId = "string"
policyDefinitionReferenceIds = [
"string"
]
resourceSelectors = [
{
name = "string"
selectors = [
{
in = [
"string"
]
kind = "string"
notIn = [
"string"
]
}
]
}
]
}
}
}
Property Values
Microsoft.Authorization/policyEnrollments
| Name | Description | Value |
|---|---|---|
| eTag | The ETag for the policy enrollment. | string |
| name | The resource name | string Constraints: Pattern = ^[^<>*%&:\?.+/]*[^<>*%&:\?.+/ ]+$ (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | The properties of the policy enrollment. | PolicyEnrollmentProperties |
| type | The resource type | "Microsoft.Authorization/policyEnrollments@2026-01-01-preview" |
PolicyEnrollmentProperties
| Name | Description | Value |
|---|---|---|
| assignmentScopeValidation | The option whether to validate the enrollment is at or under the assignment scope. | 'Default' 'DoNotValidate' |
| description | The description of the policy enrollment. | string |
| displayName | The display name of the policy enrollment. | string |
| metadata | The policy enrollment metadata. Metadata is an open ended object and is typically a collection of key value pairs. | any |
| policyAssignmentId | The ID of the policy assignment that is being enrolled. | string (required) |
| policyDefinitionReferenceIds | The policy definition reference IDs for policy definitions in an assigned policy set definition. These IDs correspond to a subset of policyDefinitions[*].policyDefinitionReferenceId in the policy set definition.When specified and not empty, only the referenced policy definitions will be enrolled to. Otherwise, the entire policy set is enrolled to |
string[] |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |
ResourceSelector
| Name | Description | Value |
|---|---|---|
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |
Selector
| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | 'groupPrincipalId' 'policyDefinitionReferenceId' 'resourceLocation' 'resourceType' 'resourceWithoutLocation' 'userPrincipalId' |
| notIn | The list of values to filter out. | string[] |