Microsoft.Authorization denyAssignments 2024-07-01-preview
Bicep resource definition
The denyAssignments resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands
- Management groups - See management group deployment commands
- Subscription - See subscription deployment commands
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/denyAssignments resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Authorization/denyAssignments@2024-07-01-preview' = {
  scope: resourceSymbolicName or scope
  name: 'string'
  properties: {
    condition: 'string'
    conditionVersion: 'string'
    denyAssignmentEffect: 'string'
    denyAssignmentName: 'string'
    description: 'string'
    doNotApplyToChildScopes: bool
    excludePrincipals: [
      {
        id: 'string'
        type: 'string'
      }
    ]
    isSystemProtected: bool
    permissions: [
      {
        actions: [
          'string'
        ]
        condition: 'string'
        conditionVersion: 'string'
        dataActions: [
          'string'
        ]
        notActions: [
          'string'
        ]
        notDataActions: [
          'string'
        ]
      }
    ]
    principals: [
      {
        id: 'string'
        type: 'string'
      }
    ]
  }
}
```
Property Values
Microsoft.Authorization/denyAssignments
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| properties | Deny assignment properties. | DenyAssignmentProperties |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
DenyAssignmentPermission
| Name | Description | Value |
|---|---|---|
| actions | Actions to which the deny assignment does not grant access. | string[] |
| condition | The conditions on the Deny assignment permission. This limits the resources it applies to. | string |
| conditionVersion | Version of the condition. | string |
| dataActions | Data actions to which the deny assignment does not grant access. | string[] |
| notActions | Actions to exclude from those to which the deny assignment does not grant access. | string[] |
| notDataActions | Data actions to exclude from those to which the deny assignment does not grant access. | string[] |
DenyAssignmentPrincipal
| Name | Description | Value |
|---|---|---|
| id | The object ID of the principal. | string |
| type | The type of the principal such as user, group, servicePrincipal, etc. | string |
DenyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
| conditionVersion | Version of the condition. | string |
| denyAssignmentEffect | The effect of the deny assignment. 'enforced' blocks access, 'audit' logs without blocking. | 'audit' 'enforced' |
| denyAssignmentName | The display name of the deny assignment. | string |
| description | The description of the deny assignment. | string |
| doNotApplyToChildScopes | Determines if the deny assignment applies to child scopes. Default value is false. | bool |
| excludePrincipals | Array of principals to which the deny assignment does not apply. | DenyAssignmentPrincipal[] |
| isSystemProtected | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. | bool |
| permissions | An array of permissions that are denied by the deny assignment. | DenyAssignmentPermission[] |
| principals | Array of principals to which the deny assignment applies. | DenyAssignmentPrincipal[] |
ARM template resource definition
The denyAssignments resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands
- Management groups - See management group deployment commands
- Subscription - See subscription deployment commands
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/denyAssignments resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Authorization/denyAssignments",
  "apiVersion": "2024-07-01-preview",
  "name": "string",
  "properties": {
    "condition": "string",
    "conditionVersion": "string",
    "denyAssignmentEffect": "string",
    "denyAssignmentName": "string",
    "description": "string",
    "doNotApplyToChildScopes": "bool",
    "excludePrincipals": [
      {
        "id": "string",
        "type": "string"
      }
    ],
    "isSystemProtected": "bool",
    "permissions": [
      {
        "actions": [ "string" ],
        "condition": "string",
        "conditionVersion": "string",
        "dataActions": [ "string" ],
        "notActions": [ "string" ],
        "notDataActions": [ "string" ]
      }
    ],
    "principals": [
      {
        "id": "string",
        "type": "string"
      }
    ]
  }
}
```
Property Values
Microsoft.Authorization/denyAssignments
| Name | Description | Value |
|---|---|---|
| apiVersion | The API version | '2024-07-01-preview' |
| name | The resource name | string (required) |
| properties | Deny assignment properties. | DenyAssignmentProperties |
| type | The resource type | 'Microsoft.Authorization/denyAssignments' |
DenyAssignmentPermission
| Name | Description | Value |
|---|---|---|
| actions | Actions to which the deny assignment does not grant access. | string[] |
| condition | The conditions on the Deny assignment permission. This limits the resources it applies to. | string |
| conditionVersion | Version of the condition. | string |
| dataActions | Data actions to which the deny assignment does not grant access. | string[] |
| notActions | Actions to exclude from those to which the deny assignment does not grant access. | string[] |
| notDataActions | Data actions to exclude from those to which the deny assignment does not grant access. | string[] |
DenyAssignmentPrincipal
| Name | Description | Value |
|---|---|---|
| id | The object ID of the principal. | string |
| type | The type of the principal such as user, group, servicePrincipal, etc. | string |
DenyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
| conditionVersion | Version of the condition. | string |
| denyAssignmentEffect | The effect of the deny assignment. 'enforced' blocks access, 'audit' logs without blocking. | 'audit' 'enforced' |
| denyAssignmentName | The display name of the deny assignment. | string |
| description | The description of the deny assignment. | string |
| doNotApplyToChildScopes | Determines if the deny assignment applies to child scopes. Default value is false. | bool |
| excludePrincipals | Array of principals to which the deny assignment does not apply. | DenyAssignmentPrincipal[] |
| isSystemProtected | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. | bool |
| permissions | An array of permissions that are denied by the deny assignment. | DenyAssignmentPermission[] |
| principals | Array of principals to which the deny assignment applies. | DenyAssignmentPrincipal[] |
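The property tables above describe how `principals`/`excludePrincipals`, `actions`/`notActions` and `denyAssignmentEffect` combine; the following Python example (added here, not part of Microsoft's documentation or tooling) evaluates a single request against a deny assignment's `properties` to make that logic concrete. It assumes `*` wildcards with case-insensitive matching, that the caller supplies its own group memberships, and that `condition` is not evaluated; `evaluate`, `SAMPLE`, the GUIDs and the scope strings are illustrative names and values.

```python
import re

# Constructed sample in the ARM "properties" shape from this page; the GUIDs,
# names and action strings are made-up illustration values.
SAMPLE = {
    "denyAssignmentName": "protect-storage",
    "denyAssignmentEffect": "enforced",
    "doNotApplyToChildScopes": False,
    "principals": [{"id": "11111111-1111-1111-1111-111111111111", "type": "group"}],
    "excludePrincipals": [
        {"id": "22222222-2222-2222-2222-222222222222", "type": "servicePrincipal"}],
    "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/*"],
        "notActions": ["Microsoft.Storage/storageAccounts/read"],
        "dataActions": [], "notDataActions": [],
    }],
}

def _matches(patterns, action):
    # Assumption: '*' is the only wildcard and comparison is case-insensitive.
    for pattern in patterns or []:
        rx = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False

def _in_scope(props, assigned_scope, resource_id):
    a, r = assigned_scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Child scopes are covered unless doNotApplyToChildScopes is true (default false).
    return r == a or (r.startswith(a + "/")
                      and not props.get("doNotApplyToChildScopes", False))

def evaluate(props, assigned_scope, resource_id, principal_ids, action, data=False):
    """Return 'no-effect', 'audit' or 'deny' for one request.
    principal_ids: the caller's object ID plus its group IDs (resolved elsewhere)."""
    effect = props.get("denyAssignmentEffect")
    if effect not in ("audit", "enforced"):
        raise ValueError(f"unexpected denyAssignmentEffect: {effect!r}")
    ids = {i.lower() for i in principal_ids}
    listed = lambda key: {p["id"].lower() for p in props.get(key, [])}
    if not _in_scope(props, assigned_scope, resource_id):
        return "no-effect"
    if not ids & listed("principals") or ids & listed("excludePrincipals"):
        return "no-effect"
    inc, exc = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    for perm in props.get("permissions", []):
        if _matches(perm.get(inc), action) and not _matches(perm.get(exc), action):
            return "deny" if effect == "enforced" else "audit"
    return "no-effect"
```

Running a proposed assignment through `evaluate` with `denyAssignmentEffect` set to `'audit'` and then `'enforced'` shows which requests would only be logged and which would be blocked before the template is deployed.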
Usage Examples
Terraform (AzAPI provider) resource definition
The denyAssignments resource type can be deployed with operations that target:
- Tenant
- Management groups
- Subscription
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/denyAssignments resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/denyAssignments@2024-07-01-preview"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      condition = "string"
      conditionVersion = "string"
      denyAssignmentEffect = "string"
      denyAssignmentName = "string"
      description = "string"
      doNotApplyToChildScopes = bool
      excludePrincipals = [
        {
          id = "string"
          type = "string"
        }
      ]
      isSystemProtected = bool
      permissions = [
        {
          actions = [
            "string"
          ]
          condition = "string"
          conditionVersion = "string"
          dataActions = [
            "string"
          ]
          notActions = [
            "string"
          ]
          notDataActions = [
            "string"
          ]
        }
      ]
      principals = [
        {
          id = "string"
          type = "string"
        }
      ]
    }
  }
}
```
Property Values
Microsoft.Authorization/denyAssignments
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Deny assignment properties. | DenyAssignmentProperties |
| type | The resource type | "Microsoft.Authorization/denyAssignments@2024-07-01-preview" |
DenyAssignmentPermission
| Name | Description | Value |
|---|---|---|
| actions | Actions to which the deny assignment does not grant access. | string[] |
| condition | The conditions on the Deny assignment permission. This limits the resources it applies to. | string |
| conditionVersion | Version of the condition. | string |
| dataActions | Data actions to which the deny assignment does not grant access. | string[] |
| notActions | Actions to exclude from those to which the deny assignment does not grant access. | string[] |
| notDataActions | Data actions to exclude from those to which the deny assignment does not grant access. | string[] |
DenyAssignmentPrincipal
| Name | Description | Value |
|---|---|---|
| id | The object ID of the principal. | string |
| type | The type of the principal such as user, group, servicePrincipal, etc. | string |
DenyAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container' | string |
| conditionVersion | Version of the condition. | string |
| denyAssignmentEffect | The effect of the deny assignment. 'enforced' blocks access, 'audit' logs without blocking. | 'audit' 'enforced' |
| denyAssignmentName | The display name of the deny assignment. | string |
| description | The description of the deny assignment. | string |
| doNotApplyToChildScopes | Determines if the deny assignment applies to child scopes. Default value is false. | bool |
| excludePrincipals | Array of principals to which the deny assignment does not apply. | DenyAssignmentPrincipal[] |
| isSystemProtected | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. | bool |
| permissions | An array of permissions that are denied by the deny assignment. | DenyAssignmentPermission[] |
| principals | Array of principals to which the deny assignment applies. | DenyAssignmentPrincipal[] |
