az role deny-assignment

Manage deny assignments.

Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. User-assigned deny assignments can be created to deny write, delete, and action operations at a given scope while excluding specific principals.

Commands

Name Description Type Status
az role deny-assignment create

Create a user-assigned deny assignment.

Core GA
az role deny-assignment delete

Delete a user-assigned deny assignment.

Core GA
az role deny-assignment list

List deny assignments.

Core GA
az role deny-assignment show

Get a deny assignment.

Core GA

az role deny-assignment create

Create a user-assigned deny assignment.

Creates a deny assignment that blocks specific actions at the given scope. Two modes are supported: (1) Everyone mode (default) — denies actions for all principals, requiring at least one excluded principal; (2) Per-principal mode — denies actions for a specific User or ServicePrincipal specified via --principal-object-id. DataActions are not supported, DoNotApplyToChildScopes is not supported, read actions (*/read) are not permitted, and Group type principals are not allowed.

az role deny-assignment create [--acquire-policy-token]
                               [--actions]
                               [--assignment-name]
                               [--change-reference]
                               [--description]
                               [--exclude-principal-ids]
                               [--exclude-principal-types]
                               [--name]
                               [--not-actions]
                               [--principal-object-id]
                               [--principal-type {ServicePrincipal, User}]
                               [--scope]

Examples

Create a deny assignment blocking role assignment writes for everyone, excluding a service principal.

az role deny-assignment create --name "Block role assignment changes" --scope /subscriptions/00000000-0000-0000-0000-000000000000 --actions "Microsoft.Authorization/roleAssignments/write" "Microsoft.Authorization/roleAssignments/delete" --exclude-principal-ids 00000000-0000-0000-0000-000000000001 --exclude-principal-types ServicePrincipal

Create a deny assignment targeting a specific user.

az role deny-assignment create --name "Deny resource deletion for user" --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup --actions "*/delete" --principal-object-id 00000000-0000-0000-0000-000000000001 --principal-type User

Create a deny assignment targeting a specific service principal with exclusions.

az role deny-assignment create --name "Deny write actions for app" --scope /subscriptions/00000000-0000-0000-0000-000000000000 --actions "*/write" --principal-object-id 00000000-0000-0000-0000-000000000001 --principal-type ServicePrincipal --exclude-principal-ids 00000000-0000-0000-0000-000000000002 --exclude-principal-types ServicePrincipal --description "Block write operations for this application"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquiring an Azure Policy token automatically for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--actions

Space-separated list of actions to deny, e.g. "Microsoft.Authorization/roleAssignments/write". Note: read actions (*/read) are not permitted for user-assigned deny assignments.

--assignment-name

A GUID for the deny assignment. If omitted, a new GUID is generated.

--change-reference

The related change reference ID for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--description

Description of the deny assignment.

--exclude-principal-ids

Space-separated list of principal object IDs to exclude from the deny. Required when no --principal-object-id is specified (Everyone mode). Optional when --principal-object-id is specified.

--exclude-principal-types

Space-separated list of principal types corresponding to --exclude-principal-ids. Accepted values: User, Group, ServicePrincipal.

--name -n

The display name of the deny assignment.

--not-actions

Space-separated list of actions to exclude from the deny.

--principal-object-id

The object ID of a specific User or ServicePrincipal to deny. If omitted, the deny assignment applies to Everyone (all principals) and --exclude-principal-ids is required. Group principals are not permitted.

--principal-type

The type of the principal specified by --principal-object-id. Required when --principal-object-id is provided. Accepted values: User, ServicePrincipal.

Property Value
Accepted values: ServicePrincipal, User
--scope

Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az role deny-assignment delete

Delete a user-assigned deny assignment.

az role deny-assignment delete [--acquire-policy-token]
                               [--change-reference]
                               [--id]
                               [--name]
                               [--scope]
                               [--yes]

Examples

Delete a deny assignment by its fully qualified ID.

az role deny-assignment delete --id /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/denyAssignments/00000000-0000-0000-0000-000000000001

Delete a deny assignment by name and scope.

az role deny-assignment delete --name 00000000-0000-0000-0000-000000000001 --scope /subscriptions/00000000-0000-0000-0000-000000000000

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquiring an Azure Policy token automatically for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--change-reference

The related change reference ID for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--id

The fully qualified ID of the deny assignment to delete.

--name -n

The name (GUID) of the deny assignment to delete.

--scope

Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.

--yes -y

Do not prompt for confirmation.

Property Value
Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az role deny-assignment list

List deny assignments.

az role deny-assignment list [--filter]
                             [--scope]

Examples

List deny assignments at the subscription scope.

az role deny-assignment list --scope /subscriptions/00000000-0000-0000-0000-000000000000

List all deny assignments in the current subscription.

az role deny-assignment list

List deny assignments at a resource group scope.

az role deny-assignment list --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--filter

OData filter expression to apply. For example, "atScope()" to list at the current scope, or "gdprExportPrincipalId eq '{objectId}'" to list for a specific principal.

--scope

Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az role deny-assignment show

Get a deny assignment.

az role deny-assignment show [--id]
                             [--name]
                             [--scope]

Examples

Show a deny assignment by its fully qualified ID.

az role deny-assignment show --id /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/denyAssignments/00000000-0000-0000-0000-000000000001

Show a deny assignment by name and scope.

az role deny-assignment show --name 00000000-0000-0000-0000-000000000001 --scope /subscriptions/00000000-0000-0000-0000-000000000000

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

The fully qualified ID of the deny assignment including scope, e.g. /subscriptions/{id}/providers/Microsoft.Authorization/denyAssignments/{denyAssignmentId}.

--name -n

The name (GUID) of the deny assignment.

--scope

Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False