az role deny-assignment
Manage deny assignments.
Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. User-assigned deny assignments can be created to deny write, delete, and action operations at a given scope while excluding specific principals.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az role deny-assignment create |
Create a user-assigned deny assignment. |
Core | GA |
| az role deny-assignment delete |
Delete a user-assigned deny assignment. |
Core | GA |
| az role deny-assignment list |
List deny assignments. |
Core | GA |
| az role deny-assignment show |
Get a deny assignment. |
Core | GA |
az role deny-assignment create
Create a user-assigned deny assignment.
Creates a deny assignment that blocks specific actions at the given scope. Two modes are supported: (1) Everyone mode (default) — denies actions for all principals, requiring at least one excluded principal; (2) Per-principal mode — denies actions for a specific User or ServicePrincipal specified via --principal-object-id. DataActions are not supported, DoNotApplyToChildScopes is not supported, read actions (*/read) are not permitted, and Group type principals are not allowed.
az role deny-assignment create [--acquire-policy-token]
[--actions]
[--assignment-name]
[--change-reference]
[--description]
[--exclude-principal-ids]
[--exclude-principal-types]
[--name]
[--not-actions]
[--principal-object-id]
[--principal-type {ServicePrincipal, User}]
[--scope]
Examples
Create a deny assignment blocking role assignment writes for everyone, excluding a service principal.
az role deny-assignment create --name "Block role assignment changes" --scope /subscriptions/00000000-0000-0000-0000-000000000000 --actions "Microsoft.Authorization/roleAssignments/write" "Microsoft.Authorization/roleAssignments/delete" --exclude-principal-ids 00000000-0000-0000-0000-000000000001 --exclude-principal-types ServicePrincipal
Create a deny assignment targeting a specific user.
az role deny-assignment create --name "Deny resource deletion for user" --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup --actions "*/delete" --principal-object-id 00000000-0000-0000-0000-000000000001 --principal-type User
Create a deny assignment targeting a specific service principal with exclusions.
az role deny-assignment create --name "Deny write actions for app" --scope /subscriptions/00000000-0000-0000-0000-000000000000 --actions "*/write" --principal-object-id 00000000-0000-0000-0000-000000000001 --principal-type ServicePrincipal --exclude-principal-ids 00000000-0000-0000-0000-000000000002 --exclude-principal-types ServicePrincipal --description "Block write operations for this application"
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Acquiring an Azure Policy token automatically for this resource operation.
| Property | Value |
|---|---|
| Parameter group: | Global Policy Arguments |
Space-separated list of actions to deny, e.g. "Microsoft.Authorization/roleAssignments/write". Note: read actions (*/read) are not permitted for user-assigned deny assignments.
A GUID for the deny assignment. If omitted, a new GUID is generated.
The related change reference ID for this resource operation.
| Property | Value |
|---|---|
| Parameter group: | Global Policy Arguments |
Description of the deny assignment.
Space-separated list of principal object IDs to exclude from the deny. Required when no --principal-object-id is specified (Everyone mode). Optional when --principal-object-id is specified.
Space-separated list of principal types corresponding to --exclude-principal-ids. Accepted values: User, Group, ServicePrincipal.
The display name of the deny assignment.
Space-separated list of actions to exclude from the deny.
The object ID of a specific User or ServicePrincipal to deny. If omitted, the deny assignment applies to Everyone (all principals) and --exclude-principal-ids is required. Group principals are not permitted.
The type of the principal specified by --principal-object-id. Required when --principal-object-id is provided. Accepted values: User, ServicePrincipal.
| Property | Value |
|---|---|
| Accepted values: | ServicePrincipal, User |
Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role deny-assignment delete
Delete a user-assigned deny assignment.
az role deny-assignment delete [--acquire-policy-token]
[--change-reference]
[--id]
[--name]
[--scope]
[--yes]
Examples
Delete a deny assignment by its fully qualified ID.
az role deny-assignment delete --id /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/denyAssignments/00000000-0000-0000-0000-000000000001
Delete a deny assignment by name and scope.
az role deny-assignment delete --name 00000000-0000-0000-0000-000000000001 --scope /subscriptions/00000000-0000-0000-0000-000000000000
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Acquiring an Azure Policy token automatically for this resource operation.
| Property | Value |
|---|---|
| Parameter group: | Global Policy Arguments |
The related change reference ID for this resource operation.
| Property | Value |
|---|---|
| Parameter group: | Global Policy Arguments |
The fully qualified ID of the deny assignment to delete.
The name (GUID) of the deny assignment to delete.
Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.
Do not prompt for confirmation.
| Property | Value |
|---|---|
| Default value: | False |
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role deny-assignment list
List deny assignments.
az role deny-assignment list [--filter]
[--scope]
Examples
List deny assignments at the subscription scope.
az role deny-assignment list --scope /subscriptions/00000000-0000-0000-0000-000000000000
List all deny assignments in the current subscription.
az role deny-assignment list
List deny assignments at a resource group scope.
az role deny-assignment list --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
OData filter expression to apply. For example, "atScope()" to list at the current scope, or "gdprExportPrincipalId eq '{objectId}'" to list for a specific principal.
Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role deny-assignment show
Get a deny assignment.
az role deny-assignment show [--id]
[--name]
[--scope]
Examples
Show a deny assignment by its fully qualified ID.
az role deny-assignment show --id /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/denyAssignments/00000000-0000-0000-0000-000000000001
Show a deny assignment by name and scope.
az role deny-assignment show --name 00000000-0000-0000-0000-000000000001 --scope /subscriptions/00000000-0000-0000-0000-000000000000
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
The fully qualified ID of the deny assignment including scope, e.g. /subscriptions/{id}/providers/Microsoft.Authorization/denyAssignments/{denyAssignmentId}.
The name (GUID) of the deny assignment.
Scope at which the deny assignment applies. For example, /subscriptions/00000000-0000-0000-0000-000000000000 or /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |