Deny Assignments - List

Gets all deny assignments for the subscription.

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter={$filter}

URI Parameters

Name In Required Type Description
subscriptionId
path True

string

The ID of the target subscription.

api-version
query True

string

The API version to use for this operation.

$filter
query

string

The filter to apply on the operation. Use $filter=atScope() to return all deny assignments at or above the scope. Use $filter=denyAssignmentName eq '{name}' to search deny assignments by name at specified scope. Use $filter=principalId eq '{id}' to return all deny assignments at, above and below the scope for the specified principal. Use $filter=gdprExportPrincipalId eq '{id}' to return all deny assignments at, above and below the scope for the specified principal. This filter is different from the principalId filter as it returns not only those deny assignments that contain the specified principal is the Principals list but also those deny assignments that contain the specified principal is the ExcludePrincipals list. Additionally, when gdprExportPrincipalId filter is used, only the deny assignment name and description properties are returned.

Responses

Name Type Description
200 OK

DenyAssignmentListResult

OK - Returns an array of deny assignments.

Other Status Codes

ErrorResponse

Error response describing why the operation failed.

Permissions

To call this API, you must be assigned a role that has the following permissions. For more information, see Azure built-in roles.

Microsoft.Authorization/denyAssignments/read

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

List deny assignments for subscription

Sample request

GET https://management.azure.com/subscriptions/subId/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01

Sample response

{
  "value": [
    {
      "properties": {
        "denyAssignmentName": "Deny assignment name",
        "description": "Deny assignment description",
        "permissions": [
          {
            "actions": [
              "action"
            ],
            "notActions": [],
            "dataActions": [
              "action"
            ],
            "notDataActions": []
          }
        ],
        "scope": "/subscriptions/subId",
        "doNotApplyToChildScopes": false,
        "principals": [
          {
            "id": "principalId1",
            "type": "principalType1"
          }
        ],
        "excludePrincipals": [
          {
            "id": "principalId2",
            "type": "principalType2"
          }
        ],
        "isSystemProtected": true
      },
      "id": "/subscriptions/subId/providers/Microsoft.Authorization/denyAssignments/denyAssignmentId",
      "type": "Microsoft.Authorization/denyAssignments",
      "name": "denyAssignmentId"
    }
  ]
}

Definitions

Name Description
DenyAssignment

Deny Assignment

DenyAssignmentListResult

Deny assignment list operation result.

DenyAssignmentPermission

Deny assignment permissions.

ErrorAdditionalInfo

The resource management error additional info.

ErrorDetail

The error detail.

ErrorResponse

Error response

Principal

The name of the entity last modified it

DenyAssignment

Deny Assignment

Name Type Description
id

string

The deny assignment ID.

name

string

The deny assignment name.

properties.condition

string

The conditions on the deny assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'

properties.conditionVersion

string

Version of the condition.

properties.createdBy

string

Id of the user who created the assignment

properties.createdOn

string

Time it was created

properties.denyAssignmentName

string

The display name of the deny assignment.

properties.description

string

The description of the deny assignment.

properties.doNotApplyToChildScopes

boolean

Determines if the deny assignment applies to child scopes. Default value is false.

properties.excludePrincipals

Principal[]

Array of principals to which the deny assignment does not apply.

properties.isSystemProtected

boolean

Specifies whether this deny assignment was created by Azure and cannot be edited or deleted.

properties.permissions

DenyAssignmentPermission[]

An array of permissions that are denied by the deny assignment.

properties.principals

Principal[]

Array of principals to which the deny assignment applies.

properties.scope

string

The deny assignment scope.

properties.updatedBy

string

Id of the user who updated the assignment

properties.updatedOn

string

Time it was updated

type

string

The deny assignment type.

DenyAssignmentListResult

Deny assignment list operation result.

Name Type Description
nextLink

string

The URL to use for getting the next set of results.

value

DenyAssignment[]

Deny assignment list.

DenyAssignmentPermission

Deny assignment permissions.

Name Type Description
actions

string[]

Actions to which the deny assignment does not grant access.

condition

string

The conditions on the Deny assignment permission. This limits the resources it applies to.

conditionVersion

string

Version of the condition.

dataActions

string[]

Data actions to which the deny assignment does not grant access.

notActions

string[]

Actions to exclude from that the deny assignment does not grant access.

notDataActions

string[]

Data actions to exclude from that the deny assignment does not grant access.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.

type

string

The additional info type.

ErrorDetail

The error detail.

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.

code

string

The error code.

details

ErrorDetail[]

The error details.

message

string

The error message.

target

string

The error target.

ErrorResponse

Error response

Name Type Description
error

ErrorDetail

The error object.

Principal

The name of the entity last modified it

Name Type Description
displayName

string

The name of the principal made changes

email

string

Email of principal

id

string

The id of the principal made changes

type

string

Type of principal such as user , group etc