Latest commit ff620b3 · Jan 25, 2022

History

History
111 lines (80 loc) · 5.13 KB

deny-assignments-rest.md

File metadata and controls

111 lines (80 loc) · 5.13 KB
title: List Azure deny assignments using the REST API - Azure RBAC
description: Learn how to list Azure deny assignments for users, groups, and applications using the REST API and Azure role-based access control (Azure RBAC).
services: active-directory
documentationcenter: na
author: rolyon
manager: karenhoran
editor:
ms.assetid:
ms.service: role-based-access-control
ms.workload: multiple
ms.tgt_pltfrm: rest-api
ms.topic: how-to
ms.date: 01/24/2022
ms.author: rolyon
ms.reviewer: bagovind

List Azure deny assignments using the REST API

Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using the REST API.

Note

You can't directly create your own deny assignments. For more information, see Azure deny assignments.

Prerequisites

To get information about a deny assignment, you must have:

  • Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles.

List a single deny assignment

  1. Start with the following request:

    ```http
    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments/{deny-assignment-id}?api-version=2018-07-01-preview
    ```

  2. Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

    | Scope | Type |
    | --- | --- |
    | subscriptions/{subscriptionId} | Subscription |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource |

  3. Replace {deny-assignment-id} with the deny assignment identifier you want to retrieve.

List multiple deny assignments

  1. Start with one of the following requests:

    ```http
    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview
    ```

    With optional parameters:

    ```http
    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}
    ```

  2. Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

    | Scope | Type |
    | --- | --- |
    | subscriptions/{subscriptionId} | Subscription |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource |

  3. Replace {filter} with the condition that you want to apply to filter the deny assignment list.

    | Filter | Description |
    | --- | --- |
    | (no filter) | Lists all deny assignments at, above, and below the specified scope. |
    | $filter=atScope() | Lists deny assignments for only the specified scope and above. Does not include the deny assignments at subscopes. |
    | $filter=assignedTo('{objectId}') | Lists deny assignments for the specified user or service principal. If the user is a member of a group that has a deny assignment, that deny assignment is also listed. This filter is transitive for groups, which means that if the user is a member of a group and that group is a member of another group that has a deny assignment, that deny assignment is also listed. This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group. |
    | $filter=atScope()+and+assignedTo('{objectId}') | Lists deny assignments for the specified user or service principal and at the specified scope. |
    | $filter=denyAssignmentName+eq+'{deny-assignment-name}' | Lists deny assignments with the specified name. |
    | $filter=principalId+eq+'{objectId}' | Lists deny assignments for the specified user, group, or service principal. |

List deny assignments at the root scope (/)

  1. Elevate your access as described in Elevate access to manage all Azure subscriptions and management groups.

  2. Use the following request:

    ```http
    GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}
    ```

  3. Replace {filter} with the condition that you want to apply to filter the deny assignment list. A filter is required.

    | Filter | Description |
    | --- | --- |
    | $filter=atScope() | List deny assignments for only the root scope. Does not include the deny assignments at subscopes. |
    | $filter=denyAssignmentName+eq+'{deny-assignment-name}' | List deny assignments with the specified name. |

  4. Remove elevated access.
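The following Python helper is an added example, not code from this article or from Azure SDKs. It builds the list URLs described in the two sections above (including the rule that a $filter is mandatory at the root scope) and summarizes a list response so an auditor can see which principals are blocked from which actions at which scope. The response body is constructed in the shape of the API's list response and is not captured from a real tenant; sending the request with a bearer token is left to the caller.

```python
API_VERSION = "2018-07-01-preview"
BASE = "https://management.azure.com"
PROVIDER_PATH = "providers/Microsoft.Authorization/denyAssignments"


def build_deny_assignments_url(scope, filter_expr=None, deny_assignment_id=None):
    """Build the GET URL for listing (or fetching one) deny assignment.

    scope: "subscriptions/{id}[/resourceGroups/...]" or "/" for the root scope.
    filter_expr: an OData filter such as "atScope() and assignedTo('{objectId}')";
    spaces are written as '+' exactly as the documented filter table shows them.
    """
    at_root = scope.strip("/") == ""
    if at_root and deny_assignment_id is None and not filter_expr:
        # The root-scope listing documented above refuses unfiltered requests.
        raise ValueError("a $filter is required when listing deny assignments at the root scope (/)")
    path = f"{BASE}/{PROVIDER_PATH}" if at_root else f"{BASE}/{scope.strip('/')}/{PROVIDER_PATH}"
    if deny_assignment_id:
        path += f"/{deny_assignment_id}"
    url = f"{path}?api-version={API_VERSION}"
    if filter_expr:
        url += "&$filter=" + filter_expr.replace(" ", "+")
    return url


def summarize(response_json):
    """Flatten a list response into one record per deny assignment (assumed field names)."""
    records = []
    for item in response_json.get("value", []):
        props = item["properties"]
        records.append({
            "name": props["denyAssignmentName"],
            "scope": props["scope"],
            "actions": [a for perm in props.get("permissions", []) for a in perm.get("actions", [])],
            "principals": [p["id"] for p in props.get("principals", [])],
            "doNotApplyToChildScopes": props.get("doNotApplyToChildScopes", False),
        })
    return records


# Constructed sample response (placeholder ids; not from a real subscription).
SAMPLE_RESPONSE = {"value": [{
    "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/denyAssignments/aaaaaaaa-0000-0000-0000-000000000001",
    "properties": {
        "denyAssignmentName": "aaaaaaaa-0000-0000-0000-000000000001",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myresourcegroup1",
        "permissions": [{"actions": ["*/delete"], "notActions": []}],
        "principals": [{"id": "22222222-2222-2222-2222-222222222222", "type": "User"}],
        "doNotApplyToChildScopes": False,
    },
}]}
```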

Next steps