title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.workload | ms.tgt_pltfrm | ms.topic | ms.date | ms.author | ms.reviewer |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
List Azure deny assignments using the REST API - Azure RBAC | Learn how to list Azure deny assignments for users, groups, and applications using the REST API and Azure role-based access control (Azure RBAC). | active-directory | na | rolyon | karenhoran | | | role-based-access-control | multiple | rest-api | how-to | 01/24/2022 | rolyon | bagovind |

Azure deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using the REST API.
Note: You can't directly create your own deny assignments. For more information, see Azure deny assignments.
To get information about a deny assignment, you must have the `Microsoft.Authorization/denyAssignments/read` permission, which is included in most Azure built-in roles.
- Start with the following request:

  ```http
  GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments/{deny-assignment-id}?api-version=2018-07-01-preview
  ```

- Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

  | Scope | Type |
  |---|---|
  | `subscriptions/{subscriptionId}` | Subscription |
  | `subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1` | Resource group |
  | `subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1` | Resource |

- Replace {deny-assignment-id} with the deny assignment identifier you want to retrieve.
- Start with one of the following requests:

  ```http
  GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview
  ```

  With optional parameters:

  ```http
  GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}
  ```

- Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

  | Scope | Type |
  |---|---|
  | `subscriptions/{subscriptionId}` | Subscription |
  | `subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1` | Resource group |
  | `subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1` | Resource |

- Replace {filter} with the condition that you want to apply to filter the deny assignment list.

  | Filter | Description |
  |---|---|
  | (no filter) | Lists all deny assignments at, above, and below the specified scope. |
  | `$filter=atScope()` | Lists deny assignments for only the specified scope and above. Does not include the deny assignments at subscopes. |
  | `$filter=assignedTo('{objectId}')` | Lists deny assignments for the specified user or service principal. If the user is a member of a group that has a deny assignment, that deny assignment is also listed. This filter is transitive for groups which means that if the user is a member of a group and that group is a member of another group that has a deny assignment, that deny assignment is also listed. This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group. |
  | `$filter=atScope()+and+assignedTo('{objectId}')` | Lists deny assignments for the specified user or service principal and at the specified scope. |
  | `$filter=denyAssignmentName+eq+'{deny-assignment-name}'` | Lists deny assignments with the specified name. |
  | `$filter=principalId+eq+'{objectId}'` | Lists deny assignments for the specified user, group, or service principal. |
- Elevate your access as described in Elevate access to manage all Azure subscriptions and management groups.

- Use the following request:

  ```http
  GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}
  ```

- Replace {filter} with the condition that you want to apply to filter the deny assignment list. A filter is required.

  | Filter | Description |
  |---|---|
  | `$filter=atScope()` | List deny assignments for only the root scope. Does not include the deny assignments at subscopes. |
  | `$filter=denyAssignmentName+eq+'{deny-assignment-name}'` | List deny assignments with the specified name. |

- Remove elevated access.
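
The list request URIs and filters described above can be assembled programmatically. The following Python sketch is an added example, not part of the original article or Microsoft's code; the helper names `build_filter` and `list_url` and the sample IDs are hypothetical. It escapes filter values so a deny assignment name cannot alter the query string, rejects non-GUID object IDs, and enforces that the root scope requires a filter.

```python
import re
import urllib.parse

# Added example: helper names and sample IDs are hypothetical, not from the article.
BASE = "https://management.azure.com"
API_VERSION = "2018-07-01-preview"  # API version used by the requests in this article
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def _lit(value, guid=False):
    """Render an OData string literal; embedded single quotes are doubled."""
    if guid and not GUID.fullmatch(value):
        raise ValueError(f"not an object ID (GUID): {value!r}")
    return "'" + value.replace("'", "''") + "'"


def build_filter(at_scope=False, assigned_to=None, principal_id=None, name=None):
    """Compose one of the $filter expressions listed in the filter table."""
    terms = []
    if at_scope:
        terms.append("atScope()")
    if assigned_to is not None:  # user or service principal object ID only
        terms.append(f"assignedTo({_lit(assigned_to, guid=True)})")
    if principal_id is not None:  # user, group, or service principal
        terms.append(f"principalId eq {_lit(principal_id, guid=True)}")
    if name is not None:
        terms.append(f"denyAssignmentName eq {_lit(name)}")
    combinable = at_scope and assigned_to is not None and len(terms) == 2
    if len(terms) > 1 and not combinable:
        raise ValueError("the article only combines atScope() with assignedTo()")
    return " and ".join(terms) or None


def list_url(scope, flt=None):
    """Build the list URI; scope '' is the root scope, where a filter is required."""
    segments = [urllib.parse.quote(s, safe="") for s in scope.split("/") if s]
    if not segments and not flt:
        raise ValueError("a filter is required at the root scope")
    query = {"api-version": API_VERSION}
    if flt:
        query["$filter"] = flt
    # Keep $ ( ) ' readable as in the article; spaces become '+', '&' becomes %26.
    qs = urllib.parse.urlencode(query, safe="$()'")
    return "/".join([BASE, *segments, "providers/Microsoft.Authorization/denyAssignments"]) + "?" + qs


if __name__ == "__main__":
    sub = "subscriptions/00000000-0000-0000-0000-0000000000aa"  # constructed sample ID
    oid = "00000000-0000-0000-0000-000000000001"                # constructed object ID
    print(list_url(sub, build_filter(at_scope=True, assigned_to=oid)))
    print(list_url("", build_filter(name="Bob's & co")))
```

The resulting URI is sent as a GET request with a bearer token that holds the `Microsoft.Authorization/denyAssignments/read` permission; token acquisition is outside the scope of this example.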