| title | description | services | documentationcenter | author | manager | ms.assetid | ms.service | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author | ms.reviewer | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Understand Azure deny assignments - Azure RBAC |
Learn about Azure deny assignments in Azure role-based access control (Azure RBAC). |
active-directory |
rolyon |
karenhoran |
role-based-access-control |
conceptual |
na |
identity |
03/25/2022 |
rolyon |
bagovind |
Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.
This article describes how deny assignments are defined.
Deny assignments are created and managed by Azure to protect resources. Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources. Azure Blueprints and Azure managed apps are the only way that deny assignments are used within Azure. You can't directly create your own deny assignments. Azure Blueprints uses deny assignments to lock resources, but just for resources deployed as part of a blueprint. For more information, see Understand resource locking in Azure Blueprints.
Note
You can't directly create your own deny assignments.
Deny assignments follow a similar pattern as role assignments, but also have some differences.
| Capability | Role assignment | Deny assignment |
|---|---|---|
| Grant access | ✔️ | |
| Deny access | ✔️ | |
| Can be directly created | ✔️ | |
| Apply at a scope | ✔️ | ✔️ |
| Exclude principals | ✔️ | |
| Prevent inheritance to child scopes | ✔️ | |
| Apply to classic subscription administrator assignments | ✔️ |
A deny assignment has the following properties:
[!div class="mx-tableFixed"]
Property Required Type Description DenyAssignmentNameYes String The display name of the deny assignment. Names must be unique for a given scope. DescriptionNo String The description of the deny assignment. Permissions.ActionsAt least one Actions or one DataActions String[] An array of strings that specify the control plane actions to which the deny assignment blocks access. Permissions.NotActionsNo String[] An array of strings that specify the control plane action to exclude from the deny assignment. Permissions.DataActionsAt least one Actions or one DataActions String[] An array of strings that specify the data plane actions to which the deny assignment blocks access. Permissions.NotDataActionsNo String[] An array of strings that specify the data plane actions to exclude from the deny assignment. ScopeNo String A string that specifies the scope that the deny assignment applies to. DoNotApplyToChildScopesNo Boolean Specifies whether the deny assignment applies to child scopes. Default value is false. Principals[i].IdYes String[] An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to an empty GUID 00000000-0000-0000-0000-000000000000to represent all principals.Principals[i].TypeNo String[] An array of object types represented by Principals[i].Id. Set to SystemDefinedto represent all principals.ExcludePrincipals[i].IdNo String[] An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply. ExcludePrincipals[i].TypeNo String[] An array of object types represented by ExcludePrincipals[i].Id. IsSystemProtectedNo Boolean Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected.
To support deny assignments, a system-defined principal named All Principals has been introduced. This principal represents all users, groups, service principals, and managed identities in an Azure AD directory. If the principal ID is a zero GUID 00000000-0000-0000-0000-000000000000 and the principal type is SystemDefined, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:
Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}
All Principals can be combined with ExcludePrincipals to deny all principals except some users. All Principals has the following constraints:
- Can be used only in
Principalsand cannot be used inExcludePrincipals. Principals[i].Typemust be set toSystemDefined.