Skip to content

Latest commit

 

History

History
332 lines (238 loc) · 18.9 KB

deny-assignments.md

File metadata and controls

332 lines (238 loc) · 18.9 KB
Raw
title description author manager ms.service ms.topic ms.date ms.author ms.reviewer
List Azure deny assignments - Azure RBAC
Learn how to list Azure deny assignments in Azure role-based access control (Azure RBAC).
rolyon
amycolannino
role-based-access-control
conceptual
03/12/2024
rolyon
bagovind

List Azure deny assignments

Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.

This article describes how to list deny assignments.

Important

You can't directly create your own deny assignments. Deny assignments are created and managed by Azure.

How deny assignments are created

Deny assignments are created and managed by Azure to protect resources. You can't directly create your own deny assignments. However, you can specify deny settings when creating a deployment stack, which creates a deny assignment that is owned by the deployment stack resources. Deployment stacks is currently in preview. For more information, see Protect managed resources against deletion.

Compare role assignments and deny assignments

Deny assignments follow a similar pattern as role assignments, but also have some differences.

Capability Role assignment Deny assignment
Grant access
Deny access
Can be directly created
Apply at a scope
Exclude principals
Prevent inheritance to child scopes
Apply to classic subscription administrator assignments

Deny assignment properties

A deny assignment has the following properties:

[!div class="mx-tableFixed"]

Property Required Type Description
DenyAssignmentName Yes String The display name of the deny assignment. Names must be unique for a given scope.
Description No String The description of the deny assignment.
Permissions.Actions At least one Actions or one DataActions String[] An array of strings that specify the control plane actions to which the deny assignment blocks access.
Permissions.NotActions No String[] An array of strings that specify the control plane action to exclude from the deny assignment.
Permissions.DataActions At least one Actions or one DataActions String[] An array of strings that specify the data plane actions to which the deny assignment blocks access.
Permissions.NotDataActions No String[] An array of strings that specify the data plane actions to exclude from the deny assignment.
Scope No String A string that specifies the scope that the deny assignment applies to.
DoNotApplyToChildScopes No Boolean Specifies whether the deny assignment applies to child scopes. Default value is false.
Principals[i].Id Yes String[] An array of Microsoft Entra principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to an empty GUID 00000000-0000-0000-0000-000000000000 to represent all principals.
Principals[i].Type No String[] An array of object types represented by Principals[i].Id. Set to SystemDefined to represent all principals.
ExcludePrincipals[i].Id No String[] An array of Microsoft Entra principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply.
ExcludePrincipals[i].Type No String[] An array of object types represented by ExcludePrincipals[i].Id.
IsSystemProtected No Boolean Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected.

The All Principals principal

To support deny assignments, a system-defined principal named All Principals has been introduced. This principal represents all users, groups, service principals, and managed identities in a Microsoft Entra directory. If the principal ID is a zero GUID 00000000-0000-0000-0000-000000000000 and the principal type is SystemDefined, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:

Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }

All Principals can be combined with ExcludePrincipals to deny all principals except some users. All Principals has the following constraints:

  • Can be used only in Principals and cannot be used in ExcludePrincipals.
  • Principals[i].Type must be set to SystemDefined.

List deny assignments

Follow these steps to list deny assignments.

Important

You can't directly create your own deny assignments. Deny assignments are created and managed by Azure. For more information, see Protect managed resources against deletion.

Azure portal

Prerequisites

To get information about a deny assignment, you must have:

  • Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles.

List deny assignments in the Azure portal

Follow these steps to list deny assignments at the subscription or management group scope.

  1. In the Azure portal, open the selected scope, such as resource group or subscription.

  2. Select Access control (IAM).

  3. Select the Deny assignments tab (or select the View button on the View deny assignments tile).

    If there are any deny assignments at this scope or inherited to this scope, they'll be listed.

    :::image type="content" source="./media/deny-assignments/access-control-deny-assignments.png" alt-text="Screenshot of Access control (IAM) page and Deny assignments tab that lists deny assignments at the selected scope." lightbox="./media/deny-assignments/access-control-deny-assignments.png":::

  4. To display additional columns, select Edit Columns.

    :::image type="content" source="./media/deny-assignments/deny-assignments-columns.png" alt-text="Screenshot of deny assignments columns pane that shows how to add columns to list of deny assignments." lightbox="./media/deny-assignments/deny-assignments-columns.png":::

    Column Description
    Name Name of the deny assignment.
    Principal type User, group, system-defined group, or service principal.
    Denied Name of the security principal that is included in the deny assignment.
    Id Unique identifier for the deny assignment.
    Excluded principals Whether there are security principals that are excluded from the deny assignment.
    Does not apply to children Whether the deny assignment is inherited to subscopes.
    System protected Whether the deny assignment is managed by Azure. Currently, always Yes.
    Scope Management group, subscription, resource group, or resource.

  5. Add a checkmark to any of the enabled items and then select OK to display the selected columns.

List details about a deny assignment

Follow these steps to list additional details about a deny assignment.

  1. Open the Deny assignments pane as described in the previous section.

  2. Select the deny assignment name to open the Users page.

    :::image type="content" source="./media/deny-assignments/deny-assignment-users.png" alt-text="Screenshot of Users page for a deny assignment that lists the applies to and excludes." lightbox="./media/deny-assignments/deny-assignment-users.png":::

    The Users page includes the following two sections.

    Deny setting Description
    Deny assignment applies to Security principals that the deny assignment applies to.
    Deny assignment excludes Security principals that are excluded from the deny assignment.

    System-Defined Principal represents all users, groups, service principals, and managed identities in an Azure AD directory.

  3. To see a list of the permissions that are denied, select Denied Permissions.

    :::image type="content" source="./media/deny-assignments/deny-assignment-denied-permissions.png" alt-text="Screenshot of Denied Permissions page for a deny assignment that lists the permissions that are denied." lightbox="./media/deny-assignments/deny-assignment-denied-permissions.png":::

    Action type Description
    Actions Denied control plane actions.
    NotActions Control plane actions excluded from denied control plane actions.
    DataActions Denied data plane actions.
    NotDataActions Data plane actions excluded from denied data plane actions.

    For the example shown in the previous screenshot, the following are the effective permissions:

    • All storage actions on the data plane are denied except for compute actions.

  4. To see the properties for a deny assignment, select Properties.

    :::image type="content" source="./media/deny-assignments/deny-assignment-properties.png" alt-text="Screenshot of Properties page for a deny assignment that lists the properties." lightbox="./media/deny-assignments/deny-assignment-properties.png":::

    On the Properties page, you can see the deny assignment name, ID, description, and scope. The Does not apply to children switch indicates whether the deny assignment is inherited to subscopes. The System protected switch indicates whether this deny assignment is managed by Azure. Currently, this is Yes in all cases.

Azure PowerShell

Prerequisites

To get information about a deny assignment, you must have:

List all deny assignments

To list all deny assignments for the current subscription, use Get-AzDenyAssignment.

Get-AzDenyAssignment

PS C:\> Get-AzDenyAssignment
Id                      : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storef2dfaqv5dzzfy/providers/Microsoft.Authorization/denyAssignments/6d266d71-a890-53b7-b0d8-2af6769ac019
DenyAssignmentName      : Deny assignment '6d266d71-a890-53b7-b0d8-2af6769ac019' created by Deployment Stack '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack'.
Description             : Created by Deployment Stack '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack'.
Actions                 : {*/delete}
NotActions              : {Microsoft.Authorization/locks/delete, Microsoft.Storage/storageAccounts/delete}
DataActions             : {}
NotDataActions          : {}
Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storef2dfaqv5dzzfy
DoNotApplyToChildScopes : True
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          DisplayName:  User1
                          ObjectType:   User
                          ObjectId:     675986ff-5b6a-448c-9a22-fd2a65100221
                          }
IsSystemProtected       : True

Id                      : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetf2dfaqv5dzzfy/providers/Microsoft.Authorization/denyAssignments/36a162b5-ddcc-529a-9deb-673250f90ba7
DenyAssignmentName      : Deny assignment '36a162b5-ddcc-529a-9deb-673250f90ba7' created by Deployment Stack '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack'.
Description             : Created by Deployment Stack '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack'.
Actions                 : {*/delete}
NotActions              : {Microsoft.Authorization/locks/delete, Microsoft.Storage/storageAccounts/delete}
DataActions             : {}
NotDataActions          : {}
Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetf2dfaqv5dzzfy
DoNotApplyToChildScopes : True
Principals              : {
                          DisplayName:  All Principals
                          ObjectType:   SystemDefined
                          ObjectId:     00000000-0000-0000-0000-000000000000
                          }
ExcludePrincipals       : {
                          DisplayName:  User1
                          ObjectType:   User
                          ObjectId:     675986ff-5b6a-448c-9a22-fd2a65100221
                          }
IsSystemProtected       : True

List deny assignments at a resource group scope

To list all deny assignments at a resource group scope, use Get-AzDenyAssignment.

Get-AzDenyAssignment -ResourceGroupName <resource_group_name>

List deny assignments at a subscription scope

To list all deny assignments at a subscription scope, use Get-AzDenyAssignment. To get the subscription ID, you can find it on the Subscriptions page in the Azure portal or you can use Get-AzSubscription.

Get-AzDenyAssignment -Scope /subscriptions/<subscription_id>

REST API

Prerequisites

To get information about a deny assignment, you must have:

  • Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles.

You must use the following version:

  • 2018-07-01-preview or later
  • 2022-04-01 is the first stable version

List a single deny assignment

To list a single deny assignment, use the Deny Assignments - Get REST API.

  1. Start with the following request:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments/{deny-assignment-id}?api-version=2022-04-01

  2. Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

    [!div class="mx-tableFixed"]

    Scope Type
    subscriptions/{subscriptionId} Subscription
    subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 Resource group
    subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 Resource

  3. Replace {deny-assignment-id} with the deny assignment identifier you want to retrieve.

List multiple deny assignments

To list multiple deny assignments, use the Deny Assignments - List REST API.

  1. Start with one of the following requests:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01

    With optional parameters:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter={filter}

  2. Within the URI, replace {scope} with the scope for which you want to list the deny assignments.

    [!div class="mx-tableFixed"]

    Scope Type
    subscriptions/{subscriptionId} Subscription
    subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 Resource group
    subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 Resource

  3. Replace {filter} with the condition that you want to apply to filter the deny assignment list.

    [!div class="mx-tableFixed"]

    Filter Description
    (no filter) Lists all deny assignments at, above, and below the specified scope.
    $filter=atScope() Lists deny assignments for only the specified scope and above. Does not include the deny assignments at subscopes.
    $filter=assignedTo('{objectId}') Lists deny assignments for the specified user or service principal.
    If the user is a member of a group that has a deny assignment, that deny assignment is also listed. This filter is transitive for groups which means that if the user is a member of a group and that group is a member of another group that has a deny assignment, that deny assignment is also listed.
    This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group.
    $filter=atScope()+and+assignedTo('{objectId}') Lists deny assignments for the specified user or service principal and at the specified scope.
    $filter=denyAssignmentName+eq+'{deny-assignment-name}' Lists deny assignments with the specified name.
    $filter=principalId+eq+'{objectId}' Lists deny assignments for the specified user, group, or service principal.

List deny assignments at the root scope (/)

  1. Elevate your access as described in Elevate access to manage all Azure subscriptions and management groups.

  2. Use the following request:

    GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter={filter}

  3. Replace {filter} with the condition that you want to apply to filter the deny assignment list. A filter is required.

    [!div class="mx-tableFixed"]

    Filter Description
    $filter=atScope() List deny assignments for only the root scope. Does not include the deny assignments at subscopes.
    $filter=denyAssignmentName+eq+'{deny-assignment-name}' List deny assignments with the specified name.

  4. Remove elevated access.

Next steps