Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
107 views
in Technique [Technology] by (71.8m points)

Programmatically Azure Policy Assignment with Exclusions

I couldn't find any programmatic way to add exclusions to an Azure policy assignment. Is it possible to create an Azure policy assignment with exclusions, or add exclusions to an existing assignment, using PowerShell, Azure CLI, REST API, etc.?

question from:https://stackoverflow.com/questions/65600528/programmatically-azure-policy-assignment-with-exclusions


1 Answer

0 votes
by (71.8m points)

I will try and answer this as best I can, but this is worded a bit vaguely.

If you are referring to the Roles you can assign via RBAC at the resource group/resource level, then there are predefined Roles that can be assigned via ARM Template deployments, PowerShell, Azure CLI, etc.

There are also custom roles you can create via Azure CLI, PowerShell, REST API, and ARM Template Deployments. These custom roles can include any of the permissions you so choose.

These roles can be used to give permissions or deny permissions to a subscription, resource group, or resource.

Refer to these Microsoft document links for creating custom roles programmatically, paying special attention to the "NotAction" and "NotDataAction" properties since your question is regarding exclusions:

PowerShell Tutorial

Azure CLI Tutorial

REST API

ARM Template

Refer to these Microsoft document links for adding/removing roles programmatically:

PowerShell assign/remove roles

Azure CLI assign/remove roles

Azure REST API add/remove roles

ARM Template Deployment add/remove roles (cannot remove Role Assignment via ARM Template currently)

By using both of these together you should be able to create custom roles, and assign those roles to Principals/Users to allow for customized permissions.
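
The two steps described in the answer above (define a custom role that uses `NotActions`, then assign it to a principal), as an added example that is not part of the original answer. It assumes the Az PowerShell module and a signed-in session; the subscription ID, resource group, user and role name are constructed placeholders.

```powershell
# Added example. Requires the Az module and a prior Connect-AzAccount.
# Every name and ID below is a constructed placeholder; replace with your own.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-example'
$signInName     = 'user@example.com'
$roleName       = 'VM Operator (no delete)'

# Role definition in the JSON shape New-AzRoleDefinition -InputFile accepts.
# NotActions is subtracted from this role's own Actions: the role grants
# everything matched by Actions except what NotActions lists. Another role
# assigned to the same principal can still grant the excluded operation.
$role = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = 'Manage virtual machines but not delete them.'
    Actions          = @(
        'Microsoft.Compute/virtualMachines/*',
        'Microsoft.Resources/subscriptions/resourceGroups/read'
    )
    NotActions       = @('Microsoft.Compute/virtualMachines/delete')
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

# Write the definition to a temporary file and create the custom role from it.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'custom-role.json'
$role | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding utf8
New-AzRoleDefinition -InputFile $path

# Assign the new role to the user at resource-group scope.
# A freshly created definition can take a short time to become assignable.
New-AzRoleAssignment -SignInName $signInName `
                     -RoleDefinitionName $roleName `
                     -ResourceGroupName $resourceGroup

# Check what was created: the exclusions on the role and the assignment itself.
(Get-AzRoleDefinition -Name $roleName).NotActions
Get-AzRoleAssignment -SignInName $signInName -ResourceGroupName $resourceGroup |
    Select-Object DisplayName, RoleDefinitionName, Scope
```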

