| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author | ms.reviewer |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
List deny assignments using RBAC and the REST API - Azure | Microsoft Docs |
Learn how to list deny assignments for users, groups, and applications, using role-based access control (RBAC) and the REST API. |
active-directory |
na |
rolyon |
mtillman |
role-based-access-control |
multiple |
rest-api |
na |
conceptual |
09/24/2018 |
rolyon |
bagovind |
Currently, deny assignments are read-only and can only be set by Azure. Even though you can't create your own deny assignments, you can list deny assignments because they could impact your effective permissions. This article describes how you to list deny assignments using RBAC and the REST API.
-
Start with the following request:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments/{deny-assignment-id}?api-version=2018-07-01-preview
-
Within the URI, replace {scope} with the scope for which you want to list the deny assignments.
Scope Type subscriptions/{subscriptionId}Subscription subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1Resource group subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/ providers/Microsoft.Web/sites/mysite1Resource -
Replace {deny-assignment-id} with the deny assignment identifier you want to retrieve.
-
Start with one of the following requests:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview
With optional parameters:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}
-
Within the URI, replace {scope} with the scope for which you want to list the deny assignments.
Scope Type subscriptions/{subscriptionId}Subscription subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1Resource group subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/ providers/Microsoft.Web/sites/mysite1Resource -
Replace {filter} with the condition that you want to apply to filter the deny assignment list.
Filter Description (no filter) List all deny assignments at, above, and below the specified scope. $filter=atScope()List deny assignments for only the specified scope and above. Does not include the deny assignments at subscopes. $filter=denyAssignmentName%20eq%20'{deny-assignment-name}'List deny assignments with the specified name.
-
Elevate your access as described in Elevate access for a Global Administrator in Azure Active Directory.
-
Use the following request:
GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01-preview&$filter={filter}
-
Replace {filter} with the condition that you want to apply to filter the deny assignment list. A filter is required.
Filter Description $filter=atScope()List deny assignments for only the root scope. Does not include the deny assignments at subscopes. $filter=denyAssignmentName%20eq%20'{deny-assignment-name}'List deny assignments with the specified name. -
Remove elevated access.