Merge pull request #77026 from rolyon/rolyon-rbac-deny-powershell

atookey · web-flow · commit 7bc83651a080 · 2019-06-13T10:40:37.000-07:00
[Azure RBAC] Deny assignments using PowerShell
diff --git a/articles/role-based-access-control/TOC.yml b/articles/role-based-access-control/TOC.yml
@@ -54,6 +54,8 @@
       href: deny-assignments.md
     - name: Portal
       href: deny-assignments-portal.md
+    - name: PowerShell
+      href: deny-assignments-powershell.md
     - name: REST API
       href: deny-assignments-rest.md
   - name: Custom roles
diff --git a/articles/role-based-access-control/deny-assignments-portal.md b/articles/role-based-access-control/deny-assignments-portal.md
@@ -1,6 +1,6 @@
 ---
-title: View deny assignments for Azure resources using the Azure portal | Microsoft Docs
-description: Learn how to view the users, groups, service principals, and managed identities that have been denied access to specific Azure resource actions at particular scope using the Azure portal.
+title: List deny assignments for Azure resources using the Azure portal | Microsoft Docs
+description: Learn how to list the users, groups, service principals, and managed identities that have been denied access to specific Azure resource actions at particular scopes using the Azure portal.
 services: active-directory
 documentationcenter: ''
 author: rolyon
@@ -12,31 +12,31 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/13/2019
+ms.date: 06/10/2019
 ms.author: rolyon
 ms.reviewer: bagovind
 ---
 
-# View deny assignments for Azure resources using the Azure portal
+# List deny assignments for Azure resources using the Azure portal
 
-[Deny assignments](deny-assignments.md) block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to use the Azure portal to view deny assignments.
+[Deny assignments](deny-assignments.md) block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using the Azure portal.
 
 > [!NOTE]
-> At this time, the only way you can add your own deny assignments is by using Azure Blueprints. For more information, see [Protect new resources with Azure Blueprints resource locks](../governance/blueprints/tutorials/protect-new-resources.md).
+> You can't directly create your own deny assignments. For information about how deny assignments are created, see [Deny assignments](deny-assignments.md).
 
 ## Prerequisites
 
 To get information about a deny assignment, you must have:
 
 - `Microsoft.Authorization/denyAssignments/read` permission, which is included in most [built-in roles for Azure resources](built-in-roles.md).
 
-## View deny assignments
+## List deny assignments
 
-Follow these steps to view deny assignments at the subscription or management group scope.
+Follow these steps to list deny assignments at the subscription or management group scope.
 
 1. In the Azure portal, click **All services** and then **Management groups** or **Subscriptions**.
 
-1. Click the management group or subscription you want to view.
+1. Click the management group or subscription you want to list.
 
 1. Click **Access control (IAM)**.
 
@@ -63,9 +63,9 @@ Follow these steps to view deny assignments at the subscription or management gr
 
 1. Add a checkmark to any of the enabled items and then click **OK** to display the selected columns.
 
-## View details about a deny assignment
+## List details about a deny assignment
 
-Follow these steps to view additional details about a deny assignment.
+Follow these steps to list additional details about a deny assignment.
 
 1. Open the **Deny assignments** pane as described in the previous section.
 
@@ -106,4 +106,4 @@ Follow these steps to view additional details about a deny assignment.
 ## Next steps
 
 * [Understand deny assignments for Azure resources](deny-assignments.md)
-* [List deny assignments for Azure resources using the REST API](deny-assignments-rest.md)
+* [List deny assignments for Azure resources using Azure PowerShell](deny-assignments-powershell.md)
diff --git a/articles/role-based-access-control/deny-assignments-powershell.md b/articles/role-based-access-control/deny-assignments-powershell.md
@@ -0,0 +1,126 @@
+---
+title: List deny assignments for Azure resources using Azure PowerShell | Microsoft Docs
+description: Learn how to list the users, groups, service principals, and managed identities that have been denied access to specific Azure resource actions at particular scopes using Azure PowerShell.
+services: active-directory
+documentationcenter: ''
+author: rolyon
+manager: mtillman
+
+ms.service: role-based-access-control
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 06/12/2019
+ms.author: rolyon
+ms.reviewer: bagovind
+---
+
+# List deny assignments for Azure resources using Azure PowerShell
+
+[Deny assignments](deny-assignments.md) block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using Azure PowerShell.
+
+> [!NOTE]
+> You can't directly create your own deny assignments. For information about how deny assignments are created, see [Deny assignments](deny-assignments.md).
+
+## Prerequisites
+
+To get information about a deny assignment, you must have:
+
+- `Microsoft.Authorization/denyAssignments/read` permission, which is included in most [built-in roles for Azure resources](built-in-roles.md)
+- [PowerShell in Azure Cloud Shell](/azure/cloud-shell/overview) or [Azure PowerShell](/powershell/azure/install-az-ps)
+
+## List deny assignments
+
+### List all deny assignments
+
+To list all deny assignments for the current subscription, use [Get-AzDenyAssignment](/powershell/module/az.resources/get-azdenyassignment).
+
+```azurepowershell
+Get-AzDenyAssignment
+```
+
+```Example
+PS C:\> Get-AzDenyAssignment
+
+Id                      : 22222222-2222-2222-2222-222222222222
+DenyAssignmentName      : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
+                          '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
+Description             : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
+Actions                 : {*}
+NotActions              : {*/read}
+DataActions             : {}
+NotDataActions          : {}
+Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
+DoNotApplyToChildScopes : True
+Principals              : {
+                          DisplayName:  All Principals
+                          ObjectType:   SystemDefined
+                          ObjectId:     00000000-0000-0000-0000-000000000000
+                          }
+ExcludePrincipals       : {
+                          ObjectType:   ServicePrincipal
+                          }
+IsSystemProtected       : True
+
+Id                      : 33333333-3333-3333-3333-333333333333
+DenyAssignmentName      : Deny assignment '33333333-3333-3333-3333-333333333333' created by Blueprint Assignment
+                          '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
+Description             : Created by Blueprint Assignment '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
+Actions                 : {*}
+NotActions              : {*/read}
+DataActions             : {}
+NotDataActions          : {}
+Scope                   : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks/providers/Microsoft.Storage/storageAccounts/storep6vkuxmu4m4pq
+DoNotApplyToChildScopes : True
+Principals              : {
+                          DisplayName:  All Principals
+                          ObjectType:   SystemDefined
+                          ObjectId:     00000000-0000-0000-0000-000000000000
+                          }
+ExcludePrincipals       : {
+                          DisplayName:  assignment-locked-storageaccount-TestingBPLocks
+                          ObjectType:   ServicePrincipal
+                          ObjectId:     2311a0b7-657a-4ca2-af6f-d1c33f6d2fff
+                          }
+IsSystemProtected       : True
+```
+
+### List deny assignments at a resource group scope
+
+To list all deny assignments at a resource group scope, use [Get-AzDenyAssignment](/powershell/module/az.resources/get-azdenyassignment).
+
+```azurepowershell
+Get-AzDenyAssignment -ResourceGroupName <resource_group_name>
+```
+
+```Example
+PS C:\> Get-AzDenyAssignment -ResourceGroupName TestingBPLocks | FL DenyAssignmentName, Scope
+
+DenyAssignmentName : Deny assignment '22222222-2222-2222-2222-222222222222' created by Blueprint Assignment
+                     '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Blueprint/blueprintAssignments/assignment-locked-storageaccount-TestingBPLocks'.
+Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/TestingBPLocks
+Principals         : {
+                     DisplayName:       All Principals
+                     ObjectType:        SystemDefined
+                     ObjectId:  00000000-0000-0000-0000-000000000000
+                     }
+```
+
+### List deny assignments at a subscription scope
+
+To list all deny assignments at a subscription scope, use [Get-AzDenyAssignment](/powershell/module/az.resources/get-azdenyassignment). To get the subscription ID, you can find it on the **Subscriptions** blade in the Azure portal or you can use [Get-AzSubscription](/powershell/module/Az.Accounts/Get-AzSubscription).
+
+```azurepowershell
+Get-AzDenyAssignment -Scope /subscriptions/<subscription_id>
+```
+
+```Example
+PS C:\> Get-AzDenyAssignment -Scope /subscriptions/11111111-1111-1111-1111-111111111111
+```
+
+## Next steps
+
+- [Understand deny assignments for Azure resources](deny-assignments.md)
+- [List deny assignments for Azure resources using the Azure portal](deny-assignments-portal.md)
+- [List deny assignments for Azure resources using the REST API](deny-assignments-rest.md)
diff --git a/articles/role-based-access-control/deny-assignments-rest.md b/articles/role-based-access-control/deny-assignments-rest.md
@@ -1,6 +1,6 @@
 ---
 title: List deny assignments for Azure resources using the REST API - Azure | Microsoft Docs
-description: Learn how to list deny assignments for users, groups, and applications, using role-based access control (RBAC) for Azure resources and the REST API.
+description: Learn how to list deny assignments for users, groups, and applications using role-based access control (RBAC) for Azure resources and the REST API.
 services: active-directory
 documentationcenter: na
 author: rolyon
@@ -13,17 +13,17 @@ ms.workload: multiple
 ms.tgt_pltfrm: rest-api
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 03/13/2019
+ms.date: 06/10/2019
 ms.author: rolyon
 ms.reviewer: bagovind
 
 ---
 # List deny assignments for Azure resources using the REST API
 
-[Deny assignments](deny-assignments.md) block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to use the REST API to list deny assignments.
+[Deny assignments](deny-assignments.md) block users from performing specific Azure resource actions even if a role assignment grants them access. This article describes how to list deny assignments using the REST API.
 
 > [!NOTE]
-> At this time, the only way you can add your own deny assignments is by using Azure Blueprints. For more information, see [Protect new resources with Azure Blueprints resource locks](../governance/blueprints/tutorials/protect-new-resources.md).
+> You can't directly create your own deny assignments. For information about how deny assignments are created, see [Deny assignments](deny-assignments.md).
 
 ## Prerequisites
 
diff --git a/articles/role-based-access-control/deny-assignments.md b/articles/role-based-access-control/deny-assignments.md
@@ -12,21 +12,34 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/13/2019
+ms.date: 06/13/2019
 ms.author: rolyon
 ms.reviewer: bagovind
 ms.custom: 
 ---
 # Understand deny assignments for Azure resources
 
-Similar to a role assignment, a *deny assignment* attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. Some resource providers in Azure now include deny assignments.
-
-In some ways, deny assignments are different than role assignments. Deny assignments can exclude principals and prevent inheritance to child scopes. Deny assignments also apply to [classic subscription administrator](rbac-and-directory-admin-roles.md) assignments.
+Similar to a role assignment, a *deny assignment* attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.
 
 This article describes how deny assignments are defined.
 
-> [!NOTE]
-> At this time, the only way you can add your own deny assignments is by using Azure Blueprints. For more information, see [Protect new resources with Azure Blueprints resource locks](../governance/blueprints/tutorials/protect-new-resources.md).
+## How deny assignments are created
+
+Deny assignments are created and managed by Azure to protect resources. For example, Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources. For more information, see [Protect new resources with Azure Blueprints resource locks](../governance/blueprints/tutorials/protect-new-resources.md).
+
+## Compare role assignments and deny assignments
+
+Deny assignments follow a similar pattern as deny assignments, but also have some differences.
+
+| Capability | Role assignment | Deny assignment |
+| --- | --- | --- |
+| Grant access | :heavy_check_mark: |  |
+| Deny access |  | :heavy_check_mark: |
+| Can be directly created | :heavy_check_mark: |  |
+| Apply at a scope | :heavy_check_mark: | :heavy_check_mark: |
+| Exclude principals |  | :heavy_check_mark: |
+| Prevent inheritance to child scopes |  | :heavy_check_mark: |
+| Apply to [classic subscription administrator](rbac-and-directory-admin-roles.md) assignments |  | :heavy_check_mark: |
 
 ## Deny assignment properties
 
@@ -49,14 +62,24 @@ This article describes how deny assignments are defined.
 > | `ExcludePrincipals[i].Type` | No | String[] | An array of object types represented by ExcludePrincipals[i].Id. |
 > | `IsSystemProtected` | No | Boolean | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected. |
 
-## System-Defined Principal
+## The All Principals principal
+
+To support deny assignments, a system-defined principal named *All Principals* has been introduced. This principal represents all users, groups, service principals, and managed identities in an Azure AD directory. If the principal ID is a zero GUID `00000000-0000-0000-0000-000000000000` and the principal type is `SystemDefined`, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:
+
+```azurepowershell
+Principals              : {
+                          DisplayName:  All Principals
+                          ObjectType:   SystemDefined
+                          ObjectId:     00000000-0000-0000-0000-000000000000
+                          }
+```
 
-To support deny assignments, the **System-Defined Principal** has been introduced. This principal represents all users, groups, service principals, and managed identities in an Azure AD directory. If the principal ID is a zero GUID `00000000-0000-0000-0000-000000000000` and the principal type is `SystemDefined`, the principal represents all principals. `SystemDefined` can be combined with `ExcludePrincipals` to deny all principals except some users. `SystemDefined` has the following constraints:
+All Principals can be combined with `ExcludePrincipals` to deny all principals except some users. All Principals has the following constraints:
 
 - Can be used only in `Principals` and cannot be used in `ExcludePrincipals`.
 - `Principals[i].Type` must be set to `SystemDefined`.
 
 ## Next steps
 
-* [View deny assignments for Azure resources using the Azure portal](deny-assignments-portal.md)
+* [List deny assignments for Azure resources using the Azure portal](deny-assignments-portal.md)
 * [Understand role definitions for Azure resources](role-definitions.md)
diff --git a/articles/role-based-access-control/overview.md b/articles/role-based-access-control/overview.md
@@ -12,7 +12,7 @@ ms.devlang: na
 ms.topic: overview
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/13/2019
+ms.date: 06/12/2019
 ms.author: rolyon
 ms.reviewer: bagovind
 
@@ -106,10 +106,7 @@ So what happens if you have multiple overlapping role assignments? RBAC is an ad
 
 ## Deny assignments
 
-Previously, RBAC was an allow-only model with no deny, but now RBAC supports deny assignments in a limited way. Similar to a role assignment, a *deny assignment* attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are *allowed*, while a deny assignment defines a set of actions that are *not allowed*. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access. Deny assignments take precedence over role assignments. For more information, see [Understand deny assignments for Azure resources](deny-assignments.md) and [View deny assignments for Azure resources using the Azure portal](deny-assignments-portal.md).
-
-> [!NOTE]
-> At this time, the only way you can add your own deny assignments is by using Azure Blueprints. For more information, see [Protect new resources with Azure Blueprints resource locks](../governance/blueprints/tutorials/protect-new-resources.md).
+Previously, RBAC was an allow-only model with no deny, but now RBAC supports deny assignments in a limited way. Similar to a role assignment, a *deny assignment* attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are *allowed*, while a deny assignment defines a set of actions that are *not allowed*. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access. Deny assignments take precedence over role assignments. For more information, see [Understand deny assignments for Azure resources](deny-assignments.md).
 
 ## How RBAC determines if a user has access to a resource
 
