Add or edit Azure role assignment conditions using Azure PowerShell
An Azure role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object. This article describes how to add, edit, list, or delete conditions for your role assignments using Azure PowerShell.
Prerequisites
For information about the prerequisites to add or edit role assignment conditions, see Conditions prerequisites.
Add a condition
To add a role assignment condition, use New-AzRoleAssignment. The New-AzRoleAssignment command includes the following parameters related to conditions.
Parameter | Type | Description |
---|---|---|
Condition |
String | Condition under which the user can be granted permission. |
ConditionVersion |
String | Version of the condition syntax. Must be set to 2.0. If Condition is specified, ConditionVersion must also be specified. |
The following example shows how to initialize the variables to assign the Storage Blob Data Reader role with a condition. The condition checks whether container name equals 'blobs-example-container'.
$subscriptionId = "<subscriptionId>"
$resourceGroup = "<resourceGroup>"
$roleDefinitionName = "Storage Blob Data Reader"
$roleDefinitionId = "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
$userObjectId = "<userObjectId>"
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$description = "Read access if container name equals blobs-example-container"
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))"
$conditionVersion = "2.0"
Use New-AzRoleAssignment to assign the role with a condition.
New-AzRoleAssignment -ObjectId $userObjectId -Scope $scope -RoleDefinitionId $roleDefinitionId -Description $description -Condition $condition -ConditionVersion $conditionVersion
Here's an example of the output:
RoleAssignmentId : /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentId>
Scope : /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>
DisplayName : User1
SignInName : [email protected]
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : <userObjectId>
ObjectType : User
CanDelegate : False
Description : Read access if container name equals blobs-example-container
ConditionVersion : 2.0
Condition : ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))
In PowerShell, if your condition includes a dollar sign ($), you must prefix it with a backtick (`). For example, the following condition uses dollar signs to delineate the tag key name. For more information about rules for quotation marks in PowerShell, see About Quoting Rules.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
Edit a condition
To edit an existing role assignment condition, use Set-AzRoleAssignment. Only the Condition
, ConditionVersion
, and Description
properties can be edited. The -PassThru
parameter causes Set-AzRoleAssignment to return the updated role assignment, which allows visualization or storage in a variable for further use.
There are two ways to edit a condition. You can use the PSRoleAssignment
object or a JSON file.
Edit a condition using the PSRoleAssignment object
Use Get-AzRoleAssignment to get the existing role assignment with a condition as a
PSRoleAssignment
object.$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectId
Edit the condition.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))"
Initialize the condition and description.
$testRa.Condition = $condition $testRa.Description = "Read access if container name equals blobs-example-container or blobs-example-container2"
Use Set-AzRoleAssignment to update the condition for the role assignment.
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's an example of the output:
RoleAssignmentId : /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentId> Scope : /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup> DisplayName : User1 SignInName : [email protected] RoleDefinitionName : Storage Blob Data Reader RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 ObjectId : <userObjectId> ObjectType : User CanDelegate : False Description : Read access if container name equals blobs-example-container or blobs-example-container2 ConditionVersion : 2.0 Condition : ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))
Edit a condition using a JSON file
To edit a condition, you can also provide a JSON file as input. The following shows an example JSON file where Condition
and Description
are updated. You must specify all the properties in the JSON file to update a condition.
{
"RoleDefinitionId": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"ObjectId": "<userObjectId>",
"ObjectType": "User",
"Scope": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>",
"Condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))",
"ConditionVersion": "2.0",
"CanDelegate": false,
"Description": "Read access if container name equals blobs-example-container or blobs-example-container2",
"RoleAssignmentId": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentId>"
}
Use Set-AzRoleAssignment to update the condition for the role assignment.
Set-AzRoleAssignment -InputFile "C:\path\roleassignment.json" -PassThru
Here's an example of the output:
RoleAssignmentId : /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentId>
Scope : /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>
DisplayName : User1
SignInName : [email protected]
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : <userObjectId>
ObjectType : User
CanDelegate : False
Description : Read access if container name equals blobs-example-container or blobs-example-container2
ConditionVersion : 2.0
Condition : ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))
Edit conditions in multiple role assignments
If you need to make the same update to multiple role assignments, you can use a loop. The following commands perform the following task:
Finds role assignments in a subscription with
<find-condition-string-1>
or<find-condition-string-2>
strings in the condition.$tenantId = "<your-tenant-id>" $subscriptionId = "<your-subscription-id>"; $scope = "/subscriptions/$subscriptionId" $findConditionString1 = "<find-condition-string-1>" $findConditionString2 = "<find-condition-string-2>" Connect-AzAccount -TenantId $tenantId -SubscriptionId $subscriptionId $roleAssignments = Get-AzRoleAssignment -Scope $scope $foundRoleAssignments = $roleAssignments | Where-Object { ($_.Condition -Match $findConditionString1) -Or ($_.Condition -Match $findConditionString2) }
The following commands perform the following tasks:
In the condition of the found role assignments, replaces
<condition-string>
with<replace-condition-string>
.Updates the role assignments with the changes.
$conditionString = "<condition-string>" $conditionStringReplacement = "<condition-string-replacement>" $updatedRoleAssignments = $foundRoleAssignments | ForEach-Object { $_.Condition = $_.Condition -replace $conditionString, $conditionStringReplacement; $_ } $updatedRoleAssignments | ForEach-Object { Set-AzRoleAssignment -InputObject $_ -PassThru }
If strings include special characters, such as square brackets ([ ]), you'll need to escape these characters with a backslash (\).
List a condition
To list a role assignment condition, use Get-AzRoleAssignment. For more information, see List Azure role assignments using Azure PowerShell.
Delete a condition
To delete a role assignment condition, edit the role assignment condition and set both the Condition
and ConditionVersion
properties to either an empty string (""
) or $null
.
Alternatively, if you want to delete both the role assignment and the condition, you can use the Remove-AzRoleAssignment command. For more information, see Remove Azure role assignments.