Use Role Management Policies to manage rules for each role within each resource
Role Management Policies help you govern the rules for any role eligibility request or role assignment request. For example, you can set the maximum duration for which an assignment can be active, or you can even allow permanent assignment. You can update the notification settings for each assignment. You can also set approvers for each role activation.
List role management policies for a resource
To list role management policies, you can use the Role Management Policies - List For Scope REST API. To refine your results, you specify a scope and an optional filter. To call the API, you must have access to the Microsoft.Authorization/roleAssignments/read operation at the specified scope. All built-in roles are granted access to this operation.
Important
You do not need to create role management policies, because each role within each resource already has a default policy.
Start with the following request:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01&$filter={filter}
Within the URI, replace {scope} with the scope for which you want to list the role management policies.
| Scope | Type |
| --- | --- |
| providers/Microsoft.Management/managementGroups/{mg-name} | Management Group |
| subscriptions/{subscriptionId} | Subscription |
| subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1 | Resource group |
| subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource |

Replace {filter} with the condition that you want to apply to filter the role assignment list.
| Filter | Description |
| --- | --- |
| $filter=roleDefinitionId%20eq%20'{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}' | List the role management policy for a specified role definition within the resource scope. |
Update a role management policy
Choose the rule(s) that you want to update. These are the rule types:

| Rule Type | Description |
| --- | --- |
| RoleManagementPolicyEnablementRule | Enable MFA, justification on assignments, or ticketing information |
| RoleManagementPolicyExpirationRule | Specify the maximum duration of a role assignment or activation |
| RoleManagementPolicyNotificationRule | Configure email notification settings for assignments, activations, and approvals |
| RoleManagementPolicyApprovalRule | Configure approval settings for a role activation |
| RoleManagementPolicyAuthenticationContextRule | Configure the ACRS rule for a Conditional Access policy |

Use the following request:
PATCH https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyId}?api-version=2020-10-01
{
  "properties": {
    "rules": [
      {
        "isExpirationRequired": false,
        "maximumDuration": "P180D",
        "id": "Expiration_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {
          "caller": "Admin",
          "operations": [ "All" ],
          "level": "Eligibility",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null
        }
      },
      {
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": false,
        "notificationLevel": "Critical",
        "notificationRecipients": [ "[email protected]" ],
        "id": "Notification_Admin_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyNotificationRule",
        "target": {
          "caller": "Admin",
          "operations": [ "All" ],
          "level": "Eligibility",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null
        }
      },
      {
        "enabledRules": [ "Justification", "MultiFactorAuthentication", "Ticketing" ],
        "id": "Enablement_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyEnablementRule",
        "target": {
          "caller": "EndUser",
          "operations": [ "All" ],
          "level": "Assignment",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null
        }
      },
      {
        "setting": {
          "isApprovalRequired": true,
          "isApprovalRequiredForExtension": false,
          "isRequestorJustificationRequired": true,
          "approvalMode": "SingleStage",
          "approvalStages": [
            {
              "approvalStageTimeOutInDays": 1,
              "isApproverJustificationRequired": true,
              "escalationTimeInMinutes": 0,
              "primaryApprovers": [
                {
                  "id": "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
                  "description": "amansw_new_group",
                  "isBackup": false,
                  "userType": "Group"
                }
              ],
              "isEscalationEnabled": false,
              "escalationApprovers": null
            }
          ]
        },
        "id": "Approval_EndUser_Assignment",
        "ruleType": "RoleManagementPolicyApprovalRule",
        "target": {
          "caller": "EndUser",
          "operations": [ "All" ],
          "level": "Assignment",
          "targetObjects": null,
          "inheritableSettings": null,
          "enforcedSettings": null
        }
      }
    ]
  }
}
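The audit below is an added example, not code from the Microsoft documentation: it walks the rules of a policy returned by the List For Scope call, flags settings that fall below a baseline (permanent eligibility, overly long eligibility, activation without MFA, activation without approval) and builds a PATCH body containing only the rules that need to change. The sample policy, the rule shapes and the 180-day baseline are constructed for the example.

```python
import copy
import re

# Constructed sample (not from the page): the three rule ids used in the PATCH body above, in the shape a GET returns.
SAMPLE_POLICY = {"properties": {"rules": [
    {"id": "Expiration_Admin_Eligibility", "ruleType": "RoleManagementPolicyExpirationRule",
     "isExpirationRequired": False, "maximumDuration": "P365D",
     "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility"}},
    {"id": "Enablement_EndUser_Assignment", "ruleType": "RoleManagementPolicyEnablementRule",
     "enabledRules": ["Justification"],
     "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}},
    {"id": "Approval_EndUser_Assignment", "ruleType": "RoleManagementPolicyApprovalRule",
     "setting": {"isApprovalRequired": False, "approvalMode": "SingleStage"},
     "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}},
]}}

MAX_ELIGIBILITY_DAYS = 180  # baseline chosen for this example, not a Microsoft default

def duration_days(iso):
    """Convert the PnYnMnD form used by maximumDuration to whole days."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", iso)
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso}")
    y, mo, d = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + d

def audit_policy(policy):
    """Return (findings, patch_body): weak rules found, and a PATCH body that fixes only them."""
    findings, fixed = [], []
    for rule in policy["properties"]["rules"]:
        r = copy.deepcopy(rule)  # never mutate the fetched policy
        if r["id"] == "Expiration_Admin_Eligibility":
            if not r["isExpirationRequired"]:
                findings.append("permanent eligibility allowed")
                r["isExpirationRequired"] = True
            if duration_days(r["maximumDuration"]) > MAX_ELIGIBILITY_DAYS:
                findings.append(f"eligibility may last {r['maximumDuration']}")
                r["maximumDuration"] = f"P{MAX_ELIGIBILITY_DAYS}D"
        elif r["id"] == "Enablement_EndUser_Assignment":
            if "MultiFactorAuthentication" not in r["enabledRules"]:
                findings.append("activation does not require MFA")
                r["enabledRules"].append("MultiFactorAuthentication")
        elif r["id"] == "Approval_EndUser_Assignment":
            if not r["setting"]["isApprovalRequired"]:
                findings.append("activation requires no approval")
                r["setting"]["isApprovalRequired"] = True
        if r != rule:
            fixed.append(r)
    return findings, {"properties": {"rules": fixed}}
```

The returned body is the `properties.rules` payload for the PATCH request shown above; rules that already meet the baseline are left out so the update touches nothing else.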