0
# Azure Authorization Management
1
2
A comprehensive Python SDK for Azure Role-Based Access Control (RBAC) and authorization management. This library enables developers to manage role assignments, role definitions, deny assignments, Privileged Identity Management (PIM), access reviews, and security alerts across Azure resources. It supports multiple API versions and provides both synchronous and asynchronous operations.
3
4
## Package Information
5
6
- **Package Name**: azure-mgmt-authorization
7
- **Package Type**: pip
8
- **Language**: Python
9
- **Installation**: `pip install azure-mgmt-authorization`
10
11
## Core Imports
12
13
```python
14
from azure.mgmt.authorization import AuthorizationManagementClient
15
```
16
17
For specific API versions:
18
19
```python
20
from azure.mgmt.authorization.v2022_04_01 import AuthorizationManagementClient
21
```
22
23
## Basic Usage
24
25
```python
26
from azure.mgmt.authorization import AuthorizationManagementClient
27
from azure.identity import DefaultAzureCredential
28
29
# Initialize client with default credentials
30
credential = DefaultAzureCredential()
31
client = AuthorizationManagementClient(
32
credential=credential,
33
subscription_id="your-subscription-id"
34
)
35
36
# List role assignments for subscription
37
role_assignments = client.role_assignments.list_for_subscription()
38
for assignment in role_assignments:
39
print(f"Principal: {assignment.principal_id}")
40
print(f"Role: {assignment.role_definition_id}")
41
print(f"Scope: {assignment.scope}")
42
43
# Get a specific role definition
44
role_def = client.role_definitions.get(
45
scope="/subscriptions/your-subscription-id",
46
role_definition_id="role-definition-id"
47
)
48
print(f"Role Name: {role_def.role_name}")
49
print(f"Description: {role_def.description}")
50
```
51
52
## Architecture
53
54
The Azure Authorization Management SDK follows Azure's ARM (Azure Resource Manager) design patterns:
55
56
- **Multi-API Client**: Supports 17 API versions with intelligent version selection
57
- **Operation Groups**: Functionality organized into 40+ operation groups for different authorization areas
58
- **ARM Pipeline**: Built on Azure's ARM pipeline for consistent authentication, retry policies, and error handling
59
- **Model Hierarchy**: Comprehensive data models with full type definitions and serialization support
60
- **Async Support**: Complete async/await support via `aio` submodules
61
62
The SDK provides three main authorization management areas:
63
- **Core RBAC**: Role assignments, definitions, permissions, and deny assignments
64
- **Privileged Identity Management (PIM)**: Time-bound access, approval workflows, and eligibility management
65
- **Compliance & Reviews**: Access reviews, alerts, and audit capabilities
66
67
## Capabilities
68
69
### Core RBAC Operations
70
71
Essential role-based access control functionality including role assignments, role definitions, permissions management, and deny assignments. These operations form the foundation of Azure authorization management.
72
73
```python { .api }
74
# Role Assignments
75
client.role_assignments.create(scope, role_assignment_name, parameters)
76
client.role_assignments.delete(scope, role_assignment_name)
77
client.role_assignments.get(scope, role_assignment_name)
78
client.role_assignments.list_for_scope(scope)
79
80
# Role Definitions
81
client.role_definitions.create_or_update(scope, role_definition_id, parameters)
82
client.role_definitions.delete(scope, role_definition_id)
83
client.role_definitions.get(scope, role_definition_id)
84
client.role_definitions.list(scope)
85
```
86
87
[Core RBAC Operations](./core-rbac.md)
88
89
### Privileged Identity Management
90
91
Advanced access control with time-bound assignments, approval workflows, eligibility management, and policy enforcement. PIM enables just-in-time access and comprehensive access governance with scope-specific approval operations.
92
93
```python { .api }
94
# Role Assignment Scheduling
95
client.role_assignment_schedule_requests.create(scope, role_assignment_schedule_request_name, parameters)
96
client.role_assignment_schedules.list_for_scope(scope)
97
98
# Role Eligibility Management
99
client.role_eligibility_schedule_requests.create(scope, role_eligibility_schedule_request_name, parameters)
100
client.role_eligibility_schedules.list_for_scope(scope)
101
102
# Policy Management
103
client.role_management_policies.update(scope, role_management_policy_name, parameters)
104
client.role_management_policy_assignments.create(scope, role_management_policy_assignment_name, parameters)
105
106
# Scope-specific Approval Operations
107
client.scope_role_assignment_approval.get_scope_approval(scope, role_assignment_schedule_request_name)
108
client.scope_role_assignment_approval_step.patch_scope_approval_step(scope, role_assignment_schedule_request_name, step_id, properties)
109
client.scope_role_assignment_approval_steps.list_scope_approval_steps(scope, role_assignment_schedule_request_name, filter)
110
```
111
112
[Privileged Identity Management](./pim.md)
113
114
### Access Reviews
115
116
Systematic access certification and compliance management with configurable review cycles, approval workflows, and automated remediation. Supports both scheduled and on-demand access reviews with comprehensive scope-specific and tenant-level operations.
117
118
```python { .api }
119
# Review Definitions
120
client.access_review_schedule_definitions.create_or_update_by_id(schedule_definition_id, properties)
121
client.access_review_schedule_definitions.list()
122
123
# Review Instances
124
client.access_review_instances.create(schedule_definition_id, id, properties)
125
client.access_review_instances.list(schedule_definition_id)
126
127
# Review Decisions
128
client.access_review_instance_decisions.list(schedule_definition_id, id)
129
client.access_review_instance_decisions.patch(schedule_definition_id, id, decision_id, properties)
130
131
# Scope-specific Operations
132
client.scope_access_review_schedule_definitions.create_scope_schedule_definition(scope, schedule_definition_id, properties)
133
client.scope_access_review_instances.list_scope_instances(scope, filter)
134
client.scope_access_review_instance_decisions.list_scope_instance_decisions(scope, schedule_definition_id, id, filter)
135
136
# History Export and Compliance
137
client.access_review_history_definitions.create(history_definition_id, properties)
138
client.access_review_history_definition_instances.list(definition_id)
139
client.scope_access_review_history_definitions.create_scope_history_definition(scope, history_definition_id, properties)
140
```
141
142
[Access Reviews](./access-reviews.md)
143
144
### Security Alerts
145
146
Real-time security monitoring and alerting for privileged access with configurable alert definitions, incident management, and automated remediation capabilities.
147
148
```python { .api }
149
# Alert Management
150
client.alerts.list_for_scope(scope)
151
client.alerts.get(scope, alert_id)
152
client.alerts.update(scope, alert_id, parameters)
153
154
# Alert Configuration
155
client.alert_configurations.list_for_scope(scope)
156
client.alert_configurations.update(scope, alert_id, parameters)
157
158
# Incident Management
159
client.alert_incidents.list_for_scope(scope)
160
client.alert_incidents.remediate(scope, alert_id, alert_incident_id)
161
```
162
163
[Security Alerts](./alerts.md)
164
165
### Authentication and Client Configuration
166
167
Azure authentication patterns, client initialization options, and configuration management for optimal SDK usage across different Azure environments.
168
169
```python { .api }
170
class AuthorizationManagementClient:
171
def __init__(
172
credential: TokenCredential,
173
subscription_id: str,
174
api_version: Optional[str] = None,
175
base_url: str = "https://management.azure.com",
176
profile: KnownProfiles = KnownProfiles.default,
177
**kwargs
178
)
179
```
180
181
[Authentication and Configuration](./auth-config.md)
182
183
### Legacy Administration
184
185
Classic subscription administrators and global administrator operations for managing legacy Azure administration scenarios and elevated access.
186
187
```python { .api }
188
# Classic Administrators
189
client.classic_administrators.list()
190
191
# Global Administrator Access
192
client.global_administrator.elevate_access()
193
```
194
195
[Legacy Administration](./legacy-admin.md)
196
197
### Metrics and Monitoring
198
199
Role assignment metrics and operational monitoring capabilities for analyzing authorization usage patterns and performance.
200
201
```python { .api }
202
# Role Assignment Metrics
203
client.role_assignment_metrics.get_metrics_for_subscription()
204
205
# Operation Monitoring
206
client.operations.list()
207
```
208
209
[Metrics and Monitoring](./metrics.md)
210
211
## Types
212
213
### Core RBAC Types
214
215
```python { .api }
216
class RoleAssignment:
217
id: Optional[str]
218
name: Optional[str]
219
type: Optional[str]
220
scope: Optional[str]
221
role_definition_id: Optional[str]
222
principal_id: Optional[str]
223
principal_type: Optional[str]
224
description: Optional[str]
225
226
class RoleDefinition:
227
id: Optional[str]
228
name: Optional[str]
229
type: Optional[str]
230
role_name: Optional[str]
231
description: Optional[str]
232
role_type: Optional[str]
233
permissions: Optional[List[Permission]]
234
assignable_scopes: Optional[List[str]]
235
236
class Permission:
237
actions: Optional[List[str]]
238
not_actions: Optional[List[str]]
239
data_actions: Optional[List[str]]
240
not_data_actions: Optional[List[str]]
241
242
class DenyAssignment:
243
id: Optional[str]
244
name: Optional[str]
245
type: Optional[str]
246
deny_assignment_name: Optional[str]
247
description: Optional[str]
248
permissions: Optional[List[DenyAssignmentPermission]]
249
scope: Optional[str]
250
principals: Optional[List[Principal]]
251
exclude_principals: Optional[List[Principal]]
252
```
253
254
### PIM Types
255
256
```python { .api }
257
class RoleAssignmentScheduleRequest:
258
id: Optional[str]
259
name: Optional[str]
260
type: Optional[str]
261
request_type: Optional[str]
262
principal_id: Optional[str]
263
role_definition_id: Optional[str]
264
scope: Optional[str]
265
justification: Optional[str]
266
schedule_info: Optional[RoleAssignmentScheduleRequestPropertiesScheduleInfo]
267
268
class RoleEligibilityScheduleRequest:
269
id: Optional[str]
270
name: Optional[str]
271
type: Optional[str]
272
request_type: Optional[str]
273
principal_id: Optional[str]
274
role_definition_id: Optional[str]
275
scope: Optional[str]
276
justification: Optional[str]
277
schedule_info: Optional[RoleEligibilityScheduleRequestPropertiesScheduleInfo]
278
279
class RoleManagementPolicy:
280
id: Optional[str]
281
name: Optional[str]
282
type: Optional[str]
283
scope: Optional[str]
284
display_name: Optional[str]
285
description: Optional[str]
286
rules: Optional[List[RoleManagementPolicyRule]]
287
```
288
289
### Access Review Types
290
291
```python { .api }
292
class AccessReviewScheduleDefinition:
293
id: Optional[str]
294
name: Optional[str]
295
type: Optional[str]
296
display_name: Optional[str]
297
description: Optional[str]
298
settings: Optional[AccessReviewScheduleSettings]
299
reviewers: Optional[List[AccessReviewReviewer]]
300
instances: Optional[List[AccessReviewInstance]]
301
302
class AccessReviewInstance:
303
id: Optional[str]
304
name: Optional[str]
305
type: Optional[str]
306
status: Optional[str]
307
start_date_time: Optional[datetime]
308
end_date_time: Optional[datetime]
309
reviewers: Optional[List[AccessReviewReviewer]]
310
311
class AccessReviewDecision:
312
id: Optional[str]
313
name: Optional[str]
314
type: Optional[str]
315
decision: Optional[str]
316
justification: Optional[str]
317
reviewed_date_time: Optional[datetime]
318
principal: Optional[AccessReviewDecisionPrincipal]
319
```
320
321
### Alert Types
322
323
```python { .api }
324
class Alert:
325
id: Optional[str]
326
name: Optional[str]
327
type: Optional[str]
328
alert_definition_id: Optional[str]
329
scope: Optional[str]
330
alert_incidents: Optional[List[AlertIncident]]
331
last_scanned_date_time: Optional[datetime]
332
333
class AlertConfiguration:
334
id: Optional[str]
335
name: Optional[str]
336
type: Optional[str]
337
alert_definition: Optional[AlertDefinition]
338
scope: Optional[str]
339
is_enabled: Optional[bool]
340
341
class AlertIncident:
342
id: Optional[str]
343
name: Optional[str]
344
type: Optional[str]
345
alert_incident_id: Optional[str]
346
alert_id: Optional[str]
347
state: Optional[str]
348
reason: Optional[str]
349
```
350
351
## Constants and Enumerations
352
353
```python { .api }
354
class PrincipalType:
355
USER = "User"
356
GROUP = "Group"
357
SERVICE_PRINCIPAL = "ServicePrincipal"
358
FOREIGN_GROUP = "ForeignGroup"
359
DEVICE = "Device"
360
361
class RequestType:
362
ADMIN_ASSIGN = "AdminAssign"
363
ADMIN_REMOVE = "AdminRemove"
364
ADMIN_UPDATE = "AdminUpdate"
365
ADMIN_EXTEND = "AdminExtend"
366
ADMIN_RENEW = "AdminRenew"
367
SELF_ACTIVATE = "SelfActivate"
368
SELF_DEACTIVATE = "SelfDeactivate"
369
SELF_EXTEND = "SelfExtend"
370
SELF_RENEW = "SelfRenew"
371
372
class AccessReviewResult:
373
APPROVE = "Approve"
374
DENY = "Deny"
375
NOT_REVIEWED = "NotReviewed"
376
DONT_KNOW = "DontKnow"
377
378
class AlertSeverity:
379
HIGH = "High"
380
MEDIUM = "Medium"
381
LOW = "Low"
382
```