0
# Policy Restrictions Operations
1
2
## Overview
3
4
Policy Restrictions operations enable checking what policy restrictions would apply to resource operations before attempting to perform them, providing proactive compliance validation across different Azure scopes.
5
6
## Core Functionality
7
8
### Restriction Check Operations
9
10
#### check_at_subscription_scope
11
12
```python
13
def check_at_subscription_scope(
14
subscription_id: str,
15
parameters: CheckRestrictionsRequest,
16
**kwargs
17
) -> CheckRestrictionsResult
18
```
19
{ .api }
20
21
Check policy restrictions at subscription scope.
22
23
**Parameters:**
24
- `subscription_id`: Azure subscription ID
25
- `parameters`: CheckRestrictionsRequest with resource details
26
27
**Returns:** CheckRestrictionsResult with restriction information
28
29
#### check_at_resource_group_scope
30
31
```python
32
def check_at_resource_group_scope(
33
subscription_id: str,
34
resource_group_name: str,
35
parameters: CheckRestrictionsRequest,
36
**kwargs
37
) -> CheckRestrictionsResult
38
```
39
{ .api }
40
41
Check policy restrictions at resource group scope.
42
43
**Parameters:**
44
- `subscription_id`: Azure subscription ID
45
- `resource_group_name`: Resource group name
46
- `parameters`: CheckRestrictionsRequest with resource details
47
48
**Returns:** CheckRestrictionsResult with restriction information
49
50
#### check_at_management_group_scope
51
52
```python
53
def check_at_management_group_scope(
54
management_group_id: str,
55
parameters: CheckRestrictionsRequest,
56
**kwargs
57
) -> CheckRestrictionsResult
58
```
59
{ .api }
60
61
Check policy restrictions at management group scope.
62
63
**Parameters:**
64
- `management_group_id`: Management group ID
65
- `parameters`: CheckRestrictionsRequest with resource details
66
67
**Returns:** CheckRestrictionsResult with restriction information
68
69
## Related Types
70
71
### CheckRestrictionsRequest
72
73
```python
74
class CheckRestrictionsRequest:
75
resource_details: CheckRestrictionsResourceDetails
76
pending_fields: Optional[List[PendingField]]
77
```
78
{ .api }
79
80
### CheckRestrictionsResourceDetails
81
82
```python
83
class CheckRestrictionsResourceDetails:
84
resource_content: Dict[str, Any]
85
api_version: Optional[str]
86
scope: Optional[str]
87
```
88
{ .api }
89
90
### CheckRestrictionsResult
91
92
```python
93
class CheckRestrictionsResult:
94
field_restrictions: Optional[List[FieldRestrictions]]
95
content_evaluation_result: Optional[CheckRestrictionsResultContentEvaluationResult]
96
```
97
{ .api }
98
99
### FieldRestrictions
100
101
```python
102
class FieldRestrictions:
103
field: Optional[str]
104
restrictions: Optional[List[FieldRestriction]]
105
```
106
{ .api }
107
108
### FieldRestriction
109
110
```python
111
class FieldRestriction:
112
result: Optional[Union[str, FieldRestrictionResult]]
113
default_value: Optional[str]
114
values: Optional[List[str]]
115
policy: Optional[PolicyReference]
116
```
117
{ .api }
118
119
### PendingField
120
121
```python
122
class PendingField:
123
field: str
124
values: Optional[List[str]]
125
```
126
{ .api }
127
128
### CheckRestrictionsResultContentEvaluationResult
129
130
```python
131
class CheckRestrictionsResultContentEvaluationResult:
132
policy_evaluations: Optional[List[PolicyEvaluationResult]]
133
```
134
{ .api }
135
136
### PolicyEvaluationResult
137
138
```python
139
class PolicyEvaluationResult:
140
policy_info: Optional[PolicyReference]
141
evaluation_result: Optional[str]
142
evaluation_details: Optional[PolicyEvaluationDetails]
143
```
144
{ .api }
145
146
### PolicyReference
147
148
```python
149
class PolicyReference:
150
policy_definition_id: Optional[str]
151
policy_set_definition_id: Optional[str]
152
policy_definition_reference_id: Optional[str]
153
policy_assignment_id: Optional[str]
154
```
155
{ .api }
156
157
### FieldRestrictionResult Enum
158
159
```python
160
class FieldRestrictionResult(str, Enum):
161
REQUIRED = "Required"
162
REMOVED = "Removed"
163
DENY = "Deny"
164
```
165
{ .api }
166
167
## Usage Examples
168
169
### Check Storage Account Creation Restrictions
170
171
```python
172
from azure.mgmt.policyinsights.models import (
173
CheckRestrictionsRequest,
174
CheckRestrictionsResourceDetails
175
)
176
177
# Check what restrictions apply to creating a storage account
178
resource_content = {
179
"type": "Microsoft.Storage/storageAccounts",
180
"location": "eastus",
181
"sku": {
182
"name": "Standard_LRS"
183
},
184
"kind": "StorageV2",
185
"properties": {
186
"supportsHttpsTrafficOnly": False, # This might be restricted
187
"minimumTlsVersion": "TLS1_0" # This might be restricted
188
}
189
}
190
191
request = CheckRestrictionsRequest(
192
resource_details=CheckRestrictionsResourceDetails(
193
resource_content=resource_content,
194
api_version="2021-04-01"
195
)
196
)
197
198
restrictions = client.policy_restrictions.check_at_subscription_scope(
199
subscription_id=subscription_id,
200
parameters=request
201
)
202
203
# Analyze field restrictions
204
if restrictions.field_restrictions:
205
print("Policy restrictions found:")
206
for field_restriction in restrictions.field_restrictions:
207
print(f"\nField: {field_restriction.field}")
208
for restriction in field_restriction.restrictions:
209
print(f" - Result: {restriction.result}")
210
if restriction.values:
211
print(f" Allowed values: {restriction.values}")
212
if restriction.default_value:
213
print(f" Default value: {restriction.default_value}")
214
if restriction.policy:
215
print(f" Policy: {restriction.policy.policy_definition_id}")
216
else:
217
print("No field restrictions apply to this resource")
218
```
219
220
### Validate VM Configuration
221
222
```python
223
# Check restrictions for VM creation with specific configuration
224
vm_config = {
225
"type": "Microsoft.Compute/virtualMachines",
226
"location": "westus2",
227
"properties": {
228
"hardwareProfile": {
229
"vmSize": "Standard_D4s_v3" # Check if this size is allowed
230
},
231
"osProfile": {
232
"computerName": "myVM",
233
"adminUsername": "azureuser"
234
},
235
"storageProfile": {
236
"imageReference": {
237
"publisher": "Canonical",
238
"offer": "UbuntuServer",
239
"sku": "18.04-LTS",
240
"version": "latest"
241
},
242
"osDisk": {
243
"createOption": "FromImage",
244
"managedDisk": {
245
"storageAccountType": "Premium_LRS"
246
}
247
}
248
}
249
}
250
}
251
252
request = CheckRestrictionsRequest(
253
resource_details=CheckRestrictionsResourceDetails(
254
resource_content=vm_config,
255
api_version="2021-07-01"
256
)
257
)
258
259
restrictions = client.policy_restrictions.check_at_resource_group_scope(
260
subscription_id=subscription_id,
261
resource_group_name="production-rg",
262
parameters=request
263
)
264
265
# Check for any restrictions
266
if restrictions.field_restrictions:
267
print("VM configuration restrictions:")
268
for field_restriction in restrictions.field_restrictions:
269
field_name = field_restriction.field
270
print(f"\n{field_name}:")
271
272
for restriction in field_restriction.restrictions:
273
if restriction.result == "Deny":
274
print(f" β DENIED - This value is not allowed")
275
elif restriction.result == "Required":
276
print(f" β οΈ REQUIRED - This field must be specified")
277
if restriction.values:
278
print(f" Allowed values: {', '.join(restriction.values)}")
279
elif restriction.result == "Removed":
280
print(f" π MODIFIED - This field will be removed/modified")
281
if restriction.default_value:
282
print(f" Will be set to: {restriction.default_value}")
283
```
284
285
### Batch Check Multiple Resources
286
287
```python
288
# Check restrictions for multiple resource types
289
resource_configs = [
290
{
291
"name": "Storage Account",
292
"config": {
293
"type": "Microsoft.Storage/storageAccounts",
294
"location": "eastus",
295
"sku": {"name": "Standard_LRS"},
296
"properties": {"supportsHttpsTrafficOnly": True}
297
}
298
},
299
{
300
"name": "Key Vault",
301
"config": {
302
"type": "Microsoft.KeyVault/vaults",
303
"location": "eastus",
304
"properties": {
305
"enableSoftDelete": False, # Might be restricted
306
"publicNetworkAccess": "Enabled"
307
}
308
}
309
}
310
]
311
312
for resource_info in resource_configs:
313
print(f"\nChecking restrictions for {resource_info['name']}:")
314
315
request = CheckRestrictionsRequest(
316
resource_details=CheckRestrictionsResourceDetails(
317
resource_content=resource_info['config'],
318
api_version="2021-04-01"
319
)
320
)
321
322
restrictions = client.policy_restrictions.check_at_subscription_scope(
323
subscription_id=subscription_id,
324
parameters=request
325
)
326
327
if restrictions.field_restrictions:
328
for field_restriction in restrictions.field_restrictions:
329
print(f" Field '{field_restriction.field}' has restrictions")
330
else:
331
print(f" β No restrictions")
332
```
333
334
### Check with Pending Fields
335
336
```python
337
from azure.mgmt.policyinsights.models import PendingField
338
339
# Check restrictions while specifying potential values for certain fields
340
pending_fields = [
341
PendingField(
342
field="location",
343
values=["eastus", "westus2", "centralus"] # Consider these locations
344
),
345
PendingField(
346
field="properties.supportsHttpsTrafficOnly",
347
values=["true", "false"] # Consider both options
348
)
349
]
350
351
request = CheckRestrictionsRequest(
352
resource_details=CheckRestrictionsResourceDetails(
353
resource_content={
354
"type": "Microsoft.Storage/storageAccounts",
355
"sku": {"name": "Standard_LRS"}
356
},
357
api_version="2021-04-01"
358
),
359
pending_fields=pending_fields
360
)
361
362
restrictions = client.policy_restrictions.check_at_subscription_scope(
363
subscription_id=subscription_id,
364
parameters=request
365
)
366
367
print("Restrictions considering pending field values:")
368
if restrictions.field_restrictions:
369
for field_restriction in restrictions.field_restrictions:
370
print(f"\nField: {field_restriction.field}")
371
for restriction in field_restriction.restrictions:
372
print(f" Result: {restriction.result}")
373
if restriction.values:
374
allowed_values = [v for v in restriction.values]
375
print(f" Allowed from pending values: {allowed_values}")
376
```
377
378
### Validate Against Management Group Policies
379
380
```python
381
# Check restrictions at management group level (inherits all policies)
382
request = CheckRestrictionsRequest(
383
resource_details=CheckRestrictionsResourceDetails(
384
resource_content={
385
"type": "Microsoft.Compute/virtualMachines",
386
"location": "eastus",
387
"properties": {
388
"hardwareProfile": {"vmSize": "Standard_B1s"}
389
}
390
},
391
api_version="2021-07-01"
392
)
393
)
394
395
restrictions = client.policy_restrictions.check_at_management_group_scope(
396
management_group_id="my-management-group",
397
parameters=request
398
)
399
400
# Check content evaluation results
401
if restrictions.content_evaluation_result:
402
eval_result = restrictions.content_evaluation_result
403
if eval_result.policy_evaluations:
404
print("Policy evaluations:")
405
for evaluation in eval_result.policy_evaluations:
406
print(f" Policy: {evaluation.policy_info.policy_definition_id}")
407
print(f" Result: {evaluation.evaluation_result}")
408
409
if evaluation.evaluation_details:
410
details = evaluation.evaluation_details
411
print(f" Details: {details}")
412
413
print(f"\nField restrictions: {len(restrictions.field_restrictions or [])}")
414
```