To create a custom role that allows assigning Azure Policy at the management group level, you'll need to include specific ARM permissions related to:
- Reading and writing policy definitions and assignments
- Reading and managing management groups
- Assigning roles (if necessary)
Here are the minimum required actions to include in your custom role:
"actions": [
"Microsoft.Management/managementGroups/read",
"Microsoft.Authorization/policyDefinitions/read",
"Microsoft.Authorization/policyDefinitions/write",
"Microsoft.Authorization/policySetDefinitions/read",
"Microsoft.Authorization/policySetDefinitions/write",
"Microsoft.Authorization/policyAssignments/read",
"Microsoft.Authorization/policyAssignments/write",
"Microsoft.Authorization/policyAssignments/delete"
]
If your policy assignment includes a managed identity or you want to allow role assignments, include:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
Set the AssignableScopes to a management group scope, like this:
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/your-mg-id"
    ]
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
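An added example, not part of Marcin's answer: a small Python helper that assembles the custom role described above and reviews any role definition for missing actions, wildcard over-grants and assignable scopes that are not management groups. The role name and description are hypothetical; the JSON keys follow the Azure CLI / PowerShell role-definition format, and the management group id is a placeholder.

```python
import fnmatch

# Minimum actions listed in the answer; the role-assignment pair is optional.
REQUIRED_ACTIONS = [
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Authorization/policyDefinitions/read",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policySetDefinitions/read",
    "Microsoft.Authorization/policySetDefinitions/write",
    "Microsoft.Authorization/policyAssignments/read",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
]
ROLE_ASSIGNMENT_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
]
MG_SCOPE_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def build_role_definition(mg_id, allow_role_assignments=False):
    """Return a role definition dict in the CLI/PowerShell JSON shape."""
    actions = list(REQUIRED_ACTIONS)
    if allow_role_assignments:  # only needed for assignments with a managed identity
        actions += ROLE_ASSIGNMENT_ACTIONS
    return {
        "Name": "Policy Assigner (MG)",  # hypothetical role name
        "IsCustom": True,
        "Description": "Create and assign Azure Policy at management group scope",
        "Actions": actions,
        "NotActions": [],
        "AssignableScopes": [MG_SCOPE_PREFIX + mg_id],
    }


def review_role_definition(role):
    """List least-privilege findings for a role definition (empty list = clean)."""
    findings = []
    granted = [g.lower() for g in role.get("Actions", [])]  # RBAC actions are case-insensitive
    for needed in REQUIRED_ACTIONS:
        if not any(fnmatch.fnmatchcase(needed.lower(), g) for g in granted):
            findings.append(f"missing: {needed}")
    for g in role.get("Actions", []):
        if "*" in g:  # wildcards grant far more than the answer's explicit list
            findings.append(f"wildcard grant broader than needed: {g}")
    for scope in role.get("AssignableScopes", []):
        if not scope.startswith(MG_SCOPE_PREFIX):
            findings.append(f"scope is not a management group: {scope}")
    return findings
```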