Azure · Juliehzl · Feb 24, 2020 · Feb 6, 2020 · Feb 11, 2020 · Feb 12, 2020
@@ -619,13 +619,21 @@ def _resolve_policy_id(cmd, policy, policy_set_definition, client):
 
 
 def _parse_management_group_reference(name):
-    if name.lower().startswith('/providers/microsoft.management/managementgroups'):
+    if _is_management_group_scope(name):
         parts = name.split('/')
         if len(parts) >= 9:
             return parts[4], parts[8]
     return None, name
 
 
+def _parse_management_group_id(scope):
+    if _is_management_group_scope(scope):
+        parts = scope.split('/')
+        if len(parts) >= 5:
+            return parts[4]
+    return None
+
+
 def _get_custom_or_builtin_policy(cmd, client, name, subscription=None, management_group=None, for_policy_set=False):
     from msrest.exceptions import HttpOperationError
     from msrestazure.azure_exceptions import CloudError
@@ -1388,8 +1396,11 @@ def list_policy_assignment(cmd, disable_scope_strict_match=None, resource_group_
     resource_group = id_parts.get('resource_group')
     resource_type = id_parts.get('child_type_1') or id_parts.get('type')
     resource_name = id_parts.get('child_name_1') or id_parts.get('name')
+    management_group = _parse_management_group_id(scope)
 
-    if all([resource_type, resource_group, subscription]):
+    if management_group:
+        result = policy_client.policy_assignments.list_for_management_group(management_group_id=management_group, filter='atScope()')
+    elif all([resource_type, resource_group, subscription]):
         namespace = id_parts.get('namespace')
         parent_resource_path = '' if not id_parts.get('child_name_1') else (id_parts['type'] + '/' + id_parts['name'])
         result = policy_client.policy_assignments.list_for_resource(
@@ -1402,10 +1413,10 @@ def list_policy_assignment(cmd, disable_scope_strict_match=None, resource_group_
     elif scope:
         raise CLIError('usage error `--scope`: must be a fully qualified ARM ID.')
     else:
-        raise CLIError('usage error: --scope ARM_ID | --resource-group NAME | --subscription ID')
+        raise CLIError('usage error: --scope ARM_ID | --resource-group NAME')
 
     if not disable_scope_strict_match:
-        result = [i for i in result if _scope.lower() == i.scope.lower()]
+        result = [i for i in result if _scope.lower().strip('/') == i.scope.lower().strip('/')]
 
     return result
 
@@ -1649,11 +1660,15 @@ def _get_subscription_id_from_subscription(cli_ctx, subscription):  # pylint: di
 
 
 def _get_parent_id_from_parent(parent):
-    if parent is None or parent.startswith("/providers/Microsoft.Management/managementGroups/"):
+    if parent is None or _is_management_group_scope(parent):
         return parent
     return "/providers/Microsoft.Management/managementGroups/" + parent
 
 
+def _is_management_group_scope(scope):
+    return scope is not None and scope.lower().startswith("/providers/microsoft.management/managementgroups")
+
+
 def cli_managementgroups_group_list(cmd, client):
     _register_rp(cmd.cli_ctx)
     return client.list()

@@ -681,7 +681,7 @@ interactions:
       x-content-type-options:
       - nosniff
       x-ms-ratelimit-remaining-subscription-writes:
-      - '1197'
+      - '1199'
     status:
       code: 201
       message: Created
@@ -1717,7 +1717,7 @@ interactions:
       cache-control:
       - no-cache
       content-length:
-      - '1049'
+      - '1048'
       content-type:
       - application/json; charset=utf-8
       date:
@@ -2521,7 +2521,7 @@ interactions:
       cache-control:
       - no-cache
       content-length:
-      - '1049'
+      - '1048'
       content-type:
       - application/json; charset=utf-8
       date:

@@ -760,6 +760,9 @@ def applyPolicyAtScope(self, scope, policyId, enforcementMode='Default'):
             self.check('enforcementMode', '{em}')
         ])
 
+        # ensure the policy assignment shows up in the list result
+        self.cmd('policy assignment list --scope {scope}', checks=self.check("length([?name=='{pan}'])", 1))
+
         # delete the assignment and validate it's gone
         self.cmd('policy assignment delete -n {pan} --scope {scope}')
         self.cmd('policy assignment list --disable-scope-strict-match', checks=self.check("length([?name=='{pan}'])", 0))
@@ -778,6 +781,7 @@ def resource_policy_operations(self, resource_group, management_group=None, subs
             'metadata': 'test',
             'updated_metadata': 'test2',
         })
+
         if (management_group):
             self.kwargs.update({'mg': management_group})
         if (subscription):
@@ -932,6 +936,9 @@ def resource_policyset_operations(self, resource_group, management_group=None, s
                 self.check('sku.tier', 'Free'),
             ])
 
+            # ensure the assignment appears in the list results
+            self.cmd('policy assignment list --resource-group {rg}', checks=self.check("length([?name=='{pan}'])", 1))
+
             # delete the assignment and validate it's gone
             self.cmd('policy assignment delete -n {pan} -g {rg}')
             self.cmd('policy assignment list --disable-scope-strict-match', checks=self.check("length([?name=='{pan}'])", 0))
@@ -1101,6 +1108,10 @@ def test_resource_policy_management_group(self, resource_group):
         self.cmd('account management-group create -n ' + management_group_name)
         try:
             self.resource_policy_operations(resource_group, management_group_name)
+
+            # Attempt to get a policy definition at an invalid management group scope
+            with self.assertRaises(IncorrectUsageError):
+                self.cmd(self.cmdstring('policy definition show -n "/providers/microsoft.management/managementgroups/myMg/providers/microsoft.authorization/missingsegment"'))
         finally:
             self.cmd('account management-group delete -n ' + management_group_name)