Support per-principal deny assignments (User/ServicePrincipal)

Update create command to support two modes:
- Everyone mode (default): denies all principals, requires exclude-principal-ids
- Per-principal mode: denies a specific User or ServicePrincipal via --principal-id/--principal-type

API changes from DA PR msazure/One#15293894:
- 3P UADA can now target specific User and ServicePrincipal principals
- Group type principals are explicitly disallowed
- Single-principal-per-UADA constraint enforced

Changes:
- custom.py: Add principal_id/principal_type params, dual-mode logic, Group rejection
- _params.py: Add --principal-id and --principal-type (enum) arguments
- _help.py: Update long-summary and examples for both modes
- tests: Add per-principal CRUD, Group rejection, missing-param validation tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Jonathan Ruttle

src/azure-cli/azure/cli/command_modules/role/_help.py

@@ -853,29 +853,39 @@
 type: command
 short-summary: Create a user-assigned deny assignment.
 long-summary: >-
-    Creates a deny assignment that blocks specific actions for all principals at the given scope,
-    excluding the specified principals. This is a PP1 (Private Preview 1) feature with the following constraints:
-    principals are always Everyone (SystemDefined), at least one excluded principal is required,
-    DataActions are not supported, DoNotApplyToChildScopes is not supported, and read actions (*/read)
-    are not permitted.
+    Creates a deny assignment that blocks specific actions at the given scope. Two modes are supported:
+    (1) Everyone mode (default) — denies actions for all principals, requiring at least one excluded principal;
+    (2) Per-principal mode — denies actions for a specific User or ServicePrincipal specified via --principal-id.
+    DataActions are not supported, DoNotApplyToChildScopes is not supported, read actions (*/read) are not
+    permitted, and Group type principals are not allowed.
 examples:
-  - name: Create a deny assignment that blocks role assignment writes, excluding a specific service principal.
+  - name: Create a deny assignment blocking role assignment writes for everyone, excluding a service principal.
     text: >-
         az role deny-assignment create
         --name "Block role assignment changes"
         --scope /subscriptions/00000000-0000-0000-0000-000000000000
         --actions "Microsoft.Authorization/roleAssignments/write" "Microsoft.Authorization/roleAssignments/delete"
         --exclude-principal-ids 00000000-0000-0000-0000-000000000001
         --exclude-principal-types ServicePrincipal
-  - name: Create a deny assignment with multiple excluded principals and a description.
+  - name: Create a deny assignment targeting a specific user.
     text: >-
         az role deny-assignment create
-        --name "Deny resource deletion"
+        --name "Deny resource deletion for user"
         --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup
         --actions "*/delete"
-        --description "Prevent accidental resource deletion"
-        --exclude-principal-ids 00000000-0000-0000-0000-000000000001 00000000-0000-0000-0000-000000000002
-        --exclude-principal-types ServicePrincipal User
+        --principal-id 00000000-0000-0000-0000-000000000001
+        --principal-type User
+  - name: Create a deny assignment targeting a specific service principal with exclusions.
+    text: >-
+        az role deny-assignment create
+        --name "Deny write actions for app"
+        --scope /subscriptions/00000000-0000-0000-0000-000000000000
+        --actions "*/write"
+        --principal-id 00000000-0000-0000-0000-000000000001
+        --principal-type ServicePrincipal
+        --exclude-principal-ids 00000000-0000-0000-0000-000000000002
+        --exclude-principal-types ServicePrincipal
+        --description "Block write operations for this application"
 """
 
 helps['role deny-assignment delete'] = """

src/azure-cli/azure/cli/command_modules/role/_params.py

@@ -420,9 +420,18 @@ class PrincipalType(str, Enum):
                         'Note: read actions (*/read) are not permitted for user-assigned deny assignments.')
         c.argument('not_actions', nargs='+',
                    help='Space-separated list of actions to exclude from the deny.')
+        c.argument('principal_id', options_list=['--principal-id'],
+                   help='The object ID of a specific User or ServicePrincipal to deny. '
+                        'If omitted, the deny assignment applies to Everyone (all principals) and '
+                        '--exclude-principal-ids is required. Group principals are not permitted.')
+        c.argument('principal_type', options_list=['--principal-type'],
+                   arg_type=get_enum_type(['User', 'ServicePrincipal']),
+                   help='The type of the principal specified by --principal-id. '
+                        'Required when --principal-id is provided. Accepted values: User, ServicePrincipal.')
         c.argument('exclude_principal_ids', nargs='+', options_list=['--exclude-principal-ids'],
                    help='Space-separated list of principal object IDs to exclude from the deny. '
-                        'At least one is required for user-assigned deny assignments.')
+                        'Required when no --principal-id is specified (Everyone mode). '
+                        'Optional when --principal-id is specified.')
         c.argument('exclude_principal_types', nargs='+', options_list=['--exclude-principal-types'],
                    help='Space-separated list of principal types corresponding to --exclude-principal-ids. '
                         'Accepted values: User, Group, ServicePrincipal.')

src/azure-cli/azure/cli/command_modules/role/custom.py

@@ -578,16 +578,22 @@ def show_deny_assignment(cmd, deny_assignment_id=None, deny_assignment_name=None
 def create_deny_assignment(cmd, scope=None, deny_assignment_name=None,
                            actions=None, not_actions=None,
                            description=None,
+                           principal_id=None, principal_type=None,
                            exclude_principal_ids=None, exclude_principal_types=None,
                            assignment_name=None):
-    """Create a user-assigned deny assignment (PP1).
+    """Create a user-assigned deny assignment.
 
-    Under PP1 constraints:
-    - Principals is always Everyone (SystemDefined, 00000000-0000-0000-0000-000000000000)
-    - ExcludePrincipals is required (at least one)
+    Two modes are supported:
+    - Everyone mode (default): Denies actions for all principals at the scope. Requires at least one
+      excluded principal via --exclude-principal-ids.
+    - Per-principal mode: Denies actions for a specific User or ServicePrincipal. Specify the target
+      with --principal-id and --principal-type. Excluded principals are optional in this mode.
+
+    Constraints:
     - DataActions and NotDataActions are not supported
     - DoNotApplyToChildScopes is not supported
     - Read actions (*/read) are not permitted
+    - Group type principals are not permitted
     """
     if not scope:
         raise CLIError('--scope is required for creating a deny assignment.')
@@ -601,33 +607,48 @@ def create_deny_assignment(cmd, scope=None, deny_assignment_name=None,
     if not actions:
         raise CLIError('At least one action is required via --actions.')
 
-    if not exclude_principal_ids:
-        raise CLIError('At least one excluded principal is required via --exclude-principal-ids. '
-                       'User-assigned deny assignments deny Everyone and require at least one exclusion.')
-
     # Validate no read actions
     for action in actions:
         if action.lower().endswith('/read'):
             raise CLIError(f"Read actions are not permitted for user-assigned deny assignments: '{action}'. "
                            "Only write, delete, and action operations can be denied.")
 
+    # Build principals list
+    if principal_type and not principal_id:
+        raise CLIError('--principal-id is required when --principal-type is specified. '
+                       'Provide both --principal-id and --principal-type together, '
+                       'or omit both for Everyone mode.')
+    if principal_id:
+        if not principal_type:
+            raise CLIError('--principal-type is required when --principal-id is specified. '
+                           'Accepted values: User, ServicePrincipal.')
+        if principal_type == 'Group':
+            raise CLIError('Group type principals are not permitted for user-assigned deny assignments. '
+                           'Use User or ServicePrincipal instead.')
+        principals = [{'id': principal_id, 'type': principal_type}]
+    else:
+        # Everyone mode — deny applies to all principals at the scope
+        if not exclude_principal_ids:
+            raise CLIError('At least one excluded principal is required via --exclude-principal-ids '
+                           'when using Everyone mode (no --principal-id specified). '
+                           'User-assigned deny assignments that deny Everyone require at least one exclusion.')
+        principals = [{'id': '00000000-0000-0000-0000-000000000000', 'type': 'SystemDefined'}]
+
     if not assignment_name:
         assignment_name = str(uuid.uuid4())
 
     # Build exclude principals list
     exclude_principals = []
-    if exclude_principal_types and len(exclude_principal_types) != len(exclude_principal_ids):
-        raise CLIError('--exclude-principal-types must have the same number of entries as --exclude-principal-ids.')
-
-    for i, pid in enumerate(exclude_principal_ids):
-        principal = {
-            'id': pid,
-            'type': exclude_principal_types[i] if exclude_principal_types else 'ServicePrincipal'
-        }
-        exclude_principals.append(principal)
-
-    # PP1: Principals must be Everyone (SystemDefined)
-    principals = [{'id': '00000000-0000-0000-0000-000000000000', 'type': 'SystemDefined'}]
+    if exclude_principal_ids:
+        if exclude_principal_types and len(exclude_principal_types) != len(exclude_principal_ids):
+            raise CLIError('--exclude-principal-types must have the same number of entries as --exclude-principal-ids.')
+
+        for i, pid in enumerate(exclude_principal_ids):
+            principal = {
+                'id': pid,
+                'type': exclude_principal_types[i] if exclude_principal_types else 'ServicePrincipal'
+            }
+            exclude_principals.append(principal)
 
     deny_assignment_params = {
         'deny_assignment_name': deny_assignment_name,

src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py

@@ -47,28 +47,27 @@ class DenyAssignmentCrudTest(LiveScenarioTest):
 
     These are LiveScenarioTest because they require:
     - A subscription with UserAssignedDenyAssignment feature flag enabled
-    - Real Azure API calls (PP1 feature, not in recordings)
+    - Real Azure API calls (not in recordings)
     """
 
-    def test_deny_assignment_create_and_delete(self):
-        """Create a deny assignment, show it, then delete it."""
+    def test_deny_assignment_create_everyone_and_delete(self):
+        """Create a deny assignment in Everyone mode (default), show it, then delete it."""
         self.kwargs.update({
             'scope': '/subscriptions/{sub}',
-            'name': 'CLI Test Deny Assignment',
+            'name': 'CLI Test Deny Assignment Everyone',
             'action': 'Microsoft.Authorization/roleAssignments/write',
-            # Use a well-known object ID for exclusion (replace with a real SP in your test env)
             'exclude_id': self.create_guid()
         })
 
-        # Create
+        # Create in Everyone mode (no --principal-id)
         result = self.cmd(
             'role deny-assignment create '
             '--name "{name}" '
             '--scope {scope} '
             '--actions {action} '
             '--exclude-principal-ids {exclude_id} '
             '--exclude-principal-types ServicePrincipal '
-            '--description "CLI test deny assignment"',
+            '--description "CLI test deny assignment - Everyone mode"',
             checks=[
                 self.check('denyAssignmentName', '{name}'),
                 self.exists('name')
@@ -94,6 +93,35 @@ def test_deny_assignment_create_and_delete(self):
         # Delete by name + scope
         self.cmd('role deny-assignment delete --name {da_name} --scope {scope} --yes')
 
+    def test_deny_assignment_create_per_principal_and_delete(self):
+        """Create a deny assignment targeting a specific User principal, then delete it."""
+        self.kwargs.update({
+            'scope': '/subscriptions/{sub}',
+            'name': 'CLI Test Deny Assignment Per-Principal',
+            'action': 'Microsoft.Authorization/roleAssignments/write',
+            'principal_id': self.create_guid()
+        })
+
+        # Create in per-principal mode
+        result = self.cmd(
+            'role deny-assignment create '
+            '--name "{name}" '
+            '--scope {scope} '
+            '--actions {action} '
+            '--principal-id {principal_id} '
+            '--principal-type User '
+            '--description "CLI test deny assignment - per-principal mode"',
+            checks=[
+                self.check('denyAssignmentName', '{name}'),
+                self.exists('name')
+            ]
+        ).get_output_in_json()
+
+        self.kwargs['da_name'] = result['name']
+
+        # Delete
+        self.cmd('role deny-assignment delete --name {da_name} --scope {scope} --yes')
+
     def test_deny_assignment_create_validation_no_actions(self):
         """Should fail if no actions are provided."""
         with self.assertRaises(SystemExit):
@@ -104,8 +132,8 @@ def test_deny_assignment_create_validation_no_actions(self):
                 '--exclude-principal-ids 00000000-0000-0000-0000-000000000001'
             )
 
-    def test_deny_assignment_create_validation_no_exclusions(self):
-        """Should fail if no excluded principals are provided."""
+    def test_deny_assignment_create_validation_no_exclusions_everyone_mode(self):
+        """Should fail if no excluded principals are provided in Everyone mode."""
         with self.assertRaises(SystemExit):
             self.cmd(
                 'role deny-assignment create '
@@ -124,3 +152,38 @@ def test_deny_assignment_create_validation_read_action(self):
                 '--actions "Microsoft.Authorization/roleAssignments/read" '
                 '--exclude-principal-ids 00000000-0000-0000-0000-000000000001'
             )
+
+    def test_deny_assignment_create_validation_group_rejected(self):
+        """Should fail if Group principal type is specified."""
+        with self.assertRaises(SystemExit):
+            self.cmd(
+                'role deny-assignment create '
+                '--name "Test" '
+                '--scope /subscriptions/{sub} '
+                '--actions "Microsoft.Authorization/roleAssignments/write" '
+                '--principal-id 00000000-0000-0000-0000-000000000001 '
+                '--principal-type Group'
+            )
+
+    def test_deny_assignment_create_validation_principal_type_required(self):
+        """Should fail if --principal-id is given without --principal-type."""
+        with self.assertRaises(SystemExit):
+            self.cmd(
+                'role deny-assignment create '
+                '--name "Test" '
+                '--scope /subscriptions/{sub} '
+                '--actions "Microsoft.Authorization/roleAssignments/write" '
+                '--principal-id 00000000-0000-0000-0000-000000000001'
+            )
+
+    def test_deny_assignment_create_validation_principal_id_required(self):
+        """Should fail if --principal-type is given without --principal-id."""
+        with self.assertRaises(SystemExit):
+            self.cmd(
+                'role deny-assignment create '
+                '--name "Test" '
+                '--scope /subscriptions/{sub} '
+                '--actions "Microsoft.Authorization/roleAssignments/write" '
+                '--principal-type User '
+                '--exclude-principal-ids 00000000-0000-0000-0000-000000000001'
+            )