[Identity] az identity create/update: Add --resource-restriction parameter to support identity assignment restrictions

src/azure-cli/azure/cli/command_modules/identity/_help.py

@@ -23,6 +23,10 @@
   - name: Create an identity with regional assignment restrictions.
     text: |
         az identity create --name MyIdentity --resource-group MyResourceGroup --isolation-scope Regional
+
+  - name: Create an identity with resource assignment restrictions.
+    text: |
+        az identity create --name MyIdentity --resource-group MyResourceGroup --resource-restriction '{"providers": ["Microsoft.Compute", "Microsoft.Storage/Accounts"]}'
 """
 
 helps['identity update'] = """
@@ -32,6 +36,10 @@
   - name: Update an identity to restrict assignment within an Azure region.
     text: |
         az identity update --name MyIdentity --resource-group MyResourceGroup --isolation-scope Regional
+
+  - name: Update an identity to restrict assignment to specific resources.
+    text: |
+        az identity update --name MyIdentity --resource-group MyResourceGroup --resource-restriction '{"providers": ["Microsoft.Compute", "Microsoft.Storage/Accounts"]}'
 """
 
 helps['identity list'] = """

src/azure-cli/azure/cli/command_modules/identity/_params.py

@@ -21,7 +21,9 @@ def load_arguments(self, _):
         c.argument('location', get_location_type(self.cli_ctx), required=False)
         c.argument('tags', tags_type)
         c.argument('isolation_scope', get_enum_type(['None', 'Regional']), required=False, help='Identity isolation scope, used to restrict identity assignment within an Azure region.')
+        c.argument('resource_restriction', help='Identity resource restriction, used to restrict the resources that can be assigned to the identity.')
 
     with self.argument_context('identity update') as c:
         c.argument('tags', tags_type)
         c.argument('isolation_scope', get_enum_type(['None', 'Regional']), required=False, help='Identity isolation scope, used to restrict identity assignment within an Azure region.')
+        c.argument('resource_restriction', help='Identity resource restriction, used to restrict the resources that can be assigned to the identity.')

src/azure-cli/azure/cli/command_modules/identity/aaz/latest/identity/__init__.py

@@ -9,3 +9,7 @@
 # flake8: noqa
 
 from .__cmd_group import *
+from ._create import *
+from ._delete import *
+from ._show import *
+from ._update import *

src/azure-cli/azure/cli/command_modules/identity/aaz/latest/identity/_create.py

@@ -0,0 +1,315 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+#
+# Code generated by aaz-dev-tools
+# --------------------------------------------------------------------------------------------
+
+# pylint: skip-file
+# flake8: noqa
+
+from azure.cli.core.aaz import *
+
+
+@register_command(
+    "identity create",
+)
+class Create(AAZCommand):
+    """Create an identity in the specified subscription and resource group.
+
+     :example: Create an identity with a name and a resource group.
+        az identity create --name myIdentityName --resource-group myResourceGroup
+
+    :example: Create an identity using the resource restrictions and isolation scope parameter.
+        az identity create --name myIdentityName --resource-group myResourceGroup --resource-restriction {"providers":["Microsoft.Compute"]} --isolation-scope Regional
+    """
+
+    _aaz_info = {
+        "version": "2025-05-31-preview",
+        "resources": [
+            ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.managedidentity/userassignedidentities/{}", "2025-05-31-preview"],
+        ]
+    }
+
+    def _handler(self, command_args):
+        super()._handler(command_args)
+        self._execute_operations()
+        return self._output()
+
+    _args_schema = None
+
+    @classmethod
+    def _build_arguments_schema(cls, *args, **kwargs):
+        if cls._args_schema is not None:
+            return cls._args_schema
+        cls._args_schema = super()._build_arguments_schema(*args, **kwargs)
+
+        # define Arg Group ""
+
+        _args_schema = cls._args_schema
+        _args_schema.resource_group = AAZResourceGroupNameArg(
+            required=True,
+        )
+        _args_schema.resource_name = AAZStrArg(
+            options=["-n", "--name", "--resource-name"],
+            help="The name of the identity resource.",
+            required=True,
+        )
+
+        # define Arg Group "Parameters"
+
+        _args_schema = cls._args_schema
+        _args_schema.location = AAZResourceLocationArg(
+            arg_group="Parameters",
+            help="The geo-location where the resource lives",
+            required=True,
+            fmt=AAZResourceLocationArgFormat(
+                resource_group_arg="resource_group",
+            ),
+        )
+        _args_schema.tags = AAZDictArg(
+            options=["--tags"],
+            arg_group="Parameters",
+            help="Resource tags.",
+        )
+
+        tags = cls._args_schema.tags
+        tags.Element = AAZStrArg()
+
+        # define Arg Group "Properties"
+
+        _args_schema = cls._args_schema
+        _args_schema.assignment_restrictions = AAZObjectArg(
+            options=["--resource-restriction"],
+            arg_group="Properties",
+            help="Restrictions on which resource providers this identity can be assigned to.",
+        )
+        _args_schema.isolation_scope = AAZStrArg(
+            options=["--isolation-scope"],
+            arg_group="Properties",
+            help="Enum to configure regional restrictions on identity assignment, as necessary.",
+            enum={"None": "None", "Regional": "Regional"},
+        )
+
+        assignment_restrictions = cls._args_schema.assignment_restrictions
+        assignment_restrictions.providers = AAZListArg(
+            options=["providers"],
+            help="List of resource provider types that this identity can be assigned to (case-insensitive). Examples: 'Microsoft.Compute', 'Microsoft.Storage/Accounts', 'Microsoft.Network/VirtualNetworks'.",
+            fmt=AAZListArgFormat(
+                unique=True,
+            ),
+        )
+
+        providers = cls._args_schema.assignment_restrictions.providers
+        providers.Element = AAZStrArg()
+        return cls._args_schema
+
+    def _execute_operations(self):
+        self.pre_operations()
+        self.UserAssignedIdentitiesCreateOrUpdate(ctx=self.ctx)()
+        self.post_operations()
+
+    @register_callback
+    def pre_operations(self):
+        pass
+
+    @register_callback
+    def post_operations(self):
+        pass
+
+    def _output(self, *args, **kwargs):
+        result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True)
+        return result
+
+    class UserAssignedIdentitiesCreateOrUpdate(AAZHttpOperation):
+        CLIENT_TYPE = "MgmtClient"
+
+        def __call__(self, *args, **kwargs):
+            request = self.make_request()
+            session = self.client.send_request(request=request, stream=False, **kwargs)
+            if session.http_response.status_code in [200, 201]:
+                return self.on_200_201(session)
+
+            return self.on_error(session.http_response)
+
+        @property
+        def url(self):
+            return self.client.format_url(
+                "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{resourceName}",
+                **self.url_parameters
+            )
+
+        @property
+        def method(self):
+            return "PUT"
+
+        @property
+        def error_format(self):
+            return "ODataV4Format"
+
+        @property
+        def url_parameters(self):
+            parameters = {
+                **self.serialize_url_param(
+                    "resourceGroupName", self.ctx.args.resource_group,
+                    required=True,
+                ),
+                **self.serialize_url_param(
+                    "resourceName", self.ctx.args.resource_name,
+                    required=True,
+                ),
+                **self.serialize_url_param(
+                    "subscriptionId", self.ctx.subscription_id,
+                    required=True,
+                ),
+            }
+            return parameters
+
+        @property
+        def query_parameters(self):
+            parameters = {
+                **self.serialize_query_param(
+                    "api-version", "2025-05-31-preview",
+                    required=True,
+                ),
+            }
+            return parameters
+
+        @property
+        def header_parameters(self):
+            parameters = {
+                **self.serialize_header_param(
+                    "Content-Type", "application/json",
+                ),
+                **self.serialize_header_param(
+                    "Accept", "application/json",
+                ),
+            }
+            return parameters
+
+        @property
+        def content(self):
+            _content_value, _builder = self.new_content_builder(
+                self.ctx.args,
+                typ=AAZObjectType,
+                typ_kwargs={"flags": {"required": True, "client_flatten": True}}
+            )
+            _builder.set_prop("location", AAZStrType, ".location", typ_kwargs={"flags": {"required": True}})
+            _builder.set_prop("properties", AAZObjectType, typ_kwargs={"flags": {"client_flatten": True}})
+            _builder.set_prop("tags", AAZDictType, ".tags")
+
+            properties = _builder.get(".properties")
+            if properties is not None:
+                properties.set_prop("assignmentRestrictions", AAZObjectType, ".assignment_restrictions")
+                properties.set_prop("isolationScope", AAZStrType, ".isolation_scope")
+
+            assignment_restrictions = _builder.get(".properties.assignmentRestrictions")
+            if assignment_restrictions is not None:
+                assignment_restrictions.set_prop("providers", AAZListType, ".providers")
+
+            providers = _builder.get(".properties.assignmentRestrictions.providers")
+            if providers is not None:
+                providers.set_elements(AAZStrType, ".")
+
+            tags = _builder.get(".tags")
+            if tags is not None:
+                tags.set_elements(AAZStrType, ".")
+
+            return self.serialize_content(_content_value)
+
+        def on_200_201(self, session):
+            data = self.deserialize_http_content(session)
+            self.ctx.set_var(
+                "instance",
+                data,
+                schema_builder=self._build_schema_on_200_201
+            )
+
+        _schema_on_200_201 = None
+
+        @classmethod
+        def _build_schema_on_200_201(cls):
+            if cls._schema_on_200_201 is not None:
+                return cls._schema_on_200_201
+
+            cls._schema_on_200_201 = AAZObjectType()
+
+            _schema_on_200_201 = cls._schema_on_200_201
+            _schema_on_200_201.id = AAZStrType(
+                flags={"read_only": True},
+            )
+            _schema_on_200_201.location = AAZStrType(
+                flags={"required": True},
+            )
+            _schema_on_200_201.name = AAZStrType(
+                flags={"read_only": True},
+            )
+            _schema_on_200_201.properties = AAZObjectType(
+                flags={"client_flatten": True},
+            )
+            _schema_on_200_201.system_data = AAZObjectType(
+                serialized_name="systemData",
+                flags={"read_only": True},
+            )
+            _schema_on_200_201.tags = AAZDictType()
+            _schema_on_200_201.type = AAZStrType(
+                flags={"read_only": True},
+            )
+
+            properties = cls._schema_on_200_201.properties
+            properties.assignment_restrictions = AAZObjectType(
+                serialized_name="assignmentRestrictions",
+            )
+            properties.client_id = AAZStrType(
+                serialized_name="clientId",
+                flags={"read_only": True},
+            )
+            properties.isolation_scope = AAZStrType(
+                serialized_name="isolationScope",
+            )
+            properties.principal_id = AAZStrType(
+                serialized_name="principalId",
+                flags={"read_only": True},
+            )
+            properties.tenant_id = AAZStrType(
+                serialized_name="tenantId",
+                flags={"read_only": True},
+            )
+
+            assignment_restrictions = cls._schema_on_200_201.properties.assignment_restrictions
+            assignment_restrictions.providers = AAZListType()
+
+            providers = cls._schema_on_200_201.properties.assignment_restrictions.providers
+            providers.Element = AAZStrType()
+
+            system_data = cls._schema_on_200_201.system_data
+            system_data.created_at = AAZStrType(
+                serialized_name="createdAt",
+            )
+            system_data.created_by = AAZStrType(
+                serialized_name="createdBy",
+            )
+            system_data.created_by_type = AAZStrType(
+                serialized_name="createdByType",
+            )
+            system_data.last_modified_at = AAZStrType(
+                serialized_name="lastModifiedAt",
+            )
+            system_data.last_modified_by = AAZStrType(
+                serialized_name="lastModifiedBy",
+            )
+            system_data.last_modified_by_type = AAZStrType(
+                serialized_name="lastModifiedByType",
+            )
+
+            tags = cls._schema_on_200_201.tags
+            tags.Element = AAZStrType()
+
+            return cls._schema_on_200_201
+
+
+class _CreateHelper:
+    """Helper class for Create"""
+
+
+__all__ = ["Create"]