diff --git a/azurerm/internal/provider/services.go b/azurerm/internal/provider/services.go
index a74a4f7983dd..cf8732f360af 100644
--- a/azurerm/internal/provider/services.go
+++ b/azurerm/internal/provider/services.go
@@ -103,6 +103,7 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration {
 	return []sdk.TypedServiceRegistration{
 		eventhub.Registration{},
 		loadbalancer.Registration{},
+		policy.Registration{},
 		resource.Registration{},
 		web.Registration{},
 	}
diff --git a/azurerm/internal/sdk/service_registration.go b/azurerm/internal/sdk/service_registration.go
index 94a283b4e725..269c24a0a32e 100644
--- a/azurerm/internal/sdk/service_registration.go
+++ b/azurerm/internal/sdk/service_registration.go
@@ -11,9 +11,6 @@ type TypedServiceRegistration interface {
 	// Name is the name of this Service
 	Name() string
 
-	// PackagePath is the relative path to this package
-	PackagePath() string
-
 	// DataSources returns a list of Data Sources supported by this Service
 	DataSources() []DataSource
 
diff --git a/azurerm/internal/sdk/wrapper_data_source.go b/azurerm/internal/sdk/wrapper_data_source.go
index 16fee73ad135..9f8e79bbaff7 100644
--- a/azurerm/internal/sdk/wrapper_data_source.go
+++ b/azurerm/internal/sdk/wrapper_data_source.go
@@ -31,8 +31,10 @@ func (dw *DataSourceWrapper) DataSource() (*schema.Resource, error) {
 	}
 
 	modelObj := dw.dataSource.ModelObject()
-	if err := ValidateModelObject(&modelObj); err != nil {
-		return nil, fmt.Errorf("validating model for %q: %+v", dw.dataSource.ResourceType(), err)
+	if modelObj != nil {
+		if err := ValidateModelObject(&modelObj); err != nil {
+			return nil, fmt.Errorf("validating model for %q: %+v", dw.dataSource.ResourceType(), err)
+		}
 	}
 
 	d := func(duration time.Duration) *time.Duration {
diff --git a/azurerm/internal/sdk/wrapper_resource.go b/azurerm/internal/sdk/wrapper_resource.go
index 48509a3b9c53..206515256077 100644
--- a/azurerm/internal/sdk/wrapper_resource.go
+++ b/azurerm/internal/sdk/wrapper_resource.go
@@ -34,8 +34,10 @@ func (rw *ResourceWrapper) Resource() (*schema.Resource, error) {
 	}
 
 	modelObj := rw.resource.ModelObject()
-	if err := ValidateModelObject(&modelObj); err != nil {
-		return nil, fmt.Errorf("validating model for %q: %+v", rw.resource.ResourceType(), err)
+	if modelObj != nil {
+		if err := ValidateModelObject(&modelObj); err != nil {
+			return nil, fmt.Errorf("validating model for %q: %+v", rw.resource.ResourceType(), err)
+		}
 	}
 
 	d := func(duration time.Duration) *time.Duration {
diff --git a/azurerm/internal/services/eventhub/registration.go b/azurerm/internal/services/eventhub/registration.go
index 925ae6354c15..c3b6b53f5ce6 100644
--- a/azurerm/internal/services/eventhub/registration.go
+++ b/azurerm/internal/services/eventhub/registration.go
@@ -44,11 +44,6 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 	}
 }
 
-// PackagePath is the relative path to this package
-func (r Registration) PackagePath() string {
-	return "TODO"
-}
-
 // DataSources returns a list of Data Sources supported by this Service
 func (r Registration) DataSources() []sdk.DataSource {
 	return []sdk.DataSource{}
diff --git a/azurerm/internal/services/loadbalancer/registration.go b/azurerm/internal/services/loadbalancer/registration.go
index 98862829f576..51b7a883879a 100644
--- a/azurerm/internal/services/loadbalancer/registration.go
+++ b/azurerm/internal/services/loadbalancer/registration.go
@@ -49,11 +49,6 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 	}
 }
 
-// PackagePath is the relative path to this package
-func (r Registration) PackagePath() string {
-	return "TODO: do we need this?"
-}
-
 // Resources returns a list of Resources supported by this Service
 func (r Registration) Resources() []sdk.Resource {
 	return []sdk.Resource{
diff --git a/azurerm/internal/services/logic/logic_app_workflow_resource.go b/azurerm/internal/services/logic/logic_app_workflow_resource.go
index 314cc9a17a5a..8b5e53e08c7a 100644
--- a/azurerm/internal/services/logic/logic_app_workflow_resource.go
+++ b/azurerm/internal/services/logic/logic_app_workflow_resource.go
@@ -81,7 +81,7 @@ func resourceLogicAppWorkflow() *pluginsdk.Resource {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
 				ForceNew: true,
-				Default:  "https://pluginsdk.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+				Default:  "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
 			},
 
 			"workflow_version": {
diff --git a/azurerm/internal/services/managedapplications/managed_application_definition_resource_test.go b/azurerm/internal/services/managedapplications/managed_application_definition_resource_test.go
index 33b371b415f8..b5219f53f9bd 100644
--- a/azurerm/internal/services/managedapplications/managed_application_definition_resource_test.go
+++ b/azurerm/internal/services/managedapplications/managed_application_definition_resource_test.go
@@ -167,7 +167,7 @@ resource "azurerm_managed_application_definition" "test" {
 
   create_ui_definition = <<CREATE_UI_DEFINITION
     {
-      "$schema": "https://pluginsdk.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+      "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
       "handler": "Microsoft.Azure.CreateUIDef",
 	  "version": "0.1.2-preview",
 	  "parameters": {
@@ -216,7 +216,7 @@ resource "azurerm_managed_application_definition" "test" {
 
   main_template = <<MAIN_TEMPLATE
     {
-      "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
       "contentVersion": "1.0.0.0",
       "parameters": {
          "storageAccountNamePrefix": {
diff --git a/azurerm/internal/services/policy/assignment.go b/azurerm/internal/services/policy/assignment.go
new file mode 100644
index 000000000000..6048cf77b7ce
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment.go
@@ -0,0 +1,58 @@
+package policy
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-09-01/policy"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func convertEnforcementMode(mode bool) policy.EnforcementMode {
+	if mode {
+		return policy.Default
+	} else {
+		return policy.DoNotEnforce
+	}
+}
+
+func waitForPolicyAssignmentToStabilize(ctx context.Context, client *policy.AssignmentsClient, id parse.PolicyAssignmentId, shouldExist bool) error {
+	deadline, ok := ctx.Deadline()
+	if !ok {
+		return fmt.Errorf("context was missing a deadline")
+	}
+	stateConf := &pluginsdk.StateChangeConf{
+		Pending: []string{"404"},
+		Target:  []string{"200"},
+		Refresh: func() (interface{}, string, error) {
+			resp, err := client.Get(ctx, id.Scope, id.Name)
+			if err != nil {
+				if utils.ResponseWasNotFound(resp.Response) {
+					return resp, strconv.Itoa(resp.StatusCode), nil
+				}
+
+				return nil, strconv.Itoa(resp.StatusCode), fmt.Errorf("polling for %s: %+v", id, err)
+			}
+
+			return resp, strconv.Itoa(resp.StatusCode), nil
+		},
+		MinTimeout:                10 * time.Second,
+		ContinuousTargetOccurence: 20,
+		PollInterval:              5 * time.Second,
+		Timeout:                   time.Until(deadline),
+	}
+	if !shouldExist {
+		stateConf.Pending = []string{"200"}
+		stateConf.Target = []string{"404"}
+	}
+
+	if _, err := stateConf.WaitForStateContext(ctx); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/azurerm/internal/services/policy/assignment_base_resource.go b/azurerm/internal/services/policy/assignment_base_resource.go
new file mode 100644
index 000000000000..8475a3477065
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_base_resource.go
@@ -0,0 +1,373 @@
+package policy
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/location"
+
+	"github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-09-01/policy"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/identity"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/sdk"
+)
+
+type policyAssignmentIdentity = identity.SystemAssigned
+
+type assignmentBaseResource struct{}
+
+func (br assignmentBaseResource) createFunc(resourceName, scopeFieldName string) sdk.ResourceFunc {
+	return sdk.ResourceFunc{
+		Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
+			client := metadata.Client.Policy.AssignmentsClient
+			id := parse.NewPolicyAssignmentId(metadata.ResourceData.Get(scopeFieldName).(string), metadata.ResourceData.Get("name").(string))
+			existing, err := client.Get(ctx, id.Scope, id.Name)
+			if err != nil {
+				if !utils.ResponseWasNotFound(existing.Response) {
+					return fmt.Errorf("checking for presence of existing %s: %+v", id, err)
+				}
+			}
+
+			if !utils.ResponseWasNotFound(existing.Response) {
+				return tf.ImportAsExistsError(resourceName, id.ID())
+			}
+
+			assignment := policy.Assignment{
+				AssignmentProperties: &policy.AssignmentProperties{
+					PolicyDefinitionID: utils.String(metadata.ResourceData.Get("policy_definition_id").(string)),
+					DisplayName:        utils.String(metadata.ResourceData.Get("display_name").(string)),
+					Scope:              utils.String(id.Scope),
+					EnforcementMode:    convertEnforcementMode(metadata.ResourceData.Get("enforce").(bool)),
+				},
+			}
+
+			if v := metadata.ResourceData.Get("description").(string); v != "" {
+				assignment.AssignmentProperties.Description = utils.String(v)
+			}
+
+			if v := metadata.ResourceData.Get("location").(string); v != "" {
+				assignment.Location = utils.String(azure.NormalizeLocation(v))
+			}
+
+			if v, ok := metadata.ResourceData.GetOk("identity"); ok {
+				if assignment.Location == nil {
+					return fmt.Errorf("`location` must be set when `identity` is assigned")
+				}
+				identity, err := br.expandIdentity(v.([]interface{}))
+				if err != nil {
+					return fmt.Errorf("expanding `identity`: %+v", err)
+				}
+				assignment.Identity = identity
+			}
+
+			if v := metadata.ResourceData.Get("parameters").(string); v != "" {
+				expandedParams, err := expandParameterValuesValueFromString(v)
+				if err != nil {
+					return fmt.Errorf("expanding JSON for `parameters` %q: %+v", v, err)
+				}
+
+				assignment.AssignmentProperties.Parameters = expandedParams
+			}
+
+			if metaDataString := metadata.ResourceData.Get("metadata").(string); metaDataString != "" {
+				metaData, err := pluginsdk.ExpandJsonFromString(metaDataString)
+				if err != nil {
+					return fmt.Errorf("unable to parse metadata: %s", err)
+				}
+				assignment.AssignmentProperties.Metadata = &metaData
+			}
+
+			if v, ok := metadata.ResourceData.GetOk("not_scopes"); ok {
+				assignment.AssignmentProperties.NotScopes = expandAzureRmPolicyNotScopes(v.([]interface{}))
+			}
+
+			if _, err := client.Create(ctx, id.Scope, id.Name, assignment); err != nil {
+				return fmt.Errorf("creating %s: %+v", id, err)
+			}
+
+			// Policy Assignments are eventually consistent; wait for them to stabilize
+			log.Printf("[DEBUG] Waiting for %s to become available..", id)
+			if err := waitForPolicyAssignmentToStabilize(ctx, client, id, true); err != nil {
+				return fmt.Errorf("waiting for %s to become available: %s", id, err)
+			}
+
+			metadata.SetID(id)
+			return nil
+		},
+		Timeout: 30 * time.Minute,
+	}
+}
+
+func (br assignmentBaseResource) deleteFunc() sdk.ResourceFunc {
+	return sdk.ResourceFunc{
+		Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
+			client := metadata.Client.Policy.AssignmentsClient
+
+			id, err := parse.PolicyAssignmentID(metadata.ResourceData.Id())
+			if err != nil {
+				return err
+			}
+
+			if _, err := client.Delete(ctx, id.Scope, id.Name); err != nil {
+				return fmt.Errorf("deleting Policy Assignment %q: %+v", id, err)
+			}
+
+			// Policy Assignments are eventually consistent; wait for it to be gone
+			log.Printf("[DEBUG] Waiting for %s to disappear..", id)
+			if err := waitForPolicyAssignmentToStabilize(ctx, client, *id, false); err != nil {
+				return fmt.Errorf("waiting for the deletion of %s: %s", id, err)
+			}
+
+			return nil
+		},
+		Timeout: 30 * time.Minute,
+	}
+}
+
+func (br assignmentBaseResource) readFunc(scopeFieldName string) sdk.ResourceFunc {
+	return sdk.ResourceFunc{
+		Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
+			client := metadata.Client.Policy.AssignmentsClient
+
+			id, err := parse.PolicyAssignmentID(metadata.ResourceData.Id())
+			if err != nil {
+				return err
+			}
+
+			resp, err := client.Get(ctx, id.Scope, id.Name)
+			if err != nil {
+				if utils.ResponseWasNotFound(resp.Response) {
+					return metadata.MarkAsGone(id)
+				}
+
+				return fmt.Errorf("reading %s: %+v", *id, err)
+			}
+
+			metadata.ResourceData.Set("name", id.Name)
+			metadata.ResourceData.Set(scopeFieldName, id.Scope)
+			metadata.ResourceData.Set("location", location.NormalizeNilable(resp.Location))
+
+			if err := metadata.ResourceData.Set("identity", br.flattenIdentity(resp.Identity)); err != nil {
+				return fmt.Errorf("setting `identity`: %+v", err)
+			}
+
+			if props := resp.AssignmentProperties; props != nil {
+				metadata.ResourceData.Set("description", props.Description)
+				metadata.ResourceData.Set("display_name", props.DisplayName)
+				metadata.ResourceData.Set("enforce", props.EnforcementMode == policy.Default)
+				metadata.ResourceData.Set("not_scopes", props.NotScopes)
+				metadata.ResourceData.Set("policy_definition_id", props.PolicyDefinitionID)
+
+				flattenedMetaData := flattenJSON(props.Metadata)
+				metadata.ResourceData.Set("metadata", flattenedMetaData)
+
+				flattenedParameters, err := flattenParameterValuesValueToString(props.Parameters)
+				if err != nil {
+					return fmt.Errorf("serializing JSON from `parameters`: %+v", err)
+				}
+				metadata.ResourceData.Set("parameters", flattenedParameters)
+			}
+
+			return nil
+		},
+		Timeout: 5 * time.Minute,
+	}
+}
+
+func (br assignmentBaseResource) updateFunc() sdk.ResourceFunc {
+	return sdk.ResourceFunc{
+		Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
+			client := metadata.Client.Policy.AssignmentsClient
+
+			id, err := parse.PolicyAssignmentID(metadata.ResourceData.Id())
+			if err != nil {
+				return err
+			}
+
+			existing, err := client.Get(ctx, id.Scope, id.Name)
+			if err != nil {
+				return fmt.Errorf("retrieving %s: %+v", *id, err)
+			}
+			if existing.AssignmentProperties == nil {
+				return fmt.Errorf("retrieving %s: `properties` was nil", *id)
+			}
+
+			update := policy.Assignment{
+				Location:             existing.Location,
+				AssignmentProperties: existing.AssignmentProperties,
+			}
+			if existing.Identity != nil {
+				update.Identity = &policy.Identity{
+					Type: existing.Identity.Type,
+				}
+			}
+
+			if metadata.ResourceData.HasChange("description") {
+				update.AssignmentProperties.Description = utils.String(metadata.ResourceData.Get("description").(string))
+			}
+			if metadata.ResourceData.HasChange("display_name") {
+				update.AssignmentProperties.DisplayName = utils.String(metadata.ResourceData.Get("display_name").(string))
+			}
+			if metadata.ResourceData.HasChange("enforce") {
+				update.AssignmentProperties.EnforcementMode = convertEnforcementMode(metadata.ResourceData.Get("enforce").(bool))
+			}
+			if metadata.ResourceData.HasChange("location") {
+				update.Location = utils.String(metadata.ResourceData.Get("location").(string))
+			}
+			if metadata.ResourceData.HasChange("policy_definition_id") {
+				update.AssignmentProperties.PolicyDefinitionID = utils.String(metadata.ResourceData.Get("policy_definition_id").(string))
+			}
+
+			if metadata.ResourceData.HasChange("identity") {
+				if update.Location == nil {
+					return fmt.Errorf("`location` must be set when `identity` is assigned")
+				}
+				identityRaw := metadata.ResourceData.Get("identity").([]interface{})
+				identity, err := br.expandIdentity(identityRaw)
+				if err != nil {
+					return fmt.Errorf("expanding `identity`: %+v", err)
+				}
+				update.Identity = identity
+			}
+
+			if metadata.ResourceData.HasChange("metadata") {
+				v := metadata.ResourceData.Get("metadata").(string)
+				update.AssignmentProperties.Metadata = map[string]interface{}{}
+				if v != "" {
+					metaData, err := pluginsdk.ExpandJsonFromString(v)
+					if err != nil {
+						return fmt.Errorf("parsing metadata: %+v", err)
+					}
+					update.AssignmentProperties.Metadata = &metaData
+				}
+			}
+
+			if metadata.ResourceData.HasChange("not_scopes") {
+				update.AssignmentProperties.NotScopes = expandAzureRmPolicyNotScopes(metadata.ResourceData.Get("not_scopes").([]interface{}))
+			}
+
+			if metadata.ResourceData.HasChange("parameters") {
+				update.AssignmentProperties.Parameters = map[string]*policy.ParameterValuesValue{}
+
+				if v := metadata.ResourceData.Get("parameters").(string); v != "" {
+					expandedParams, err := expandParameterValuesValueFromString(v)
+					if err != nil {
+						return fmt.Errorf("expanding JSON for `parameters` %q: %+v", v, err)
+					}
+					update.AssignmentProperties.Parameters = expandedParams
+				}
+			}
+
+			// NOTE: there isn't an Update endpoint
+			if _, err := client.Create(ctx, id.Scope, id.Name, update); err != nil {
+				return fmt.Errorf("updating %s: %+v", *id, err)
+			}
+
+			// Policy Assignments are eventually consistent; wait for them to stabilize
+			log.Printf("[DEBUG] Waiting for %s to become available..", id)
+			if err := waitForPolicyAssignmentToStabilize(ctx, client, *id, true); err != nil {
+				return fmt.Errorf("waiting for %s to become available: %s", id, err)
+			}
+
+			return nil
+		},
+		Timeout: 30 * time.Minute,
+	}
+}
+
+func (br assignmentBaseResource) arguments(fields map[string]*pluginsdk.Schema) map[string]*pluginsdk.Schema {
+	output := map[string]*pluginsdk.Schema{
+		// NOTE: `name` isn't included since it varies depending on the resource, so it's expected to be passed in
+		"policy_definition_id": {
+			Type:     pluginsdk.TypeString,
+			Required: true,
+			ForceNew: true,
+			ValidateFunc: validation.Any(
+				validate.PolicyDefinitionID,
+				validate.PolicySetDefinitionID,
+			),
+		},
+
+		"description": {
+			Type:     pluginsdk.TypeString,
+			Optional: true,
+		},
+
+		"display_name": {
+			Type:     pluginsdk.TypeString,
+			Optional: true,
+		},
+
+		"location": azure.SchemaLocationOptional(),
+
+		"identity": policyAssignmentIdentity{}.Schema(),
+
+		"enforce": {
+			Type:     pluginsdk.TypeBool,
+			Optional: true,
+			Default:  true,
+		},
+
+		"metadata": metadataSchema(),
+
+		"not_scopes": {
+			Type:     pluginsdk.TypeList,
+			Optional: true,
+			Elem: &pluginsdk.Schema{
+				Type: pluginsdk.TypeString,
+			},
+		},
+
+		"parameters": {
+			Type:             pluginsdk.TypeString,
+			Optional:         true,
+			ForceNew:         true,
+			ValidateFunc:     validation.StringIsJSON,
+			DiffSuppressFunc: pluginsdk.SuppressJsonDiff,
+		},
+	}
+
+	for k, v := range fields {
+		output[k] = v
+	}
+
+	return output
+}
+
+func (br assignmentBaseResource) attributes() map[string]*pluginsdk.Schema {
+	return map[string]*pluginsdk.Schema{}
+}
+
+func (br assignmentBaseResource) expandIdentity(input []interface{}) (*policy.Identity, error) {
+	expanded, err := policyAssignmentIdentity{}.Expand(input)
+	if err != nil {
+		return nil, err
+	}
+
+	return &policy.Identity{
+		Type: policy.ResourceIdentityType(expanded.Type),
+	}, nil
+}
+
+func (br assignmentBaseResource) flattenIdentity(input *policy.Identity) []interface{} {
+	var config *identity.ExpandedConfig
+	if input != nil {
+		config = &identity.ExpandedConfig{
+			Type:        string(input.Type),
+			PrincipalId: input.PrincipalID,
+			TenantId:    input.TenantID,
+		}
+	}
+	return policyAssignmentIdentity{}.Flatten(config)
+}
diff --git a/azurerm/internal/services/policy/assignment_management_group_resource.go b/azurerm/internal/services/policy/assignment_management_group_resource.go
new file mode 100644
index 000000000000..b9c56a08059f
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_management_group_resource.go
@@ -0,0 +1,69 @@
+package policy
+
+import (
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/sdk"
+	managementGroupValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/managementgroup/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+)
+
+var _ sdk.ResourceWithUpdate = ManagementGroupAssignmentResource{}
+
+type ManagementGroupAssignmentResource struct {
+	base assignmentBaseResource
+}
+
+func (r ManagementGroupAssignmentResource) Arguments() map[string]*pluginsdk.Schema {
+	schema := map[string]*pluginsdk.Schema{
+		"management_group_id": {
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: managementGroupValidate.ManagementGroupID,
+		},
+		"name": {
+			Type:     pluginsdk.TypeString,
+			Required: true,
+			ForceNew: true,
+			ValidateFunc: validation.All(
+				validation.StringIsNotWhiteSpace,
+				validation.StringLenBetween(3, 24),
+				// The policy assignment name length must not exceed '24' characters.
+			),
+		},
+	}
+	return r.base.arguments(schema)
+}
+
+func (r ManagementGroupAssignmentResource) Attributes() map[string]*pluginsdk.Schema {
+	return r.base.attributes()
+}
+
+func (r ManagementGroupAssignmentResource) Create() sdk.ResourceFunc {
+	return r.base.createFunc(r.ResourceType(), "management_group_id")
+}
+
+func (r ManagementGroupAssignmentResource) Delete() sdk.ResourceFunc {
+	return r.base.deleteFunc()
+}
+
+func (r ManagementGroupAssignmentResource) IDValidationFunc() pluginsdk.SchemaValidateFunc {
+	return validate.ManagementGroupAssignmentID
+}
+
+func (r ManagementGroupAssignmentResource) ModelObject() interface{} {
+	return nil
+}
+
+func (r ManagementGroupAssignmentResource) Read() sdk.ResourceFunc {
+	return r.base.readFunc("management_group_id")
+}
+
+func (r ManagementGroupAssignmentResource) ResourceType() string {
+	return "azurerm_management_group_policy_assignment"
+}
+
+func (r ManagementGroupAssignmentResource) Update() sdk.ResourceFunc {
+	return r.base.updateFunc()
+}
diff --git a/azurerm/internal/services/policy/assignment_management_group_resource_test.go b/azurerm/internal/services/policy/assignment_management_group_resource_test.go
new file mode 100644
index 000000000000..a9adba8d065d
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_management_group_resource_test.go
@@ -0,0 +1,530 @@
+package policy_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance/check"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+type ManagementGroupAssignmentTestResource struct{}
+
+func TestAccManagementGroupPolicyAssignment_basicWithBuiltInPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_management_group_policy_assignment", "test")
+	r := ManagementGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccManagementGroupPolicyAssignment_basicWithBuiltInPolicySet(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_management_group_policy_assignment", "test")
+	r := ManagementGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccManagementGroupPolicyAssignment_basicWithCustomPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_management_group_policy_assignment", "test")
+	r := ManagementGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccManagementGroupPolicyAssignment_basicWithCustomPolicyRequiresImport(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_management_group_policy_assignment", "test")
+	r := ManagementGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		data.RequiresImportErrorStep(r.withCustomPolicyRequiresImport),
+	})
+}
+
+func TestAccManagementGroupPolicyAssignment_basicWithCustomPolicyComplete(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_management_group_policy_assignment", "test")
+	r := ManagementGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccManagementGroupPolicyAssignment_basicComplexWithCustomPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_management_group_policy_assignment", "test")
+	r := ManagementGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withComplexCustomPolicyAndParameters(data, "Acceptance"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withComplexCustomPolicyAndParameters(data, "Testing"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withComplexCustomPolicyAndParameters(data, "Acceptance Testing"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func (r ManagementGroupAssignmentTestResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
+	id, err := parse.PolicyAssignmentID(state.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	assignment, err := client.Policy.AssignmentsClient.Get(ctx, id.Scope, id.Name)
+	if err != nil {
+		if utils.ResponseWasNotFound(assignment.Response) {
+			return utils.Bool(false), nil
+		}
+
+		return nil, fmt.Errorf("retrieving %s: %+v", *id, err)
+	}
+
+	return utils.Bool(true), nil
+}
+
+func (r ManagementGroupAssignmentTestResource) withBuiltInPolicyBasic(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = ["%[3]s"]
+    }
+  })
+}
+`, template, data.RandomString, data.Locations.Primary)
+}
+
+func (r ManagementGroupAssignmentTestResource) withBuiltInPolicyUpdated(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = ["%[3]s", "%[4]s"]
+    }
+  })
+}
+`, template, data.RandomString, data.Locations.Primary, data.Locations.Secondary)
+}
+
+func (r ManagementGroupAssignmentTestResource) withBuiltInPolicySetBasic(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = %[3]q
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, template, data.RandomString, data.Locations.Primary)
+}
+
+func (r ManagementGroupAssignmentTestResource) withBuiltInPolicySetUpdated(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = %[3]q
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomString, data.Locations.Primary)
+}
+
+func (r ManagementGroupAssignmentTestResource) withCustomPolicyBasic(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+}
+`, template, data.RandomString)
+}
+
+func (r ManagementGroupAssignmentTestResource) withCustomPolicyComplete(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	// NOTE: we could include parameters here but it's tested extensively elsewhere
+	// NOTE: intentionally avoiding NotScopes for Management Groups since it's awkward to test, but
+	// this is covered in the other resources
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  description          = "This is a policy assignment from an acceptance test"
+  display_name         = "AccTest Policy %[2]s"
+  enforce              = false
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomString)
+}
+
+func (r ManagementGroupAssignmentTestResource) withCustomPolicyRequiresImport(data acceptance.TestData) string {
+	template := r.withCustomPolicyBasic(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_management_group_policy_assignment" "import" {
+  name                 = azurerm_management_group_policy_assignment.test.name
+  management_group_id  = azurerm_management_group_policy_assignment.test.management_group_id
+  policy_definition_id = azurerm_management_group_policy_assignment.test.policy_definition_id
+}
+`, template)
+}
+
+func (r ManagementGroupAssignmentTestResource) withComplexCustomPolicyAndParameters(data acceptance.TestData, metadataValue string) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%[1]s
+
+resource "azurerm_policy_definition" "test" {
+  name                = "acctestpol-%[2]s"
+  policy_type         = "Custom"
+  mode                = "All"
+  display_name        = "acctestpol-%[2]s"
+  description         = "Description for %[2]s"
+  management_group_id = azurerm_management_group.test.group_id
+  metadata            = <<METADATA
+  {
+    "category": "%[3]s"
+  }
+METADATA
+
+  parameters = <<PARAMETERS
+  {
+    "effect": {
+      "type": "String",
+      "metadata": {
+        "displayName": "Effect",
+        "description": "Enable or disable the execution of the policy"
+      },
+      "allowedValues": [
+        "Deny",
+        "Audit",
+        "Disabled"
+      ],
+      "defaultValue": "Deny"
+    },
+    "sourceIp": {
+      "type": "Array",
+      "metadata": {
+        "displayName": "Source IP ranges",
+        "description": "The inbound IP range to deny. Default to *, ANY, Internet"
+      },
+      "defaultValue": [
+        "*",
+        "Any",
+        "Internet",
+        "0.0.0.0"
+      ]
+    }
+  }
+PARAMETERS
+
+  policy_rule = <<POLICY_RULE
+  {
+    "if": {
+      "allOf": [
+        {
+          "field": "type",
+          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
+        },
+        {
+          "allOf": [
+            {
+              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
+              "equals": "Allow"
+            },
+            {
+              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
+              "equals": "Inbound"
+            },
+            {
+              "anyOf": [
+                {
+                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+                  "equals": "*"
+                },
+                {
+                  "not": {
+                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+                    "notEquals": "*"
+                  }
+                },
+                {
+                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+                  "in": "[parameters('sourceIP')]"
+                },
+                {
+                  "not": {
+                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+                    "notIn": "[parameters('sourceIP')]"
+                  }
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "then": {
+      "effect": "[parameters('effect')]"
+    }
+  }
+POLICY_RULE
+}
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+}
+`, template, data.RandomString, metadataValue)
+}
+
+func (r ManagementGroupAssignmentTestResource) withCustomPolicyUpdated(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_management_group_policy_assignment" "test" {
+  name                 = "acctestpol-%[2]s"
+  management_group_id  = azurerm_management_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomString)
+}
+
+func (r ManagementGroupAssignmentTestResource) templateWithCustomPolicy(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_policy_definition" "test" {
+  name                = "acctestpol-%[2]s"
+  policy_type         = "Custom"
+  mode                = "All"
+  display_name        = "acctestpol-%[2]s"
+  management_group_id = azurerm_management_group.test.group_id
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "name",
+        "equals": "bob"
+      }
+    },
+    "then": {
+      "effect": "audit"
+    }
+  }
+POLICY_RULE
+}
+`, template, data.RandomString)
+}
+
+func (r ManagementGroupAssignmentTestResource) template(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azurerm_management_group" "test" {
+  display_name = "Acceptance Test MgmtGroup %[1]d"
+}
+`, data.RandomInteger)
+}
diff --git a/azurerm/internal/services/policy/assignment_resource.go b/azurerm/internal/services/policy/assignment_resource.go
new file mode 100644
index 000000000000..38c9145f0c6b
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_resource.go
@@ -0,0 +1,65 @@
+package policy
+
+import (
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/sdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+)
+
+var _ sdk.ResourceWithUpdate = ResourceAssignmentResource{}
+
+type ResourceAssignmentResource struct {
+	base assignmentBaseResource
+}
+
+func (r ResourceAssignmentResource) Arguments() map[string]*pluginsdk.Schema {
+	schema := map[string]*pluginsdk.Schema{
+		"name": {
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: validation.StringIsNotWhiteSpace,
+		},
+		"resource_id": {
+			//TODO: tests for this
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: validate.ResourceAssignmentId(),
+		},
+	}
+	return r.base.arguments(schema)
+}
+
+func (r ResourceAssignmentResource) Attributes() map[string]*pluginsdk.Schema {
+	return r.base.attributes()
+}
+
+func (r ResourceAssignmentResource) Create() sdk.ResourceFunc {
+	return r.base.createFunc(r.ResourceType(), "resource_id")
+}
+
+func (r ResourceAssignmentResource) Delete() sdk.ResourceFunc {
+	return r.base.deleteFunc()
+}
+
+func (r ResourceAssignmentResource) IDValidationFunc() pluginsdk.SchemaValidateFunc {
+	return validate.ResourceAssignmentId()
+}
+
+func (r ResourceAssignmentResource) ModelObject() interface{} {
+	return nil
+}
+
+func (r ResourceAssignmentResource) Read() sdk.ResourceFunc {
+	return r.base.readFunc("resource_id")
+}
+
+func (r ResourceAssignmentResource) ResourceType() string {
+	return "azurerm_resource_policy_assignment"
+}
+
+func (r ResourceAssignmentResource) Update() sdk.ResourceFunc {
+	return r.base.updateFunc()
+}
diff --git a/azurerm/internal/services/policy/assignment_resource_group_resource.go b/azurerm/internal/services/policy/assignment_resource_group_resource.go
new file mode 100644
index 000000000000..4a3f106026fb
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_resource_group_resource.go
@@ -0,0 +1,65 @@
+package policy
+
+import (
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/sdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/validate"
+	resourceValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/resource/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+)
+
+var _ sdk.ResourceWithUpdate = ResourceGroupAssignmentResource{}
+
+type ResourceGroupAssignmentResource struct {
+	base assignmentBaseResource
+}
+
+func (r ResourceGroupAssignmentResource) Arguments() map[string]*pluginsdk.Schema {
+	schema := map[string]*pluginsdk.Schema{
+		"name": {
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: validation.StringIsNotWhiteSpace,
+		},
+		"resource_group_id": {
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: resourceValidate.ResourceGroupID,
+		},
+	}
+	return r.base.arguments(schema)
+}
+
+func (r ResourceGroupAssignmentResource) Attributes() map[string]*pluginsdk.Schema {
+	return r.base.attributes()
+}
+
+func (r ResourceGroupAssignmentResource) Create() sdk.ResourceFunc {
+	return r.base.createFunc(r.ResourceType(), "resource_group_id")
+}
+
+func (r ResourceGroupAssignmentResource) Delete() sdk.ResourceFunc {
+	return r.base.deleteFunc()
+}
+
+func (r ResourceGroupAssignmentResource) IDValidationFunc() pluginsdk.SchemaValidateFunc {
+	return validate.ResourceGroupAssignmentID
+}
+
+func (r ResourceGroupAssignmentResource) ModelObject() interface{} {
+	return nil
+}
+
+func (r ResourceGroupAssignmentResource) Read() sdk.ResourceFunc {
+	return r.base.readFunc("resource_group_id")
+}
+
+func (r ResourceGroupAssignmentResource) ResourceType() string {
+	return "azurerm_resource_group_policy_assignment"
+}
+
+func (r ResourceGroupAssignmentResource) Update() sdk.ResourceFunc {
+	return r.base.updateFunc()
+}
diff --git a/azurerm/internal/services/policy/assignment_resource_group_resource_test.go b/azurerm/internal/services/policy/assignment_resource_group_resource_test.go
new file mode 100644
index 000000000000..b2b713d0efc8
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_resource_group_resource_test.go
@@ -0,0 +1,388 @@
+package policy_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance/check"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+type ResourceGroupAssignmentTestResource struct{}
+
+func TestAccResourceGroupPolicyAssignment_basicWithBuiltInPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_group_policy_assignment", "test")
+	r := ResourceGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccResourceGroupPolicyAssignment_basicWithBuiltInPolicySet(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_group_policy_assignment", "test")
+	r := ResourceGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccResourceGroupPolicyAssignment_basicWithCustomPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_group_policy_assignment", "test")
+	r := ResourceGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccResourceGroupPolicyAssignment_basicWithCustomPolicyRequiresImport(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_group_policy_assignment", "test")
+	r := ResourceGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		data.RequiresImportErrorStep(r.withCustomPolicyRequiresImport),
+	})
+}
+
+func TestAccResourceGroupPolicyAssignment_basicWithCustomPolicyComplete(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_group_policy_assignment", "test")
+	r := ResourceGroupAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func (r ResourceGroupAssignmentTestResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
+	id, err := parse.PolicyAssignmentID(state.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	assignment, err := client.Policy.AssignmentsClient.Get(ctx, id.Scope, id.Name)
+	if err != nil {
+		if utils.ResponseWasNotFound(assignment.Response) {
+			return utils.Bool(false), nil
+		}
+
+		return nil, fmt.Errorf("retrieving %s: %+v", *id, err)
+	}
+
+	return utils.Bool(true), nil
+}
+
+func (r ResourceGroupAssignmentTestResource) withBuiltInPolicyBasic(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = [azurerm_resource_group.test.location]
+    }
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) withBuiltInPolicyUpdated(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = [azurerm_resource_group.test.location, "%[3]s"]
+    }
+  })
+}
+`, template, data.RandomInteger, data.Locations.Secondary)
+}
+
+func (r ResourceGroupAssignmentTestResource) withBuiltInPolicySetBasic(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = azurerm_resource_group.test.location
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) withBuiltInPolicySetUpdated(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = azurerm_resource_group.test.location
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) withCustomPolicyBasic(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) withCustomPolicyComplete(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	// NOTE: we could include parameters here but it's tested extensively elsewhere
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  description          = "This is a policy assignment from an acceptance test"
+  display_name         = "AccTest Policy %[2]d"
+  enforce              = false
+  not_scopes = [
+    format("%%s/virtualMachines/testvm1", azurerm_resource_group.test.id)
+  ]
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) withCustomPolicyRequiresImport(data acceptance.TestData) string {
+	template := r.withCustomPolicyBasic(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_resource_group_policy_assignment" "import" {
+  name                 = azurerm_resource_group_policy_assignment.test.name
+  resource_group_id    = azurerm_resource_group_policy_assignment.test.resource_group_id
+  policy_definition_id = azurerm_resource_group_policy_assignment.test.policy_definition_id
+}
+`, template)
+}
+
+func (r ResourceGroupAssignmentTestResource) withCustomPolicyUpdated(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_resource_group_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_group_id    = azurerm_resource_group.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) templateWithCustomPolicy(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_policy_definition" "test" {
+  name         = "acctestpol-%[2]d"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "acctestpol-%[2]d"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "name",
+        "equals": "bob"
+      }
+    },
+    "then": {
+      "effect": "audit"
+    }
+  }
+POLICY_RULE
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceGroupAssignmentTestResource) template(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctest%[1]d"
+  location = %[2]q
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
diff --git a/azurerm/internal/services/policy/assignment_resource_test.go b/azurerm/internal/services/policy/assignment_resource_test.go
new file mode 100644
index 000000000000..317793bb3f37
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_resource_test.go
@@ -0,0 +1,395 @@
+package policy_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance/check"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+type ResourceAssignmentTestResource struct{}
+
+func TestAccResourcePolicyAssignment_basicWithBuiltInPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_policy_assignment", "test")
+	r := ResourceAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccResourcePolicyAssignment_basicWithBuiltInPolicySet(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_policy_assignment", "test")
+	r := ResourceAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccResourcePolicyAssignment_basicWithCustomPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_policy_assignment", "test")
+	r := ResourceAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccResourcePolicyAssignment_basicWithCustomPolicyRequiresImport(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_policy_assignment", "test")
+	r := ResourceAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		data.RequiresImportErrorStep(r.withCustomPolicyRequiresImport),
+	})
+}
+
+func TestAccResourcePolicyAssignment_basicWithCustomPolicyComplete(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_resource_policy_assignment", "test")
+	r := ResourceAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func (r ResourceAssignmentTestResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
+	id, err := parse.PolicyAssignmentID(state.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	assignment, err := client.Policy.AssignmentsClient.Get(ctx, id.Scope, id.Name)
+	if err != nil {
+		if utils.ResponseWasNotFound(assignment.Response) {
+			return utils.Bool(false), nil
+		}
+
+		return nil, fmt.Errorf("retrieving %s: %+v", *id, err)
+	}
+
+	return utils.Bool(true), nil
+}
+
+func (r ResourceAssignmentTestResource) withBuiltInPolicyBasic(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = [azurerm_resource_group.test.location]
+    }
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) withBuiltInPolicyUpdated(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = [azurerm_resource_group.test.location, "%[3]s"]
+    }
+  })
+}
+`, template, data.RandomInteger, data.Locations.Secondary)
+}
+
+func (r ResourceAssignmentTestResource) withBuiltInPolicySetBasic(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = azurerm_resource_group.test.location
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) withBuiltInPolicySetUpdated(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = azurerm_resource_group.test.location
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) withCustomPolicyBasic(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) withCustomPolicyComplete(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	// NOTE: we could include parameters here but it's tested extensively elsewhere
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  description          = "This is a policy assignment from an acceptance test"
+  display_name         = "AccTest Policy %[2]d"
+  enforce              = false
+  not_scopes = [
+    format("%%s/subnets/subnet1", azurerm_virtual_network.test.id)
+  ]
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) withCustomPolicyRequiresImport(data acceptance.TestData) string {
+	template := r.withCustomPolicyBasic(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_resource_policy_assignment" "import" {
+  name                 = azurerm_resource_policy_assignment.test.name
+  resource_id          = azurerm_resource_policy_assignment.test.resource_id
+  policy_definition_id = azurerm_resource_policy_assignment.test.policy_definition_id
+}
+`, template)
+}
+
+func (r ResourceAssignmentTestResource) withCustomPolicyUpdated(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_resource_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  resource_id          = azurerm_virtual_network.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) templateWithCustomPolicy(data acceptance.TestData) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_policy_definition" "test" {
+  name         = "acctestpol-%[2]d"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "acctestpol-%[2]d"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "name",
+        "equals": "bob"
+      }
+    },
+    "then": {
+      "effect": "audit"
+    }
+  }
+POLICY_RULE
+}
+`, template, data.RandomInteger)
+}
+
+func (r ResourceAssignmentTestResource) template(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+  name     = "acctest%[1]d"
+  location = %[2]q
+}
+
+resource "azurerm_virtual_network" "test" {
+  name                = "acctestvn-%[1]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  address_space       = ["10.0.0.0/16"]
+}
+`, data.RandomInteger, data.Locations.Primary)
+}
diff --git a/azurerm/internal/services/policy/assignment_subscription_resource.go b/azurerm/internal/services/policy/assignment_subscription_resource.go
new file mode 100644
index 000000000000..6f9e9badbbce
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_subscription_resource.go
@@ -0,0 +1,65 @@
+package policy
+
+import (
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/sdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/validate"
+	subscriptionValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/subscription/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+)
+
+var _ sdk.ResourceWithUpdate = SubscriptionAssignmentResource{}
+
+type SubscriptionAssignmentResource struct {
+	base assignmentBaseResource
+}
+
+func (r SubscriptionAssignmentResource) Arguments() map[string]*pluginsdk.Schema {
+	schema := map[string]*pluginsdk.Schema{
+		"name": {
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: validation.StringIsNotWhiteSpace,
+		},
+		"subscription_id": {
+			Type:         pluginsdk.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			ValidateFunc: subscriptionValidate.SubscriptionID,
+		},
+	}
+	return r.base.arguments(schema)
+}
+
+func (r SubscriptionAssignmentResource) Attributes() map[string]*pluginsdk.Schema {
+	return r.base.attributes()
+}
+
+func (r SubscriptionAssignmentResource) Create() sdk.ResourceFunc {
+	return r.base.createFunc(r.ResourceType(), "subscription_id")
+}
+
+func (r SubscriptionAssignmentResource) Delete() sdk.ResourceFunc {
+	return r.base.deleteFunc()
+}
+
+func (r SubscriptionAssignmentResource) IDValidationFunc() pluginsdk.SchemaValidateFunc {
+	return validate.SubscriptionAssignmentID
+}
+
+func (r SubscriptionAssignmentResource) ModelObject() interface{} {
+	return nil
+}
+
+func (r SubscriptionAssignmentResource) Read() sdk.ResourceFunc {
+	return r.base.readFunc("subscription_id")
+}
+
+func (r SubscriptionAssignmentResource) ResourceType() string {
+	return "azurerm_subscription_policy_assignment"
+}
+
+func (r SubscriptionAssignmentResource) Update() sdk.ResourceFunc {
+	return r.base.updateFunc()
+}
diff --git a/azurerm/internal/services/policy/assignment_subscription_resource_test.go b/azurerm/internal/services/policy/assignment_subscription_resource_test.go
new file mode 100644
index 000000000000..1dcc1ea3310d
--- /dev/null
+++ b/azurerm/internal/services/policy/assignment_subscription_resource_test.go
@@ -0,0 +1,382 @@
+package policy_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/acceptance/check"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+type SubscriptionAssignmentTestResource struct{}
+
+func TestAccSubscriptionPolicyAssignment_basicWithBuiltInPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_subscription_policy_assignment", "test")
+	r := SubscriptionAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccSubscriptionPolicyAssignment_basicWithBuiltInPolicySet(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_subscription_policy_assignment", "test")
+	r := SubscriptionAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withBuiltInPolicySetBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccSubscriptionPolicyAssignment_basicWithCustomPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_subscription_policy_assignment", "test")
+	r := SubscriptionAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccSubscriptionPolicyAssignment_basicWithCustomPolicyComplete(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_subscription_policy_assignment", "test")
+	r := SubscriptionAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withCustomPolicyComplete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccSubscriptionPolicyAssignment_basicWithCustomPolicyRequiresImport(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_subscription_policy_assignment", "test")
+	r := SubscriptionAssignmentTestResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withCustomPolicyBasic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		data.RequiresImportErrorStep(r.withCustomPolicyRequiresImport),
+	})
+}
+
+func (r SubscriptionAssignmentTestResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
+	id, err := parse.PolicyAssignmentID(state.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	assignment, err := client.Policy.AssignmentsClient.Get(ctx, id.Scope, id.Name)
+	if err != nil {
+		if utils.ResponseWasNotFound(assignment.Response) {
+			return utils.Bool(false), nil
+		}
+
+		return nil, fmt.Errorf("retrieving %s: %+v", *id, err)
+	}
+
+	return utils.Bool(true), nil
+}
+
+func (r SubscriptionAssignmentTestResource) withBuiltInPolicyBasic(data acceptance.TestData) string {
+	template := r.template()
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = ["%s"]
+    }
+  })
+}
+`, template, data.RandomInteger, data.Locations.Primary)
+}
+
+func (r SubscriptionAssignmentTestResource) withBuiltInPolicyUpdated(data acceptance.TestData) string {
+	template := r.template()
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_definition" "test" {
+  display_name = "Allowed locations"
+}
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = data.azurerm_policy_definition.test.id
+  parameters = jsonencode({
+    "listOfAllowedLocations" = {
+      "value" = ["%[3]s", "%[4]s"]
+    }
+  })
+}
+`, template, data.RandomInteger, data.Locations.Primary, data.Locations.Secondary)
+}
+
+func (r SubscriptionAssignmentTestResource) withBuiltInPolicySetBasic(data acceptance.TestData) string {
+	template := r.template()
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = %[3]q
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, template, data.RandomInteger, data.Locations.Primary)
+}
+
+func (r SubscriptionAssignmentTestResource) withBuiltInPolicySetUpdated(data acceptance.TestData) string {
+	template := r.template()
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+data "azurerm_policy_set_definition" "test" {
+  display_name = "Audit machines with insecure password security settings"
+}
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = data.azurerm_policy_set_definition.test.id
+  location             = %[3]q
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger, data.Locations.Primary)
+}
+
+func (r SubscriptionAssignmentTestResource) withCustomPolicyBasic(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+}
+`, template, data.RandomInteger)
+}
+
+func (r SubscriptionAssignmentTestResource) withCustomPolicyComplete(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	// NOTE: we could include parameters here but it's tested extensively elsewhere
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  description          = "This is a policy assignment from an acceptance test"
+  display_name         = "AccTest Policy %[2]d"
+  enforce              = false
+  not_scopes = [
+    format("%%s/resourceGroups/blah", data.azurerm_subscription.test.id)
+  ]
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r SubscriptionAssignmentTestResource) withCustomPolicyRequiresImport(data acceptance.TestData) string {
+	template := r.withCustomPolicyBasic(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_subscription_policy_assignment" "import" {
+  name                 = azurerm_subscription_policy_assignment.test.name
+  subscription_id      = azurerm_subscription_policy_assignment.test.subscription_id
+  policy_definition_id = azurerm_subscription_policy_assignment.test.policy_definition_id
+}
+`, template)
+}
+func (r SubscriptionAssignmentTestResource) withCustomPolicyUpdated(data acceptance.TestData) string {
+	template := r.templateWithCustomPolicy(data)
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_subscription_policy_assignment" "test" {
+  name                 = "acctestpa-%[2]d"
+  subscription_id      = data.azurerm_subscription.test.id
+  policy_definition_id = azurerm_policy_definition.test.id
+  metadata = jsonencode({
+    "category" : "Testing"
+  })
+}
+`, template, data.RandomInteger)
+}
+
+func (r SubscriptionAssignmentTestResource) templateWithCustomPolicy(data acceptance.TestData) string {
+	template := r.template()
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_policy_definition" "test" {
+  name         = "acctestpol-%[2]d"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "acctestpol-%[2]d"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "name",
+        "equals": "bob"
+      }
+    },
+    "then": {
+      "effect": "audit"
+    }
+  }
+POLICY_RULE
+}
+`, template, data.RandomInteger)
+}
+
+func (r SubscriptionAssignmentTestResource) template() string {
+	return `data "azurerm_subscription" "test" {}`
+}
diff --git a/azurerm/internal/services/policy/metadata.go b/azurerm/internal/services/policy/metadata.go
new file mode 100644
index 000000000000..633ac5d39763
--- /dev/null
+++ b/azurerm/internal/services/policy/metadata.go
@@ -0,0 +1,45 @@
+package policy
+
+import (
+	"encoding/json"
+	"reflect"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+)
+
+func metadataDiffSuppressFunc(_, old, new string, _ *pluginsdk.ResourceData) bool {
+	var oldPolicyAssignmentsMetadata map[string]interface{}
+	errOld := json.Unmarshal([]byte(old), &oldPolicyAssignmentsMetadata)
+	if errOld != nil {
+		return false
+	}
+
+	var newPolicyAssignmentsMetadata map[string]interface{}
+	if new != "" {
+		errNew := json.Unmarshal([]byte(new), &newPolicyAssignmentsMetadata)
+		if errNew != nil {
+			return false
+		}
+	}
+
+	// Ignore the following keys if they're found in the metadata JSON
+	ignoreKeys := [5]string{"assignedBy", "createdBy", "createdOn", "updatedBy", "updatedOn"}
+	for _, key := range ignoreKeys {
+		delete(oldPolicyAssignmentsMetadata, key)
+		delete(newPolicyAssignmentsMetadata, key)
+	}
+
+	return reflect.DeepEqual(oldPolicyAssignmentsMetadata, newPolicyAssignmentsMetadata)
+}
+
+func metadataSchema() *pluginsdk.Schema {
+	return &pluginsdk.Schema{
+		Type:             pluginsdk.TypeString,
+		Optional:         true,
+		Computed:         true,
+		ValidateFunc:     validation.StringIsJSON,
+		DiffSuppressFunc: metadataDiffSuppressFunc,
+	}
+}
diff --git a/azurerm/internal/services/policy/parse/assignment.go b/azurerm/internal/services/policy/parse/assignment.go
index 80d608fbbc48..8271411eeb4e 100644
--- a/azurerm/internal/services/policy/parse/assignment.go
+++ b/azurerm/internal/services/policy/parse/assignment.go
@@ -3,11 +3,33 @@ package parse
 import (
 	"fmt"
 	"regexp"
+	"strings"
 )
 
 type PolicyAssignmentId struct {
-	Name string
-	PolicyScopeId
+	Name  string
+	Scope string
+}
+
+func (id PolicyAssignmentId) String() string {
+	segments := []string{
+		fmt.Sprintf("Assignment Name %q", id.Name),
+		fmt.Sprintf("Scope %q", id.Scope),
+	}
+	segmentsStr := strings.Join(segments, " / ")
+	return fmt.Sprintf("%s: (%s)", "Policy Assignment ID", segmentsStr)
+}
+
+func (id PolicyAssignmentId) ID() string {
+	fmtString := "%s/providers/Microsoft.Authorization/policyAssignments/%s"
+	return fmt.Sprintf(fmtString, id.Scope, id.Name)
+}
+
+func NewPolicyAssignmentId(scope, name string) PolicyAssignmentId {
+	return PolicyAssignmentId{
+		Name:  name,
+		Scope: scope,
+	}
 }
 
 // TODO: This paring function is currently suppressing every case difference due to github issue: https://github.com/Azure/azure-rest-api-specs/issues/8353
@@ -31,13 +53,8 @@ func PolicyAssignmentID(input string) (*PolicyAssignmentId, error) {
 		return nil, fmt.Errorf("unable to parse Policy Assignment ID %q: assignment name is empty", input)
 	}
 
-	scopeId, err := PolicyScopeID(scope)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse Policy Assignment ID %q: %+v", input, err)
-	}
-
 	return &PolicyAssignmentId{
-		Name:          name,
-		PolicyScopeId: scopeId,
+		Name:  name,
+		Scope: scope,
 	}, nil
 }
diff --git a/azurerm/internal/services/policy/parse/assignment_test.go b/azurerm/internal/services/policy/parse/assignment_test.go
index 979e1b78ec80..015d771f7e9e 100644
--- a/azurerm/internal/services/policy/parse/assignment_test.go
+++ b/azurerm/internal/services/policy/parse/assignment_test.go
@@ -1,7 +1,6 @@
 package parse
 
 import (
-	"reflect"
 	"testing"
 )
 
@@ -21,12 +20,8 @@ func TestPolicyAssignmentID(t *testing.T) {
 			Name:  "policy assignment in resource group",
 			Input: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.Authorization/policyAssignments/assignment1",
 			Expected: &PolicyAssignmentId{
-				Name: "assignment1",
-				PolicyScopeId: ScopeAtResourceGroup{
-					scopeId:        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo",
-					SubscriptionId: "00000000-0000-0000-0000-000000000000",
-					ResourceGroup:  "foo",
-				},
+				Name:  "assignment1",
+				Scope: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo",
 			},
 		},
 		{
@@ -38,23 +33,16 @@ func TestPolicyAssignmentID(t *testing.T) {
 			Name:  "the returned value of policy assignment id may not keep its casing",
 			Input: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.authorization/policyassignments/assignment1",
 			Expected: &PolicyAssignmentId{
-				Name: "assignment1",
-				PolicyScopeId: ScopeAtResourceGroup{
-					scopeId:        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo",
-					SubscriptionId: "00000000-0000-0000-0000-000000000000",
-					ResourceGroup:  "foo",
-				},
+				Name:  "assignment1",
+				Scope: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo",
 			},
 		},
 		{
 			Name:  "policy assignment in subscription",
 			Input: "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/assignment1",
 			Expected: &PolicyAssignmentId{
-				Name: "assignment1",
-				PolicyScopeId: ScopeAtSubscription{
-					scopeId:        "/subscriptions/00000000-0000-0000-0000-000000000000",
-					SubscriptionId: "00000000-0000-0000-0000-000000000000",
-				},
+				Name:  "assignment1",
+				Scope: "/subscriptions/00000000-0000-0000-0000-000000000000",
 			},
 		},
 		{
@@ -66,11 +54,8 @@ func TestPolicyAssignmentID(t *testing.T) {
 			Name:  "policy assignment in management group",
 			Input: "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/assignment1",
 			Expected: &PolicyAssignmentId{
-				Name: "assignment1",
-				PolicyScopeId: ScopeAtManagementGroup{
-					scopeId:             "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000",
-					ManagementGroupName: "00000000-0000-0000-0000-000000000000",
-				},
+				Name:  "assignment1",
+				Scope: "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000",
 			},
 		},
 		{
@@ -82,10 +67,8 @@ func TestPolicyAssignmentID(t *testing.T) {
 			Name:  "policy assignment in resource",
 			Input: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Authorization/policyAssignments/assignment1",
 			Expected: &PolicyAssignmentId{
-				Name: "assignment1",
-				PolicyScopeId: ScopeAtResource{
-					scopeId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.Compute/virtualMachines/vm1",
-				},
+				Name:  "assignment1",
+				Scope: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo/providers/Microsoft.Compute/virtualMachines/vm1",
 			},
 		},
 		{
@@ -111,8 +94,8 @@ func TestPolicyAssignmentID(t *testing.T) {
 			t.Fatalf("Expected %q but got %q", v.Expected.Name, actual.Name)
 		}
 
-		if !reflect.DeepEqual(v.Expected.PolicyScopeId, actual.PolicyScopeId) {
-			t.Fatalf("Expected %+v but got %+v", v.Expected.PolicyScopeId, actual.PolicyScopeId)
+		if v.Expected.Scope != actual.Scope {
+			t.Fatalf("Expected %+v but got %+v", v.Expected.Scope, actual.Scope)
 		}
 	}
 }
diff --git a/azurerm/internal/services/policy/parse/management_group_assignment.go b/azurerm/internal/services/policy/parse/management_group_assignment.go
new file mode 100644
index 000000000000..c40c3d180987
--- /dev/null
+++ b/azurerm/internal/services/policy/parse/management_group_assignment.go
@@ -0,0 +1,58 @@
+package parse
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+)
+
+type ManagementGroupAssignmentId struct {
+	ManagementGroupName  string
+	PolicyAssignmentName string
+}
+
+func NewManagementGroupAssignmentID(managementGroupName, policyAssignmentName string) ManagementGroupAssignmentId {
+	return ManagementGroupAssignmentId{
+		ManagementGroupName:  managementGroupName,
+		PolicyAssignmentName: policyAssignmentName,
+	}
+}
+
+func (id ManagementGroupAssignmentId) String() string {
+	segments := []string{
+		fmt.Sprintf("Policy Assignment Name %q", id.PolicyAssignmentName),
+		fmt.Sprintf("Management Group Name %q", id.ManagementGroupName),
+	}
+	segmentsStr := strings.Join(segments, " / ")
+	return fmt.Sprintf("%s: (%s)", "Management Group Assignment", segmentsStr)
+}
+
+func (id ManagementGroupAssignmentId) ID() string {
+	fmtString := "/providers/Microsoft.Management/managementGroups/%s/providers/Microsoft.Authorization/policyAssignments/%s"
+	return fmt.Sprintf(fmtString, id.ManagementGroupName, id.PolicyAssignmentName)
+}
+
+// ManagementGroupAssignmentID parses a ManagementGroupAssignment ID into an ManagementGroupAssignmentId struct
+func ManagementGroupAssignmentID(input string) (*ManagementGroupAssignmentId, error) {
+	// TODO: the generator should support outputting this method too
+	id, err := azure.ParseAzureResourceIDWithoutSubscription(input)
+	if err != nil {
+		return nil, err
+	}
+
+	resourceId := ManagementGroupAssignmentId{}
+
+	if resourceId.ManagementGroupName, err = id.PopSegment("managementGroups"); err != nil {
+		return nil, err
+	}
+	if resourceId.PolicyAssignmentName, err = id.PopSegment("policyAssignments"); err != nil {
+		return nil, err
+	}
+
+	if err := id.ValidateNoEmptySegments(input); err != nil {
+		return nil, err
+	}
+
+	return &resourceId, nil
+}
diff --git a/azurerm/internal/services/policy/parse/management_group_assignment_test.go b/azurerm/internal/services/policy/parse/management_group_assignment_test.go
new file mode 100644
index 000000000000..0e737462e41e
--- /dev/null
+++ b/azurerm/internal/services/policy/parse/management_group_assignment_test.go
@@ -0,0 +1,94 @@
+package parse
+
+import (
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/resourceid"
+)
+
+var _ resourceid.Formatter = ManagementGroupAssignmentId{}
+
+func TestManagementGroupAssignmentIDFormatter(t *testing.T) {
+	actual := NewManagementGroupAssignmentID("managementGroup1", "assignment1").ID()
+	expected := "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1"
+	if actual != expected {
+		t.Fatalf("Expected %q but got %q", expected, actual)
+	}
+}
+
+func TestManagementGroupAssignmentID(t *testing.T) {
+	testData := []struct {
+		Input    string
+		Error    bool
+		Expected *ManagementGroupAssignmentId
+	}{
+
+		{
+			// empty
+			Input: "",
+			Error: true,
+		},
+
+		{
+			// missing ManagementGroupName
+			Input: "/providers/Microsoft.Management/",
+			Error: true,
+		},
+
+		{
+			// missing value for ManagementGroupName
+			Input: "/providers/Microsoft.Management/managementGroups/",
+			Error: true,
+		},
+
+		{
+			// missing PolicyAssignmentName
+			Input: "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/",
+			Error: true,
+		},
+
+		{
+			// missing value for PolicyAssignmentName
+			Input: "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/policyAssignments/",
+			Error: true,
+		},
+
+		{
+			// valid
+			Input: "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1",
+			Expected: &ManagementGroupAssignmentId{
+				ManagementGroupName:  "managementGroup1",
+				PolicyAssignmentName: "assignment1",
+			},
+		},
+
+		{
+			// upper-cased
+			Input: "/PROVIDERS/MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/MANAGEMENTGROUP1/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/ASSIGNMENT1",
+			Error: true,
+		},
+	}
+
+	for _, v := range testData {
+		t.Logf("[DEBUG] Testing %q", v.Input)
+
+		actual, err := ManagementGroupAssignmentID(v.Input)
+		if err != nil {
+			if v.Error {
+				continue
+			}
+
+			t.Fatalf("Expect a value but got an error: %s", err)
+		}
+		if v.Error {
+			t.Fatal("Expect an error but didn't get one")
+		}
+
+		if actual.ManagementGroupName != v.Expected.ManagementGroupName {
+			t.Fatalf("Expected %q but got %q for ManagementGroupName", v.Expected.ManagementGroupName, actual.ManagementGroupName)
+		}
+		if actual.PolicyAssignmentName != v.Expected.PolicyAssignmentName {
+			t.Fatalf("Expected %q but got %q for PolicyAssignmentName", v.Expected.PolicyAssignmentName, actual.PolicyAssignmentName)
+		}
+	}
+}
diff --git a/azurerm/internal/services/policy/parse/resource_group_assignment.go b/azurerm/internal/services/policy/parse/resource_group_assignment.go
new file mode 100644
index 000000000000..a1cae3d86296
--- /dev/null
+++ b/azurerm/internal/services/policy/parse/resource_group_assignment.go
@@ -0,0 +1,69 @@
+package parse
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+)
+
+type ResourceGroupAssignmentId struct {
+	SubscriptionId       string
+	ResourceGroup        string
+	PolicyAssignmentName string
+}
+
+func NewResourceGroupAssignmentID(subscriptionId, resourceGroup, policyAssignmentName string) ResourceGroupAssignmentId {
+	return ResourceGroupAssignmentId{
+		SubscriptionId:       subscriptionId,
+		ResourceGroup:        resourceGroup,
+		PolicyAssignmentName: policyAssignmentName,
+	}
+}
+
+func (id ResourceGroupAssignmentId) String() string {
+	segments := []string{
+		fmt.Sprintf("Policy Assignment Name %q", id.PolicyAssignmentName),
+		fmt.Sprintf("Resource Group %q", id.ResourceGroup),
+	}
+	segmentsStr := strings.Join(segments, " / ")
+	return fmt.Sprintf("%s: (%s)", "Resource Group Assignment", segmentsStr)
+}
+
+func (id ResourceGroupAssignmentId) ID() string {
+	fmtString := "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Authorization/policyAssignments/%s"
+	return fmt.Sprintf(fmtString, id.SubscriptionId, id.ResourceGroup, id.PolicyAssignmentName)
+}
+
+// ResourceGroupAssignmentID parses a ResourceGroupAssignment ID into an ResourceGroupAssignmentId struct
+func ResourceGroupAssignmentID(input string) (*ResourceGroupAssignmentId, error) {
+	id, err := azure.ParseAzureResourceID(input)
+	if err != nil {
+		return nil, err
+	}
+
+	resourceId := ResourceGroupAssignmentId{
+		SubscriptionId: id.SubscriptionID,
+		ResourceGroup:  id.ResourceGroup,
+	}
+
+	if resourceId.SubscriptionId == "" {
+		return nil, fmt.Errorf("ID was missing the 'subscriptions' element")
+	}
+
+	if resourceId.ResourceGroup == "" {
+		return nil, fmt.Errorf("ID was missing the 'resourceGroups' element")
+	}
+
+	if resourceId.PolicyAssignmentName, err = id.PopSegment("policyAssignments"); err != nil {
+		return nil, err
+	}
+
+	if err := id.ValidateNoEmptySegments(input); err != nil {
+		return nil, err
+	}
+
+	return &resourceId, nil
+}
diff --git a/azurerm/internal/services/policy/parse/resource_group_assignment_test.go b/azurerm/internal/services/policy/parse/resource_group_assignment_test.go
new file mode 100644
index 000000000000..d28300921924
--- /dev/null
+++ b/azurerm/internal/services/policy/parse/resource_group_assignment_test.go
@@ -0,0 +1,112 @@
+package parse
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import (
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/resourceid"
+)
+
+var _ resourceid.Formatter = ResourceGroupAssignmentId{}
+
+func TestResourceGroupAssignmentIDFormatter(t *testing.T) {
+	actual := NewResourceGroupAssignmentID("12345678-1234-9876-4563-123456789012", "resGroup1", "assignment1").ID()
+	expected := "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1"
+	if actual != expected {
+		t.Fatalf("Expected %q but got %q", expected, actual)
+	}
+}
+
+func TestResourceGroupAssignmentID(t *testing.T) {
+	testData := []struct {
+		Input    string
+		Error    bool
+		Expected *ResourceGroupAssignmentId
+	}{
+
+		{
+			// empty
+			Input: "",
+			Error: true,
+		},
+
+		{
+			// missing SubscriptionId
+			Input: "/",
+			Error: true,
+		},
+
+		{
+			// missing value for SubscriptionId
+			Input: "/subscriptions/",
+			Error: true,
+		},
+
+		{
+			// missing ResourceGroup
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/",
+			Error: true,
+		},
+
+		{
+			// missing value for ResourceGroup
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/",
+			Error: true,
+		},
+
+		{
+			// missing PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/",
+			Error: true,
+		},
+
+		{
+			// missing value for PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/policyAssignments/",
+			Error: true,
+		},
+
+		{
+			// valid
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1",
+			Expected: &ResourceGroupAssignmentId{
+				SubscriptionId:       "12345678-1234-9876-4563-123456789012",
+				ResourceGroup:        "resGroup1",
+				PolicyAssignmentName: "assignment1",
+			},
+		},
+
+		{
+			// upper-cased
+			Input: "/SUBSCRIPTIONS/12345678-1234-9876-4563-123456789012/RESOURCEGROUPS/RESGROUP1/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/ASSIGNMENT1",
+			Error: true,
+		},
+	}
+
+	for _, v := range testData {
+		t.Logf("[DEBUG] Testing %q", v.Input)
+
+		actual, err := ResourceGroupAssignmentID(v.Input)
+		if err != nil {
+			if v.Error {
+				continue
+			}
+
+			t.Fatalf("Expect a value but got an error: %s", err)
+		}
+		if v.Error {
+			t.Fatal("Expect an error but didn't get one")
+		}
+
+		if actual.SubscriptionId != v.Expected.SubscriptionId {
+			t.Fatalf("Expected %q but got %q for SubscriptionId", v.Expected.SubscriptionId, actual.SubscriptionId)
+		}
+		if actual.ResourceGroup != v.Expected.ResourceGroup {
+			t.Fatalf("Expected %q but got %q for ResourceGroup", v.Expected.ResourceGroup, actual.ResourceGroup)
+		}
+		if actual.PolicyAssignmentName != v.Expected.PolicyAssignmentName {
+			t.Fatalf("Expected %q but got %q for PolicyAssignmentName", v.Expected.PolicyAssignmentName, actual.PolicyAssignmentName)
+		}
+	}
+}
diff --git a/azurerm/internal/services/policy/parse/subscription_assignment.go b/azurerm/internal/services/policy/parse/subscription_assignment.go
new file mode 100644
index 000000000000..7b0b05545594
--- /dev/null
+++ b/azurerm/internal/services/policy/parse/subscription_assignment.go
@@ -0,0 +1,61 @@
+package parse
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+)
+
+type SubscriptionAssignmentId struct {
+	SubscriptionId       string
+	PolicyAssignmentName string
+}
+
+func NewSubscriptionAssignmentID(subscriptionId, policyAssignmentName string) SubscriptionAssignmentId {
+	return SubscriptionAssignmentId{
+		SubscriptionId:       subscriptionId,
+		PolicyAssignmentName: policyAssignmentName,
+	}
+}
+
+func (id SubscriptionAssignmentId) String() string {
+	segments := []string{
+		fmt.Sprintf("Policy Assignment Name %q", id.PolicyAssignmentName),
+	}
+	segmentsStr := strings.Join(segments, " / ")
+	return fmt.Sprintf("%s: (%s)", "Subscription Assignment", segmentsStr)
+}
+
+func (id SubscriptionAssignmentId) ID() string {
+	fmtString := "/subscriptions/%s/providers/Microsoft.Authorization/policyAssignments/%s"
+	return fmt.Sprintf(fmtString, id.SubscriptionId, id.PolicyAssignmentName)
+}
+
+// SubscriptionAssignmentID parses a SubscriptionAssignment ID into an SubscriptionAssignmentId struct
+func SubscriptionAssignmentID(input string) (*SubscriptionAssignmentId, error) {
+	id, err := azure.ParseAzureResourceID(input)
+	if err != nil {
+		return nil, err
+	}
+
+	resourceId := SubscriptionAssignmentId{
+		SubscriptionId: id.SubscriptionID,
+	}
+
+	if resourceId.SubscriptionId == "" {
+		return nil, fmt.Errorf("ID was missing the 'subscriptions' element")
+	}
+
+	if resourceId.PolicyAssignmentName, err = id.PopSegment("policyAssignments"); err != nil {
+		return nil, err
+	}
+
+	if err := id.ValidateNoEmptySegments(input); err != nil {
+		return nil, err
+	}
+
+	return &resourceId, nil
+}
diff --git a/azurerm/internal/services/policy/parse/subscription_assignment_test.go b/azurerm/internal/services/policy/parse/subscription_assignment_test.go
new file mode 100644
index 000000000000..b0e5a3341084
--- /dev/null
+++ b/azurerm/internal/services/policy/parse/subscription_assignment_test.go
@@ -0,0 +1,96 @@
+package parse
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import (
+	"testing"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/resourceid"
+)
+
+var _ resourceid.Formatter = SubscriptionAssignmentId{}
+
+func TestSubscriptionAssignmentIDFormatter(t *testing.T) {
+	actual := NewSubscriptionAssignmentID("12345678-1234-9876-4563-123456789012", "assignment1").ID()
+	expected := "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/policyAssignments/assignment1"
+	if actual != expected {
+		t.Fatalf("Expected %q but got %q", expected, actual)
+	}
+}
+
+func TestSubscriptionAssignmentID(t *testing.T) {
+	testData := []struct {
+		Input    string
+		Error    bool
+		Expected *SubscriptionAssignmentId
+	}{
+
+		{
+			// empty
+			Input: "",
+			Error: true,
+		},
+
+		{
+			// missing SubscriptionId
+			Input: "/",
+			Error: true,
+		},
+
+		{
+			// missing value for SubscriptionId
+			Input: "/subscriptions/",
+			Error: true,
+		},
+
+		{
+			// missing PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/",
+			Error: true,
+		},
+
+		{
+			// missing value for PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/policyAssignments/",
+			Error: true,
+		},
+
+		{
+			// valid
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/policyAssignments/assignment1",
+			Expected: &SubscriptionAssignmentId{
+				SubscriptionId:       "12345678-1234-9876-4563-123456789012",
+				PolicyAssignmentName: "assignment1",
+			},
+		},
+
+		{
+			// upper-cased
+			Input: "/SUBSCRIPTIONS/12345678-1234-9876-4563-123456789012/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/ASSIGNMENT1",
+			Error: true,
+		},
+	}
+
+	for _, v := range testData {
+		t.Logf("[DEBUG] Testing %q", v.Input)
+
+		actual, err := SubscriptionAssignmentID(v.Input)
+		if err != nil {
+			if v.Error {
+				continue
+			}
+
+			t.Fatalf("Expect a value but got an error: %s", err)
+		}
+		if v.Error {
+			t.Fatal("Expect an error but didn't get one")
+		}
+
+		if actual.SubscriptionId != v.Expected.SubscriptionId {
+			t.Fatalf("Expected %q but got %q for SubscriptionId", v.Expected.SubscriptionId, actual.SubscriptionId)
+		}
+		if actual.PolicyAssignmentName != v.Expected.PolicyAssignmentName {
+			t.Fatalf("Expected %q but got %q for PolicyAssignmentName", v.Expected.PolicyAssignmentName, actual.PolicyAssignmentName)
+		}
+	}
+}
diff --git a/azurerm/internal/services/policy/policy_assignment_resource.go b/azurerm/internal/services/policy/policy_assignment_resource.go
index 9ac2ea17cbec..3a9b2290de89 100644
--- a/azurerm/internal/services/policy/policy_assignment_resource.go
+++ b/azurerm/internal/services/policy/policy_assignment_resource.go
@@ -1,18 +1,16 @@
 package policy
 
 import (
-	"context"
-	"encoding/json"
 	"fmt"
 	"log"
-	"reflect"
-	"strconv"
+	"strings"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-09-01/policy"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/location"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/validate"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
@@ -23,8 +21,8 @@ import (
 
 func resourceArmPolicyAssignment() *pluginsdk.Resource {
 	return &pluginsdk.Resource{
-		Create: resourceArmPolicyAssignmentCreateUpdate,
-		Update: resourceArmPolicyAssignmentCreateUpdate,
+		Create: resourceArmPolicyAssignmentCreate,
+		Update: resourceArmPolicyAssignmentUpdate,
 		Read:   resourceArmPolicyAssignmentRead,
 		Delete: resourceArmPolicyAssignmentDelete,
 
@@ -33,6 +31,19 @@ func resourceArmPolicyAssignment() *pluginsdk.Resource {
 			return err
 		}),
 
+		DeprecationMessage: func() string {
+			msg := `The 'azurerm_policy_assignment' resource is deprecated in favour of the:
+
+- 'azurerm_management_group_policy_assignment'
+- 'azurerm_resource_policy_assignment'
+- 'azurerm_resource_group_policy_assignment'
+- 'azurerm_subscription_policy_assignment'
+
+resources and will be removed in version 3.0 of the Azure Provider.
+`
+			return strings.ReplaceAll(msg, "'", "`")
+		}(),
+
 		Timeouts: &pluginsdk.ResourceTimeout{
 			Create: pluginsdk.DefaultTimeout(30 * time.Minute),
 			Read:   pluginsdk.DefaultTimeout(5 * time.Minute),
@@ -121,71 +132,39 @@ func resourceArmPolicyAssignment() *pluginsdk.Resource {
 			"not_scopes": {
 				Type:     pluginsdk.TypeList,
 				Optional: true,
-				Elem:     &pluginsdk.Schema{Type: pluginsdk.TypeString},
+				Elem: &pluginsdk.Schema{
+					Type: pluginsdk.TypeString,
+				},
 			},
 
-			"metadata": {
-				Type:             pluginsdk.TypeString,
-				Optional:         true,
-				Computed:         true,
-				ValidateFunc:     validation.StringIsJSON,
-				DiffSuppressFunc: policyAssignmentsMetadataDiffSuppressFunc,
-			},
+			"metadata": metadataSchema(),
 		},
 	}
 }
 
-func policyAssignmentsMetadataDiffSuppressFunc(_, old, new string, _ *pluginsdk.ResourceData) bool {
-	var oldPolicyAssignmentsMetadata map[string]interface{}
-	errOld := json.Unmarshal([]byte(old), &oldPolicyAssignmentsMetadata)
-	if errOld != nil {
-		return false
-	}
-
-	var newPolicyAssignmentsMetadata map[string]interface{}
-	if new != "" {
-		errNew := json.Unmarshal([]byte(new), &newPolicyAssignmentsMetadata)
-		if errNew != nil {
-			return false
-		}
-	}
-
-	// Ignore the following keys if they're found in the metadata JSON
-	ignoreKeys := [5]string{"assignedBy", "createdBy", "createdOn", "updatedBy", "updatedOn"}
-	for _, key := range ignoreKeys {
-		delete(oldPolicyAssignmentsMetadata, key)
-		delete(newPolicyAssignmentsMetadata, key)
-	}
-
-	return reflect.DeepEqual(oldPolicyAssignmentsMetadata, newPolicyAssignmentsMetadata)
-}
-
-func resourceArmPolicyAssignmentCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+func resourceArmPolicyAssignmentCreate(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).Policy.AssignmentsClient
-	ctx, cancel := timeouts.ForCreateUpdate(meta.(*clients.Client).StopContext, d)
+	ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
-	name := d.Get("name").(string)
-	scope := d.Get("scope").(string)
+	id := parse.NewPolicyAssignmentId(d.Get("scope").(string), d.Get("name").(string))
 
-	if d.IsNewResource() {
-		existing, err := client.Get(ctx, scope, name)
-		if err != nil {
-			if !utils.ResponseWasNotFound(existing.Response) {
-				return fmt.Errorf("checking for presence of existing Policy Assignment %q: %s", name, err)
-			}
+	existing, err := client.Get(ctx, id.Scope, id.Name)
+	if err != nil {
+		if !utils.ResponseWasNotFound(existing.Response) {
+			return fmt.Errorf("checking for presence of existing %s: %+v", id, err)
 		}
+	}
 
-		if existing.ID != nil && *existing.ID != "" {
-			return tf.ImportAsExistsError("azurerm_policy_assignment", *existing.ID)
-		}
+	if !utils.ResponseWasNotFound(existing.Response) {
+		return tf.ImportAsExistsError("azurerm_policy_assignment", id.ID())
 	}
 
 	assignment := policy.Assignment{
 		AssignmentProperties: &policy.AssignmentProperties{
 			PolicyDefinitionID: utils.String(d.Get("policy_definition_id").(string)),
 			DisplayName:        utils.String(d.Get("display_name").(string)),
-			Scope:              utils.String(scope),
+			Scope:              utils.String(id.Scope),
 			EnforcementMode:    convertEnforcementMode(d.Get("enforcement_mode").(bool)),
 		},
 	}
@@ -194,17 +173,17 @@ func resourceArmPolicyAssignmentCreateUpdate(d *pluginsdk.ResourceData, meta int
 		assignment.AssignmentProperties.Description = utils.String(v)
 	}
 
+	if v := d.Get("location").(string); v != "" {
+		assignment.Location = utils.String(azure.NormalizeLocation(v))
+	}
+
 	if v, ok := d.GetOk("identity"); ok {
-		if location := d.Get("location").(string); location == "" {
+		if assignment.Location == nil {
 			return fmt.Errorf("`location` must be set when `identity` is assigned")
 		}
 		assignment.Identity = expandAzureRmPolicyIdentity(v.([]interface{}))
 	}
 
-	if v := d.Get("location").(string); v != "" {
-		assignment.Location = utils.String(azure.NormalizeLocation(v))
-	}
-
 	if v := d.Get("parameters").(string); v != "" {
 		expandedParams, err := expandParameterValuesValueFromString(v)
 		if err != nil {
@@ -226,39 +205,110 @@ func resourceArmPolicyAssignmentCreateUpdate(d *pluginsdk.ResourceData, meta int
 		assignment.AssignmentProperties.NotScopes = expandAzureRmPolicyNotScopes(v.([]interface{}))
 	}
 
-	if _, err := client.Create(ctx, scope, name, assignment); err != nil {
-		return fmt.Errorf("creating/updating Policy Assignment %q (Scope %q): %+v", name, scope, err)
+	if _, err := client.Create(ctx, id.Scope, id.Name, assignment); err != nil {
+		return fmt.Errorf("creating %s: %+v", id, err)
 	}
 
 	// Policy Assignments are eventually consistent; wait for them to stabilize
-	log.Printf("[DEBUG] Waiting for Policy Assignment %q to become available", name)
-	stateConf := &pluginsdk.StateChangeConf{
-		Pending:                   []string{"404"},
-		Target:                    []string{"200"},
-		Refresh:                   policyAssignmentRefreshFunc(ctx, client, scope, name),
-		MinTimeout:                10 * time.Second,
-		ContinuousTargetOccurence: 10,
+	log.Printf("[DEBUG] Waiting for %s to become available..", id)
+	if err := waitForPolicyAssignmentToStabilize(ctx, client, id, true); err != nil {
+		return fmt.Errorf("waiting for %s to become available: %s", id, err)
 	}
 
-	if d.IsNewResource() {
-		stateConf.Timeout = d.Timeout(pluginsdk.TimeoutCreate)
-	} else {
-		stateConf.Timeout = d.Timeout(pluginsdk.TimeoutUpdate)
-	}
+	d.SetId(id.ID())
+	return resourceArmPolicyAssignmentRead(d, meta)
+}
+
+func resourceArmPolicyAssignmentUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
+	client := meta.(*clients.Client).Policy.AssignmentsClient
+	ctx, cancel := timeouts.ForUpdate(meta.(*clients.Client).StopContext, d)
+	defer cancel()
 
-	if _, err := stateConf.WaitForStateContext(ctx); err != nil {
-		return fmt.Errorf("waiting for Policy Assignment %q to become available: %s", name, err)
+	id, err := parse.PolicyAssignmentID(d.Id())
+	if err != nil {
+		return err
 	}
 
-	resp, err := client.Get(ctx, scope, name)
+	existing, err := client.Get(ctx, id.Scope, id.Name)
 	if err != nil {
-		return fmt.Errorf("retrieving Policy Assignment %q (Scope %q): %+v", name, scope, err)
+		return fmt.Errorf("retrieving %s: %+v", *id, err)
+	}
+	if existing.AssignmentProperties == nil {
+		return fmt.Errorf("retrieving %s: `properties` was nil", *id)
+	}
+
+	update := policy.Assignment{
+		Location:             existing.Location,
+		AssignmentProperties: existing.AssignmentProperties,
+	}
+	if existing.Identity != nil {
+		update.Identity = &policy.Identity{
+			Type: existing.Identity.Type,
+		}
+	}
+
+	if d.HasChange("description") {
+		update.AssignmentProperties.Description = utils.String(d.Get("description").(string))
+	}
+	if d.HasChange("display_name") {
+		update.AssignmentProperties.DisplayName = utils.String(d.Get("display_name").(string))
+	}
+	if d.HasChange("enforcement_mode") {
+		update.AssignmentProperties.EnforcementMode = convertEnforcementMode(d.Get("enforcement_mode").(bool))
+	}
+	if d.HasChange("location") {
+		update.Location = utils.String(d.Get("location").(string))
+	}
+	if d.HasChange("policy_definition_id") {
+		update.AssignmentProperties.PolicyDefinitionID = utils.String(d.Get("policy_definition_id").(string))
+	}
+
+	if d.HasChange("identity") {
+		if update.Location == nil {
+			return fmt.Errorf("`location` must be set when `identity` is assigned")
+		}
+		identityRaw := d.Get("identity").([]interface{})
+		update.Identity = expandAzureRmPolicyIdentity(identityRaw)
+	}
+
+	if d.HasChange("metadata") {
+		v := d.Get("metadata").(string)
+		update.AssignmentProperties.Metadata = map[string]interface{}{}
+		if v != "" {
+			metaData, err := pluginsdk.ExpandJsonFromString(v)
+			if err != nil {
+				return fmt.Errorf("parsing metadata: %+v", err)
+			}
+			update.AssignmentProperties.Metadata = &metaData
+		}
+	}
+
+	if d.HasChange("not_scopes") {
+		update.AssignmentProperties.NotScopes = expandAzureRmPolicyNotScopes(d.Get("not_scopes").([]interface{}))
 	}
 
-	if resp.ID == nil || *resp.ID == "" {
-		return fmt.Errorf("empty or nil ID returned for Policy Assignment %q (Scope %q)", name, scope)
+	if d.HasChange("parameters") {
+		update.AssignmentProperties.Parameters = map[string]*policy.ParameterValuesValue{}
+
+		if v := d.Get("parameters").(string); v != "" {
+			expandedParams, err := expandParameterValuesValueFromString(v)
+			if err != nil {
+				return fmt.Errorf("expanding JSON for `parameters` %q: %+v", v, err)
+			}
+			update.AssignmentProperties.Parameters = expandedParams
+		}
+	}
+
+	// NOTE: there isn't an Update endpoint
+	if _, err := client.Create(ctx, id.Scope, id.Name, update); err != nil {
+		return fmt.Errorf("updating %s: %+v", *id, err)
+	}
+
+	// Policy Assignments are eventually consistent; wait for them to stabilize
+	log.Printf("[DEBUG] Waiting for %s to become available..", id)
+	if err := waitForPolicyAssignmentToStabilize(ctx, client, *id, true); err != nil {
+		return fmt.Errorf("waiting for %s to become available: %s", id, err)
 	}
-	d.SetId(*resp.ID)
 
 	return resourceArmPolicyAssignmentRead(d, meta)
 }
@@ -268,49 +318,43 @@ func resourceArmPolicyAssignmentRead(d *pluginsdk.ResourceData, meta interface{}
 	ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
-	id := d.Id()
+	id, err := parse.PolicyAssignmentID(d.Id())
+	if err != nil {
+		return err
+	}
 
-	resp, err := client.GetByID(ctx, id)
+	resp, err := client.Get(ctx, id.Scope, id.Name)
 	if err != nil {
 		if utils.ResponseWasNotFound(resp.Response) {
-			log.Printf("[INFO] Error reading Policy Assignment %q - removing from state", id)
+			log.Printf("[INFO] %s was not found - removing from state", *id)
 			d.SetId("")
 			return nil
 		}
 
-		return fmt.Errorf("reading Policy Assignment %q: %+v", id, err)
+		return fmt.Errorf("reading %s: %+v", *id, err)
 	}
 
-	d.Set("name", resp.Name)
+	d.Set("name", id.Name)
+	d.Set("scope", id.Scope)
+	d.Set("location", location.NormalizeNilable(resp.Location))
 
 	if err := d.Set("identity", flattenAzureRmPolicyIdentity(resp.Identity)); err != nil {
 		return fmt.Errorf("setting `identity`: %+v", err)
 	}
 
-	if location := resp.Location; location != nil {
-		d.Set("location", azure.NormalizeLocation(*location))
-	}
-
 	if props := resp.AssignmentProperties; props != nil {
-		d.Set("scope", props.Scope)
 		d.Set("policy_definition_id", props.PolicyDefinitionID)
 		d.Set("description", props.Description)
 		d.Set("display_name", props.DisplayName)
 		d.Set("enforcement_mode", props.EnforcementMode == policy.Default)
+		d.Set("metadata", flattenJSON(props.Metadata))
 
-		if metadataStr := flattenJSON(props.Metadata); metadataStr != "" {
-			d.Set("metadata", metadataStr)
-		}
-
-		if params := props.Parameters; params != nil {
-			json, err := flattenParameterValuesValueToString(params)
-			if err != nil {
-				return fmt.Errorf("serializing JSON from `parameters`: %+v", err)
-			}
-
-			d.Set("parameters", json)
+		json, err := flattenParameterValuesValueToString(props.Parameters)
+		if err != nil {
+			return fmt.Errorf("serializing JSON from `parameters`: %+v", err)
 		}
 
+		d.Set("parameters", json)
 		d.Set("not_scopes", props.NotScopes)
 	}
 
@@ -322,29 +366,22 @@ func resourceArmPolicyAssignmentDelete(d *pluginsdk.ResourceData, meta interface
 	ctx, cancel := timeouts.ForDelete(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
-	id := d.Id()
-
-	resp, err := client.DeleteByID(ctx, id)
+	id, err := parse.PolicyAssignmentID(d.Id())
 	if err != nil {
-		if utils.ResponseWasNotFound(resp.Response) {
-			return nil
-		}
+		return err
+	}
 
+	if _, err := client.Delete(ctx, id.Scope, id.Name); err != nil {
 		return fmt.Errorf("deleting Policy Assignment %q: %+v", id, err)
 	}
 
-	return nil
-}
-
-func policyAssignmentRefreshFunc(ctx context.Context, client *policy.AssignmentsClient, scope string, name string) pluginsdk.StateRefreshFunc {
-	return func() (interface{}, string, error) {
-		res, err := client.Get(ctx, scope, name)
-		if err != nil {
-			return nil, strconv.Itoa(res.StatusCode), fmt.Errorf("issuing read request in policyAssignmentRefreshFunc for Policy Assignment %q (Scope: %q): %s", name, scope, err)
-		}
-
-		return res, strconv.Itoa(res.StatusCode), nil
+	// Policy Assignments are eventually consistent; wait for it to be gone
+	log.Printf("[DEBUG] Waiting for %s to disappear..", id)
+	if err := waitForPolicyAssignmentToStabilize(ctx, client, *id, false); err != nil {
+		return fmt.Errorf("waiting for the deletion of %s: %s", id, err)
 	}
+
+	return nil
 }
 
 func expandAzureRmPolicyIdentity(input []interface{}) *policy.Identity {
@@ -385,11 +422,3 @@ func expandAzureRmPolicyNotScopes(input []interface{}) *[]string {
 
 	return &notScopesRes
 }
-
-func convertEnforcementMode(mode bool) policy.EnforcementMode {
-	if mode {
-		return policy.Default
-	} else {
-		return policy.DoNotEnforce
-	}
-}
diff --git a/azurerm/internal/services/policy/policy_assignment_resource_test.go b/azurerm/internal/services/policy/policy_assignment_resource_test.go
index 7c3d53d75b2a..d0578a8dcafd 100644
--- a/azurerm/internal/services/policy/policy_assignment_resource_test.go
+++ b/azurerm/internal/services/policy/policy_assignment_resource_test.go
@@ -104,7 +104,7 @@ func TestAccAzureRMPolicyAssignment_complete(t *testing.T) {
 	})
 }
 
-func TestAccAzureRMPolicyAssignment_not_scopes(t *testing.T) {
+func TestAccAzureRMPolicyAssignment_notScopes(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test")
 	r := PolicyAssignmentResource{}
 
@@ -119,7 +119,7 @@ func TestAccAzureRMPolicyAssignment_not_scopes(t *testing.T) {
 	})
 }
 
-func TestAccAzureRMPolicyAssignment_enforcement_mode(t *testing.T) {
+func TestAccAzureRMPolicyAssignment_enforcementMode(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test")
 	r := PolicyAssignmentResource{}
 
@@ -299,7 +299,7 @@ resource "azurerm_policy_definition" "test" {
 				"properties": {
 					"mode": "incremental",
 					"template": {
-						"$schema": "http://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+						"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 						"contentVersion": "1.0.0.0",
 						"parameters": {
 							"fullDbName": {
diff --git a/azurerm/internal/services/policy/policy_definition_resource.go b/azurerm/internal/services/policy/policy_definition_resource.go
index ca5e4ebcd88a..a0a3c1391646 100644
--- a/azurerm/internal/services/policy/policy_definition_resource.go
+++ b/azurerm/internal/services/policy/policy_definition_resource.go
@@ -2,10 +2,8 @@ package policy
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"log"
-	"reflect"
 	"strconv"
 	"time"
 
@@ -77,6 +75,7 @@ func resourceArmPolicyDefinition() *pluginsdk.Resource {
 				),
 			},
 
+			// TODO: deprecate Name in favour of this
 			"management_group_id": {
 				Type:          pluginsdk.TypeString,
 				Optional:      true,
@@ -118,40 +117,11 @@ func resourceArmPolicyDefinition() *pluginsdk.Resource {
 				DiffSuppressFunc: pluginsdk.SuppressJsonDiff,
 			},
 
-			"metadata": {
-				Type:             pluginsdk.TypeString,
-				Optional:         true,
-				Computed:         true,
-				ValidateFunc:     validation.StringIsJSON,
-				DiffSuppressFunc: policyDefinitionsMetadataDiffSuppressFunc,
-			},
+			"metadata": metadataSchema(),
 		},
 	}
 }
 
-func policyDefinitionsMetadataDiffSuppressFunc(_, old, new string, _ *pluginsdk.ResourceData) bool {
-	var oldPolicyDefinitionsMetadata map[string]interface{}
-	errOld := json.Unmarshal([]byte(old), &oldPolicyDefinitionsMetadata)
-	if errOld != nil {
-		return false
-	}
-
-	var newPolicyDefinitionsMetadata map[string]interface{}
-	errNew := json.Unmarshal([]byte(new), &newPolicyDefinitionsMetadata)
-	if errNew != nil {
-		return false
-	}
-
-	// Ignore the following keys if they're found in the metadata JSON
-	ignoreKeys := [4]string{"createdBy", "createdOn", "updatedBy", "updatedOn"}
-	for _, key := range ignoreKeys {
-		delete(oldPolicyDefinitionsMetadata, key)
-		delete(newPolicyDefinitionsMetadata, key)
-	}
-
-	return reflect.DeepEqual(oldPolicyDefinitionsMetadata, newPolicyDefinitionsMetadata)
-}
-
 func resourceArmPolicyDefinitionCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).Policy.DefinitionsClient
 	ctx, cancel := timeouts.ForCreateUpdate(meta.(*clients.Client).StopContext, d)
diff --git a/azurerm/internal/services/policy/registration.go b/azurerm/internal/services/policy/registration.go
index 616723e21f80..56dd18ac4c27 100644
--- a/azurerm/internal/services/policy/registration.go
+++ b/azurerm/internal/services/policy/registration.go
@@ -1,11 +1,29 @@
 package policy
 
 import (
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/sdk"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
 )
 
+var _ sdk.TypedServiceRegistration = Registration{}
+var _ sdk.UntypedServiceRegistration = Registration{}
+
 type Registration struct{}
 
+func (r Registration) DataSources() []sdk.DataSource {
+	return []sdk.DataSource{}
+}
+
+func (r Registration) Resources() []sdk.Resource {
+	return []sdk.Resource{
+		ManagementGroupAssignmentResource{},
+		ResourceAssignmentResource{},
+		ResourceGroupAssignmentResource{},
+		SubscriptionAssignmentResource{},
+	}
+}
+
 // Name is the name of this Service
 func (r Registration) Name() string {
 	return "Policy"
@@ -28,11 +46,16 @@ func (r Registration) SupportedDataSources() map[string]*pluginsdk.Resource {
 
 // SupportedResources returns the supported Resources supported by this Service
 func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
-	return map[string]*pluginsdk.Resource{
-		"azurerm_policy_assignment":                               resourceArmPolicyAssignment(),
+	resources := map[string]*pluginsdk.Resource{
 		"azurerm_policy_definition":                               resourceArmPolicyDefinition(),
 		"azurerm_policy_set_definition":                           resourceArmPolicySetDefinition(),
 		"azurerm_policy_remediation":                              resourceArmPolicyRemediation(),
 		"azurerm_virtual_machine_configuration_policy_assignment": resourceVirtualMachineConfigurationPolicyAssignment(),
 	}
+
+	if !features.ThreePointOh() {
+		resources["azurerm_policy_assignment"] = resourceArmPolicyAssignment()
+	}
+
+	return resources
 }
diff --git a/azurerm/internal/services/policy/resourceids.go b/azurerm/internal/services/policy/resourceids.go
index 88b846663765..b9bf545b473c 100644
--- a/azurerm/internal/services/policy/resourceids.go
+++ b/azurerm/internal/services/policy/resourceids.go
@@ -1,3 +1,5 @@
 package policy
 
+//go:generate go run ../../tools/generator-resource-id/main.go -path=./ -name=ResourceGroupAssignment -id=/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1
+//go:generate go run ../../tools/generator-resource-id/main.go -path=./ -name=SubscriptionAssignment -id=/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/policyAssignments/assignment1
 //go:generate go run ../../tools/generator-resource-id/main.go -path=./ -name=VirtualMachineConfigurationPolicyAssignment -id=/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/assignment1 -rewrite=true
diff --git a/azurerm/internal/services/policy/validate/management_group_assignment_id.go b/azurerm/internal/services/policy/validate/management_group_assignment_id.go
new file mode 100644
index 000000000000..36fd6f0cd912
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/management_group_assignment_id.go
@@ -0,0 +1,21 @@
+package validate
+
+import (
+	"fmt"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+)
+
+func ManagementGroupAssignmentID(input interface{}, key string) (warnings []string, errors []error) {
+	v, ok := input.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected %q to be a string", key))
+		return
+	}
+
+	if _, err := parse.ManagementGroupAssignmentID(v); err != nil {
+		errors = append(errors, err)
+	}
+
+	return
+}
diff --git a/azurerm/internal/services/policy/validate/management_group_assignment_id_test.go b/azurerm/internal/services/policy/validate/management_group_assignment_id_test.go
new file mode 100644
index 000000000000..c68b5677d5e4
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/management_group_assignment_id_test.go
@@ -0,0 +1,62 @@
+package validate
+
+import "testing"
+
+func TestManagementGroupAssignmentID(t *testing.T) {
+	cases := []struct {
+		Input string
+		Valid bool
+	}{
+
+		{
+			// empty
+			Input: "",
+			Valid: false,
+		},
+
+		{
+			// missing ManagementGroupName
+			Input: "/providers/Microsoft.Management/",
+			Valid: false,
+		},
+
+		{
+			// missing value for ManagementGroupName
+			Input: "/providers/Microsoft.Management/managementGroups/",
+			Valid: false,
+		},
+
+		{
+			// missing PolicyAssignmentName
+			Input: "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/",
+			Valid: false,
+		},
+
+		{
+			// missing value for PolicyAssignmentName
+			Input: "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/policyAssignments/",
+			Valid: false,
+		},
+
+		{
+			// valid
+			Input: "/providers/Microsoft.Management/managementGroups/managementGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1",
+			Valid: true,
+		},
+
+		{
+			// upper-cased
+			Input: "/PROVIDERS/MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/MANAGEMENTGROUP1/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/ASSIGNMENT1",
+			Valid: false,
+		},
+	}
+	for _, tc := range cases {
+		t.Logf("[DEBUG] Testing Value %s", tc.Input)
+		_, errors := ManagementGroupAssignmentID(tc.Input, "test")
+		valid := len(errors) == 0
+
+		if tc.Valid != valid {
+			t.Fatalf("Expected %t but got %t", tc.Valid, valid)
+		}
+	}
+}
diff --git a/azurerm/internal/services/policy/validate/resource_assignment_id.go b/azurerm/internal/services/policy/validate/resource_assignment_id.go
new file mode 100644
index 000000000000..493386ea2e75
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/resource_assignment_id.go
@@ -0,0 +1,23 @@
+package validate
+
+import (
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+	managementGroupValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/managementgroup/validate"
+	resourceValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/resource/validate"
+	subscriptionValidate "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/subscription/validate"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/pluginsdk"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/validation"
+)
+
+func ResourceAssignmentId() pluginsdk.SchemaValidateFunc {
+	return validation.All(
+		validation.None(
+			map[string]func(interface{}, string) ([]string, []error){
+				"Management Group ID": managementGroupValidate.ManagementGroupID,
+				"Resource Group ID":   resourceValidate.ResourceGroupID,
+				"Subscription ID":     subscriptionValidate.SubscriptionID,
+			},
+		),
+		azure.ValidateResourceID,
+	)
+}
diff --git a/azurerm/internal/services/policy/validate/resource_group_assignment_id.go b/azurerm/internal/services/policy/validate/resource_group_assignment_id.go
new file mode 100644
index 000000000000..97b3595bc911
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/resource_group_assignment_id.go
@@ -0,0 +1,23 @@
+package validate
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import (
+	"fmt"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+)
+
+func ResourceGroupAssignmentID(input interface{}, key string) (warnings []string, errors []error) {
+	v, ok := input.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected %q to be a string", key))
+		return
+	}
+
+	if _, err := parse.ResourceGroupAssignmentID(v); err != nil {
+		errors = append(errors, err)
+	}
+
+	return
+}
diff --git a/azurerm/internal/services/policy/validate/resource_group_assignment_id_test.go b/azurerm/internal/services/policy/validate/resource_group_assignment_id_test.go
new file mode 100644
index 000000000000..2633c81d21f9
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/resource_group_assignment_id_test.go
@@ -0,0 +1,76 @@
+package validate
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import "testing"
+
+func TestResourceGroupAssignmentID(t *testing.T) {
+	cases := []struct {
+		Input string
+		Valid bool
+	}{
+
+		{
+			// empty
+			Input: "",
+			Valid: false,
+		},
+
+		{
+			// missing SubscriptionId
+			Input: "/",
+			Valid: false,
+		},
+
+		{
+			// missing value for SubscriptionId
+			Input: "/subscriptions/",
+			Valid: false,
+		},
+
+		{
+			// missing ResourceGroup
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/",
+			Valid: false,
+		},
+
+		{
+			// missing value for ResourceGroup
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/",
+			Valid: false,
+		},
+
+		{
+			// missing PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/",
+			Valid: false,
+		},
+
+		{
+			// missing value for PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/policyAssignments/",
+			Valid: false,
+		},
+
+		{
+			// valid
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Authorization/policyAssignments/assignment1",
+			Valid: true,
+		},
+
+		{
+			// upper-cased
+			Input: "/SUBSCRIPTIONS/12345678-1234-9876-4563-123456789012/RESOURCEGROUPS/RESGROUP1/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/ASSIGNMENT1",
+			Valid: false,
+		},
+	}
+	for _, tc := range cases {
+		t.Logf("[DEBUG] Testing Value %s", tc.Input)
+		_, errors := ResourceGroupAssignmentID(tc.Input, "test")
+		valid := len(errors) == 0
+
+		if tc.Valid != valid {
+			t.Fatalf("Expected %t but got %t", tc.Valid, valid)
+		}
+	}
+}
diff --git a/azurerm/internal/services/policy/validate/subscription_assignment_id.go b/azurerm/internal/services/policy/validate/subscription_assignment_id.go
new file mode 100644
index 000000000000..61a71eea5b5b
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/subscription_assignment_id.go
@@ -0,0 +1,23 @@
+package validate
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import (
+	"fmt"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/policy/parse"
+)
+
+func SubscriptionAssignmentID(input interface{}, key string) (warnings []string, errors []error) {
+	v, ok := input.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected %q to be a string", key))
+		return
+	}
+
+	if _, err := parse.SubscriptionAssignmentID(v); err != nil {
+		errors = append(errors, err)
+	}
+
+	return
+}
diff --git a/azurerm/internal/services/policy/validate/subscription_assignment_id_test.go b/azurerm/internal/services/policy/validate/subscription_assignment_id_test.go
new file mode 100644
index 000000000000..60fe71e661c4
--- /dev/null
+++ b/azurerm/internal/services/policy/validate/subscription_assignment_id_test.go
@@ -0,0 +1,64 @@
+package validate
+
+// NOTE: this file is generated via 'go:generate' - manual changes will be overwritten
+
+import "testing"
+
+func TestSubscriptionAssignmentID(t *testing.T) {
+	cases := []struct {
+		Input string
+		Valid bool
+	}{
+
+		{
+			// empty
+			Input: "",
+			Valid: false,
+		},
+
+		{
+			// missing SubscriptionId
+			Input: "/",
+			Valid: false,
+		},
+
+		{
+			// missing value for SubscriptionId
+			Input: "/subscriptions/",
+			Valid: false,
+		},
+
+		{
+			// missing PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/",
+			Valid: false,
+		},
+
+		{
+			// missing value for PolicyAssignmentName
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/policyAssignments/",
+			Valid: false,
+		},
+
+		{
+			// valid
+			Input: "/subscriptions/12345678-1234-9876-4563-123456789012/providers/Microsoft.Authorization/policyAssignments/assignment1",
+			Valid: true,
+		},
+
+		{
+			// upper-cased
+			Input: "/SUBSCRIPTIONS/12345678-1234-9876-4563-123456789012/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/ASSIGNMENT1",
+			Valid: false,
+		},
+	}
+	for _, tc := range cases {
+		t.Logf("[DEBUG] Testing Value %s", tc.Input)
+		_, errors := SubscriptionAssignmentID(tc.Input, "test")
+		valid := len(errors) == 0
+
+		if tc.Valid != valid {
+			t.Fatalf("Expected %t but got %t", tc.Valid, valid)
+		}
+	}
+}
diff --git a/azurerm/internal/services/resource/management_group_template_deployment_resource_test.go b/azurerm/internal/services/resource/management_group_template_deployment_resource_test.go
index 291416efc81a..7d5bf6290509 100644
--- a/azurerm/internal/services/resource/management_group_template_deployment_resource_test.go
+++ b/azurerm/internal/services/resource/management_group_template_deployment_resource_test.go
@@ -97,7 +97,7 @@ resource "azurerm_management_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
- "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
@@ -129,7 +129,7 @@ resource "azurerm_management_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
- "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
diff --git a/azurerm/internal/services/resource/registration.go b/azurerm/internal/services/resource/registration.go
index 0af28a060f63..ac3962eda181 100644
--- a/azurerm/internal/services/resource/registration.go
+++ b/azurerm/internal/services/resource/registration.go
@@ -46,11 +46,6 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 	}
 }
 
-// PackagePath is the relative path to this package
-func (r Registration) PackagePath() string {
-	return "TODO: do we need this?"
-}
-
 // DataSources returns a list of Data Sources supported by this Service
 func (r Registration) DataSources() []sdk.DataSource {
 	return []sdk.DataSource{}
diff --git a/azurerm/internal/services/resource/resource_group_template_deployment_resource_test.go b/azurerm/internal/services/resource/resource_group_template_deployment_resource_test.go
index b6a6a2c6cfa8..afe5a38b032e 100644
--- a/azurerm/internal/services/resource/resource_group_template_deployment_resource_test.go
+++ b/azurerm/internal/services/resource/resource_group_template_deployment_resource_test.go
@@ -289,7 +289,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -375,7 +375,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -404,7 +404,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "someParam": {
@@ -471,7 +471,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "someParam": {
@@ -519,7 +519,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "someParam": {
@@ -565,7 +565,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -607,7 +607,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -642,7 +642,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -696,7 +696,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -775,7 +775,7 @@ resource "azurerm_resource_group_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
diff --git a/azurerm/internal/services/resource/subscription_template_deployment_resource_test.go b/azurerm/internal/services/resource/subscription_template_deployment_resource_test.go
index 6eed8bc093a6..4152df0f5f14 100644
--- a/azurerm/internal/services/resource/subscription_template_deployment_resource_test.go
+++ b/azurerm/internal/services/resource/subscription_template_deployment_resource_test.go
@@ -162,7 +162,7 @@ resource "azurerm_subscription_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -223,7 +223,7 @@ resource "azurerm_subscription_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -246,7 +246,7 @@ resource "azurerm_subscription_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "someParam": {
@@ -288,7 +288,7 @@ resource "azurerm_subscription_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "someParam": {
@@ -328,7 +328,7 @@ resource "azurerm_subscription_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -362,7 +362,7 @@ resource "azurerm_subscription_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
diff --git a/azurerm/internal/services/resource/template_deployment_resource_test.go b/azurerm/internal/services/resource/template_deployment_resource_test.go
index 03d64a3d8605..717f97537bf1 100644
--- a/azurerm/internal/services/resource/template_deployment_resource_test.go
+++ b/azurerm/internal/services/resource/template_deployment_resource_test.go
@@ -223,7 +223,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "variables": {
     "location": "[resourceGroup().location]",
@@ -271,7 +271,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "storageAccountType": {
@@ -359,7 +359,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
   },
@@ -376,7 +376,7 @@ resource "azurerm_template_deployment" "test" {
       "properties": {
         "mode": "Incremental",
         "template": {
-          "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
           "contentVersion": "1.0.0.0",
           "variables": {
             "location": "[variables('location')]",
@@ -486,7 +486,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "storageAccountType": {
@@ -585,7 +585,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "storageAccountType": {
@@ -694,7 +694,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "storageAccountType": {
@@ -812,7 +812,7 @@ resource "azurerm_template_deployment" "test" {
 
   template_body = <<DEPLOY
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
     "storageAccountType": {
diff --git a/azurerm/internal/services/resource/tenant_template_deployment_resource_test.go b/azurerm/internal/services/resource/tenant_template_deployment_resource_test.go
index 311a378b8698..8a4463c7f7a3 100644
--- a/azurerm/internal/services/resource/tenant_template_deployment_resource_test.go
+++ b/azurerm/internal/services/resource/tenant_template_deployment_resource_test.go
@@ -68,7 +68,7 @@ resource "azurerm_tenant_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
-  "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
@@ -94,7 +94,7 @@ resource "azurerm_tenant_template_deployment" "test" {
 
   template_content = <<TEMPLATE
 {
- "$schema": "https://pluginsdk.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
diff --git a/azurerm/internal/services/web/registration.go b/azurerm/internal/services/web/registration.go
index 96139032d09a..30e15a8a308f 100644
--- a/azurerm/internal/services/web/registration.go
+++ b/azurerm/internal/services/web/registration.go
@@ -55,11 +55,6 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 	}
 }
 
-// PackagePath is the relative path to this package
-func (r Registration) PackagePath() string {
-	return "TODO: do we need this?"
-}
-
 func (r Registration) DataSources() []sdk.DataSource {
 	return []sdk.DataSource{
 		AppServiceEnvironmentV3DataSource{},
diff --git a/azurerm/internal/tf/validation/pluginsdk.go b/azurerm/internal/tf/validation/pluginsdk.go
index 14989f2b20dd..03eca6ae3b36 100644
--- a/azurerm/internal/tf/validation/pluginsdk.go
+++ b/azurerm/internal/tf/validation/pluginsdk.go
@@ -1,6 +1,7 @@
 package validation
 
 import (
+	"fmt"
 	"regexp"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -135,6 +136,22 @@ func IsUUID(i interface{}, k string) ([]string, []error) {
 	return validation.IsUUID(i, k)
 }
 
+// None returns a SchemaValidateFunc which tests if the provided value
+// returns errors for all of the provided SchemaValidateFunc
+func None(validators map[string]func(interface{}, string) ([]string, []error)) func(interface{}, string) ([]string, []error) {
+	return func(i interface{}, k string) ([]string, []error) {
+		var allErrors []error
+		var allWarnings []string
+		for name, validator := range validators {
+			validatorWarnings, validatorErrors := validator(i, k)
+			if len(validatorWarnings) == 0 && len(validatorErrors) == 0 {
+				allErrors = append(allErrors, fmt.Errorf("ID cannot be a %s", name))
+			}
+		}
+		return allWarnings, allErrors
+	}
+}
+
 // NoZeroValues is a SchemaValidateFunc which tests if the provided value is
 // not a zero value. It's useful in situations where you want to catch
 // explicit zero values on things like required fields during validation.
diff --git a/website/docs/r/api_management_api_operation_tag.html.markdown b/website/docs/r/api_management_api_operation_tag.html.markdown
index 1164c7a2e95c..432cc4777ac9 100644
--- a/website/docs/r/api_management_api_operation_tag.html.markdown
+++ b/website/docs/r/api_management_api_operation_tag.html.markdown
@@ -74,4 +74,4 @@ API Management API Operation Tags can be imported using the `resource id`, e.g.
 
 ```shell
 terraform import azurerm_api_management_api_operation_tag.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.ApiManagement/service/service1/apis/api1/operations/operation1/tags/tag1
-```
\ No newline at end of file
+```
diff --git a/website/docs/r/management_group_policy_assignment.html.markdown b/website/docs/r/management_group_policy_assignment.html.markdown
new file mode 100644
index 000000000000..100dd09b3cad
--- /dev/null
+++ b/website/docs/r/management_group_policy_assignment.html.markdown
@@ -0,0 +1,113 @@
+---
+subcategory: "Policy"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_management_group_policy_assignment"
+description: |-
+  Manages a Policy Assignment to a Management Group.
+---
+
+# azurerm_management_group_policy_assignment
+
+Manages a Policy Assignment to a Management Group.
+
+## Example Usage
+
+```hcl
+resource "azurerm_management_group" "example" {
+  display_name = "Some Management Group"
+}
+
+resource "azurerm_policy_definition" "example" {
+  name                = "only-deploy-in-westeurope"
+  policy_type         = "Custom"
+  mode                = "All"
+  management_group_id = azurerm_management_group.example.group_id
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "location",
+        "equals": "westeurope"
+      }
+    },
+    "then": {
+      "effect": "Deny"
+    }
+  }
+POLICY_RULE
+}
+
+resource "azurerm_management_group_policy_assignment" "example" {
+  name                 = "example-policy"
+  policy_definition_id = azurerm_policy_definition.example.id
+  management_group_id  = azurerm_management_group.example.id
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+* `management_group_id` - (Required) The ID of the Management Group. Changing this forces a new Policy Assignment to be created.
+
+* `name` - (Required) The name which should be used for this Policy Assignment. Changing this forces a new Policy Assignment to be created.
+
+* `policy_definition_id` - (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.
+
+---
+
+* `description` - (Optional) A description which should be used for this Policy Assignment.
+
+* `display_name` - (Optional) The Display Name for this Policy Assignment.
+
+* `enforce` - (Optional) Specifies if this Policy should be enforced or not?
+
+* `identity` - (Optional) A `identity` block as defined below.
+
+-> **Note:** The `location` field must also be specified when `identity` is specified.
+
+* `location` - (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.
+
+* `metadata` - (Optional) A JSON mapping of any Metadata for this Policy.
+
+* `not_scopes` - (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Management Group which are excluded from this Policy.
+
+* `parameters` - (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Management Group Policy Assignment to be created.
+
+---
+
+A `identity` block supports the following:
+
+* `type` - (Optional) The Type of Managed Identity which should be added to this Policy Definition. The only possible value is `SystemAssigned`.
+
+## Attributes Reference
+
+In addition to the Arguments listed above - the following Attributes are exported: 
+
+* `id` - The ID of the Management Group Policy Assignment.
+
+---
+
+The `identity` block exports the following:
+
+* `principal_id` - The Principal ID of the Policy Assignment for this Management Group.
+
+* `tenant_id` - The Tenant ID of the Policy Assignment for this Management Group.
+
+## Timeouts
+
+The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:
+
+* `create` - (Defaults to 30 minutes) Used when creating the Policy Assignment for this Management Group.
+* `read` - (Defaults to 5 minutes) Used when retrieving the Policy Assignment for this Management Group.
+* `update` - (Defaults to 30 minutes) Used when updating the Policy Assignment for this Management Group.
+* `delete` - (Defaults to 30 minutes) Used when deleting the Policy Assignment for this Management Group.
+
+## Import
+
+Management Group Policy Assignments can be imported using the `resource id`, e.g.
+
+```shell
+terraform import azurerm_management_group_policy_assignment.example /providers/Microsoft.Management/managementGroups/group1/providers/Microsoft.Authorization/policyAssignments/assignment1
+```
diff --git a/website/docs/r/policy_assignment.html.markdown b/website/docs/r/policy_assignment.html.markdown
index dc7d13d36c05..46f6a3b2b2d8 100644
--- a/website/docs/r/policy_assignment.html.markdown
+++ b/website/docs/r/policy_assignment.html.markdown
@@ -10,6 +10,8 @@ description: |-
 
 Configures the specified Policy Definition at the specified Scope. Also, Policy Set Definitions are supported.
 
+!> **Note:** The `azurerm_policy_assignment` resource has been deprecated in favour of the `azurerm_management_group_policy_assignment`, `azurerm_resource_policy_assignment`, `azurerm_resource_group_policy_assignment` and `azurerm_subscription_policy_assignment` resources and will be removed in v3.0 of the Azure Provider.
+
 ## Example Usage
 
 ```hcl
@@ -88,14 +90,20 @@ The following arguments are supported:
 
 * `policy_definition_id` - (Required) The ID of the Policy Definition to be applied at the specified Scope.
 
-* `identity` - (Optional) An `identity` block.
-
-* `location` - (Optional) The Azure location where this policy assignment should exist. This is required when an Identity is assigned. Changing this forces a new resource to be created.
+---
 
 * `description` - (Optional) A description to use for this Policy Assignment. Changing this forces a new resource to be created.
 
 * `display_name` - (Optional) A friendly display name to use for this Policy Assignment. Changing this forces a new resource to be created.
 
+* `enforcement_mode`- (Optional) Can be set to 'true' or 'false' to control whether the assignment is enforced (true) or not (false). Default is 'true'.
+
+* `location` - (Optional) The Azure location where this policy assignment should exist. This is required when an Identity is assigned. Changing this forces a new resource to be created.
+
+* `identity` - (Optional) An `identity` block.
+
+-> **Note:** When `identity` is set the `location` field must also be set.
+
 * `metadata` - (Optional) The metadata for the policy assignment. This is a JSON string representing additional metadata that should be stored with the policy assignment.
 
 * `parameters` - (Optional) Parameters for the policy definition. This field is a JSON string that maps to the Parameters field from the Policy Definition. Changing this forces a new resource to be created.
@@ -104,13 +112,11 @@ The following arguments are supported:
 
 * `not_scopes` - (Optional) A list of the Policy Assignment's excluded scopes. The list must contain Resource IDs (such as Subscriptions e.g. `/subscriptions/00000000-0000-0000-000000000000` or Resource Groups e.g.`/subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup`).
 
-* `enforcement_mode`- (Optional) Can be set to 'true' or 'false' to control whether the assignment is enforced (true) or not (false). Default is 'true'.
-
 ---
 
 An `identity` block supports the following:
 
-* `type` - (Required) The Managed Service Identity Type of this Policy Assignment. Possible values are `SystemAssigned` (where Azure will generate a Service Principal for you), or `None` (no use of a Managed Service Identity).
+* `type` - (Required) The type of Managed Identity for this Policy Assignment. Possible values are `SystemAssigned` (where Azure will generate a Service Principal for you).
 
 ~> **NOTE:** When `type` is set to `SystemAssigned`, identity the Principal ID can be retrieved after the policy has been assigned.
 
diff --git a/website/docs/r/resource_group_policy_assignment.html.markdown b/website/docs/r/resource_group_policy_assignment.html.markdown
new file mode 100644
index 000000000000..a7e10a0e3505
--- /dev/null
+++ b/website/docs/r/resource_group_policy_assignment.html.markdown
@@ -0,0 +1,113 @@
+---
+subcategory: "Policy"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_resource_group_policy_assignment"
+description: |-
+  Manages a Resource Group Policy Assignment.
+---
+
+# azurerm_resource_group_policy_assignment
+
+Manages a Resource Group Policy Assignment.
+
+## Example Usage
+
+```hcl
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_policy_definition" "example" {
+  name        = "only-deploy-in-westeurope"
+  policy_type = "Custom"
+  mode        = "All"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "location",
+        "equals": "westeurope"
+      }
+    },
+    "then": {
+      "effect": "Deny"
+    }
+  }
+POLICY_RULE
+}
+
+resource "azurerm_resource_group_policy_assignment" "example" {
+  name                 = "example"
+  resource_group_id    = azurerm_resource_group.example.id
+  policy_definition_id = azurerm_policy_assignment.example.id
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name which should be used for this Policy Assignment. Changing this forces a new Policy Assignment to be created.
+
+* `policy_definition_id` - (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.
+
+* `resource_group_id` - (Required) The ID of the Resource Group where this Policy Assignment should be created. Changing this forces a new Policy Assignment to be created.
+
+---
+
+* `description` - (Optional) A description which should be used for this Policy Assignment.
+
+* `display_name` - (Optional) The Display Name for this Policy Assignment.
+
+* `enforce` - (Optional) Specifies if this Policy should be enforced or not?
+
+* `identity` - (Optional) A `identity` block as defined below.
+
+-> **Note:** The `location` field must also be specified when `identity` is specified.
+
+* `location` - (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.
+
+* `metadata` - (Optional) A JSON mapping of any Metadata for this Policy.
+
+* `not_scopes` - (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Management Group which are excluded from this Policy.
+
+* `parameters` - (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Management Group Policy Assignment to be created.
+
+---
+
+A `identity` block supports the following:
+
+* `type` - (Optional) The Type of Managed Identity which should be added to this Policy Definition. The only possible value is `SystemAssigned`.
+
+## Attributes Reference
+
+In addition to the Arguments listed above - the following Attributes are exported: 
+
+* `id` - The ID of the Resource Group Policy Assignment.
+
+---
+
+The `identity` block exports the following:
+
+* `principal_id` - The Principal ID of the Policy Assignment for this Resource Group.
+
+* `tenant_id` - The Tenant ID of the Policy Assignment for this Resource Group.
+
+## Timeouts
+
+The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:
+
+* `create` - (Defaults to 30 minutes) Used when creating the Policy Assignment for this Resource Group.
+* `read` - (Defaults to 5 minutes) Used when retrieving the Policy Assignment for this Resource Group.
+* `update` - (Defaults to 30 minutes) Used when updating the Policy Assignment for this Resource Group.
+* `delete` - (Defaults to 30 minutes) Used when deleting the Policy Assignment for this Resource Group.
+
+## Import
+
+Resource Group Policy Assignments can be imported using the `resource id`, e.g.
+
+```shell
+terraform import azurerm_resource_group_policy_assignment.example /subscriptions/00000000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/policyAssignments/assignment1
+```
diff --git a/website/docs/r/resource_policy_assignment.html.markdown b/website/docs/r/resource_policy_assignment.html.markdown
new file mode 100644
index 000000000000..1cc6a4a3bc05
--- /dev/null
+++ b/website/docs/r/resource_policy_assignment.html.markdown
@@ -0,0 +1,117 @@
+---
+subcategory: "Policy"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_resource_policy_assignment"
+description: |-
+  Manages a Policy Assignment to a Resource.
+---
+
+# azurerm_resource_policy_assignment
+
+Manages a Policy Assignment to a Resource.
+
+## Example Usage
+
+```hcl
+data "azurerm_virtual_network" "example" {
+  name                = "production"
+  resource_group_name = "networking"
+}
+
+resource "azurerm_policy_definition" "example" {
+  name        = "only-deploy-in-westeurope"
+  policy_type = "Custom"
+  mode        = "All"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "location",
+        "equals": "westeurope"
+      }
+    },
+    "then": {
+      "effect": "Deny"
+    }
+  }
+POLICY_RULE
+}
+
+resource "azurerm_resource_policy_assignment" "example" {
+  name                 = "example-policy-assignment"
+  resource_id          = data.azurerm_virtual_network.example.id
+  policy_definition_id = azurerm_policy_definition.example.id
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name which should be used for this Policy Assignment. Changing this forces a new Resource Policy Assignment to be created.
+
+* `policy_definition_id` - (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.
+
+* `resource_id` - (Required) The ID of the Resource (or Resource Scope) where this should be applied. Changing this forces a new Resource Policy Assignment to be created.
+
+~> To create a Policy Assignment at a Management Group use the `azurerm_management_group_policy_assignment` resource, for a Resource Group use the `azurerm_resource_group_policy_assignment` and for a Subscription use the `azurerm_subscription_policy_assignment` resource.
+
+---
+
+* `description` - (Optional) A description which should be used for this Policy Assignment.
+
+* `display_name` - (Optional) The Display Name for this Policy Assignment.
+
+* `enforce` - (Optional) Specifies if this Policy should be enforced or not?
+
+* `identity` - (Optional) A `identity` block as defined below.
+
+-> **Note:** The `location` field must also be specified when `identity` is specified.
+
+* `location` - (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.
+
+* `metadata` - (Optional) A JSON mapping of any Metadata for this Policy.
+
+* `not_scopes` - (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Management Group which are excluded from this Policy.
+
+* `parameters` - (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Management Group Policy Assignment to be created.
+
+---
+
+A `identity` block supports the following:
+
+* `type` - (Optional) The Type of Managed Identity which should be added to this Policy Definition. The only possible value is `SystemAssigned`.
+
+## Attributes Reference
+
+In addition to the Arguments listed above - the following Attributes are exported: 
+
+* `id` - The ID of the Resource Policy Assignment.
+
+---
+
+The `identity` block exports the following:
+
+* `principal_id` - The Principal ID of the Policy Assignment for this Resource.
+
+* `tenant_id` - The Tenant ID of the Policy Assignment for this Resource.
+
+## Timeouts
+
+The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:
+
+* `create` - (Defaults to 30 minutes) Used when creating the Policy Assignment for this Resource.
+* `read` - (Defaults to 5 minutes) Used when retrieving the Policy Assignment for this Resource.
+* `update` - (Defaults to 30 minutes) Used when updating the Policy Assignment for this Resource.
+* `delete` - (Defaults to 30 minutes) Used when deleting the Policy Assignment for this Resource.
+
+## Import
+
+Resource Policy Assignments can be imported using the `resource id`, e.g.
+
+```shell
+terraform import azurerm_resource_policy_assignment.example "{resource}/providers/Microsoft.Authorization/policyAssignments/assignment1"
+```
+
+where `{resource}` is a Resource ID in the form `/subscriptions/00000000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Network/virtualNetworks/network1`.
diff --git a/website/docs/r/subscription_policy_assignment.html.markdown b/website/docs/r/subscription_policy_assignment.html.markdown
new file mode 100644
index 000000000000..69e56e956936
--- /dev/null
+++ b/website/docs/r/subscription_policy_assignment.html.markdown
@@ -0,0 +1,110 @@
+---
+subcategory: "Policy"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_subscription_policy_assignment"
+description: |-
+  Manages a Subscription Policy Assignment.
+---
+
+# azurerm_subscription_policy_assignment
+
+Manages a Subscription Policy Assignment.
+
+## Example Usage
+
+```hcl
+data "azurerm_subscription" "current" {}
+
+resource "azurerm_policy_definition" "example" {
+  name        = "only-deploy-in-westeurope"
+  policy_type = "Custom"
+  mode        = "All"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "location",
+        "equals": "westeurope"
+      }
+    },
+    "then": {
+      "effect": "Deny"
+    }
+  }
+POLICY_RULE
+}
+
+resource "azurerm_subscription_policy_assignment" "example" {
+  name                 = "example"
+  policy_definition_id = azurerm_policy_definition.example.id
+  subscription_id      = azurerm_subscription.current.id
+}
+```
+
+## Arguments Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name which should be used for this Policy Assignment. Changing this forces a new Policy Assignment to be created.
+
+* `policy_definition_id` - (Required) The ID of the Policy Definition or Policy Definition Set. Changing this forces a new Policy Assignment to be created.
+
+* `subscription_id` - (Required) The ID of the Subscription where this Policy Assignment should be created. Changing this forces a new Policy Assignment to be created.
+
+---
+
+* `description` - (Optional) A description which should be used for this Policy Assignment.
+
+* `display_name` - (Optional) The Display Name for this Policy Assignment.
+
+* `enforce` - (Optional) Specifies if this Policy should be enforced or not?
+
+* `identity` - (Optional) A `identity` block as defined below.
+
+-> **Note:** The `location` field must also be specified when `identity` is specified.
+
+* `location` - (Optional) The Azure Region where the Policy Assignment should exist. Changing this forces a new Policy Assignment to be created.
+
+* `metadata` - (Optional) A JSON mapping of any Metadata for this Policy.
+
+* `not_scopes` - (Optional) Specifies a list of Resource Scopes (for example a Subscription, or a Resource Group) within this Management Group which are excluded from this Policy.
+
+* `parameters` - (Optional) A JSON mapping of any Parameters for this Policy. Changing this forces a new Management Group Policy Assignment to be created.
+
+---
+
+A `identity` block supports the following:
+
+* `type` - (Optional) The Type of Managed Identity which should be added to this Policy Definition. The only possible value is `SystemAssigned`.
+
+## Attributes Reference
+
+In addition to the Arguments listed above - the following Attributes are exported: 
+
+* `id` - The ID of the Subscription Policy Assignment.
+
+---
+
+The `identity` block exports the following:
+
+* `principal_id` - The Principal ID of the Policy Assignment for this Subscription.
+
+* `tenant_id` - The Tenant ID of the Policy Assignment for this Subscription.
+
+## Timeouts
+
+The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:
+
+* `create` - (Defaults to 30 minutes) Used when creating the Policy Assignment for this Subscription.
+* `read` - (Defaults to 5 minutes) Used when retrieving the Policy Assignment for this Subscription.
+* `update` - (Defaults to 30 minutes) Used when updating the Policy Assignment for this Subscription.
+* `delete` - (Defaults to 30 minutes) Used when deleting the Policy Assignment for this Subscription.
+
+## Import
+
+Subscription Policy Assignments can be imported using the `resource id`, e.g.
+
+```shell
+terraform import azurerm_subscription_policy_assignment.example /subscriptions/00000000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/assignment1
+```