A cloud-native solution that protects workloads across hybrid and multi-cloud environments with threat detection and security recommendations
Hello Mike Gu,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I got that you are asking about how Microsoft Cloud Security Benchmark (MCSB) recommendations are populated in Defender for Cloud (DfC), and whether exemptions applied at the management group level affect the recommendation status.
I will try to clarify your doubts below:
How does the DfC recommendations get populated?
- DfC recommendations are generated by the Azure Policy compliance engine. And for any given subscription, the compliance engine evaluates all resources against all assigned Policy Initiatives (the MCSB policies) that are scoped to that subscription, which includes assignments inherited from the Management Group hierarchy and any direct assignments at the Subscription level.
- Since you have two assignments (MG and Subscription), the resources in the subscription are assessed against the union of both initiative assignments. In practice, the policies are often identical, but both assignments contribute to the resource's compliance state. more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept
Which benchmark policy initiative does it use - Management group or subscription level?
- It uses the effective policy assignment on the subscription, and the recommendations are generated from the security assessment of the resource against the Policy Definitions contained within the initiative.
- If you enable the same MCSB initiative at the MG and the Subscription, they both contribute. It is generally a best practice to only assign at the highest relevant Management Group and let it inherit to avoid policy duplication and confusion. more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/manage-mcsb
If I create an exemption to a policy at the management group initiative only (e.g "Storage accounts should prevent shared key access"), would the Recommendation section update it to Exempted?
- Yes, absolutely. An Azure Policy Exemption is a separate object that targets a policy assignment (the initiative assignment) and one or more policy definitions within it, at a specific scope (your subscription or a resource within it).
- Since the policy is assigned at the Management Group level, and that assignment applies to the child subscription, creating an exemption for that MG-level policy assignment at the Subscription level (or for a resource within the subscription) will exclude the resource from assessment for that specific policy.
- Defender for Cloud will then report the status of the recommendation based on the underlying Azure Policy compliance state. The resource's status in the DfC recommendation will change from Unhealthy to Not applicable (with an "Exempted" justification). more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you and 'upvote' for it. This will help us and others in the community as well.
Regards,
Monalisha