Microsoft Cloud Security Benchmark enablement in management group and subscription

Mike Gu 51 Reputation points
2025-09-29T14:22:29.09+00:00

Hi,

I am setting up Microsoft Cloud Security Benchmark in Defender for Cloud and managing recommendations. Currently I have enabled Microsoft cloud security benchmark both on the top management group and the subscription below.

My questions are

  • How does the DfC recommendations get populated? Which benchmark policy initiative does it use - Management group or subscription level?
  • If I create an exemption to a policy at the management group initiative only (e.g "Storage accounts should prevent shared key access"), would the Recommendation section update it to Exempted?User's image
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
0 comments No comments

Answer accepted by question author

Anonymous
2025-09-30T10:10:37.0366667+00:00

Hello Mike Gu,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. 

I got that you are asking about how Microsoft Cloud Security Benchmark (MCSB) recommendations are populated in Defender for Cloud (DfC), and whether exemptions applied at the management group level affect the recommendation status.

I will try to clarify your doubts below:

How does the DfC recommendations get populated?

  • DfC recommendations are generated by the Azure Policy compliance engine. And for any given subscription, the compliance engine evaluates all resources against all assigned Policy Initiatives (the MCSB policies) that are scoped to that subscription, which includes assignments inherited from the Management Group hierarchy and any direct assignments at the Subscription level.
  • Since you have two assignments (MG and Subscription), the resources in the subscription are assessed against the union of both initiative assignments. In practice, the policies are often identical, but both assignments contribute to the resource's compliance state. more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept

Which benchmark policy initiative does it use - Management group or subscription level?

  • It uses the effective policy assignment on the subscription, and the recommendations are generated from the security assessment of the resource against the Policy Definitions contained within the initiative.
  • If you enable the same MCSB initiative at the MG and the Subscription, they both contribute. It is generally a best practice to only assign at the highest relevant Management Group and let it inherit to avoid policy duplication and confusion. more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/manage-mcsb

If I create an exemption to a policy at the management group initiative only (e.g "Storage accounts should prevent shared key access"), would the Recommendation section update it to Exempted?

  • Yes, absolutely. An Azure Policy Exemption is a separate object that targets a policy assignment (the initiative assignment) and one or more policy definitions within it, at a specific scope (your subscription or a resource within it).
  • Since the policy is assigned at the Management Group level, and that assignment applies to the child subscription, creating an exemption for that MG-level policy assignment at the Subscription level (or for a resource within the subscription) will exclude the resource from assessment for that specific policy.
  • Defender for Cloud will then report the status of the recommendation based on the underlying Azure Policy compliance state. The resource's status in the DfC recommendation will change from Unhealthy to Not applicable (with an "Exempted" justification). more at: https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource

Kindly let us know if the above helps or you need further assistance on this issue. 

Please "Accept the answer" if the information helped you and 'upvote' for it. This will help us and others in the community as well. 

Regards,

Monalisha

Was this answer helpful?


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.