Edit

Review resources exempted from recommendations

  • Article

In Microsoft Defender for Cloud, you can exempt protected resources from Defender for Cloud security recommendations. This article describes how to review and work with exempted resources.

Review exempted resources in the portal

Once a resource has been exempted it will no longer be taken into account for security recommendation. You can review the exempted resources and manage each one in the Defender for Cloud portal.

Review exempted resources on the recommendations page

To review exempted resources:

  1. Sign in to the Azure portal.

  2. Navigate to Defender for Cloud > Recommendations.

  3. Select Recommendation status.

  4. Select Exempted.

  5. Select Apply.

    Screenshot of the recommendations page that shows where the recommendation status, exempted and apply button are located.

  6. Select a resource to review it.

Review exempted resources on the inventory page

You can also find all resources that are exempted from one or more recommendations on the Inventory page.

To review exempted resources on the Defender for Cloud's Inventory page:

  1. Sign in to the Azure portal.

  2. Navigate to Defender for Cloud > Inventory.

  3. Select Add filter

    Defender for Cloud's asset inventory page and the filter to find resources with exemptions.

  4. Select Contains Exemptions.

  5. Select Yes.

  6. Select OK.

Review exempted resources with Azure Resource Graph

Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information using Kusto Query Language (KQL).

To view all recommendations that have exemption rules:

  1. In the Recommendations page, select Open query.

  2. Enter the following query and select Run query.

    securityresources
| where type == "microsoft.security/assessments"
// Get recommendations in useful format
| project
['TenantID'] = tenantId,
['SubscriptionID'] = subscriptionId,
['AssessmentID'] = name,
['DisplayName'] = properties.displayName,
['ResourceType'] = tolower(split(properties.resourceDetails.Id,"/").[7]),
['ResourceName'] = tolower(split(properties.resourceDetails.Id,"/").[8]),
['ResourceGroup'] = resourceGroup,
['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink),
['StatusCode'] = properties.status.code,
['StatusDescription'] = properties.status.description,
['PolicyDefID'] = properties.metadata.policyDefinitionId,
['Description'] = properties.metadata.description,
['RecomType'] = properties.metadata.assessmentType,
['Remediation'] = properties.metadata.remediationDescription,
['Severity'] = properties.metadata.severity,
['Link'] = properties.links.azurePortal
| where StatusDescription contains "Exempt"

Get notified when exemptions are created

To keep track of how users are exempting resources from recommendations, we created an Azure Resource Manager (ARM) template that deploys a Logic App Playbook, and all necessary API connections to notify you when an exemption was created.

Next steps

Review security recommendations