Defender for Cloud: Removed default initiative assignment - how to recreate initial assignment?

Question

Defender for Cloud: Removed default initiative assignment - how to recreate initial assignment?

Wedding, Jan 20

Hi,

We were experimenting with Azure Security Center and during that, we deleted the default initiative assignment, so in Azure portal, it looks like this:

No Policy assignment.

When re-assigning / re-creating a new policy, it is kind of possible to get something assigned again, but unfortunately, it will not create the new assignment in the very same kind of format as the initial assignment. The initial assignment has an assignment ID in the format like this:

/subscriptions/00000000-aaaa-bbbb-cccc-dddddddddddd/providers/microsoft.authorization/policyassignments/securitycenterbuiltin

=> Name property = securitycenterbuiltin (hardcoded)

while a freshly, manually created one will receive an assignment ID like this:

/subscriptions/00000000-aaaa-bbbb-cccc-dddddddddddd/providers/microsoft.authorization/policyassignments/99999310d9840fab23e8888

=> Name property = 99999310d9840fab23e8888 (generated)

Question: How can I get it re-created in a way so that it is the very same as in the original assignment?

Background: We are using IaC approaches and want to avoid manually maintaining this ID/name property per subscription for getting this imported...

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-10-27T04:31:46.0933333+00:00

@Wedding, Jan Thank you for reaching out to us, As I understand you are trying to create a policy within Defender for Cloud, policy is getting created with a random guid, I tried the same at my end but for me it created with a name a instead.

How exactly you are creating the policy any specific article/steps you are following if you can share it with me so that I can review ?

In the meantime, let me check with my team on this issue and revert back.
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2023-10-27T12:19:51.6566667+00:00

So you deleted the default and want to make a custom policy look just like the old one? I am not sure if that is possible.

I don't understand why you would remove the default initiative. This removes the core recommendations which is a big chunk of the service offering. If I recall correctly, custom policies are not evaluated for secure score reporting. I assume you could copy in the same from another subscription if you need to restore. You could replace the subscription. You may also be able to rename the policy directly if needed.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-11-10T03:44:36.8866667+00:00

@Wedding, Jan Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-10-27T04:31:46.0933333+00:00

@Wedding, Jan Thank you for reaching out to us, As I understand you are trying to create a policy within Defender for Cloud, policy is getting created with a random guid, I tried the same at my end but for me it created with a name a instead.

How exactly you are creating the policy any specific article/steps you are following if you can share it with me so that I can review ?

In the meantime, let me check with my team on this issue and revert back.
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2023-10-27T12:19:51.6566667+00:00

So you deleted the default and want to make a custom policy look just like the old one? I am not sure if that is possible.

I don't understand why you would remove the default initiative. This removes the core recommendations which is a big chunk of the service offering. If I recall correctly, custom policies are not evaluated for secure score reporting. I assume you could copy in the same from another subscription if you need to restore. You could replace the subscription. You may also be able to rename the policy directly if needed.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-11-10T03:44:36.8866667+00:00

@Wedding, Jan Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Hi,

so, the initial creation of this default assignment with the name (not display name!) securitycenterbuiltin "seems" to be happening on Tenant level, so out of the control of our single Subscription. Probably managed / configured somewhere - as said, out of our control. And since this String is found in many places in the internet, I doubt it is something, our internal teams is doing...

Anyway, you can still delete it directly from within the portal for a certain subscription. And after that, it does not get recreated anymore automatically... So we were using the "Assign Policy" button within the portal (see my screenshot from the initial post) allows to pass in the display name attribute only, but not the name attribute...

As said, it would be really helpful to get this consistently created as we are normally not using the Azure portal for creating resouces, but IaC approaches like Terraform.

Share via

Defender for Cloud: Removed default initiative assignment - how to recreate initial assignment?

1 answer

Your answer