question

GaneshShrivas-1319 asked AnuragSingh-MSFT commented

Azure recommendation and compliance policy match

I am using the Azure recommendation API

https://docs.microsoft.com/en-us/rest/api/advisor/recommendations/list#code-try-0

This API will give me recommendations about resources.

I need to match these security threats with Azure compliance policy so that I can show the recommended resource inside a particular policy.


1 Answer

AnuragSingh-MSFT answered AnuragSingh-MSFT commented

Hi @GaneshShrivas-1319,

Welcome to Microsoft Q&A! Thanks for posting the question.

Based on my understanding, you are trying to map the recommendations obtained from Azure Advisor to Azure Policy definitions. Please note that these are 2 different services and serve specialized purposes. While Azure Policy helps to enforce organizational standards and to assess compliance at scale, Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments.

Therefore, a 1-to-1 mapping is not possible between all the recommendations from Azure Advisor and a policy definition. For example, Azure Advisor can help you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. There is no corresponding Azure Policy definition that can enforce it.

Hope that helps. In case I have misunderstood the question, can you please clarify it a bit further with a relevant example?
Please let me know if you have any questions.


Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.


Thanks @AnuragSingh-MSFT for the quick response,

Your understanding of my question is correct. But my question here is that a recommendation comes when a resource has some compliance issues with any applied policy on the portal. If a resource is not following a policy completely, then we get a recommendation, so I just want to get information about which policy's compliance issues we are getting the recommendation for.

Ex: if I am getting the recommendation problem 'Storage accounts should use private link' when any storage account uses a public link, then in that case the policy 'Storage accounts should use private link' has compliance issues for that resource. So I want information regarding that policy from the recommendation API.

Hope this is clear to you.


@GaneshShrivas-1319, thank you for providing additional information. The "Azure Advisor" recommendation is not dependent on the applied Azure Policy. You may not have any policy applied and still may receive recommendations to enforce security, based on the usage scenario. However, if you have the Azure Policy "Storage accounts should use private link" applied to your resource/resourceGroup, then the corresponding notification will be obtained under Azure Policy's Overview or Compliance page.

Considering the example above, please note that the requirement to use "Private connection" would be scenario based and would not apply to all use cases. For example, you may still need access to the storage account from public networks. Therefore, the Azure Policy will be used to enforce this policy on specific resources to ensure that these resources are not accessible from public networks.

In certain scenarios, there may be some recommendations from Azure Advisor where some Policy might be a match. I don't think there is a way to do a direct 1-1 connection. Also, I was able to find only a few of the Azure Policies listed for Azure Advisor - Subscription.

Do you have a sample response where such recommendation was obtained from Advisor related to Azure policy?


Thanks @AnuragSingh-MSFT for the quick response.

Can you please suggest how I can show CIS compliance resources in my application from the REST API?


@GaneshShrivas-1319, thank you for the reply.

You could do this by:
1. Assigning the relevant "CIS Microsoft Azure Foundation Benchmark" initiative to the respective resource group.

2. After the above initiative has been assigned, you could use the Azure Policy REST API to get the list of resources which are compliant. Ref: Policy States - List Query Results For Resource Group

Please feel free to open a new Q&A question so that we can keep this thread scoped to a single topic.

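An added example (not part of the original thread and not Microsoft's code) for step 2 above: it builds the Policy States `queryResults` URL for a resource group and groups a response by resource, so each non-compliant resource is listed with the initiative policies it fails. The API version, the `$filter` expression and every ID and name in the sample response are assumptions or constructed placeholders; sending the POST requires an Azure AD bearer token, which is left out so the block runs offline.

```python
from collections import defaultdict
from urllib.parse import quote, urlencode

API_VERSION = "2019-10-01"  # assumed Microsoft.PolicyInsights policyStates API version

def build_query_url(subscription_id, resource_group, only_noncompliant=True):
    """URL to POST to for the latest policy states of one resource group."""
    url = (
        "https://management.azure.com/subscriptions/" + quote(subscription_id, safe="")
        + "/resourceGroups/" + quote(resource_group, safe="")
        + "/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults"
    )
    params = {"api-version": API_VERSION}
    if only_noncompliant:
        params["$filter"] = "complianceState eq 'NonCompliant'"  # OData filter
    return url + "?" + urlencode(params, quote_via=quote, safe="$'")

def failing_policies_by_resource(response):
    """Map each resource ID to the sorted (initiative, policy reference) pairs it fails."""
    failing = defaultdict(set)
    for state in response.get("value", []):
        if state.get("complianceState") != "NonCompliant":
            continue  # defensive: the $filter may have been omitted
        rid = state["resourceId"].lower()  # ARM resource IDs are case-insensitive
        failing[rid].add((state.get("policySetDefinitionName", ""),
                          state.get("policyDefinitionReferenceId", "")))
    return {rid: sorted(pairs) for rid, pairs in failing.items()}

# Constructed sample response; IDs and names below are placeholders, not real values.
SUB = "00000000-0000-0000-0000-000000000000"
STORAGE = ("/subscriptions/" + SUB
           + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/")
SAMPLE_RESPONSE = {"@odata.count": 3, "value": [
    {"resourceId": STORAGE + "stdemo1", "complianceState": "NonCompliant",
     "policySetDefinitionName": "cis-initiative-placeholder",
     "policyDefinitionReferenceId": "storagePrivateLinkPlaceholder"},
    {"resourceId": STORAGE + "STDEMO1", "complianceState": "NonCompliant",
     "policySetDefinitionName": "cis-initiative-placeholder",
     "policyDefinitionReferenceId": "secureTransferPlaceholder"},
    {"resourceId": STORAGE + "stdemo2", "complianceState": "Compliant",
     "policySetDefinitionName": "cis-initiative-placeholder",
     "policyDefinitionReferenceId": "storagePrivateLinkPlaceholder"},
]}

if __name__ == "__main__":
    print(build_query_url(SUB, "rg-demo"))
    for rid, pairs in failing_policies_by_resource(SAMPLE_RESPONSE).items():
        print(rid, pairs)
```

Pass `only_noncompliant=False` to retrieve every policy state, compliant ones included.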