Exempting resources and recommendations from your secure score
A core priority of every security team is to ensure analysts can focus on the tasks and incidents that matter to the organization. Defender for Cloud has many features for customizing the experience and making sure your secure score reflects your organization's security priorities. The exempt option is one such feature.
When you investigate your security recommendations in Microsoft Defender for Cloud, one of the first pieces of information you review is the list of affected resources.
Occasionally, a resource will be listed that you feel shouldn't be included. Or a recommendation will show in a scope where you feel it doesn't belong. The resource might have been remediated by a process not tracked by Defender for Cloud. The recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation.
In such cases, you can create an exemption for a recommendation to:
- Exempt a resource to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
- Exempt a subscription or management group to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
| Pricing: | This is a premium Azure Policy capability that's offered at no additional cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future. |
| Required roles and permissions: | Owner or Resource Policy Contributor to create an exemption. To create a rule, you need permissions to edit policies in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy. |
| Limitations: | Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark, or any of the supplied regulatory standard initiatives. Recommendations that are generated from custom initiatives can't be exempted. Learn more about the relationships between policies, initiatives, and recommendations. |
National (Azure Government, Azure China 21Vianet)
Define an exemption
To fine-tune the security recommendations that Defender for Cloud makes for your subscriptions, management group, or resources, you can create an exemption rule to:
- Mark a specific recommendation as "mitigated" or "risk accepted". You can create recommendation exemptions for a subscription, multiple subscriptions, or an entire management group.
- Mark one or more resources as "mitigated" or "risk accepted" for a specific recommendation.
Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark or any of the supplied regulatory standard initiatives. Recommendations that are generated from any custom initiatives assigned to your subscriptions cannot be exempted. Learn more about the relationships between policies, initiatives, and recommendations.
You can also create exemptions using the API. For an example JSON, and an explanation of the relevant structures see Azure Policy exemption structure.
To create an exemption rule:
1. Open the recommendations details page for the specific recommendation.
2. From the toolbar at the top of the page, select Exempt.
3. In the Exempt pane:
   1. Select the scope for this exemption rule:
      - If you select a management group, the recommendation will be exempted from all subscriptions within that group.
      - If you're creating this rule to exempt one or more resources from the recommendation, choose "Selected resources" and select the relevant ones from the list.
   2. Enter a name for this exemption rule.
   3. Optionally, set an expiration date.
   4. Select the category for the exemption:
      - Resolved through 3rd party (mitigated) – if you're using a third-party service that Defender for Cloud hasn't identified.
        When you exempt a recommendation as mitigated, you aren't given points towards your secure score. But because points aren't removed for the unhealthy resources, the result is that your score will increase.
      - Risk accepted (waiver) – if you've decided to accept the risk of not mitigating this recommendation.
   5. Enter a description.
When the exemption takes effect (it might take up to 30 minutes):
- The recommendation or resources won't impact your secure score.
- If you've exempted specific resources, they'll be listed in the Not applicable tab of the recommendation details page.
- If you've exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the Recommendation status filter on that page are to exclude Not applicable recommendations. The same is true if you exempt all recommendations in a security control.
The information strip at the top of the recommendation details page updates the number of exempted resources.
To review your exempted resources, open the Not applicable tab:
The reason for each exemption is included in the table (1).
To modify or delete an exemption, select the ellipsis menu ("...") as shown (2).
To review all of the exemption rules on your subscription, select View exemptions from the information strip.
To see the specific exemptions relevant to one recommendation, filter the list according to the relevant scope and recommendation name.
Alternatively, use Azure Resource Graph to find recommendations with exemptions.
Monitor exemptions created in your subscriptions
As explained earlier on this page, exemption rules are a powerful tool providing granular control over the recommendations affecting resources in your subscriptions and management groups.
To keep track of how your users are exercising this capability, we've created an Azure Resource Manager (ARM) template that deploys a Logic App Playbook and all necessary API connections to notify you when an exemption has been created.
- To learn more about the playbook, see the tech community blog post How to keep track of Resource Exemptions in Microsoft Defender for Cloud
- You'll find the ARM template in the Microsoft Defender for Cloud GitHub repository
- To deploy all the necessary components, use this automated process
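To complement the API note and the monitoring guidance above, the following added example (not Microsoft's playbook and not code from this page) reviews exemption records for broad scope, risk-acceptance waivers, missing descriptions, and missing or lapsed expiration dates. It assumes records in the ARM resource shape described in Azure Policy exemption structure; the sample IDs, names, and the 180-day threshold are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the ARM shape of Microsoft.Authorization/policyExemptions
# (placeholder subscription ID and resource names; not real tenant data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
TAIL = "/providers/Microsoft.Authorization/policyExemptions/"
SAMPLE = json.loads(json.dumps([
    {"id": SUB + TAIL + "waive-mfa",
     "properties": {"exemptionCategory": "Waiver", "description": ""}},
    {"id": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01" + TAIL + "edr-3p",
     "properties": {"exemptionCategory": "Mitigated", "description": "Covered by third-party EDR",
                    "expiresOn": "2025-03-01T00:00:00Z"}},
    {"id": "/providers/Microsoft.Management/managementGroups/mg-corp" + TAIL + "legacy",
     "properties": {"exemptionCategory": "Waiver", "description": "Legacy estate",
                    "expiresOn": "2020-01-01T00:00:00Z"}},
]))

def scope_kind(exemption_id):
    """Classify the scope an exemption applies to from its resource ID."""
    scope = exemption_id.lower().rsplit(TAIL.lower(), 1)[0]
    if scope.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    segments = scope.strip("/").split("/")
    return {2: "subscription", 4: "resource group"}.get(len(segments), "resource")

def audit(exemption, now, max_days=180):
    """Return review findings for one exemption (max_days is an assumed policy)."""
    props = exemption.get("properties", {})
    findings = []
    kind = scope_kind(exemption["id"])
    if kind in ("management group", "subscription"):
        findings.append(f"broad scope ({kind})")
    if props.get("exemptionCategory") == "Waiver":
        findings.append("risk accepted (waiver)")
    if not (props.get("description") or "").strip():
        findings.append("no description")
    expires = props.get("expiresOn")
    if not expires:
        findings.append("no expiration date")
    else:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if when <= now:
            findings.append("expired")
        elif when - now > timedelta(days=max_days):
            findings.append(f"expires in more than {max_days} days")
    return findings

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["id"].rsplit("/", 1)[-1], audit(record, datetime.now(timezone.utc)))
```
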
Use the inventory to find resources that have exemptions applied
The asset inventory page of Microsoft Defender for Cloud provides a single page for viewing the security posture of the resources you've connected to Defender for Cloud. Learn more in Explore and manage your resources with asset inventory.
The inventory page includes many filters to let you narrow the list of resources to the ones of most interest for any given scenario. One such filter is Contains exemptions. Use this filter to find all resources that have been exempted from one or more recommendations.
Find recommendations with exemptions using Azure Resource Graph
Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.
To view all recommendations that have exemption rules:
Open Azure Resource Graph Explorer.
Enter the following query and select Run query.
```kusto
securityresources
| where type == "microsoft.security/assessments"
// Get recommendations in useful format
| project
    ['TenantID'] = tenantId,
    ['SubscriptionID'] = subscriptionId,
    ['AssessmentID'] = name,
    ['DisplayName'] = properties.displayName,
    // Resource ID segments: /subscriptions/{id}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}
    // Splitting on "/" puts the resource type at index 7 and the resource name at index 8.
    ['ResourceType'] = tolower(tostring(split(properties.resourceDetails.Id,"/")[7])),
    ['ResourceName'] = tolower(tostring(split(properties.resourceDetails.Id,"/")[8])),
    ['ResourceGroup'] = resourceGroup,
    ['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink),
    ['StatusCode'] = properties.status.code,
    ['StatusDescription'] = properties.status.description,
    ['PolicyDefID'] = properties.metadata.policyDefinitionId,
    ['Description'] = properties.metadata.description,
    ['RecomType'] = properties.metadata.assessmentType,
    ['Remediation'] = properties.metadata.remediationDescription,
    ['Severity'] = properties.metadata.severity,
    ['Link'] = properties.links.azurePortal
// Keep only assessments whose status description mentions an exemption
| where StatusDescription contains "Exempt"
```
Learn more in the following pages:
- Learn more about Azure Resource Graph.
- How to create queries with Azure Resource Graph Explorer
- Kusto Query Language (KQL)
FAQ - Exemption rules
- What happens when one recommendation is in multiple policy initiatives?
- Are there any recommendations that don't support exemption?
What happens when one recommendation is in multiple policy initiatives?
Sometimes, a security recommendation appears in more than one policy initiative. If you've got multiple instances of the same recommendation assigned to the same subscription, and you create an exemption for the recommendation, it will affect all of the initiatives that you have permission to edit.
For example, the recommendation **** is part of the default policy initiative assigned to all Azure subscriptions by Microsoft Defender for Cloud. It's also in XXXXX.
If you try to create an exemption for this recommendation, you'll see one of the two following messages:
If you have the necessary permissions to edit both initiatives, you'll see:
This recommendation is included in several policy initiatives: [initiative names separated by comma]. Exemptions will be created on all of them.
If you don't have sufficient permissions on both initiatives, you'll see this message instead:
You have limited permissions to apply the exemption on all the policy initiatives, the exemptions will be created only on the initiatives with sufficient permissions.
Are there any recommendations that don't support exemption?
These generally available recommendations don't support exemption:
- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
- All advanced threat protection types should be enabled in SQL server advanced data security settings
- Container CPU and memory limits should be enforced
- Container images should be deployed from trusted registries only
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Containers should listen on allowed ports only
- Default IP Filter Policy should be Deny
- Immutable (read-only) root filesystem should be enforced for containers
- IoT Devices - Open Ports On Device
- IoT Devices - Permissive firewall policy in one of the chains was found
- IoT Devices - Permissive firewall rule in the input chain was found
- IoT Devices - Permissive firewall rule in the output chain was found
- IP Filter rule large IP range
- Least privileged Linux capabilities should be enforced for containers
- Machines should be configured securely
- Overriding or disabling of containers AppArmor profile should be restricted
- Privileged containers should be avoided
- Running containers as root user should be avoided
- Services should listen on allowed ports only
- SQL servers should have an Azure Active Directory administrator provisioned
- Usage of host networking and ports should be restricted
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
In this article, you learned how to exempt a resource from a recommendation so that it doesn't impact your secure score. For more information about secure score, see: