Exempting resources and recommendations from your secure score
A core priority of every security team is to ensure analysts can focus on the tasks and incidents that matter to the organization. Defender for Cloud has many features for customizing the experience and making sure your secure score reflects your organization's security priorities. The exempt option is one such feature.
When you investigate your security recommendations in Microsoft Defender for Cloud, one of the first pieces of information you review is the list of affected resources.
Occasionally, a resource will be listed that you feel shouldn't be included. Or a recommendation will show in a scope where you feel it doesn't belong. The resource might have been remediated by a process not tracked by Defender for Cloud. The recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation.
In such cases, you can create an exemption for a recommendation to:
Exempt a resource to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
Exempt a subscription or management group to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
|Aspect|Details|
|---|---|
|Pricing:|This is a premium Azure Policy capability that's offered at no additional cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future.|
|Required roles and permissions:|Owner, Security Admin, or Resource Policy Contributor to create an exemption. To create a rule, you need permissions to edit policies in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.|
|Limitations:|Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark, or any of the supplied regulatory standard initiatives. Recommendations that are generated from custom initiatives can't be exempted. Learn more about the relationships between policies, initiatives, and recommendations.|
National (Azure Government, Microsoft Azure operated by 21Vianet)
Define an exemption
To fine-tune the security recommendations that Defender for Cloud makes for your subscriptions, management group, or resources, you can create an exemption rule to:
- Mark a specific recommendation as "mitigated" or "risk accepted". You can create recommendation exemptions for a subscription, multiple subscriptions, or an entire management group.
- Mark one or more resources as "mitigated" or "risk accepted" for a specific recommendation.
Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark or any of the supplied regulatory standard initiatives. Recommendations that are generated from any custom initiatives assigned to your subscriptions cannot be exempted. Learn more about the relationships between policies, initiatives, and recommendations.
You can also create exemptions using the API. For an example JSON, and an explanation of the relevant structures see Azure Policy exemption structure.
To create an exemption rule:
Open the recommendations details page for the specific recommendation.
From the toolbar at the top of the page, select Exempt.
In the Exempt pane:
Select the scope for this exemption rule:
- If you select a management group, the recommendation will be exempted from all subscriptions within that group
- If you're creating this rule to exempt one or more resources from the recommendation, choose "Selected resources" and select the relevant ones from the list
Enter a name for this exemption rule.
Optionally, set an expiration date.
Select the category for the exemption:
- Resolved through 3rd party (mitigated) – if you're using a third-party service that Defender for Cloud hasn't identified. When you exempt a recommendation as mitigated, you aren't given points towards your secure score. But because points aren't removed for the unhealthy resources, the result is that your score will increase.
- Risk accepted (waiver) – if you've decided to accept the risk of not mitigating this recommendation.
Enter a description.
When the exemption takes effect (it might take up to 30 minutes):
The recommendation or resources won't impact your secure score.
If you've exempted specific resources, they'll be listed in the Not applicable tab of the recommendation details page.
If you've exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the Recommendation status filter on that page are to exclude Not applicable recommendations. The same is true if you exempt all recommendations in a security control.
The information strip at the top of the recommendation details page updates the number of exempted resources.
To review your exempted resources, open the Not applicable tab. The reason for each exemption is included in the table.
To modify or delete an exemption, select the ellipsis menu ("...") in the row for that exemption.
To review all of the exemption rules on your subscription, select View exemptions from the information strip.
To see the specific exemptions relevant to one recommendation, filter the list according to the relevant scope and recommendation name.
Alternatively, use Azure Resource Graph to find recommendations with exemptions.
Monitor exemptions created in your subscriptions
As explained earlier on this page, exemption rules are a powerful tool providing granular control over the recommendations affecting resources in your subscriptions and management groups.
To keep track of how your users are exercising this capability, we've created an Azure Resource Manager (ARM) template that deploys a Logic App Playbook and all necessary API connections to notify you when an exemption has been created.
- To learn more about the playbook, see the tech community blog post How to keep track of Resource Exemptions in Microsoft Defender for Cloud.
- You'll find the ARM template in the Microsoft Defender for Cloud GitHub repository.
- To deploy all the necessary components, use this automated process.
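The exemption rules you create in the portal are ordinary Azure Policy exemptions, so the records the API returns (see the Azure Policy exemption structure referenced earlier) can be audited with a short script like the following, which is an added example and not part of this article or of Defender for Cloud. It reads the `exemptionCategory`, `expiresOn` and `description` properties of constructed sample records (not captured from a real tenant) and flags what the monitoring playbook above is meant to surface: exemptions with no expiration date, exemptions that have already expired, and risk-accepted waivers created without a written justification.

```python
from datetime import datetime, timezone

# Constructed sample records in the Azure Policy exemption structure,
# trimmed to the properties this audit reads. Not captured from a tenant.
ASSIGNMENT = ("/subscriptions/00000000-0000-0000-0000-000000000000"
              "/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn")
SAMPLE_EXEMPTIONS = [
    {"name": "vm-waf-mitigated", "properties": {
        "policyAssignmentId": ASSIGNMENT, "exemptionCategory": "Mitigated",
        "expiresOn": "2030-01-01T00:00:00Z",
        "description": "WAF provided by a third-party appliance"}},
    {"name": "storage-risk-accepted", "properties": {
        "policyAssignmentId": ASSIGNMENT, "exemptionCategory": "Waiver",
        "description": ""}},                      # no expiresOn, no justification
    {"name": "old-mitigation", "properties": {
        "policyAssignmentId": ASSIGNMENT, "exemptionCategory": "Mitigated",
        "expiresOn": "2020-06-30T00:00:00Z", "description": "Legacy agent"}},
]

def _parse_utc(iso_ts):
    """Parse the API's ISO-8601 timestamps (trailing 'Z') into aware UTC datetimes."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def audit_exemptions(exemptions, now_iso=None):
    """Return (exemption name, finding) pairs that deserve a reviewer's attention.
    now_iso pins the evaluation time for reproducible runs; default is the current UTC time."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for ex in exemptions:
        name = ex.get("name", "<unnamed>")
        props = ex.get("properties", {})
        category = props.get("exemptionCategory")
        if category not in ("Mitigated", "Waiver"):
            findings.append((name, f"unexpected exemptionCategory {category!r}"))
        expires_on = props.get("expiresOn")
        if expires_on is None:
            findings.append((name, "no expiresOn: exemption never comes up for re-review"))
        elif _parse_utc(expires_on) < now:
            findings.append((name, f"expired {expires_on}: policy evaluates the resource again"))
        if category == "Waiver" and not props.get("description", "").strip():
            findings.append((name, "Waiver (risk accepted) without a written justification"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_exemptions(SAMPLE_EXEMPTIONS):
        print(f"{name}: {finding}")
```

Feed it the output of the exemptions API (or the ARM-template playbook's notifications) instead of the constructed list to review the exemptions your users have actually created.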
Use the inventory to find resources that have exemptions applied
The asset inventory page of Microsoft Defender for Cloud provides a single page for viewing the security posture of the resources you've connected to Defender for Cloud. Learn more in Explore and manage your resources with asset inventory.
The inventory page includes many filters to let you narrow the list of resources to the ones of most interest for any given scenario. One such filter is the Contains exemptions. Use this filter to find all resources that have been exempted from one or more recommendations.
Find recommendations with exemptions using Azure Resource Graph
Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.
To view all recommendations that have exemption rules:
Open Azure Resource Graph Explorer.
Enter the following query and select Run query.
```kusto
securityresources
| where type == "microsoft.security/assessments"
// Get recommendations in useful format
| project ['TenantID'] = tenantId,
    ['SubscriptionID'] = subscriptionId,
    ['AssessmentID'] = name,
    ['DisplayName'] = properties.displayName,
    // Resource ID layout: /subscriptions/{id}/resourceGroups/{rg}/providers/{namespace}/{type}/{name},
    // so after splitting on "/" the type is element 7 and the name is element 8
    ['ResourceType'] = tolower(split(properties.resourceDetails.Id,"/").[7]),
    ['ResourceName'] = tolower(split(properties.resourceDetails.Id,"/").[8]),
    ['ResourceGroup'] = resourceGroup,
    ['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink),
    ['StatusCode'] = properties.status.code,
    ['StatusDescription'] = properties.status.description,
    ['PolicyDefID'] = properties.metadata.policyDefinitionId,
    ['Description'] = properties.metadata.description,
    ['RecomType'] = properties.metadata.assessmentType,
    ['Remediation'] = properties.metadata.remediationDescription,
    ['Severity'] = properties.metadata.severity,
    ['Link'] = properties.links.azurePortal
// Exempted assessments carry the exemption reason in their status description
| where StatusDescription contains "Exempt"
```
Learn more in the following pages:
- Learn more about Azure Resource Graph.
- How to create queries with Azure Resource Graph Explorer.
- Kusto Query Language (KQL).
In this article, you learned how to exempt a resource from a recommendation so that it doesn't impact your secure score. For more information about secure score, see Secure score in Microsoft Defender for Cloud.