Microsoft Defender for Cloud Blog

Centralized Policy Management in Microsoft Defender for Cloud using Management Groups

YuriDiogenes
Apr 02, 2020

Large organizations with multiple subscriptions in a single tenant are probably already using Azure Management Groups to organize those subscriptions according to business needs, building a hierarchy in which each management group carries the policies that reflect the needs of the subscriptions beneath it. For example, a policy on a management group called "Production" might limit VM locations to the US West region. That policy is inherited by every Enterprise Agreement (EA) subscription that is a descendant of the management group and applies to all VMs in those subscriptions. Because the resource or subscription owner cannot alter a policy inherited from above, governance improves.

When organizations need to enable Microsoft Defender for Cloud across subscriptions that host different workloads, and therefore have different assessment needs, they commonly want to customize its policies and control them at the Management Group level rather than at the subscription level. Let's use the scenario below as an example:

In the example above, the Management Groups reflect a company with branch offices, and each subscription represents a department. Because each branch office may have different policy needs, the recommendation is to assign the Microsoft Defender for Cloud initiative at the Management Group level and remove the default assignment from the subscription level.

The Microsoft Defender for Cloud initiative to assign at the Management Group level is the built-in initiative Enable Monitoring in Microsoft Defender for Cloud:

Once the assignment is complete, open Microsoft Defender for Cloud / Security Policy; the policy assignment for the subscription will look like this:

On the right side of this page you will see that the policy is now inherited from the Management Group level. On the left, however, there are still two assignments to the subscription. To see them, click the View effective policy button. The two initiatives* bound to this subscription are:

  • Microsoft Defender for Cloud Default (subscription_id): default initiative for the subscription.
  • Enable Monitoring in Microsoft Defender for Cloud: initiative that you assigned in the Management Group level.

*Note: in some circumstances you may have more than two; it depends on how your subscription was configured. Before making changes, validate with your team that those initiatives are no longer in use and can be removed.

Go to Azure Policy and remove the Microsoft Defender for Cloud Default assignment at the subscription level. That way control always stays centralized at the Management Group level. If you have multiple subscriptions to clean up, you can use this script. It assumes you have already assigned the initiative at the Management Group level; it scans all subscriptions and removes the Microsoft Defender for Cloud Default assignment from each one.
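
As an added example (this is not the script the post links to, which was authored by Nathan Swift, nor Microsoft's own code), the PowerShell below performs the same cleanup for every subscription under a management group, with one safety check the procedure above implies but the portal does not enforce: it removes the subscription-level default only after confirming that the subscription already inherits an assignment of the initiative from a management group, so no subscription is ever left without a Defender for Cloud policy. The management group name, the initiative definition ID you pass in, and the resource name SecurityCenterBuiltIn that Defender for Cloud uses for its default assignment are assumptions to verify in your tenant.

```powershell
<#
  Added example, not the script referenced in this post.
  Requires the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session
  holding Resource Policy Contributor (or Owner) on the management group and its subscriptions.
  ASSUMPTIONS to verify in your tenant: the management group name, the initiative definition ID,
  and the assignment name 'SecurityCenterBuiltIn' used for the subscription-level default.
#>
param(
    [Parameter(Mandatory)] [string] $ManagementGroupName,
    # Fully qualified ID of the initiative assigned at the MG level, e.g.
    # '/providers/Microsoft.Authorization/policySetDefinitions/<guid>' (copy it from Azure Policy > Definitions).
    [Parameter(Mandatory)] [string] $MgInitiativeDefinitionId,
    [switch] $ReportOnly   # list what would be removed without removing anything
)

$ErrorActionPreference = 'Stop'

function Get-AssignmentProp {
    # Az.Resources 7.x exposes assignment properties at the top level; older versions nest them
    # under .Properties. Read whichever is present so the script works with both.
    param($Assignment, [string] $Name)
    if ($null -ne $Assignment.Properties) { return $Assignment.Properties.$Name }
    return $Assignment.$Name
}

function Get-SubscriptionsUnderManagementGroup {
    # Walks the management group tree (nested groups included) and returns the subscription IDs beneath it.
    param([string] $GroupName)
    $root  = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse
    $subs  = [System.Collections.Generic.List[string]]::new()
    $stack = [System.Collections.Stack]::new()
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in @($node.Children)) {
            if ($child.Type -match 'subscriptions$') { $subs.Add($child.Name) }   # Name holds the subscription ID
            else { $stack.Push($child) }                                           # nested management group
        }
    }
    return $subs
}

foreach ($subId in (Get-SubscriptionsUnderManagementGroup -GroupName $ManagementGroupName)) {
    $scope = "/subscriptions/$subId"
    $null  = Set-AzContext -SubscriptionId $subId
    # Unfiltered listing at subscription scope includes assignments inherited from ancestor management groups.
    $assignments = @(Get-AzPolicyAssignment -Scope $scope)

    # Guard: skip the subscription if no MG-level assignment of the initiative reaches it.
    $inherited = $assignments | Where-Object {
        (Get-AssignmentProp $_ 'PolicyDefinitionId') -eq $MgInitiativeDefinitionId -and
        (Get-AssignmentProp $_ 'Scope') -like '/providers/Microsoft.Management/managementGroups/*'
    }
    if (-not $inherited) {
        Write-Warning "$subId : no management-group-level assignment of the initiative found, skipping"
        continue
    }

    # The default assignment lives directly on the subscription. Match it by its assumed resource name
    # or by the display name the portal shows ("ASC Default ..." / "Microsoft Defender for Cloud Default ...").
    $defaults = $assignments | Where-Object {
        (Get-AssignmentProp $_ 'Scope') -eq $scope -and (
            $_.Name -eq 'SecurityCenterBuiltIn' -or
            (Get-AssignmentProp $_ 'DisplayName') -match '^(ASC|Microsoft Defender for Cloud) Default'
        )
    }
    if (-not $defaults) { Write-Host "$subId : no subscription-level default assignment, nothing to do"; continue }

    foreach ($a in $defaults) {
        $label = "$subId : $($a.Name) ($(Get-AssignmentProp $a 'DisplayName'))"
        if ($ReportOnly) { Write-Host "WOULD REMOVE $label"; continue }
        $null = Remove-AzPolicyAssignment -Name $a.Name -Scope $scope
        Write-Host "REMOVED $label"
    }
}
```

Run it first with -ReportOnly to review which assignments would be removed and which subscriptions are skipped for lacking an inherited assignment; only then run it without the switch. Any subscription the script skips is one where the management group assignment has not taken effect yet, which is exactly the case in which removing the default would leave the subscription unassessed.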

 

Additional Readings

Reviewers

Miri Landau, Tal Rosler and Meital Taran-Gutman from the Microsoft Defender for Cloud Engineering Team

Script Referenced

Authored by Nathan Swift.

Updated Oct 24, 2021
Version 4.0
  • cloudguy000

    Great article! Any idea why I am not seeing the 'MG Inherited' but I am seeing policies for the Subscription level when policies are only applied at the Management Group the subscription belongs to? YuriDiogenes 

  • shaunsat

    So from my usage this doesn't actually work. Removing the ASC default from the subscription causes Azure to complain: first it disables all the "Industry & regulatory standards" policies and then applies all the ones you have disabled. It also never seems to actually remove the default ASC; it is lingering somewhere in the background. Then if you add it again it allows you to enable/disable "Industry & regulatory standards" policies and even disable the ASC default (doesn't seem to actually disable), however it then conflicts with your MG policy. I have tried leaving it for days and doing a policy trigger.

    Another issue I found is there is no way to actually script the settings, so I want to deploy the ASC default with some disabled and others changed to AuditIfNotExist; I have tried so many different ways without luck. Any ideas on that?