Microsoft Defender for Cloud Blog

Identifying Subscriptions that are not Managed by Microsoft Defender for Cloud

Safeena Begum Lepakshi
Feb 02, 2021

Microsoft Defender for Cloud continually assesses your subscriptions to identify resources and provide security recommendations for them. 

For large organizations with many subscriptions, it is recommended to manage access and policies with Azure Management Groups, organizing subscriptions according to business needs. By moving multiple subscriptions under a management group, you can create one Azure role assignment at the management-group level, and that access is inherited by all the subscriptions beneath it. Every directory is given a single top-level management group called the “Root” management group. This root management group is built into the hierarchy so that all management groups and subscriptions fold up to it. Similarly, when organizations need to enable Microsoft Defender for Cloud across subscriptions that have different workloads and therefore different assessment needs, they commonly customize its policies and control them at the management-group level rather than at the subscription level, to maintain centralized policy management in Microsoft Defender for Cloud. Refer to this article if you haven’t already considered this approach.

With the above understanding of Management Groups and visibility across multiple subscriptions, it is important to be aware that a newly created subscription stays in the Root Management Group by default. It is common for organizations to provision new subscriptions daily, and because those subscriptions land in the root management group, keeping them in the correct Management Group becomes a challenge. This also creates a problem of monitored vs. non-monitored subscriptions. In this blog, I’m introducing you to a workflow automation that helps you identify subscriptions that are not monitored and take action to fix the problem.


Prerequisites

The automation uses a User Assigned Managed Identity to query the Root management group. Please follow the step-by-step instructions below:

  1. Create a User Assigned Managed Identity. Follow the instructions listed in the doc to create a user-assigned managed identity.
  2. Once the User-assigned managed identity is created, assign it Reader permissions on the Root Management Group (refer to the section ‘Authorize the Tenant Root Group and Logic App’s managed identity’ for step-by-step instructions).
  3. Enable and add the User assigned identity created above to the Logic App. Follow the instructions here to assign the User assigned identity to the Logic App, or refer to the section ‘Authorize the Tenant Root Group and Logic App’s managed identity’ for step-by-step instructions.

How to deploy the automation playbook

You can find an ARM template that will deploy the Logic App Playbook and all necessary API connections in the Microsoft Defender for Cloud GitHub repository. Once you have deployed the ARM template, you will have some manual steps to take before the tool will work as expected.

 

Make sure to authorize the Office 365 API connection

This API connection is used to send emails weekly. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the Office365 API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press 'Save'.

Authorize the Tenant Root Group and Logic App’s managed identity

The Logic App uses a user assigned managed identity. For this purpose, you need to grant it the Reader role on the tenant root management group so it is able to query all the subscriptions.


Make sure you have User Access Administrator or Owner permissions for this scope.

  1. Go to the Management groups page.
  2. Click on the details of the ‘Tenant root group’.
  3. Press 'Access Control (IAM)' on the navigation bar.
  4. Press '+Add' and 'Add role assignment'.
  5. Choose ‘Reader’ role.
  6. Assign access to User assigned managed identity.
  7. Choose the subscription where the logic app was deployed.
  8. Select the name of the User assigned identity.
  9. Press 'Save'.

Make sure you assign the User assigned managed identity to Logic App.

  1. Choose the logic app.
  2. Select Identity under Settings.
  3. Choose User assigned.
  4. Click on ‘Add’ and select the User assigned managed identity you created in the pre-requisite section.

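The same two prerequisite steps (create the identity, grant it Reader on the tenant root group) can be scripted. The following is an added example written for this post, not code from the GitHub sample or the Logic App template; the resource group name, identity name and location are assumed values, and it uses the Az.Accounts, Az.ManagedServiceIdentity and Az.Resources modules. Assigning the identity to the Logic App itself is left to the portal steps above.

```powershell
# Added example (not from the original post or the GitHub sample): create the
# user-assigned managed identity and grant it Reader on the tenant root group.
# Requires Az.Accounts, Az.ManagedServiceIdentity and Az.Resources.
# $ResourceGroup, $IdentityName and $Location are assumed values; change them.
$ResourceGroup = 'rg-defender-automation'
$IdentityName  = 'id-rootmg-reader'
$Location      = 'eastus'

Connect-AzAccount | Out-Null

# Step 1: create the user-assigned managed identity.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup `
                                       -Name $IdentityName `
                                       -Location $Location

# The tenant root management group's ID is the Azure AD tenant ID.
$tenantId  = (Get-AzContext).Tenant.Id
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Step 2: grant Reader at the root management group scope. The caller needs
# Owner or User Access Administrator on the root group for this to succeed.
$existing = Get-AzRoleAssignment -ObjectId $identity.PrincipalId `
                                 -RoleDefinitionName 'Reader' `
                                 -Scope $rootScope -ErrorAction SilentlyContinue

if (-not $existing) {
    # A freshly created identity can take a moment to replicate, so retry
    # a few times instead of failing on the first "principal not found".
    $assignment = $null
    for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
        try {
            $assignment = New-AzRoleAssignment -ObjectId $identity.PrincipalId `
                                               -RoleDefinitionName 'Reader' `
                                               -Scope $rootScope -ErrorAction Stop
        } catch {
            Start-Sleep -Seconds 10
        }
    }
}

# Verify: the identity should now hold Reader (and only Reader) at root scope.
Get-AzRoleAssignment -ObjectId $identity.PrincipalId -Scope $rootScope |
    Select-Object RoleDefinitionName, Scope
```

Reader is the least privilege the automation needs; it only lists subscriptions and reads their Defender for Cloud status, so nothing broader should be granted at the root group.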

How it works

By default this automation runs weekly and queries the Root Management group to identify any new subscription(s) that are directly assigned to the root management group. If one or more subscriptions are found in the Root management group, the Logic App sends an email with the following details: Subscription Name, Subscription ID, Action, and Status of the subscription (whether ASC, now Microsoft Defender for Cloud, is enabled or disabled). Image 1 shows an example of what this email looks like:

Image 1: Email Notification of subscription(s) assigned to Root Management Group

Make sure to add the subscription(s) to the Management Groups in order to start monitoring them with Microsoft Defender for Cloud. The automation artifact also creates a Storage account with a table storage in it during the deployment of the template. If the subscription was assigned to the root management group on purpose, you can exclude it from the email on the next run by clicking the hyperlink ‘Exclude <subscriptionname>’ under the Action column of Image 1. When you click the hyperlink, the subscription name is added to the table storage of the storage account. The successful addition to the exclusion list is confirmed in the browser, as shown in Image 2.

Image 2: Confirmation of subscription addition to Storage account’s Table Storage (Exclusion List)

With the help of Microsoft Azure Storage Explorer, you can connect to the storage account to confirm the subscription has been added successfully in the above step. Refer to the example in Image 3.

Image 3: Storage Explorer view

By doing so, during the next run of the Logic App, it queries the exclusion list (table storage) and, in case the result matches subscription(s) already in the exclusion list, the Logic App does not alert you for those subscription(s), as it understands the assignment to the root management group was on purpose. This process makes it easy for security admins to deal with monitored vs. un-monitored subscriptions.

An example of next run is shown in the example screenshot Image 4 (Notice how ‘Azure Subscription 1’ is excluded and not notified in the email).

Image 4: Logic App next run result

It is very important to check the ASC Enabled field and make sure the subscription is monitored by Microsoft Defender for Cloud, so that it can assess your environment, show you the status of your resources and eventually help you increase your organization’s secure score.

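To see the same three facts the weekly email reports (which subscriptions sit directly under the tenant root group, which of them are on the exclusion list, and whether Defender for Cloud is enabled on each), the check can be reproduced interactively. The following is an added example and not the Logic App's own logic; the exclusion list is a constructed array standing in for the table storage the template creates, and the script uses the Az.Accounts, Az.Resources and Az.Security modules with an account that has Reader on the root group.

```powershell
# Added example (not the post's Logic App): reproduce its weekly check from a
# PowerShell session. Lists subscriptions directly under the tenant root
# management group, skips those on an exclusion list, and reports whether any
# Defender for Cloud plan is enabled. Requires Az.Accounts, Az.Resources and
# Az.Security; the caller needs Reader on the root group (see Prerequisites).

# Constructed stand-in for the Logic App's table-storage exclusion list.
# In the real automation this comes from the storage account the template creates.
$ExclusionList = @('Azure Subscription 1')

$originalContext = Get-AzContext
$tenantId        = $originalContext.Tenant.Id

# Direct children only (no -Recurse): a subscription nested under a child
# management group is already where it belongs.
$root       = Get-AzManagementGroup -GroupName $tenantId -Expand
$directSubs = $root.Children | Where-Object { $_.Type -eq '/subscriptions' }

$report = foreach ($sub in $directSubs) {
    # Excluded subscriptions were placed under root on purpose; skip them,
    # exactly as the Logic App does on its next run.
    if ($ExclusionList -contains $sub.DisplayName) { continue }

    # "ASC Enabled" means at least one Defender plan is on the Standard tier.
    $enabled = $false
    try {
        # For management-group children, Name holds the subscription ID.
        Set-AzContext -SubscriptionId $sub.Name -ErrorAction Stop | Out-Null
        $plans   = Get-AzSecurityPricing -ErrorAction Stop
        $enabled = [bool]($plans | Where-Object { $_.PricingTier -eq 'Standard' })
    } catch {
        # Reader on the root group is inherited, but a subscription can still be
        # unreadable (for example, disabled). Report it rather than hide it.
        $enabled = 'Unknown'
    }

    [pscustomobject]@{
        SubscriptionName = $sub.DisplayName
        SubscriptionId   = $sub.Name
        Action           = 'Move to a management group'
        DefenderEnabled  = $enabled
    }
}

# Restore the context we started in, then print the table.
Set-AzContext -Context $originalContext | Out-Null
$report | Format-Table -AutoSize
```

A row with DefenderEnabled set to False is the case the post warns about: the subscription is not only outside its intended management group but also not being assessed, so it gets no recommendations and contributes nothing to the secure score until it is moved and a Defender plan is enabled.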

Go ahead and deploy the workflow in your environment to prioritize monitoring security hygiene. Let us know what you think by commenting on this article.


This logic app, as well as many others, can be found here:

Direct Link to GitHub sample

Microsoft Defender for Cloud GitHub Repo

 

Reviewer

Special Thanks to ‘Nicholas DiCola, Partner Director’ & ‘Gilad Elyashar, Principal Group Program Manager’, for envisioning this wonderful automation idea.

Special Thanks to Yuri Diogenes, Principal PM Manager for reviewing this article and for the inputs.

Updated Oct 31, 2021
Version 2.0
  • Safeena Begum Lepakshi. A good article. Thanks for sharing. One thing: once we receive the email for an unmonitored subscription, does the customer need to manually enable it and then add it to exclusions?

  • Pavan_Gelli1910 Thank you for the feedback. The automation uses two logic apps. In an instance where you receive an email with unmonitored subscription(s) and you'd like to add the subscription(s) to the exclusion list, you simply have to click on the subscription ID hyperlink under 'Action' (in the email), and the 2nd logic app will be kicked in automatically and add that subscription to the exclusion list.

    You can view the exclusions in the storage account that the logic app creates automatically during the deployment.