Forum Discussion
Feedback: Some ASC policies do not work
Hi,
I want to flag this specific issue that I have encountered, but I was not sure if this was very good for user voice. In ASC we have both recommendations and Security policies in Azure Policy. We can see that some of the recommendations are also available as policies. I do not know if the idea is for policies to replace recommendations or to complement them, but I've noticed this strange behavior. In ASC I have this recommendation:
but when I go to Azure Policy, for the policy that is the same as the recommendation I get compliant.
I think this issue is probably caused by the API the policy uses:
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "type": "Microsoft.Security/complianceResults",
    "name": "EnforceHttps",
    "existenceCondition": {
      "field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": [
        "Monitored",
        "NotApplicable",
        "OffByPolicy",
        "Healthy"
      ]
    }
  }
}
}
I am not sure what the unacceptable values for this API are, but the resource in question is shown as Monitored by this API. There are a lot of policies built that way, so maybe if the API does not work for one recommendation it does not work for all, so all these policies might give wrong results.
- Rob_Burton Copper Contributor
Another one that does not work is
[Preview]: Audit maximum number of owners for a subscription
"if": {
  "field": "type",
  "equals": "Microsoft.Resources/subscriptions"
},
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "type": "Microsoft.Security/complianceResults",
    "name": "DesignateLessThanXOwners",
    "existenceCondition": {
      "field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": [
        "Monitored",
        "NotApplicable",
        "OffByPolicy",
        "Healty"   <-------- Spelling mistake, if you change to "Healthy" it reports correctly
- Ryan Heffernan Microsoft
Adding Ben Kliger and Meital Taran-Gutman. Can either of you speak to this?
- Meital Taran-Gutman Microsoft
In the last few months, ASC moved to Azure Policy as the main platform for running its security assessments. This means that since then, all ASC recommendations are manifested as policy definitions in Azure Policy.
Unfortunately we had an issue of inconsistency between the compliance results shown in Policy vs. those shown in ASC. This has been fixed already. Can you confirm if this issue is still reproduced in your environment?
Meital Taran-Gutman This policy still does not work and I never got a reply on why this is. Are you looking into this problem?
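Added example, not part of the original thread and not Microsoft's code: a small linter that walks a policy rule and flags any `resourceStatus` value that is not one of the four statuses spelled correctly in the snippets above, which is how the "Healty" typo reported in the thread could be caught before a definition is assigned. The accepted-status set and the `sample_rule` helper are assumptions built from the thread's snippets, not an authoritative list of API values.

```python
import difflib

# Assumption: accepted statuses are the four seen (correctly spelled) in the thread.
EXPECTED = {"Monitored", "NotApplicable", "OffByPolicy", "Healthy"}
STATUS_FIELD = "Microsoft.Security/complianceResults/resourceStatus"

def find_status_conditions(node, path="policyRule"):
    """Yield (path, values) for every condition on STATUS_FIELD, at any depth."""
    if isinstance(node, dict):
        if str(node.get("field", "")).casefold() == STATUS_FIELD.casefold():
            values = node.get("in", [node["equals"]] if "equals" in node else [])
            if isinstance(values, list):
                yield path, values
        for key, child in node.items():
            yield from find_status_conditions(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_status_conditions(child, f"{path}[{i}]")

def lint_policy_rule(rule):
    """Return one finding per status value that is not in EXPECTED."""
    known = {e.casefold() for e in EXPECTED}  # Azure Policy string matching ignores case
    findings = []
    for path, values in find_status_conditions(rule):
        for value in values:
            text = str(value)
            if text.startswith("[") or text.casefold() in known:
                continue  # template expression such as [parameters('x')], or a known status
            guess = difflib.get_close_matches(text, sorted(EXPECTED), n=1, cutoff=0.7)
            findings.append({"path": path, "value": text,
                             "suggestion": guess[0] if guess else None})
    return findings

def sample_rule(name, statuses):
    """Constructed sample shaped like the policy fragments quoted in the thread."""
    return {
        "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
        "then": {"effect": "[parameters('effect')]", "details": {
            "type": "Microsoft.Security/complianceResults", "name": name,
            "existenceCondition": {"field": STATUS_FIELD, "in": statuses}}},
    }

if __name__ == "__main__":
    rule = sample_rule("DesignateLessThanXOwners",
                       ["Monitored", "NotApplicable", "OffByPolicy", "Healty"])
    for f in lint_policy_rule(rule):
        print(f"{f['path']}: unexpected status {f['value']!r}, did you mean {f['suggestion']!r}?")
```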