Microsoft

Large organizations that have multiple subscriptions in a single tenant environment are probably already using Azure Management Groups to organize their subscriptions according to business needs, by creating a hierarchy that applies a policy reflecting the needs of those subscriptions. For example, a policy that limits VM locations to the US West Region in the group called "Production". This policy is inherited by all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and applies to all VMs under those subscriptions. This security policy cannot be altered by the resource or subscription owner, allowing for improved governance.

 

When organizations need to enable Azure Security Center across different subscriptions that have different workloads and therefore different assessment needs, it is also common that they want to customize its policies and control it in the Management Group level rather than in the subscription level. Let’s use the scenario below as an example:

 

[Figure: diagram.JPG]

 

In the example above, the Management Groups reflect a company that has branch offices, and each subscription represents a department. Since each branch office may have different needs from the policy perspective, it is recommended to assign the Azure Security Center initiative at the Management Group level, and remove the default assignment from the Subscription level.

 

The Azure Security Center initiative that you should assign to the Management Group level is the following one:

 

[Figure: MG_Fig5.JPG]

 

Once you finish this assignment, you will notice that in Azure Security Center / Security Policy, your policy assignment will look like this:

 

[Figure: MG_Fig8.JPG]

 

On the right side of this page, you will see that the policy is now inherited from the Management Group level. However, you also see on the left that there are two assignments to the subscription. To see these assignments, click the View effective policy button. You will see that the two initiatives* bound to this subscription are:

 

  • ASC Default (subscription_id): the default initiative for the subscription.
  • Enable Monitoring in Azure Security Center: the initiative that you assigned at the Management Group level.

*Note: in some circumstances you may have more than two; it depends on how your subscription was configured. Before making changes, validate with your team that those initiatives are no longer in use and can be removed.

 

You need to go to Azure Policy (https://docs.microsoft.com/en-us/azure/governance/policy/overview) and remove the ASC Default assignment from the subscription level. This way you will always have centralized control at the Management Group level. If you have multiple subscriptions from which to remove the assignment, you can leverage this script: https://github.com/Azure/Azure-Security-Center/tree/master/Security%20policy%20configuration/Remove%20ASC%20Default%20policy%20assignment%20from%20Azure%20subcription%20if%20it%20exists%20at%20management%20group. It assumes that you have already configured the initiative at the Management Group level, so it will scan all subscriptions and remove the ASC Default policy assignment from each of them.
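As an added example (not the post's script by Nathan Swift), the check the removal step implies, written in Python over a constructed hierarchy and assignment list: a subscription-level ASC Default assignment is flagged for removal only when the same initiative is already assigned at an ancestor Management Group, and the output is a dry run of az CLI commands rather than a live deletion. The management group names, subscription names and initiative id are assumed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    name: str           # assignment name as shown by `az policy assignment list`
    display_name: str   # e.g. "ASC Default (subscription: <id>)"
    scope: str          # subscription or management group resource id
    definition_id: str  # initiative (policySetDefinition) id being assigned

# Constructed hierarchy (not from the post): root -> Branch-East, Branch-West
MG_PARENT = {"root": None, "Branch-East": "root", "Branch-West": "root"}
SUB_PARENT_MG = {"sub-finance": "Branch-East", "sub-hr": "Branch-East", "sub-sales": "Branch-West"}
MG = "/providers/Microsoft.Management/managementGroups/"
# Placeholder: substitute the Security Center initiative id from your own tenant.
ASC_INITIATIVE = "/providers/Microsoft.Authorization/policySetDefinitions/ASC-INITIATIVE-ID-PLACEHOLDER"

def ancestor_mgs(sub: str) -> list:
    """Management groups from the subscription's parent up to the root."""
    chain, mg = [], SUB_PARENT_MG.get(sub)
    while mg is not None:
        chain.append(mg)
        mg = MG_PARENT.get(mg)
    return chain

def redundant_asc_default(sub: str, assignments) -> list:
    """Subscription-level 'ASC Default' assignments whose initiative is also assigned
    at an ancestor MG, so the subscription copy is safe to remove. With no inherited
    copy nothing is returned: removing it would leave the subscription uncovered."""
    inherited = {a.definition_id for a in assignments
                 if a.scope in {MG + m for m in ancestor_mgs(sub)}}
    return [a for a in assignments
            if a.scope == f"/subscriptions/{sub}"
            and a.display_name.startswith("ASC Default")
            and a.definition_id in inherited]

def removal_commands(sub: str, assignments) -> list:
    """Dry run: the az CLI commands to review before actually running them."""
    return [f"az policy assignment delete --name {a.name} --scope {a.scope}"
            for a in redundant_asc_default(sub, assignments)]

# Constructed sample resembling `az policy assignment list` output.
SAMPLE = [
    Assignment("EnableMonitoringMG", "Enable Monitoring in Azure Security Center", MG + "Branch-East", ASC_INITIATIVE),
    Assignment("SecurityCenterBuiltIn", "ASC Default (subscription: sub-finance)", "/subscriptions/sub-finance", ASC_INITIATIVE),
    Assignment("SecurityCenterBuiltIn", "ASC Default (subscription: sub-hr)", "/subscriptions/sub-hr", ASC_INITIATIVE),
    Assignment("SecurityCenterBuiltIn", "ASC Default (subscription: sub-sales)", "/subscriptions/sub-sales", ASC_INITIATIVE),
    Assignment("FinanceBaseline", "Finance custom baseline", "/subscriptions/sub-finance",
               "/providers/Microsoft.Authorization/policySetDefinitions/CUSTOM-ID-PLACEHOLDER"),
]
```

In the sample, sub-sales keeps its ASC Default assignment because Branch-West carries no Management Group assignment, and the unrelated Finance custom baseline is left alone, which is the case the note above about "more than two" initiatives warns about.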

 

Additional Readings

  • Gain tenant-wide visibility for Azure Security Center: https://docs.microsoft.com/en-us/azure/security-center/security-center-management-groups
  • Working with security policies: https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy

Reviewers

Miri Landau, Tal Rosler and Meital Taran-Gutman from the Azure Security Center Engineering Team

 

Script Referenced

Authored by Nathan Swift.

2 Comments
Occasional Visitor

Great article! Any idea why I am not seeing the 'MG Inherited' but I am seeing policies for the Subscription level when policies are only applied at the Management Group the subscription belongs to? @Yuri Diogenes 

Microsoft

@cloudguy000 did you completely remove the policy from the subscription level? If you didn't, it will still show up there.