Large organizations that have multiple subscriptions in a single tenant environment are probably already using Azure Management Groups to organize their subscriptions according to the business needs, by creating a hierarchy that applies a policy that reflect the needs of those subscriptions. For example, a policy that limits VM locations to the US West Region in the group called "Production". This policy will inherit onto all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions. This security policy cannot be altered by the resource or subscription owner allowing for improved governance.
When organizations need to enable Azure Security Center across different subscriptions that have different workloads and therefore different assessment needs, it is also common that they want to customize its policies and control it in the Management Group level rather than in the subscription level. Let’s use the scenario below as an example:
In the example above, the Management Groups are reflecting the state where the company has branch offices and each subscription represents a department. Since each branch office may have different needs from the policy perspective, it is recommended to assign the Azure Security Center initiative to the Management Group level, and remove the default assignment from the Subscription level.
The Azure Security Center initiative that you should assign to the Management Group level is the following one:
Once you finish this assignment, you will notice that in Azure Security Center / Security Policy, your policy assignment will look like this:
In the right side of this page, you will see that the policy is now inherited from the Management Group level. However, you also see on the left, that there are two assignments to the subscription. To see these assignments, click View effective policy button. You will see the two initiatives* that are bound to this subscription are:
*Note: in some circumstances, you may have more than two, it depends on how your subscription was configured. Before making changes, make sure you validate with your team that those initiatives are not in use anymore and can be removed.
You need to go to Azure Policy and remove the ASC Default assignment from the subscription level. This way you are going to always have centralized control in the Management Group level. If you have multiple subscriptions to remove the assignment, you can leverage this script. This assumes that you already configured the initiative in the Management Group level, so it will scan all subscriptions and remove the ASC Default policy from it.
Miri Landau, Tal Rosler and Meital Taran- Gutman from the Azure Security Center Engineering Team
Authored by Nathan Swift.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.