Resource exemption in Azure Security Center

Published Sep 23 2020 08:53 AM 8,538 Views

Edited on 1/26/2021 to reflect the latest changes within the resource exemption capability of Azure Security Center.


Resource exemption will allow increased granularity for you to fine-tune recommendations by providing the ability to exempt certain resources from evaluation. With Azure Security Center’s Cloud Security Posture Management (CSPM) capabilities, we are offering a broad set of recommendations and security controls, that might be relevant for most, but not all customers. In the past, the only way to remove recommendations from the ASC dashboard and prevent them from influencing your Secure Score was to disable the whole related policy in the Azure Security Center Policy Initiative. That way, all resources were affected, meaning that once you switched off a policy, the particular recommendation that was derived from it, was never shown again for any resource. Now, with the new resource exemption capability, you can select which resource or scope should no longer be evaluated against a particular recommendation, whereas others still are. It allows you to exempt resources in case they are already healthy because the recommendation's intent was resolved by other means that ASC does not identify, or because you’ve decided to accept the risk of not mitigating a particular recommendation for a resource. Maybe, you have research and development environments for which you want to apply a not-so-strict baseline, whereas the rest of resources in the same subscriptions need to be fully protected. These are great examples for exempting these resources from evaluation with waiver as justification, whereas your production environments are still protected. Maybe you have a mix of Vulnerability Assessment solutions in your environment, some of which are not tracked by Azure Security Center. In this scenario, the respective recommendation has already been remediated, and you can now create an exemption for these resources and select mitigated as justification.


Figure 1 - Create exemption bladeFigure 1 - Create exemption blade



Our goal is to reduce alert-fatigue so that security analysts can focus on the highest priority recommendations. As a result, your secure score will not be impacted by exempted resources.


How does it work?

The process for exempting a resource from a recommendation is straightforward and explained in our official documentation. Basically, when working with a recommendation, you just have to click the Exempt button on top of the recommendation's blade.


Figure 2 - Create exemptionFigure 2 - Create exemption


From a technical perspective, when you create a resource exemption, the status of the particular assessment (the evaluation of a particular resource against a given recommendation) is changed. The properties of the assessment will contain the status code “NotApplicable”, the cause “Exempt” and a description, as shown in the screenshot below.


Figure 3 – Assessment status after creating a resource exemptionFigure 3 – Assessment status after creating a resource exemption


At the same time, creating a resource exemption in ASC will create an Azure Policy exemption, a new capability the resource exemption feature in ASC relies on. That said, there are several ways to programmatically work with resource exemptions.


Resource exemption and automation

Knowing that an assessment is changed, and a new policy exemption is created every time you create a resource exemption in ASC, you have several ways of programmatically interacting with the resource exemption feature.


Azure Resource Graph

Assessments in Azure Security Center are continuously exported to Azure Resource Graph, giving you a great starting point for automation. ARG is a database that keeps a set of information which is gathered from different resources, giving you a very fast option to query information instead of separately pulling it from our REST APIs. Eli Koreh showed in his article how easy it is to create custom dashboards for ASC powered by ARG. You can find a list of starter query samples for Azure Resource Graph in the documentation.


To give you an idea of how to work with resource exemption in an ARG query, I’ve created the following sample, that will return a list of all resource exemptions that have been created in your environment:







| where type == '' and properties.status.cause == 'Exempt'
| extend assessmentKey = name, resourceId = tolower(trim(' ',tostring(properties.resourceDetails.Id))), healthStatus = properties.status.code, cause = properties.status.cause, reason = properties.status.description, displayName = properties.displayName
| project assessmentKey, id, name, displayName, resourceId, healthStatus, cause, reason




You can tune that query according to your needs, but it’s great as is for a quick overview on all exemptions you have created in your environment.

Resource Exemption and REST API

When a resource exemption in ASC is created, an exemption in the ASC Policy Initiative assignment is created. This is why you can leverage the Microsoft.Authorization/policyExemptions API to query for existing exemptions. This API is available as of version 2020-07-01-preview.


A GET call against the REST URI<your sub ID>/providers/Microsoft.Authorization/policyExemptions?api-version=2020-07-01-preview will return all exemptions that have been created for a particular subscription, similar to the output shown below:




  "value": [
      "properties": {
        "policyAssignmentId": "/subscriptions/<yourSubID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
        "policyDefinitionReferenceIds": [
        "exemptionCategory": "waiver",
        "displayName": "ASC-vmName-diskEncryptionMonitoring-BuiltIn",
        "description": "demo justification",
        "expiresOn": "2020-09-22T22:00:00Z"
      "systemData": {
        "createdBy": "",
        "createdByType": "User",
        "createdAt": "2020-09-22T09:27:23.7962656Z",
        "lastModifiedBy": "",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2020-09-22T09:27:23.7962656Z"
      "id": "/subscriptions/<yourSubID>/resourceGroups/<yourRG>/providers/Microsoft.Compute/virtualMachines/<vmName>/providers/Microsoft.Authorization/policyExemptions/ASC-vmName-diskEncryptionMonitoring-BuiltIn",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "ASC-vmName-diskEncryptionMonitoring-BuiltIn"




You can find further information about Policy Exemptions in the Azure Policy documentation.

(Workflow) automation with Logic Apps

Azure Security Center’s workflow automation feature is great for both, automatically reacting on alerts and recommendations, as well as manually triggering an automation in case you need it. I have created a sample playbook to request a resource exemption, that I want to explain a bit further below:


Request a resource exemption

In order to be able to create a resource exemption in ASC, your user account needs to be granted elevated access rights, such as Security Admin. In enterprise environments that we are working with, we often see that Azure subscriptions are given to people who are responsible for their own set of resources, but security is still owned by a central team. In this scenario, you don’t want to necessarily give every resource owner the right to create a resource exemption, but still, for justified reasons, someone should be allowed to request an exemption. To make this process easier and to fit it into your approval process, I’ve created a Logic App that can manually be triggered from the recommendation blade and allows you to request an exemption. Once a resource owner is checking recommendations and wants to exempt a resource, they can do it by clicking the Trigger Logic App button. The screenshot below shows the easy process:


Figure 4 – Request resource exemption processFigure 4 – Request resource exemption process


  1. Select one or several resources to be exempted from the recommendation you are currently investigating.
  2. Click the Trigger Logic App button
  3. Select the Request-ResourceExemption Logic App (or whatever name you give it when deploying it)
  4. Click the Trigger button

The Logic App leverages the When an ASC recommendation is created or triggered trigger and will then send an email and a Teams message to the subscription’s security contact(s). This email and message will contain information about the resource, the recommendation, and a link that, once clicked, will lead you directly to a portal view that enables you to immediately create the requested resource exemption. You can find this playbook in our Azure Security Center GitHub repository, from where you can one-click deploy it to your environment.


Figure 5 – content of the request emailFigure 5 – content of the request email


You can also use this sample playbook as a starting point for customizations according to your needs. For example, if you want to create a ServiceNow or JIRA ticket with that workflow, you can simply add a new parallel branch with the Create a new JIRA issue or the Create ServiceNow Record actions:


Figure 6 – add parallel branches for JIRA and/or ServiceNow to the Logic AppFigure 6 – add parallel branches for JIRA and/or ServiceNow to the Logic App


Next Steps

Resource Exemption in Azure Security Center now gives you a way to exempt resources from a recommendation in case it has already been remediated by a process not monitored by Azure Security Center, or in case your organization has decided to accept the risk related to that recommendation. You can easily build your own automations around that feature or leverage the sample artifact we have published in the Azure Security Center GitHub community. You can also publish your own automation templates in the community, so others can benefits from your efforts, as well. We have started a GitHub Wiki so you can easily learn how to publish your automations.


Now, go try it out and let us know what you think! We have published a short survey so you can easily share your thoughts around this new capability and the automation artifact with us.


Special thanks to Miri Landau, Senior Program Manager for reviewing this article.

Occasional Visitor

Creating an exemption does not work for us. What is the correct to report the problem because feature is still in preview?


Hi there,
if your issue still persists and you cannot create exemptions in your environment, I'd suggest you raise a support ticket from inside Azure Portal. Please be aware that it can take some time before the exemption is created.

Occasional Visitor

The failing resource was created by databricks and had a deny assignment. 


I already contacted left feedback about ASC recommendation that created alert with exemption action for a resource that is not user-managed at all.

Senior Member

I would love to be able to pull back the optional description given for an exemption.  I have not been able to find this property in the Graph Explorer.  Any ideas/thoughts?


Hi @jfolberth 
once you create a resource exemption in ASC, a policy exemption is created in Azure Policy. You can use the Microsoft.Authorization/policyExemptions REST API to query that information. I have published another article that explains how to keep track of resource exemptions here. In this article, you'll learn how to use the different APIs to get all information related to exemptions.

Regular Visitor

Hi there,

Do we have any ETA for this exemption feature to be released GA ? It's been in Public Preview for quite a while now.

Version history
Last update:
‎Jan 26 2021 03:33 AM
Updated by: