Weekly Secure Score Progress Report

Published Feb 25 2021 06:28 AM

With the increasing number of resources in your Azure environment, you need a way to understand and prioritize the security hygiene of your environment, and that's where Azure Security Center comes into the picture. Azure Security Center continuously assesses Azure resources within a subscription to identify security issues and provides a list of security recommendations based on the Azure Security Benchmark. Recommendations are grouped into Security Controls, and some security controls have a score attached to them. Each control is a logical group of related security recommendations and reflects one of your vulnerable attack surfaces.

From a continuous improvement perspective, it is imperative that you keep track of your Secure Score progress. This blog post introduces an automation playbook that you can leverage to receive a Weekly Secure Score Progress report via email.



This automation queries Log Analytics workspace data. Using the Continuous export feature of Azure Security Center, make sure you are streaming Security Center data to the Log Analytics workspace. Also make sure you have enabled export of secure score. In the drop-down menu you can choose to export both the overall score of the subscription and the score per control. Please follow this article for enabling the Continuous export option.


After you deploy this automation, you will need to: 

  • Authorize the azuremonitorlogs API connection to connect to the workspace 
  • Authorize the Office 365 API connection to send emails 
  • Authorize the Logic App managed identity


How does it work

The automation playbook is a Logic App that runs weekly, queries your Log Analytics workspace and gathers data to send you a weekly notification email with details on your current Secure Score as well as a Secure Score progress-over-time report displayed in a clear graph format. In case you notice a spectacular change in the graph, you can go on to review the security controls that are currently open and need to be prioritized, along with the top five most important Security controls that need to be fixed as early as possible, all in one email. Having this kind of detailed visibility is very important for security analysts keeping track of the environment's security hygiene. A sample email from the automation's run is shown below:

Image 1: Example Email output

The sections that follow will go in details on each one of those steps.
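To make the report logic concrete, here is an added example (not the playbook's own code, which is a Logic App with a Log Analytics query) that applies the same three computations to exported secure score data: the current score, the change against the previous week's snapshot for the graph, and the open controls ranked so the top five land in the email. The record layout and all values are constructed stand-ins; the real exported tables may use different column names.

```python
"""Added example: weekly Secure Score progress computed from exported rows.
The field names below are an assumed layout, not the exported table schema."""
from datetime import datetime, timedelta

# Constructed weekly score snapshots for one subscription (oldest first).
SCORE_SNAPSHOTS = [
    {"time": datetime(2021, 2, 3), "current": 21.5, "max": 58},
    {"time": datetime(2021, 2, 10), "current": 25.0, "max": 58},
    {"time": datetime(2021, 2, 17), "current": 24.0, "max": 58},
    {"time": datetime(2021, 2, 24), "current": 31.0, "max": 58},
]
# Constructed per-control rows from the latest snapshot.
CONTROL_ROWS = [
    {"control": "Enable MFA", "current": 0, "max": 10, "unhealthy": 3},
    {"control": "Secure management ports", "current": 2, "max": 8, "unhealthy": 4},
    {"control": "Apply system updates", "current": 6, "max": 6, "unhealthy": 0},
    {"control": "Remediate vulnerabilities", "current": 1, "max": 6, "unhealthy": 7},
    {"control": "Enable encryption at rest", "current": 2, "max": 4, "unhealthy": 2},
    {"control": "Restrict unauthorized network access", "current": 1, "max": 4, "unhealthy": 5},
    {"control": "Enable endpoint protection", "current": 3, "max": 4, "unhealthy": 1},
]
REPORT_DATE = datetime(2021, 2, 25)  # constructed "run day" of the weekly report


def percentage(current, maximum):
    """Secure Score as a percentage of the maximum attainable score."""
    return round(100 * current / maximum, 1) if maximum else 0.0


def weekly_progress(snapshots, now):
    """Return (latest %, change vs. the snapshot at least 7 days old, graph series)."""
    latest_pct = percentage(snapshots[-1]["current"], snapshots[-1]["max"])
    prior = [s for s in snapshots if s["time"] <= now - timedelta(days=7)]
    prev_pct = percentage(prior[-1]["current"], prior[-1]["max"]) if prior else None
    delta = None if prev_pct is None else round(latest_pct - prev_pct, 1)
    series = [(s["time"].date().isoformat(), percentage(s["current"], s["max"]))
              for s in snapshots]
    return latest_pct, delta, series


def open_controls(rows):
    """Controls that have not yet earned their full score."""
    return [r for r in rows if r["current"] < r["max"]]


def top_controls(rows, n=5):
    """Rank open controls by score still available, then by unhealthy resources."""
    ranked = sorted(open_controls(rows),
                    key=lambda r: (r["max"] - r["current"], r["unhealthy"]), reverse=True)
    return ranked[:n]
```

A sudden drop in `delta` is the cue the article describes for reviewing the ranked controls.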


How to deploy the automation playbook

You can find an ARM template that will deploy the Logic App Playbook and all necessary API connections in the Azure Security Center GitHub repository.

The ARM template uses your Log Analytics workspace and creates two API Connections, O365 and an Azure Monitor Logs API connection. As part of the template parameters, you will need to enter your Log Analytics Workspace Subscription ID, Log Analytics Workspace Resource Group Name and Log Analytics Workspace Name. During the deployment, it is highly recommended to create a new resource group, which will contain all the required resources for the playbook.

Once you have deployed the ARM template, you will have some manual steps to take before it works as expected.


Authorize azuremonitorlogs API Connection 

This API connection is used to connect to your Log Analytics workspace. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the azuremonitorlogs API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press save


Authorize Office 365 API Connection 

This API connection is used to send weekly secure score progress report email. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the Office365 API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press save.

Authorize the Logic App’s managed identity

The playbook uses a Managed Identity. You need to assign the Reader role on the subscriptions you want to export to the Managed Identity (explained in detail below). Notice you can assign permissions only as an owner, and make sure all selected subscriptions are registered to Azure Security Center.


To grant the managed identity reader access, you need to:

  1. Make sure you have User Access Administrator or Owner permissions for this scope.
  2. Go to the subscription/management group page.
  3. Press 'Access Control (IAM)' on the navigation bar.
  4. Press '+Add' and 'Add role assignment'.
  5. Choose ‘Reader’ role.
  6. Assign access to Logic App.
  7. Choose the subscription where the logic app was deployed.
  8. Choose the Logic App you have just deployed.
  9. Press save.


GitHub Sample

You can find this Logic App, as well as many other automations, in our GitHub repository using the links below:


Direct Link to GitHub sample 

Azure Security Center GitHub Repo 


Make sure to take advantage of this automation artifact and stay on top of your environment's Security Posture.

Let us know your feedback using any of the channels listed in the Resources. Your feedback is highly appreciated.  



Thanks to the amazing Yuri Diogenes, Principal Program Manager, for envisioning this wonderful automation idea and for his feedback on this automation and the article.

Occasional Visitor

I deployed the Logic App and it looks to be querying the SecureScores table in Log Analytics but this table does not exist.


I tried running the Logic App for "https://github.com/Azure/Azure-Security-Center/tree/master/Secure%20Score/Get-SecureScoreData" which says that it pulls data from Security Center into Log Analytics but it seems to create different tables which does not work with this module.


@rayphoon Thanks for the great feedback and question. This automation does not use Get-securescore logicapp but uses Continuous export feature of Azure Security Center. I've edited the article to make that point clear under requirements section. Hope that helps. 

Respected Contributor

Can this same concept be used for the Identity Secure Score in Azure AD?

@Dean Gross  Thanks for reaching out. Identity Secure Score is not part of Azure Security Center. Azure Security Center focuses on infrastructure and platform services, not on identities. In case you want to have this feature included in ASC, please make sure to post or upvote in the ASC Uservoice

Respected Contributor

Thanks for the link to the UserVoice site but it’s my understanding that Microsoft is going to stop using that very soon so I think I will wait until the new system is available 

Respected Contributor

Also, it appears that we have different definitions of cloud security posture management. When I see this term, I think of a comprehensive system that doesn't exclude identity, which, as we all know, is the most important pillar. If asc is really going to become the cspm tool, it should not exclude identity.

Senior Member

Thanks for this great article Safeena. I was able to deploy the logic app, however, when I try to authorize the office365 API connection I keep getting the error: 'Test connection failed. Error 'REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server.' Any idea how I can fix this?

Senior Member

Regarding this option: could you please suggest, if I enable continuous export for the first time, how and when data will be ingested into the Log Analytics workspace (LAW)? I am clear about streaming; my question is more related to first-time data ingestion and snapshots (which day of the week). Is there any option to configure the snapshot schedule?

Select the appropriate export frequency:

  • Streaming – assessments will be sent when a resource’s health state is updated (if no updates occur, no data will be sent).
  • Snapshots – a snapshot of the current state of all regulatory compliance assessments will be sent every week (this is a preview feature for weekly snapshots of secure scores and regulatory compliance data).
Version history: last update Feb 24 2021 08:12 PM