How to keep track of Resource Exemptions in Microsoft Defender for Cloud
Published Oct 13 2020 12:29 AM

Microsoft Defender for Cloud has a built-in export capability called continuous export, which lets you export security alerts and recommendations to Azure Log Analytics and/or Azure Event Hubs as soon as they are generated. Unfortunately, there is currently no built-in capability to continuously export resource exemptions as well. Resource exemptions are a great way to granularly tune the set of recommendations that apply to your environment without completely disabling the underlying security policy. But with great power comes great responsibility, and so customers have been asking for a way to be notified whenever a new resource exemption is created. This is where our latest automation artifact comes into play. It offers the following benefits:


  • Logic App integration with Office 365 enables you to send notification emails
  • Data can be exported to any service, including Log Analytics, EventHub, Service Now, and others
  • The playbook is triggered just in time, instead of using a regular cadence


Notify about new resource exemptions

In my previous article, you learned that once a new resource exemption is created, the status of the underlying security assessment is changed, and it will contain the following properties.status values:

Figure 1 – status code and cause



There is another capability in Microsoft Defender for Cloud called workflow automation, which allows you to automatically respond to alerts and recommendations. With workflow automation there comes one Logic App trigger type called When a Defender for Cloud Recommendation is created or triggered. With this trigger type, your Logic App will run every time there is a new recommendation, or when the status of an assessment changes. That makes it a perfect fit for our purpose. Once the Logic App is triggered, I calculate the subscription ID from the assessment ID that is passed from workflow automation for further use later in the automation.

Figure 2 – Workflow Automation Trigger



Since the Logic App will run every time a new recommendation is created or the status of an existing recommendation changes, we need to filter for only those cases in which an actual resource exemption has been created. For this, I defined a condition (if…then) that starts the actual logic only when properties.status.code is “NotApplicable” and properties.status.cause is “Exempt”.

Figure 3 – define a condition


What follows are two GET requests, to the Microsoft.Authorization/policySetDefinitions and Microsoft.Authorization/policyExemptions APIs. The first call gets all information about the built-in Azure Security Benchmark initiative (PolicySetDefinition ID 1f3afdf9-d0c9-4c3d-847f-89da613e70a8); the second gets all policy exemptions that have been created for the subscription whose ID was calculated before. As explained in my previous article, resource exemption in Defender for Cloud leverages the policy exemption feature. With workflow automation we can react to assessment changes, but there is no direct way to pass further information about the exemption itself. What we get is the resource ID the assessment applies to, as well as the policy definition ID in the metadata section:


Figure 4 – Policy definition ID the ASC assessment relies on


Policy exemptions unfortunately do not contain the policy definition ID. That is because they do not apply to a policy definition but to an assignment. The good news is that a policy exemption contains a list of policy definition reference IDs instead:


Figure 5 – Policy definition reference IDs in policy exemption


This is where the policy set definitions (aka initiative definitions) API comes into play. A policy set definition contains both policy definition IDs and policy definition reference IDs. So now we can figure out which policy exemption has been created from ASC and, even better, who created it and when.


Following the workflow, the next step is to compare all policy definition IDs in the policy set definition with the policy definition ID that has been passed from ASC. If both IDs match, we take the corresponding policy definition reference ID and compare it to the reference IDs in all policy exemptions. If those IDs match, and the exemption ID also begins with the resource ID that comes from the trigger, we know that we have found the policy exemption that was created using the resource exemption feature in ASC.


What follows is an export of the policy exemption details to a Log Analytics workspace, as well as a notification email that is sent.
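The filter-and-match logic from the steps above (subscription ID from the assessment ID, the NotApplicable/Exempt condition, policy definition ID to reference ID via the initiative, and the exemption scoped under the resource), as an added Python example that is not part of the article or the published Logic App. All payloads are constructed samples in the shapes the article describes; the resource, policy definition and exemption names are made up.

```python
import re
# Constructed sample payloads (not real API output) in the shapes the article describes.
SUB = "00000000-0000-0000-0000-000000000001"
VM = f"/subscriptions/{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
POLICY_DEF = "/providers/Microsoft.Authorization/policyDefinitions/11111111-2222-3333-4444-555555555555"
ASSESSMENT = {  # what the "recommendation is created or triggered" trigger hands to the Logic App
    "id": VM + "/providers/Microsoft.Security/assessments/66666666-7777-8888-9999-000000000000",
    "properties": {"status": {"code": "NotApplicable", "cause": "Exempt"},
                   "resourceDetails": {"Id": VM},
                   "metadata": {"policyDefinitionId": POLICY_DEF}},
}
POLICY_SET = {  # trimmed Azure Security Benchmark initiative, as returned by the policySetDefinitions GET
    "properties": {"policyDefinitions": [
        {"policyDefinitionId": POLICY_DEF, "policyDefinitionReferenceId": "diskEncryptionRef"},
        {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/other-guid",
         "policyDefinitionReferenceId": "otherRef"}]},
}
EXEMPTIONS = [  # policyExemptions GET for the subscription; only the second one was created from ASC
    {"id": VM + "/providers/Microsoft.Authorization/policyExemptions/manual-waiver",
     "properties": {"policyDefinitionReferenceIds": ["otherRef"]},
     "systemData": {"createdBy": "ops@contoso.example", "createdAt": "2020-10-01T08:00:00Z"}},
    {"id": VM + "/providers/Microsoft.Authorization/policyExemptions/asc-exemption",
     "properties": {"policyDefinitionReferenceIds": ["diskEncryptionRef"]},
     "systemData": {"createdBy": "alice@contoso.example", "createdAt": "2020-10-12T14:03:00Z"}},
]

def subscription_from_assessment_id(assessment_id):
    # Step 1: the subscription ID is the first path segment of the assessment's resource ID.
    m = re.match(r"^/subscriptions/([0-9a-f-]{36})/", assessment_id, re.IGNORECASE)
    return m.group(1) if m else None

def is_resource_exemption(assessment):
    # Step 2: the if/then condition that gates the rest of the playbook.
    status = assessment["properties"]["status"]
    return status.get("code") == "NotApplicable" and status.get("cause") == "Exempt"

def find_exemption(assessment, policy_set, exemptions):
    # Steps 3-4: policyDefinitionId -> reference ID(s) via the initiative, then the exemption that
    # carries such a reference ID and whose ID starts with the trigger's resource ID (IDs are case-insensitive).
    if not is_resource_exemption(assessment):
        return None
    props = assessment["properties"]
    wanted = {d["policyDefinitionReferenceId"] for d in policy_set["properties"]["policyDefinitions"]
              if d["policyDefinitionId"].lower() == props["metadata"]["policyDefinitionId"].lower()}
    prefix = props["resourceDetails"]["Id"].lower() + "/"
    for ex in exemptions:
        hit = set(ex["properties"].get("policyDefinitionReferenceIds", [])) & wanted
        if hit and ex["id"].lower().startswith(prefix):
            return {"exemption_id": ex["id"], "policy_definition_reference_id": min(hit),
                    "created_by": ex["systemData"]["createdBy"], "created_at": ex["systemData"]["createdAt"]}
    return None
```

The returned dictionary, together with the resource ID and policy definition ID already known from the assessment, is what the playbook writes to Log Analytics and puts into the notification email.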


How to deploy the automation playbook

You can find an ARM template that deploys the Logic App playbook and all necessary API connections in the Defender for Cloud GitHub repository, or you can deploy all resources directly by clicking here. Once you have deployed the ARM template, there are a few manual steps to take before the tool works as expected.


Make sure to authorize the Office 365 API connection

This API connection is used to send emails once a new resource exemption is created. To authorize the API connection:


  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the Office365 API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press 'save'.


Authorize the Logic App’s managed identity

The Logic App uses a system-assigned managed identity to query information from the policy exemption and policy set definition APIs. For this purpose, you need to grant it the Reader RBAC role at the scope you want it to cover. It is recommended to give it Reader access on the tenant root management group, so it can query information for all subscriptions whenever relevant. To grant the managed identity Reader access, you need to:


  1. Make sure you have User Access Administrator or Owner permissions for this scope.
  2. Go to the subscription/management group page.
  3. Press 'Access Control (IAM)' on the navigation bar.
  4. Press '+Add' and 'Add role assignment'.
  5. Choose ‘Reader’ role.
  6. Assign access to Logic App.
  7. Choose the subscription where the logic app was deployed.
  8. Choose the Logic App you have just deployed.
  9. Press 'save'.


Create a new workflow within Microsoft Defender for Cloud

For the Logic App to be triggered automatically once an assessment is changed, you need to configure a new workflow within Microsoft Defender for Cloud. In Defender for Cloud, you just need to navigate to the Workflow Automation control, select + Add workflow automation, and as a trigger condition, you select Security Center recommendations. In the Actions, you select the Logic App that you’ve just deployed.


Figure 6 – Add workflow in Microsoft Defender for Cloud


What’s next

As of now, when you create a new resource exemption, the exemption information is exported to the Log Analytics workspace you defined during deployment. In addition, the recipient address(es) you defined during deployment will receive a notification email with the following information:

  • Created by
  • Created at
  • Resource ID
  • Policy Definition ID
  • Policy Definition Reference ID

Figure 7 – example email generated from the playbook


Now, go ahead, deploy the workflow in your environment, and let us know what you think by commenting on this article.



Thanks to Miri Landau, Senior Program Manager, for reviewing this article.

Version history: last updated Oct 21 2021 04:31 AM