Microsoft Tech Community

Microsoft Azure Defender for Cloud Regulatory Compliance

Copper Contributor
Could you configure Microsoft Defender to monitor regulatory compliance by resource group instead of by subscription level (the default)? Is this possible?

All documentation on this points out that it's by subscription level (default) and management group. You can set the default policy, edit/create custom initiatives, and enable/disable regulations/standards in settings.
3 Replies
Hi Spintov,
Yes. In the Azure portal, if you navigate to the Resource Group, you can select "Policies" and from there you can "Assign Initiative". There are initiatives that correspond to various regulations and standards. Select the one you want and assign it.

Thanks, Ash

@Ash_Gardiner Hi Ash, thanks! When I go to the Regulatory compliance dashboard, how can I select only the resource groups I want to see? My subscription has several resource groups, but I only want it to assess specific resource groups. At the moment it is applied at the subscription level; how can I change it to per resource group? I know I can run a workbook and select only the resource group I want to take data from, but I need to be able to use the Regulatory compliance dashboard as well. I wonder whether removing the other resource groups from having Defender analyze the initiative against them would drop them from that tab?

best response confirmed by spintov (Copper Contributor)
Hi @spintov,
You are correct that you can unassign the initiative at the Subscription level, which means at that point the assessments are happening at the RG level. If the initiative has not been assigned on RGs within the Subscription directly, they should disappear from the compliance view because they are no longer in scope.
My initial answer was black and white, saying that what you wanted could be done and how to do it. The more real-world answer is that I don't have customers who manage compliance at the RG level directly, as it does not scale well. I've seen exceptions where only a couple of RGs need PCI-DSS compliance, but if you want to apply an initiative to many RGs individually it's not very fun unless they cascade from a parent Subscription. If workloads need to be subject to PCI-DSS compliance, for example, one solution is to place those workloads in a dedicated subscription, maintaining the initiative at the subscription level.
Hopefully someone else in the community has another approach to recommend.
Thanks, Ash
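The procedure described in the accepted answer (assign the initiative at resource-group scope, then unassign it at subscription scope so out-of-scope resource groups drop out of the Regulatory compliance view) scripted with the Az PowerShell module. This is an added example, not code from the thread or from Microsoft; it assumes the Az.Resources and Az.PolicyInsights modules are installed, that Connect-AzAccount has already run, and that the subscription ID, resource group names, initiative filter and assignment names are placeholders you replace. The order matters: the resource-group assignments are created before the subscription-level one is removed, so assessment coverage for the in-scope groups never lapses.

```powershell
# Added example (not from the thread): scope a regulatory initiative to specific resource
# groups and remove the subscription-level assignment afterwards.
# Assumptions: Az.Resources + Az.PolicyInsights installed, Connect-AzAccount already run.
# All IDs and names below are placeholders, not values from the thread.

$subscriptionId    = '00000000-0000-0000-0000-000000000000'     # placeholder subscription ID
$inScopeRgs        = @('rg-pci-cardholder', 'rg-pci-payments')   # placeholder RG names
$initiativeFilter  = 'PCI'                    # substring matched against the initiative display name
$subAssignmentName = 'pci-subscription-assignment'               # placeholder: existing sub-level assignment

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Locate the built-in initiative (policy set definition). Newer Az.Resources versions expose
#    DisplayName at the top level; older versions nest it under .Properties, so check both.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { ($_.DisplayName, $_.Properties.DisplayName) -like "*$initiativeFilter*" } |
    Select-Object -First 1
if (-not $initiative) { throw "No built-in initiative matching '$initiativeFilter' was found." }

# 2. Assign the initiative at each resource-group scope first so coverage is never lost.
foreach ($rg in $inScopeRgs) {
    $scope = "/subscriptions/$subscriptionId/resourceGroups/$rg"
    $existing = Get-AzPolicyAssignment -Scope $scope -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "compliance-$rg" }
    if ($existing) { Write-Host "Assignment already present on $rg, skipping"; continue }

    New-AzPolicyAssignment -Name "compliance-$rg" `
        -DisplayName "Regulatory compliance ($rg)" `
        -Scope $scope `
        -PolicySetDefinition $initiative | Out-Null
    Write-Host "Assigned initiative at $scope"
}

# 3. Only now remove the subscription-level assignment. Resource groups that have no
#    assignment of their own leave scope and drop out of the Regulatory compliance view.
$subScope = "/subscriptions/$subscriptionId"
if (Get-AzPolicyAssignment -Name $subAssignmentName -Scope $subScope -ErrorAction SilentlyContinue) {
    Remove-AzPolicyAssignment -Name $subAssignmentName -Scope $subScope
    Write-Host "Removed subscription-level assignment '$subAssignmentName'"
}

# 4. Check: policy evaluation is not instant, so rerun this once results have been produced.
foreach ($rg in $inScopeRgs) {
    $summary = Get-AzPolicyStateSummary -ResourceGroupName $rg
    '{0}: {1} non-compliant resource(s)' -f $rg, $summary.Results.NonCompliantResources
}
```

The same steps can be typed into the portal as the answer describes; the script exists so the assignment-before-unassignment ordering is repeatable across many resource groups, which is exactly the situation the answer warns does not scale well by hand.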