Microsoft Tech Community

Automatically Enable Azure Security Center Standard Tier for new Subscriptions


This article describes the steps for a scenario where the Azure Security Center Standard tier needs to be enabled automatically for all new subscriptions. To enable this scenario, the following components will be used:

  • Azure Management Groups
  • Azure Automation Account
  • Azure Security Center PowerShell modules

In this scenario, all new subscriptions that are created under the Enterprise Management Group will automatically have Azure Security Center standard tier enabled:

[Figure: Fig0.JPG]

The Azure Automation account will run every hour (the interval can be shorter according to your business needs), and if it identifies a new subscription that has the Security Center Free tier, it will upgrade that subscription to Standard.


Implementation steps

  1. In the Azure Portal, click Automation Accounts.
  2. Click Add and the Add Automation Account blade appears.

[Figure: Fig1.JPG]

  3. Type the name of the Automation Account, then select the subscription, the Resource Group and the Location. Make sure Yes is selected under Create Azure Run As account and click the Create button.
  4. The new automation account will appear in the list; click on it to edit.
  5. Under the Shared Resources section, click Modules and click the Update Azure modules button.

[Figure: Fig2.JPG]


  6. You may receive a warning like the one below; click Yes to proceed.

[Figure: Fig3.JPG]


  7. Wait until you see the message that the modules were updated, as shown below:

[Figure: Fig4.JPG]

  8. Open a new tab in your browser and navigate to the following URL:

https://www.powershellgallery.com/packages/AzureRM.Security/0.2.0-preview

  9. Click the Azure Automation tab and click the Deploy to Azure Automation button.

[Figure: Fig5.JPG]

  10. On the new blade that opens, under the Automation Account option, select the Azure Automation Account that you are creating in this article:

[Figure: Fig6.JPG]

  11. Click the OK button, and once the OK button becomes grayed out, close the blade.
  12. Go back to the previous tab, where you have the automation account properties, click Connections under the Shared Resources section, and select AzureRunAsConnection:

[Figure: Fig7.JPG]

  13. Copy the ApplicationID to the clipboard.

Note: this ApplicationID identifies the Run As service principal that will later be granted the proper level of permission, which in this case is Security Administrator.

  14. Close this blade, and under Process Automation, click Runbooks.


  15. Click the Add Runbook button and click the Quick Create option.

[Figure: Fig9.JPG]

  16. Under Name, type the name for this runbook; under Runbook type, select PowerShell and click the OK button.
  17. In the Edit PowerShell Runbook blade, type the code below:


$connectionName = "AzureRunAsConnection"
try
{
    # Get the Run As connection created with the Automation account
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    # Authenticate as the Run As service principal using its certificate
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch
{
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    }
    else
    {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

# Loop through all subscriptions the service principal can see; new subscriptions
# under the management group inherit its role assignment, so they show up here
Get-AzureRmContext -ListAvailable -PipelineVariable AzureRMSub | Set-AzureRmContext | foreach {
    $tier = Get-AzureRmSecurityPricing
    # Upgrade any subscription still on the Free tier to Standard
    if ($tier.PricingTier -like 'Free')
    {
        Set-AzureRmSecurityPricing -Name "default" -PricingTier "Standard"
    }
}


Note: after the Set-AzureRmSecurityPricing command, you can also add other commands to pre-configure some settings in Azure Security Center, such as the email contact. For more examples, read this blog post.
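The same hourly check rewritten for the current Az.Accounts and Az.Security modules, as an added example that is not the article's runbook. It assumes the Automation account authenticates with a system-assigned managed identity holding the same Security Admin role on the management group, and it adds a dry-run parameter and a per-subscription summary so the job history shows what changed. Note that Get-AzSecurityPricing returns one entry per resource type (VirtualMachines, SqlServers, and so on) rather than the single "default" entry used in the AzureRM version above.

```powershell
# Added example (not the article's code): hourly Free-to-Standard upgrade using the
# Az modules. Assumes the Automation account's managed identity has Security Admin
# on the management group, as the Run As service principal does in the article.

param(
    # When $true, report what would change without calling Set-AzSecurityPricing
    [bool]$DryRun = $false
)

# Authenticate as the Automation account's managed identity
# (replaces Add-AzureRmAccount -ServicePrincipal with a certificate)
Connect-AzAccount -Identity | Out-Null

$results = @()

# Enumerate every enabled subscription the identity can see; subscriptions placed
# under the management group inherit its role assignment and therefore appear here
foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # One pricing object per resource type; keep only those still on the Free tier
    $free = Get-AzSecurityPricing | Where-Object { $_.PricingTier -eq 'Free' }

    foreach ($p in $free) {
        if ($DryRun) {
            $action = 'WouldUpgrade'
        }
        else {
            Set-AzSecurityPricing -Name $p.Name -PricingTier 'Standard' | Out-Null
            $action = 'Upgraded'
        }

        $results += [pscustomobject]@{
            Subscription = $sub.Name
            ResourceType = $p.Name
            Action       = $action
        }
    }
}

# The summary becomes the runbook job output, which is searchable in the job history
$results | Format-Table -AutoSize
```

Run it once with the DryRun parameter set to $true from the Test pane to confirm the identity sees the expected subscriptions before linking the schedule.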


  18. Click the Save button, and then click the Publish button.
  19. Under the Resources section, click Schedules and click Add a schedule.

[Figure: Fig10.JPG]

  20. Click Link a schedule to your runbook, click in the Schedule blade, and click Create a new schedule.
  21. In the New Schedule blade, under Name, type the name of the schedule, click the Recurring button, select the frequency that you want, and click the Create button.
  22. In the Schedule Runbook blade, click OK and close this blade.

At this point the Azure Automation account is created, the Runbook with the PowerShell script is configured, and the schedule is set. Now you need to grant Security Administrator permission to this account. Follow the steps below:

  1. In the Azure Portal, click All services, and type Management Groups.
  2. Click the management group that will contain the future subscriptions.
  3. Click the details hyperlink beside the management group name.

[Figure: Fig11.JPG]


  4. Click the Access Control (IAM) option and click the Add button.
  5. In the Add Permission blade, under Role, select Security Admin.
  6. Under Select, type the name of the Azure Automation account; as you type, the account should appear. Click on it and notice that the account was added to the Selected members field.

[Figure: serviceprincipal.jpg]

  7. Click the Save button.
  8. Confirm that the account appears with Security Admin rights, as shown in the example below:

[Figure: secadmin.jpg]


Authors

Yuri Diogenes, Senior Program Manager (CxE Security)

John Knightly, Senior PFE (Cybersecurity)
