Nov 12 2018
02:00 PM
- last edited on
May 24 2021
02:35 PM
by
TechCommunityAP
This article describes the steps for a scenario where the Azure Security Center Standard tier needs to be enabled automatically for every new subscription. The following components are used to implement it:
In this scenario, all new subscriptions created under the Enterprise Management Group automatically get the Azure Security Center Standard tier enabled:
The Azure Automation account runs the runbook every hour (more often if your business needs require it). Whenever it finds a subscription whose Security Center pricing tier is still Free, it upgrades that subscription to Standard.
Implementation steps
https://www.powershellgallery.com/packages/AzureRM.Security/0.2.0-preview
Note: this ApplicationID is used later to grant the Run As account the permission it needs, which in this case is the Security Administrator role.
$connectionName = "AzureRunAsConnection"

try {
    # Get the Run As connection that was created with the Automation account
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    Write-Output "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    }
    else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

# Loop through every subscription the Run As service principal can see.
# Get-AzureRmSecurityPricing returns one entry per pricing scope; if any of them
# is still on the Free tier, set the subscription-wide ("default") tier to Standard.
Get-AzureRmContext -ListAvailable -PipelineVariable AzureRMSub | Set-AzureRmContext | ForEach-Object {
    $tier = Get-AzureRmSecurityPricing
    if ($tier.PricingTier -contains 'Free') {
        Set-AzureRmSecurityPricing -Name "default" -PricingTier "Standard"
    }
}
Note: after the Set-AzureRMSecurityPricing command, you can also add other commands to pre-configure some settings in Azure Security Center, such as the email contact. For more examples, read this blog post.
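As an added example (not part of the original post or the authors' runbook), the per-subscription body below extends the loop above in the way the note suggests: after the pricing upgrade it also makes sure a default Security Center contact exists, and it returns one report object per subscription so the runbook's job output shows what changed. It assumes the runbook has already logged in through the Run As connection as shown above, that the AzureRM.Security preview module exposes Get-AzureRmSecurityPricing, Set-AzureRmSecurityPricing, Get-AzureRmSecurityContact and Set-AzureRmSecurityContact with the parameters used here, and that the subscription-wide pricing entry is named "default" as in the original script. The contact e-mail and phone number are placeholders.

```powershell
# Added example, not from the original post. Placeholder contact details: replace before use.
$contactEmail = "secops@contoso.com"   # placeholder
$contactPhone = "+1-555-0100"          # placeholder

function Set-SecurityCenterBaseline {
    param([Parameter(Mandatory)] $Subscription)

    # Switch the session to this subscription
    Set-AzureRmContext -SubscriptionId $Subscription.Id | Out-Null

    # Pricing: upgrade the subscription-wide tier if any pricing entry is still Free
    $pricing = Get-AzureRmSecurityPricing
    $wasFree = @($pricing | Where-Object { $_.PricingTier -eq 'Free' }).Count -gt 0
    if ($wasFree) {
        Set-AzureRmSecurityPricing -Name "default" -PricingTier "Standard" | Out-Null
    }

    # Security contact: only create one when none is configured, so hourly reruns are idempotent
    # (assumption: Set-AzureRmSecurityContact takes -Name/-Email/-Phone/-AlertAdmin/-NotifyOnAlert)
    $contactCreated = $false
    $contact = Get-AzureRmSecurityContact -ErrorAction SilentlyContinue
    if (-not $contact) {
        Set-AzureRmSecurityContact -Name "default1" -Email $contactEmail -Phone $contactPhone `
            -AlertAdmin -NotifyOnAlert | Out-Null
        $contactCreated = $true
    }

    # Re-read the tier after the change so the report reflects the actual state, not the intent
    $tierAfter = (Get-AzureRmSecurityPricing | Where-Object { $_.Name -eq 'default' }).PricingTier

    [pscustomobject]@{
        SubscriptionId     = $Subscription.Id
        SubscriptionName   = $Subscription.Name
        UpgradedToStandard = $wasFree
        ContactCreated     = $contactCreated
        TierAfter          = $tierAfter
    }
}

# Run over every subscription visible to the Run As service principal and report
$report = Get-AzureRmSubscription | ForEach-Object { Set-SecurityCenterBaseline -Subscription $_ }
$report | Format-Table -AutoSize

# Anything still not on Standard after the run is worth a warning in the job output:
# it usually means the service principal lacks the Security Admin role on that subscription
$notStandard = @($report | Where-Object { $_.TierAfter -ne 'Standard' })
if ($notStandard.Count -gt 0) {
    Write-Warning ("{0} subscription(s) are still not on the Standard tier: {1}" -f `
        $notStandard.Count, ($notStandard.SubscriptionName -join ', '))
}
```

The TierAfter column is read back from the service rather than assumed from the Set call, so a subscription where the Run As account has no permission shows up in the warning instead of silently passing.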
At this point the Azure Automation account is created, the Runbook with the PowerShell script is configured, and the schedule is set. Now you need to grant Security Administrator permission to this account. Follow the steps below:
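As an added example (not the original post's instructions, which grant the role through the portal), the script below assigns the built-in Azure RBAC role at management-group scope from PowerShell and then verifies the assignment. Assigning at the management group rather than on each subscription is what lets subscriptions created later inherit the permission without another manual step. It assumes the management group is named Enterprise as in the scenario description, that the ApplicationID noted earlier is pasted into the placeholder, that the built-in role name for Security Administrator is "Security Admin", and that the AzureRM.Resources cmdlets used here accept management-group scopes. The GUID is a placeholder, not a real identifier.

```powershell
# Added example, not from the original post. Placeholders: management group name and ApplicationID.
$mgName = "Enterprise"                              # management group from the scenario
$appId  = "00000000-0000-0000-0000-000000000000"    # placeholder: ApplicationID of the Run As account
$roleName = "Security Admin"                        # built-in role (assumption: this is the RBAC name)
$scope  = "/providers/Microsoft.Management/managementGroups/$mgName"

# Resolve the service principal object behind the Run As account's ApplicationID
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if (-not $sp) {
    throw "No service principal found for ApplicationId $appId"
}

# Assign the role once, at management-group scope, so new child subscriptions inherit it
$existing = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $scope }
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Output "Assigned '$roleName' to $($sp.DisplayName) at $scope"
}
else {
    Write-Output "'$roleName' is already assigned to $($sp.DisplayName) at $scope"
}

# Verify: everything the Run As principal holds, so an over-broad role (e.g. Owner at the
# management group) is visible here rather than discovered later
Get-AzureRmRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Security Admin is the least-privileged built-in role that can change the pricing tier and security contact; the Run As account does not need Contributor or Owner at the management group for this runbook, so keep the default Contributor assignment it receives at creation limited to its own subscription.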
Authors
Yuri Diogenes, Senior Program Manager (CxE Security)
John Knightly, Senior PFE (Cybersecurity)