Large organizations that have multiple subscriptions in a single tenant environment are probably already using Azure Management Groups to organize their subscriptions according to the business needs, by creating a hierarchy that applies a policy that reflect the needs of those subscriptions. For example, a policy that limits VM locations to the US West Region in the group called "Production". This policy will inherit onto all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions. This security policy cannot be altered by the resource or subscription owner allowing for improved governance.
When organizations need to enable Microsoft Defender for Cloud across different subscriptions that have different workloads and therefore different assessment needs, it is also common that they want to customize its policies and control it in the Management Group level rather than in the subscription level. Let’s use the scenario below as an example:
In the example above, the Management Groups are reflecting the state where the company has branch offices and each subscription represents a department. Since each branch office may have different needs from the policy perspective, it is recommended to assign the Microsoft Defender for Cloud initiative to the Management Group level, and remove the default assignment from the Subscription level.
The Microsoft Defender for Cloud initiative that you should assign to the Management Group level is the following one:
Once you finish this assignment, you will notice that in Microsoft Defender for Cloud / Security Policy, your policy assignment will look like this:
In the right side of this page, you will see that the policy is now inherited from the Management Group level. However, you also see on the left, that there are two assignments to the subscription. To see these assignments, click View effective policy button. You will see the two initiatives* that are bound to this subscription are:
Microsoft Defender for Cloud Default (subscription_id): default initiative for the subscription.
Enable Monitoring in Microsoft Defender for Cloud: initiative that you assigned in the Management Group level.
*Note: in some circumstances, you may have more than two, it depends on how your subscription was configured. Before making changes, make sure you validate with your team that those initiatives are not in use anymore and can be removed.
You need to go to Azure Policy and remove the Microsoft Defender for Cloud Default assignment from the subscription level. This way you are going to always have centralized control in the Management Group level. If you have multiple subscriptions to remove the assignment, you can leverage this script. This assumes that you already configured the initiative in the Management Group level, so it will scan all subscriptions and remove the Microsoft Defender for Cloud Default policy from it.