Enable/Disable Selective ASC Policies


Hi,

Is there a way to selectively disable (not have the policy active) a secure policy either at the subscription or resource group level?

For example, if a policy is to recommend VM firewalls to be enabled, and this is not required, is there a way to deactivate this particular policy in the ASC dashboard?

Also any pointers to more specific ASC configuration will be appreciated.

Regards

J

5 Replies

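Hi @JoVuon,

Yes, this is possible.

Please check the following two articles:

- Working with security policies: https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy#disable-security-policies-and-disable-recommendations
- Policy exemption (preview) feature (https://docs.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure) or more traditional exclusions (excluded scopes) in policy assignments (https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#excluded-scopes)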

Hi @David Pazdera,

Thanks for the response. I'll review the link and see how I go. Much appreciated.

Hi David,

Besides the expiry of exemption, are there other differences compared to exclusions? What is MS's design goal for exemption given we could exclude it? Or phrasing it differently, what goals is it trying to fulfil with exemptions?

Another point, I find updating a large policy such as the ASC cumbersome via the Portal; is there an alternative, i.e. CLI?

Many thanks
Joe

Hi @JoVuon,

You can find info on how these two differ here: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/scope#assignment-scopes. In short, we added exemptions, as requested by many customers, to provide more granular control of what resources/assets you can permanently or temporarily exempt from secure score evaluation/reporting.

As far as Azure Policy management goes, there are many ways of doing so; please visit: Overview of Azure Policy - Azure Policy | Microsoft Docs

Hi Stanislav,

Thanks for the reply. I'll have what you've provided. Thanks

Joe