Feb 06 2020 07:15 AM - edited Feb 07 2020 02:09 PM
Maybe this will save someone else a few hours of their life.
We recently enabled the Azure CIS 1.1.0 (New) Policy, which includes an "Only approved VM extensions should be installed" recommendation. This recommendation relies on a parameter set when adding the policy called "List of virtual machine extensions that are approved for use". It is a semicolon-separated list of approved extensions.
Attempt #1 - Use VM Extension Name (Incorrect)
We use several extensions not in the default list, and I thought this list showed extension names, so I added this to the default values:
However, only WindowsAgent.AzureSecurityCenter was being reported as Healthy.
Attempt #2 - Use VM Extension Type from VM Extensions Pane (Incorrect)
Looking at the VM Extensions pane, there is a type column, so I tried replacing the names from before with these type values.
None of these were reported as Healthy.
Attempt #3 - Use last segment of Type from VM Extensions Pane (Incorrect)
Taking a closer look at the default values that worked, I noticed that only the last segment from the Type column on the VM Extensions pane was in the default value list. So I replaced the previous values with:
This time, the first two showed Healthy, but WindowsAgent.AzureSecurityCenter was showing Unhealthy.
Attempt #4 - Use Get-AzVMExtensionImage (RTFM?) - Correct
I finally saw the tooltip when adding the policy that said "To see a complete list of virtual machine extensions, use Get-AzVMExtensionImage". I may not be looking in the right place, but I am not aware of this crucial documentation being written anywhere else.
It turns out that the Type column on the VM Extensions pane appears to be a combination of Publisher + Type, but that Type can be more than just the last segment. The Publisher for WindowsAgent.AzureSecurityCenter is actually just Qualys, and the Type is WindowsAgent.AzureSecurityCenter.
So replacing the above with:
All are showing as Healthy finally.
Dec 07 2020 07:01 AM
You can also use this command to get the ExtensionType from the actual extensions installed on your VM.
Get-AzVMExtension -ResourceGroupName [ResourceGroupName] -VMName [VMName] | Format-List ExtensionType
Aug 31 2021 08:47 AM
You can also use this Azure Resource Graph query to find out all the VM extensions you have in your VMs. The "extensionType" column will help you find the correct extension type to use in the ASC allowed extensions list.
resources
| where type =~ 'microsoft.compute/virtualmachines/extensions'
| extend vmName = tostring(split(id,'/')[8])
| extend extensionType = tostring(properties.type)
| project vmName, extensionType, name
| order by vmName asc, extensionType asc
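The following script is an added example and is not code from any of the posts above. It ties the three posts together: it inventories the extensions actually installed on every VM in the current subscription (the Get-AzVMExtension approach from the first reply, run across all VMs instead of one), confirms each Publisher/ExtensionType pair against the extension catalog with Get-AzVMExtensionImage (the lookup the original post ended up needing), and emits the semicolon-separated value in the shape the policy parameter expects, using ExtensionType rather than the display name or the last dotted segment. It assumes the Az.Accounts and Az.Compute modules are installed and Connect-AzAccount has already been run; the $Location default of eastus is an assumed example and only affects the catalog lookup.

```powershell
# Added example, not from the original thread. Assumes Az.Accounts/Az.Compute
# are installed and Connect-AzAccount has been run against the right subscription.
param(
    [string]$Location = 'eastus'   # assumed example region, used only for the catalog check
)

# 1. Inventory every extension installed on every VM in the subscription.
#    The policy parameter wants ExtensionType (the Type half of the Publisher/Type
#    pair), not the extension's display name and not just its last dotted segment.
$installed = foreach ($vm in Get-AzVM) {
    Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name |
        Select-Object @{ n = 'VMName'; e = { $vm.Name } }, Publisher, ExtensionType
}

$unique = $installed | Sort-Object Publisher, ExtensionType -Unique

# 2. Cross-check each Publisher/Type pair against the published extension catalog so a
#    wrong segment or a typo is caught before it goes into the policy. A pair with no
#    catalog hit is reported, not silently dropped, so nothing disappears unnoticed.
$report = foreach ($ext in $unique) {
    $inCatalog = $false
    try {
        $hit = Get-AzVMExtensionImage -Location $Location `
                   -PublisherName $ext.Publisher -Type $ext.ExtensionType `
                   -ErrorAction Stop
        $inCatalog = [bool]$hit
    }
    catch {
        $inCatalog = $false
    }

    $vmsWithIt = $installed |
        Where-Object { $_.Publisher -eq $ext.Publisher -and $_.ExtensionType -eq $ext.ExtensionType } |
        Select-Object -ExpandProperty VMName | Sort-Object -Unique

    [pscustomobject]@{
        Publisher     = $ext.Publisher
        ExtensionType = $ext.ExtensionType
        InCatalog     = $inCatalog
        VMs           = ($vmsWithIt -join ',')
    }
}

$report | Format-Table -AutoSize

# 3. Emit the parameter value: ExtensionType values only, semicolon separated, with no
#    publisher prefix. The Qualys agent therefore appears as
#    WindowsAgent.AzureSecurityCenter, not Qualys.WindowsAgent.AzureSecurityCenter.
$approved = ($report | Where-Object InCatalog |
             Select-Object -ExpandProperty ExtensionType | Sort-Object -Unique) -join ';'
Write-Output 'Approved extensions parameter value:'
Write-Output $approved

# Anything not found in the catalog for this region needs a manual look: either the
# extension is published in a different region or the spelling is wrong.
$report | Where-Object { -not $_.InCatalog } | ForEach-Object {
    Write-Warning "Not in catalog for ${Location}: $($_.Publisher)/$($_.ExtensionType) - check the region or the spelling"
}
```

Review the printed table before pasting the value into the policy: the script only includes pairs it could confirm in the catalog, so an extension that is installed but flagged by the warning is deliberately left out of the emitted string until you have resolved why the lookup failed.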