FYI: Azure CIS 1.1.0 (New) Approved VM Extensions Type is NOT the Type Shown on VM Extensions Pane

New Contributor

Maybe this will save someone else a few hours of their life. 

 

We recently enabled the Azure CIS 1.1.0 (New) Policy which includes an Only approved VM extensions should be installed recommendation. This recommendation relies on a parameter set when adding the policy called List of virtual machine extensions that are approved for use. It is a semicolon separated list of approved extensions. 

 

Attempt #1 - Use VM Extension Name (Incorrect)

We use several extensions not in the default list, and I thought this list showed extension names, so I added this to the default values:

  • joindomain;Microsoft.PowerShell.DSC;WindowsAgent.AzureSecurityCenter

However, only WindowsAgent.AzureSecurityCenter was being reported as Healthy

 

Attempt #2 - Use VM Extension Type from VM Extensions Pane (Incorrect)

Looking at the VM Extensions pane, there is a type column, so I tried replacing the names from before with these type values.

  • Microsoft.Compute.JsonADDomainExtension;Microsoft.PowerShell.DSC;Qualys.WindowsAgent.AzureSecurityCenter

None of these were reported as Healthy.

 

Attempt #3 - Use last segment of Type from VM Extensions Pane (incorrect)

Taking a closer look at the default values that worked, I noticed that only the last segment from the Type column on the VM Extensions pane was in the default value list. So I replace the previous values with:

  • JsonADDomainExtension;DSC;AzureSecurityCenter

This time, the first two showed Healthy, but WindowsAgent.AzureSecurityCenter was showing Unhealthy.

 

Attempt #4 - Use Get-AzVMExtensionImage (RTFM?) - Correct

I finally saw the tooltip when adding the policy that said "To see a complete list of virtual machine extensions, use Get-AzVMExtensionImage".  I may not be looking the right place, but I am not aware of this crucial documentation being written anywhere else.

 

It turns out that the Type column on the VM Extensions pane appears to be a combination of Publisher + Type, but that Type can be more than just the last segment. The Publisher for WindowsAgent.AzureSecurityCenter is actually just Qualys and the Type is WindowsAgent.AzureSecurityCenter

 

So replacing the above with:

  • JsonADDomainExtension;DSC;WindowsAgent.AzureSecurityCenter

All are showing as Healthy finally.

 

2 Replies

You can also use this command to get the ExtensionType from the actual extensions installed on your VM.

Get-AzVMExtension -ResourceGroupName [ResourceGroupName] -VMName [VMName] | Format-List ExtensionType

 

@Michael Carrabine 

 

You can also use this Azure Resource Graph query to find out all the VM extensions you have in your VMs. The "extensionType" column will help you finding the correct extension type to use in ASC allowed extensions list.

 

resources 
| where type =~ 'microsoft.compute/virtualmachines/extensions'
| extend vmName = tostring(split(id,'/')[8])
| extend extensionType = tostring(properties.type)
| project vmName, extensionType, name
| order by vmName asc, extensionType asc