You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/exempt-resource.md
+15-17Lines changed: 15 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,16 +8,15 @@ author: dcurwin
8
8
ms.date: 10/29/2023
9
9
---
10
10
11
-
# Exempt resources from recommendations
11
+
# Exempt resources from recommendations
12
12
13
-
14
-
When you investigate security recommendations in Microsoft Defender for Cloud, you usually review the list of affected resources. Occasionally, a resource will be listed that you feel shouldn't be included. Or a recommendation will show in a scope where you feel it doesn't belong. For example, a resource might have been remediated by a process not tracked by Defender for Cloud, or a recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation.
13
+
When you investigate security recommendations in Microsoft Defender for Cloud, you usually review the list of affected resources. Occasionally, a resource is listed that you feel shouldn't be included. Or a recommendation shows in a scope where you feel it doesn't belong. For example, a resource might be remediated by a process not tracked by Defender for Cloud, or a recommendation might be inappropriate for a specific subscription. Or perhaps your organization decided to accept the risks related to the specific resource or recommendation.
15
14
16
15
In such cases, you can create an exemption to:
17
16
18
-
-**Exempt a resource** to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
17
+
-**Exempt a resource** to ensure it isn't listed with the unhealthy resources in the future, and doesn't affect your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
19
18
20
-
-**Exempt a subscription or management group** to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.
19
+
-**Exempt a subscription or management group** to ensure that the recommendation doesn't affect your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.
21
20
22
21
For the scope you need, you can create an exemption rule to:
23
22
@@ -26,17 +25,17 @@ For the scope you need, you can create an exemption rule to:
26
25
27
26
## Before you start
28
27
29
-
This feature is in preview. [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)] This is a premium Azure Policy capability that's offered at no additional cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future.
28
+
This feature is in preview. [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)] This is a premium Azure Policy capability offered at no extra cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future.
30
29
31
30
- You need the following permissions to make exemptions:
32
-
-**Owner** or **Security Admin** or **Resource Policy Contributor** to create an exemption
33
-
- To create a rule, you need permissions to edit policies in Azure Policy. [Learn more](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).
31
+
-**Owner** or **Security Admin** or **Resource Policy Contributor** to create an exemption
32
+
- To create a rule, you need permissions to edit policies in Azure Policy. [Learn more](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).
34
33
35
34
- You can create exemptions for recommendations included in Defender for Cloud's default [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) standard, or any of the supplied regulatory standards.
36
35
- Custom recommendations can't be exempted.
36
+
- If a recommendation is disabled, all of its subrecommendations are exempted.
37
37
- In addition to working in the portal, you can create exemptions using the Azure Policy API. Learn more [Azure Policy exemption structure](../governance/policy/concepts/exemption-structure.md).
38
38
39
-
40
39
## Define an exemption
41
40
42
41
To create an exemption rule:
@@ -49,7 +48,7 @@ To create an exemption rule:
49
48
50
49
1. In the **Exempt** pane:
51
50
1. Select the scope for the exemption.
52
-
- If you select a management group, the recommendation will be exempted from all subscriptions within that group
51
+
- If you select a management group, the recommendation is exempted from all subscriptions within that group
53
52
- If you're creating this rule to exempt one or more resources from the recommendation, choose "Selected resources" and select the relevant ones from the list
54
53
55
54
1. Enter a name for the exemption rule.
@@ -60,20 +59,19 @@ To create an exemption rule:
60
59
> [!NOTE]
61
60
> When you exempt a recommendation as mitigated, you aren't given points towards your secure score. But because points aren't *removed* for the unhealthy resources, the result is that your score will increase.
62
61
63
-
-**Risk accepted (waiver)** – if you’ve decided to accept the risk of not mitigating this recommendation
62
+
-**Risk accepted (waiver)** – if you decided to accept the risk of not mitigating this recommendation
64
63
1. Enter a description.
65
64
1. Select **Create**.
66
65
:::image type="content" source="media/exempt-resource/defining-recommendation-exemption.png" alt-text="Steps to create an exemption rule to exempt a recommendation from your subscription or management group." lightbox="media/exempt-resource/defining-recommendation-exemption.png":::
67
66
68
-
69
67
## After creating the exemption
70
68
71
-
After creating the exemption it can take up to 30 minutes to take effect. After it takes effect:
72
-
69
+
After creating the exemption, it can take up to 30 minutes to take effect. After it takes effect:
70
+
73
71
- The recommendation or resources won't impact your secure score.
74
-
- If you've exempted specific resources, they'll be listed in the **Not applicable** tab of the recommendation details page.
75
-
- If you've exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the **Recommendation status** filter on that page are to exclude **Not applicable** recommendations. The same is true if you exempt all recommendations in a security control.
72
+
- If you exempted specific resources, they'll be listed in the **Not applicable** tab of the recommendation details page.
73
+
- If you exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the **Recommendation status** filter on that page are to exclude **Not applicable** recommendations. The same is true if you exempt all recommendations in a security control.
76
74
77
75
## Next steps
78
76
79
-
[Review exempted resources](review-exemptions.md) in Defender for Cloud.
77
+
[Review exempted resources](review-exemptions.md) in Defender for Cloud.
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/manage-mcsb.md
+8-7Lines changed: 8 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,7 +22,7 @@ This article describes how you can manage recommendations provided by MCSB.
22
22
23
23
-**Deny** is used to prevent deployment of resources that don't comply with MCSB. For example, if you have a Deny control that specifies that a new storage account must meet a certain criteria, a storage account can't be created if it doesn't meet that criteria.
24
24
25
-
-**Enforce** lets you take advantage of the **DeployIfNotExist** effect in Azure Policy, and automatically remediate non-compliant resources upon creation.
25
+
-**Enforce** lets you take advantage of the **DeployIfNotExist** effect in Azure Policy, and automatically remediate noncompliant resources upon creation.
26
26
27
27
> [!NOTE]
28
28
> Enforce and Deny are applicable to Azure recommendations and are supported on a subset of recommendations.
@@ -33,6 +33,9 @@ To review which recommendations you can deny and enforce, in the **Security poli
33
33
34
34
You can enable/disable, deny and enforce recommendations.
35
35
36
+
> [!NOTE]
37
+
> If a recommendation is disabled, all of its subrecommendations are exempted.
38
+
36
39
1. In the Defender for Cloud portal, open the **Environment settings** page.
37
40
38
41
1. Select the subscription or management group for which you want to manage MCSB recommendations.
@@ -60,14 +63,11 @@ You can only enforce a recommendation from the recommendation details page.
60
63
61
64
1. Select **Save**.
62
65
63
-
The setting will take effect immediately, but recommendations will update based on their freshness interval (up to 12 hours).
64
-
65
-
66
-
66
+
The setting takes effect immediately, but recommendations will update based on their freshness interval (up to 12 hours).
67
67
68
68
## Modify additional parameters
69
69
70
-
You might want to configure additional parameters for some recommendations. For example diagnostic logging recommendations have a default retention period of one day. You can change that default value.
70
+
You might want to configure additional parameters for some recommendations. For example, diagnostic logging recommendations have a default retention period of one day. You can change that default value.
71
71
72
72
In the recommendation details page, the **Additional parameters** column indicates whether a recommendation has associated additional parameters.
73
73
@@ -94,11 +94,12 @@ Potential conflicts can arise when you have multiple assignments of standards wi
94
94
:::image type="content" source="./media/manage-mcsb/effect-conflict.png" alt-text="Screenshot showing how to manage assignment of standards with different values." lightbox="./media/manage-mcsb/effect-conflict.png":::
95
95
96
96
1. To identify conflicts in additional parameters, in **Add**, select **Additional parameters conflict** > **Has conflict** to identify any conflicts.
97
-
1. If conflicts are found, in **Recommendation settings**, select the required value, and save.
97
+
1. If conflicts are found, in **Recommendation settings**, select the required value, and save.
98
98
99
99
All assignments on the scope will be aligned with the new setting, resolving the conflict.
100
100
101
101
## Next steps
102
+
102
103
This page explained security policies. For related information, see the following pages:
103
104
104
105
-[Learn how to set policies using PowerShell](../governance/policy/assign-policy-powershell.md)
0 commit comments