How to monitor your custom Azure Policy definitions with Azure Security Center recommendations

Azure Policy allows you to enforce organizational standards and to assess a required compliance state. For example, you can specify that resources in a particular subscription should be restricted to the European Union for deployment only. There are built-in policy definitions for common use cases already included, like implementing governance for resource consistency, regulatory compliance, security, cost, and management. The Azure Policy compliance dashboard provides an aggregated view to evaluate the overall state of the environment. More information about Azure Policy can be found here.

Image: Azure Policy Dashboard

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your Azure, hybrid, and other cloud environments. It covers two broad pillars of cloud security:

  • Cloud security posture management (CSPM): this is also called the free version of Azure Security Center. It includes CSPM features like secure score, detection of misconfigurations in your Azure virtual machines, asset inventory, etc.
  • Cloud workload protection (CWP): the integrated workload protection, also called Azure Defender, brings advanced, intelligent protection of your Azure and hybrid resources and workloads. In addition to the built-in policies, when you’ve enabled any Azure Defender plan, you can add custom policies and initiatives. Furthermore, there are regulatory standards included – such as NIST and Azure CIS – as well as the Azure Security Benchmark for a truly customized view of your compliance. More information about Azure Security Center can be found here.

Image: Azure Security Center Dashboard

Create an Azure Policy definition

In the first step, we create an Azure Policy definition. You may already have existing definitions that you would like to add to the Azure Security Center recommendations pane; that works the same way. In this example, the definition only regulates the Azure location of the resources to be created.

Note: you must be granted at least Resource Policy Contributor permissions.

Image: Azure Policy Definition Allowed Locations

We regulate – only for the subscription “Visual Studio Enterprise Subscription” – that the allowed-locations parameter contains europe, northeurope, and westeurope.

Create an Azure Policy initiative

An Azure Policy initiative is a collection of Azure Policy definitions, or rules, that are grouped together towards a specific goal or purpose. Azure Security Center initiatives are also created in Azure Policy. You can use either the Azure Policy pane (as we do in this blog post), or you can also create the custom initiative in Azure Security Center directly; the result remains the same.

Note: you must be granted Owner permissions on every subscription to which you want to assign your custom initiative.

Image: Azure Policy Initiative Assignment

Review the recommendations in Azure Security Center

After your Azure Policy definition and Azure Policy initiative have been created and assigned, you can see them first under Regulatory compliance in Azure Security Center, as shown in the following screenshot. (First, because it can take an hour or more until the custom initiative is also visible under Recommendations.)

Image: Azure Security Center Regulatory Compliance

Note: Access to the regulatory compliance portal is only available if you have Azure Defender in place (any kind of Azure Defender plan, e.g. Azure Defender for Servers).

And here is the view from the Azure Security Center recommendations:

Image: Azure Security Center Recommendations

Enhance your custom recommendations with detailed information

To get a more granular description and a severity level, you can add both types of information to your custom recommendations via the REST API. The following two types are available:

  • RemediationDescription – String
  • Severity – Enum [Low, Medium, High]

The metadata should be added to the policy definition for a policy that is part of the custom initiative. You can edit these values in the Policy definition:

Image: Edit Azure Policy Definition

To add the RemediationDescription string and the severity parameter, just add the following JSON data within the properties brackets between line 2 and line 10:

"metadata": {
      "securityCenter": {
            "RemediationDescription": "Your custom description",
            "Severity": "severity value (High, Medium, Low)"
      }
}
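The same metadata block, applied programmatically to the allowed-locations definition from this post, as an added example that is not code from the original post: the policy body layout is assumed from the usual Azure Policy definition shape, and the function checks that Severity is one of the three enum values and that the block lands inside "properties" before the definition is uploaded.

```python
import copy

# Constructed example: the allowed-locations definition from the post, in the JSON
# shape Azure Policy uses (layout assumed, not copied from the page).
ALLOWED_LOCATIONS_DEFINITION = {
    "properties": {
        "displayName": "Allowed locations (custom)",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {
            "listOfAllowedLocations": {
                "type": "Array",
                "defaultValue": ["europe", "northeurope", "westeurope"],
            }
        },
        "policyRule": {
            "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            "then": {"effect": "deny"},
        },
    }
}

# The two values Security Center reads from metadata.securityCenter (from the post).
SEVERITY_VALUES = ("Low", "Medium", "High")


def add_security_center_metadata(definition, remediation, severity):
    """Return a copy of the definition with metadata.securityCenter set.

    The block has to sit inside "properties", and Severity is an enum, so both
    are enforced here rather than discovered after the initiative is assigned.
    """
    if severity not in SEVERITY_VALUES:
        raise ValueError(f"Severity must be one of {SEVERITY_VALUES}, got {severity!r}")
    if not remediation.strip():
        raise ValueError("RemediationDescription must not be empty")
    updated = copy.deepcopy(definition)
    props = updated.setdefault("properties", {})
    metadata = props.setdefault("metadata", {})  # keeps other metadata keys intact
    metadata["securityCenter"] = {
        "RemediationDescription": remediation,
        "Severity": severity,
    }
    return updated


def security_center_metadata(definition):
    """Read back metadata.securityCenter, or None if the definition has none."""
    return definition.get("properties", {}).get("metadata", {}).get("securityCenter")
```

The returned dictionary is the JSON body you would send with the REST API or paste into the definition editor shown above.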


Many more PowerShell, Azure CLI, and REST API scripts and automation tasks for Azure Security Center can be found on GitHub. For example, this repository includes:

  • Programmatic remediation tools for security recommendations
  • PowerShell scripts for programmatic management
  • Azure Policy custom definitions for at-scale management of Azure Security Center
  • And many more!


In this post, we showed how custom Azure policies can be added to Azure Security Center to generate recommendations. With many subscriptions and resources, and especially with agile teams within the organization, this approach provides notifications as well as remediation guidance based on the definition in the Azure policy and the custom initiative in Azure Security Center.

Automate Azure Administrative Units in Azure Automation

Azure Automation delivers a cloud-based automation and configuration service that provides consistent management across your Azure and non-Azure environments. It consists of process automation, update management, and configuration features. Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. It can automate frequent, time-consuming, and error-prone cloud management tasks. This automation helps you focus on work that adds business value.

Azure Automation manages across the lifecycle of your infrastructure and applications. Transfer knowledge into the system on how the organization delivers and maintains workloads. Author in common languages like PowerShell, desired state configuration, Python, and graphical runbooks. Common scenarios for Automation:

  • Build / Deploy resources: Deploy VMs across a hybrid environment using Runbooks and Azure Resource Manager templates. Integrate into development tools like Jenkins and Azure DevOps.
  • Configure VMs: Assess and configure Windows and Linux machines with the desired configuration for the infrastructure and application.
  • Monitor: Identify changes on machines that are causing issues and remediate or escalate to management systems.
  • Protect: Quarantine a VM if a security alert is raised. Set in-guest requirements.
  • Govern: Set up role-based access control for teams. Recover unused resources.


Exchange Online Basic Authentication Settings

Microsoft recently added Basic Authentication settings to the Microsoft 365 admin center (Roadmap). You can now quickly disable/enable Basic Authentication per protocol:

Log in to the Microsoft 365 admin center and go to “Settings” and “Org settings”:

Next, click on “Modern authentication” and you can see the configuration options like this:


More information on Basic Authentication, on how to use Graph API or OAuth2 for the POP and IMAP protocols, and on how to use the Exchange Online v2 PowerShell module with Modern Authentication can be found here.

Session slides “password-less authentication in AD FS 2019” from European Collaboration Summit

European Collaboration Summit 2019 was an awesome community-driven conference and it was a pleasure being part of it!

You can download my session slides about “password-less authentication with AD FS 2019” here:!ApvEqumCGaOPjJgyXIazPiJpQVXaqA

BRK3081 – Implementing a modern network architecture to get the most out of Office 365

This blog post covers a summary of the session from Paul Collinge and Jeff Mealiffe about a recommended network architecture to get the most out of Office 365.

The enterprise connectivity challenge is that most customers are using a lot of expensive network equipment for the outgoing and incoming network traffic to and from the Internet: for example, proxy servers, WAN accelerators, secure web gateways, intrusion prevention systems, etc. All of this network and connectivity equipment is expected because everything outside is unknown and untrusted.

Image: The enterprise connectivity challenge

But this model doesn’t fit with the cloud world of Office 365 and causes various connectivity problems.


Exchange Server Preview 2019

Microsoft announced today a preview build of Exchange Server 2019. You can download it here.

“We strongly believe Office 365 delivers the best and most cost-effective experience to our customers, but we understand that some customers have reasons to remain on-premises. Exchange Server 2019 is designed to deliver security, performance, and improved administration and management capabilities. These are the attributes our largest on-premises customers tell us they need from Exchange. We also have features end-users will love too of course.”

Read more at the EHLO blog.

Centralized Mail-Transport In Exchange Multi-Forest Environments

Outbound messages to the Internet are routed from the Exchange Online organization through your on-premises organization. With the exception of messages sent to other recipients in the same Exchange Online organization, all messages sent from recipients in the Exchange Online organization are sent through the on-premises organization. This enables you to apply compliance rules to these messages, as well as any other processes or requirements that must be applied to all of your recipients, such as digitally signing emails at your SMTP gateway, regardless of whether they’re located in the Exchange Online organization or the on-premises organization.

Read more at the ENow Software Blog.

Delegated Administration with Azure Active Directory Administrative Units

Office 365 comes with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives your users permissions to do specific tasks in the Office 365 admin center and Windows PowerShell.
For large organizations or universities with multiple brands or decentralized administration within a single Office 365 tenant, however, the default admin roles can cause headaches. While the delegation of permissions in Exchange Online works very well with Role Based Access Control (RBAC), other applications and services are hard to manage at a granular level, for example license management or helpdesk for different countries, brands, and organizations. In these organizations, only a subset of administrative users are allowed to edit properties based on their region or brand.

Read more at the ENow Software Blog.

Exchange Hybrid MRS vs. MigrationService Migrations

I would like to share some Exchange 2010 hybrid migration facts with you that we figured out.

First, again many thanks to Michael Van Horenbeeck! He helped me discuss this with a customer. I’m always very happy to work with him. And many thanks to Ben Winzenz and Jeff Kizner as well, I’m very grateful for your help.

In short: a customer is trying to keep about 65k mailboxes in sync to ensure a short cutover time. We are using a maximum of 1,500 mailboxes per batch, 5 batches per week, and switching 7,500 mailboxes with an overall data volume of about 5 TB per week. For some technical details, we are using Azure ER (800 Mbit) for migration with 4 TMG as a proxy and some kind of F5 load balancing in between, PAW is activated, and two migration endpoints with 100 sync/complete in parallel each. We did some network measuring and move request statistics and we had an average migration velocity of 18.6 GB/h for batches starting the first incremental sync (0% to 95%), which is great. Of course, the migration velocity depends on the number of batches, mailboxes, mailbox items, network workload, etc.


Delegated Administration in Exchange Online

My colleagues and I are working on a (pilot) multi-forest Exchange hybrid environment with a single Office 365 tenant. In this early stage of the project we will have two companies, each with their own on-premises environment. One of the requirements is a delegated administrative concept for Exchange Online, which means administrators and helpdesk workers should only manage and configure settings for their specific domains. This blog post will show you how to handle this with Role Based Access Control (RBAC).

Read more at the atwork blog.