How to monitor your custom Azure Policy definitions with Azure Security Center recommendations

Azure Policy allows you to enforce organizational standards and to assess a required compliance state. For example, you can specify that resources in a particular subscription should be restricted to the European Union for deployment only. There are built-in policy definitions for common use cases already included, like implementing governance for resource consistency, regulatory compliance, security, cost, and management. The Azure Policy compliance dashboard provides an aggregated view to evaluate the overall state of the environment. More information about Azure Policy can be found here.

Image: Azure Policy Dashboard

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your Azure, hybrid, and other cloud environments. It covers two broad pillars of cloud security:

  • Cloud security posture management (CSPM): this is also called the free tier of Azure Security Center. It includes CSPM features such as secure score, detection of misconfigurations in your Azure virtual machines, asset inventory, and so on.
  • Cloud workload protection (CWP): the integrated workload protection, also called Azure Defender, brings advanced, intelligent protection of your Azure and hybrid resources and workloads. In addition to the built-in policies, once you have enabled any Azure Defender plan you can add custom policies and initiatives. Furthermore, regulatory standards such as NIST and Azure CIS are included, as well as the Azure Security Benchmark, for a truly customized view of your compliance. More information about Azure Security Center can be found here.

Image: Azure Security Center Dashboard

Create an Azure Policy definition

In the first step, we create an Azure Policy definition. You may already have existing definitions that you would like to surface in the Azure Security Center recommendations pane; that works in exactly the same way. In this example, the definition only restricts the Azure location in which resources may be created.

Note: you must be granted at least Resource Policy Contributor permissions.

Image: Azure Policy Definition Allowed Locations

We regulate, for the subscription “Visual Studio Enterprise Subscription” only, that the Allowed locations parameter contains europe, northeurope, and westeurope.

Create an Azure Policy initiative

An Azure Policy initiative is a collection of Azure Policy definitions, or rules, that are grouped together towards a specific goal or purpose. Azure Security Center initiatives are also created in Azure Policy. You can use either the Azure Policy pane (as we do in this blog post), or you can also create the custom initiative in Azure Security Center directly; the result remains the same.

Note: you must be granted Owner permissions on every subscription to which you want to assign your custom initiative.

Image: Azure Policy Initiative Assignment

Review the recommendations in Azure Security Center

After your Azure Policy definition and Azure Policy initiative have been created and assigned, you can see the initiative first under Regulatory compliance in Azure Security Center, as shown in the following screenshot. (First, because it can take an hour or more until the custom initiative also becomes visible under Recommendations.)

Image: Azure Security Center Regulatory Compliance

Note: the Regulatory compliance view is only available if you have an Azure Defender plan enabled (any plan will do, e.g. Azure Defender for Servers).

And here is the view from the Azure Security Center recommendations:

Image: Azure Security Center Recommendations

Enhance your custom recommendations with detailed information

To get a more granular description and a severity level, you can add both types of information to your custom recommendations, either via the REST API or by editing the policy definition JSON. The following two fields are available:

  • RemediationDescription – String
  • Severity – Enum [Low, Medium, High]

The metadata should be added to the policy definition for a policy that is part of the custom initiative. You can edit these values in the Policy definition:

Image: Edit Azure Policy Definition

To add the RemediationDescription string and the Severity value, add the following JSON object inside the "properties" block (between line 2 and line 10 in the screenshot above). If the definition already has a "metadata" object, add the "securityCenter" object to it rather than creating a second "metadata" key, since duplicate keys are not valid JSON:

"metadata": {
      "securityCenter": {
            "RemediationDescription": "Your custom description",
            "Severity": "High"
      }
},

Severity accepts exactly one of High, Medium or Low.
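The whole procedure above, from the policy definition with its securityCenter metadata through the custom initiative and its assignment, as an added PowerShell example using the Az.Resources module. This is not code from the original post or from Microsoft; the definition, initiative and assignment names, the placeholder subscription ID, the remediation text and the region list are assumptions, and the rule is written with a parameterised Audit/Deny effect so that an Audit assignment yields a Security Center recommendation rather than a hard block.

```powershell
# Added example (not from the original post): create a custom "allowed locations"
# policy definition carrying Security Center metadata, wrap it in a custom
# initiative, and assign the initiative to one subscription.
# Assumes the Az.Resources module and an authenticated session (Connect-AzAccount).
# Every name, the subscription ID, the regions and the remediation text are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$scope          = "/subscriptions/$subscriptionId"

# Policy rule: match any resource whose location is outside the allowed list.
# "global" resources (e.g. DNS zones) are excluded so they are not flagged.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters: the region list plus an Audit/Deny switch (default Audit, which is what
# produces a recommendation in Security Center instead of blocking deployments).
$parameters = @'
{
  "listOfAllowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources may be deployed",
      "strongType": "location"
    }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

# The securityCenter block is what Security Center reads for the recommendation's
# remediation steps (string) and severity (Low, Medium or High).
$metadata = @'
{
  "category": "General",
  "securityCenter": {
    "RemediationDescription": "Redeploy the resource into one of the approved EU regions.",
    "Severity": "Medium"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'custom-allowed-locations-eu' `
    -DisplayName 'Custom: resources must be deployed in approved EU regions' `
    -Description 'Audits (or denies) resources created outside the approved regions.' `
    -Policy $policyRule -Parameter $parameters -Metadata $metadata `
    -Mode 'Indexed' -SubscriptionId $subscriptionId

# For a definition that already exists, the same metadata can be added in place:
# Set-AzPolicyDefinition -Name '<existing-definition-name>' -Metadata $metadata -SubscriptionId $subscriptionId

# Initiative: a JSON array of the definitions it groups, with their parameter values.
$initiativeDefinitions = @"
[
  {
    "policyDefinitionId": "$($definition.PolicyDefinitionId)",
    "parameters": {
      "listOfAllowedLocations": { "value": [ "northeurope", "westeurope" ] },
      "effect": { "value": "Audit" }
    }
  }
]
"@

$initiative = New-AzPolicySetDefinition -Name 'custom-security-initiative' `
    -DisplayName 'Custom security initiative (EU locations)' `
    -Description 'Custom policies surfaced as Security Center recommendations.' `
    -PolicyDefinition $initiativeDefinitions -SubscriptionId $subscriptionId

# Assignment at subscription scope; this is the step that needs Owner on the subscription.
New-AzPolicyAssignment -Name 'custom-security-initiative-assignment' `
    -DisplayName 'Custom security initiative' `
    -PolicySetDefinition $initiative -Scope $scope

# Read back the stored metadata to confirm the securityCenter block is present.
# (Property path for Az.Resources < 7; in 7.x it is .Metadata.securityCenter.)
(Get-AzPolicyDefinition -Name 'custom-allowed-locations-eu' -SubscriptionId $subscriptionId).Properties.Metadata.securityCenter
```

Run it in a session where Connect-AzAccount has already succeeded: Resource Policy Contributor is enough for the definition and initiative, while the assignment needs Owner on the target subscription, matching the two notes above. The final command only reads the metadata back so you can check the securityCenter block was stored before waiting for Security Center to pick the initiative up.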

Many more PowerShell, Azure CLI, and REST API scripts and automation tasks for Azure Security Center can be found on GitHub. For example, this repository includes:

  • Programmatic remediation tools for security recommendations
  • PowerShell scripts for programmatic management
  • Azure Policy custom definitions for at-scale management of Azure Security Center
  • And many more!

Summary

In this post, we showed how custom Azure policies can be added to Azure Security Center to generate recommendations. With many subscriptions and resources, and especially with agile teams within the organization, this approach provides notifications as well as remediation guidance based on the definitions in the Azure policy and the custom initiative in Azure Security Center.

Automate Azure Administrative Units in Azure Automation

Azure Automation delivers a cloud-based automation and configuration service that provides consistent management across your Azure and non-Azure environments. It consists of process automation, update management, and configuration features. Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. It can automate frequent, time-consuming, and error-prone cloud management tasks. This automation helps you focus on work that adds business value.

Azure Automation manages across the lifecycle of your infrastructure and applications. Transfer knowledge into the system on how the organization delivers and maintains workloads. Author in common languages like PowerShell, desired state configuration, Python, and graphical runbooks. Common scenarios for Automation:

  • Build / Deploy resources: Deploy VMs across a hybrid environment using Runbooks and Azure Resource Manager templates. Integrate into development tools like Jenkins and Azure DevOps.
  • Configure VMs: Assess and configure Windows and Linux machines with the desired configuration for the infrastructure and application.
  • Monitor: Identify changes on machines that are causing issues and remediate or escalate to management systems.
  • Protect: Quarantine VM if security alert is raised. Set in-guest requirements.
  • Govern: Set up role-based access control for teams. Recover unused resources.

Continue reading “Automate Azure Administrative Units in Azure Automation”

Session slides “password-less authentication in AD FS 2019” from European Collaboration Summit

European Collaboration Summit (https://www.collabsummit.eu) 2019 was an awesome community-driven conference and it was a pleasure being part of it!

You can download my session slides about “password-less authentication with AD FS 2019” here: https://1drv.ms/p/s!ApvEqumCGaOPjJgyXIazPiJpQVXaqA

Delegated Administration with Azure Active Directory Administrative Units

Office 365 comes with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives your users permissions to do specific tasks in the Office 365 admin center and Windows PowerShell.
Especially in large organizations or universities with multiple brands or decentralized administration within a single Office 365 tenant, the default admin roles can cause headaches. While the delegation of permissions in Exchange Online works very well with Role Based Access Control (RBAC), other applications and services are hard to manage at a granular level, for example license management or helpdesk for different countries, brands, and organizations. In these organizations, only a subset of administrative users are allowed to edit properties based on their region or brand.

Read more at the ENOW SOFTWARE BLOG

Microsoft Enterprise Mobility Suite (EMS) – Identity + Access Management (IAM)

The growth of mobile devices such as smartphones and tablets changed the world rapidly. Most notably business users store important information on their devices such as emails, certificates, pictures, corporate apps and applications, etc. Maintaining control over their applications across corporate datacenters and public cloud platforms has become a significant challenge. IAM helps organizations to reduce helpdesk costs with self-service and single-sign-on experiences.

EMS – Enterprise Mobility Suite was introduced at the end of 2014. There is no single EMS product; it is a collection of services you can choose from.

Currently EMS contains the following services:

  • Cloud Identity + Access Management: gives users self-service capabilities and single sign-on for any corporate resource for easier identity management – for cloud-only and hybrid identities.
  • Mobile Device + Application Management: mobile device management, such as MDM in Office 365 and Intune, to manage and protect corporate data and apps on almost any device.
  • Information Protection: information security management across on-premises environments and cloud applications, protecting corporate data inside and outside of the organization.
  • Desktop Virtualization: a scalable platform to deliver corporate applications simply and cost effectively – everywhere.

Continue reading “Microsoft Enterprise Mobility Suite (EMS) – Identity + Access Management (IAM)”