Some time ago I wrote about the possibility of excluding a specific resource from an Azure Security Center (ASC) security recommendation (Create an exemption rule to exclude a resource from a security recommendation), with which you can ensure that the resource has no effect on your secure score in specific scenarios (such as accepted risks).

In some cases, however, you may not only want to exclude one or a few resources from a recommendation, but want to configure an exemption for the recommendation in its entirety, for example if you have a 3rd-party solution that mitigates the risk highlighted in the recommendation but is not detected by ASC.

Fortunately, Microsoft has listened to this feedback and expanded the existing feature.

How to create an exemption rule for a recommendation

If you believe that a recommendation should be exempted at the level of (one or more) subscriptions or management groups, you can configure this with the following steps. This changes the resources’ status to “not applicable” and applies both to existing resources and to any resources you create in the future. For the selected scope, the recommendation is marked with the justification you choose.

Please note that this is a premium Azure Policy capability that is offered to Azure Defender customers at no additional cost. For other users, charges may apply in the future.

Open the recommendation

  • Go to the recommendation pane of ASC (Azure Portal https://portal.azure.com > Azure Security Center > Recommendations)
  • Open up the recommendation you want to exempt
  • In the top left corner, click on the “Exempt” button

Create the exemption

  • In the newly opened “Create exemption” pane:

    • Select the scope for the exemption:

      • MG: To exempt the recommendation on the level of (one or more) management groups
      • Subscription: To exempt the recommendation on the level of (one or more) subscriptions
      • Resources: To exempt the recommendation on the level of (one or more) resources

    • Provide a name for the exemption. Choose something descriptive, so that later on it is immediately clear what kind of exemption it is without much research.
    • Optionally, you can have the exemption expire automatically at a future date. This is useful, for example, if you want the recommendation to reappear when the issue is still unresolved after X days.
    • Select the exemption category for auditing purposes:

      • Mitigated – This issue isn’t relevant for this recommendation because it’s been resolved by a different tool or process than the one being suggested
      • Waiver – Accepting the risk for this resource

    • Optionally you can provide a description containing details about this exemption.
    • Click on “Create”

View all recommendation exemptions

  • Go to the recommendation pane of ASC (Azure Portal https://portal.azure.com > Azure Security Center > Recommendations)
  • Set the “Contains exemptions” filter to “Yes”

The overview below the filter will show you all the recommendations for which an exemption has been made.

Because the exemptions are configured in the background using Azure Policy, you can also use the Azure Policy interface to list all the exemptions you configured within ASC:

  • Open the Azure Policy exemption page (Azure Portal https://portal.azure.com > Azure Policy > Exemptions)
  • To view additional information, or to modify or delete an exemption, select the ellipsis menu (“…”)
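Because the portal steps above (creating the exemption, and then reviewing the list of exemptions) are really just Azure Policy exemption objects, the same two steps can be scripted. The following Python is an added example, not code from the original post or from ASC: it builds the ARM request body that the “Create exemption” pane produces, and audits a list of exemption records for expired entries and waivers without an expiry. The policyExemptions API version, the default assignment name SecurityCenterBuiltIn, the reference id and the sample records are assumptions or constructed values.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not from the post): the policyExemptions REST API version and the
# name of the default ASC policy assignment, SecurityCenterBuiltIn, at subscription scope.
API_VERSION = "2020-07-01-preview"
ASC_ASSIGNMENT = "providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn"
CATEGORIES = ("Waiver", "Mitigated")  # the two categories the portal offers
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_exemption(scope, name, assignment_id, category, days=None,
                    description="", reference_ids=None):
    """Return (url, body) for the PUT that creates an exemption at `scope`.

    `reference_ids` restricts the exemption to specific recommendations inside
    the ASC initiative; without it the whole assignment is exempted at `scope`.
    """
    if category not in CATEGORIES:
        raise ValueError(f"exemptionCategory must be one of {CATEGORIES}")
    props = {"policyAssignmentId": assignment_id, "exemptionCategory": category,
             "displayName": name, "description": description}
    if reference_ids:
        props["policyDefinitionReferenceIds"] = list(reference_ids)
    if days is not None:  # optional automatic expiry, as in the portal
        expires = datetime.now(timezone.utc) + timedelta(days=days)
        props["expiresOn"] = expires.strftime(TS)
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization"
           f"/policyExemptions/{name}?api-version={API_VERSION}")
    return url, {"properties": props}

def audit_exemptions(exemptions, now=None):
    """Flag exemptions worth a review: expired objects and open-ended waivers."""
    now, findings = now or datetime.now(timezone.utc), []
    for ex in exemptions:
        props = ex["properties"]
        exp = props.get("expiresOn")
        if exp is None and props["exemptionCategory"] == "Waiver":
            findings.append((ex["name"], "waiver without expiry"))
        elif exp and datetime.strptime(exp[:19] + "Z", TS).replace(tzinfo=timezone.utc) < now:
            findings.append((ex["name"], "expired"))
    return findings

# Constructed sample of what GET .../policyExemptions returns; not real data.
SAMPLE = [
    {"name": "waiver-sql-audit", "properties": {"exemptionCategory": "Waiver"}},
    {"name": "mitigated-by-3rd-party-waf", "properties": {
        "exemptionCategory": "Mitigated", "expiresOn": "2021-01-31T00:00:00Z"}},
]
```

Send the returned body with an HTTP PUT to the returned URL using an ARM bearer token (for example from `az account get-access-token`); for `audit_exemptions`, pass the `value` array of a GET on the same path without the exemption name.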

For more information about recommendation exemption rules see the following documentation:

https://docs.microsoft.com/en-us/azure/security-center/exempt-resource