Category: Powershell

Automating Azure Policy Non Compliance on False Positive Findings using PowerShell

There’s nothing I loathe more then Microsoft’s never ending pursuit to get everyone to signup and use their most expensive licensing models regardless of the product. If you use 3rd parties for Identity Providers (IdP), anti-malware, vulnerability scanning, or cloud security posture management (CSPM) solutions, be prepared for your Microsoft and Azure Advisor Secure Score’s to absolutely suck.

I got tired of seeing how crappy our score was. It doesn’t look great, and this is definitely by design from Microsoft. So, rather then trudge through the portal and manually make changes, I decided to automate making exemptions for findings that we have compensating controls for.

While not mandatory, it will help you immensely if you use my other script to generate the CSV in my other post – You can grab that here: https://mclaughlin.ai/exporting-azure-policy-assignment-resource-compliance-across-the-tenant/

Before getting started, we’ll be using these PowerShell commands, so if you don’t have the underlying modules on your machine, Google away my friend. Once installed circle back here for the goods. They are:

  • Get-AzSubscription
  • Set-AzContext
  • Get-AzPolicyAssignment
  • Get-AzPolicyState
  • New-AzPolicyExemption

Some other basic PowerShell commands are in place but you should be good there. With that said, here’s the code, and we’ll break it down afterwards:


$date = (Get-Date -Format MM-dd-yy-hh-mm-ss).ToString()
$subs = get-azsubscription
       $i = 1
       $ii = 0

$pol2rem = Read-Host -Prompt "Which policy would you like to place a Waiver for? Enter the PolicyDefinitionReferenceId attribute"
$polWaiverNote = Read-Host -Prompt "Enter a SHORT description to be placed in with the Policy Waiver, 10 chars or less (This doesn't check length so it is up to you)"

Write-Host $subs.Count "Subscriptions" -ForegroundColor Green
foreach ($sub in $subs) {

    write-host "Setting subscription to "$sub.Name -ForegroundColor Green
    set-azcontext -subscriptionid $sub.Id
    write-host "Set subscription to "$sub.Name -ForegroundColor Green
    
    $assignedPols = get-azpolicyassignment
    write-host "Got policy assignments for"$sub.Name -ForegroundColor Green
            
    foreach ($pol in $assignedPols) {      

                $polDefRefId = $polDef.PolicyDefinitionReferenceId.tostring()
                $polDefResId = $polDef.ResourceId.tostring()
                if ($polDef.ComplianceState -eq 'NonCompliant' -and $polDefRefId -eq $pol2rem.ToString()) {
                    $ii += 1

                            new-azpolicyexemption -name "PS $polWaiverNote" -policydefinitionreferenceid $polDefRefId -exemptioncategory Waiver -policyassignment $pol -scope $polDefResId

                            write-host "Exemption created for $polDefRefId within policy assignment"$pol.Name"in sub"$sub.Name -ForegroundColor Cyan
                }
            }
    }

    write-host "Procsessed $i of"$subs.Count"subscriptions" -ForegroundColor Green
    write-host "Processed $ii policies" -ForegroundColor Cyan
    $i++

}

The script starts off by gathering Date information.. Then it collects all the Azure Subscriptions across the Tenant and sets some variables we’ll use to keep track of the Subscriptions we’ve processed and the number of Exemptions put in place.

There are two inputs which you’ll use to run the script. The first prompt is the PolicyDefinitionReferenceId that you want to make exemptions for. The second prompt is for a brief description for the Waiver mitigation description. This attribute has a max character limit of 64, so we need to keep this somewhat brief. I was too lazy to add in code to ensure we don’t go over the 10 character limit, but consider this your warning. You’ll know it bombs out if it’s too long because I didn’t to a try/catch block on the Exemption piece so you can see what the actual error is.

With all that said, the first foreach block loops through the Subscriptions, setting the PowerShell boundaries to each one individually. Simple enough

The second foreach block does what we want it to do: Put in Exemption Waiver’s for false positives. This done with the following command:

new-azpolicyexemption -name "PS $polWaiverNote" -policydefinitionreferenceid $polDefRefId -exemptioncategory Waiver -policyassignment $pol -scope $polDefResId

Let’s break this down:

The -name parameter is the description of why we are marking it as Exempt.

The -policydefinitionreferenceid is the name of the policy we want to be Exempted. You can find this on the earlier CSV generated.

The -exemptioncategory we set to Waiver so it falls off the report and helps clean up the numbers/scores.

The -policyassignment is the Azure Policy Assignment that has the Azure Policy Definition that is being marked as a False Positive Non Compliant finding. It that sentence makes you feel like you’re in the movie Inception, you’re not alone.

The last parameter, -scope, pulls the PolicyDefinitionResourceId (not to be confused with the PolicyDefinitionReferenceId), which targets the Subscription, Resource Group, or Resource which is being flagged a Non Compliant.

Couple this together and you get automated way to get rid of False Positive findings so you can then start trudging through the True Positives. Start with the low hanging fruit is what I say. This script has made my life immensely easier when dealing with Azure Advisor, Azure Secure Score, and Defender for Cloud findings.

Hope this helps and enjoy!

Exporting Azure Policy Assignment Resource Compliance Across the Tenant to CSV

Azure Policies are a foundational component to securing your cloud environment. One of the challenges you may run into is that it can bloat your tab memory and slow response over time when trying to navigate large Azure implementations using the Portal. Hopping around the Azure Portal can become unmanageable, evaluating different policies for Compliance, only to have it crash due to the large number of information it attempts to front load in your browser. I find it silly that it doesn’t release memory when you jump to different areas of Policy, but I guess fixing that (if they are aware of it at all) is in the almighty backlog.

In short: It caused me frustration. And this frustration led me down a path of figuring out how to export all of the Policies across all Subscriptions to CSV. I ended up using PowerShell to accomplish this and am sharing if anyone else has felt the pain.

The first thing we need to become familiar with are the Azure Policy PowerShell commands. Microsoft’s documentation on a few of these are lacking, and they don’t fully explain in enough detail what each of the parameters does. This is something else that caused additional frustration. Anyway, this script uses:

  • Get-AzSubscription
  • Set-AzContext
  • Get-AzPolicyAssignment
  • Get-AzPolicyState

Collectively, with some other built in PowerShell commands, we can paint a picture of our entire Azure Tenant and All Subscription Policy through Excel. Much, much easier.

Here’s the code, and then I’ll break out how it works in detail after if you’re interested. Note: You’ll need to use Connect-AzAccount first.

$date = (Get-Date -Format MM-dd-yy-hh-mm-ss).ToString()
$subs = get-azsubscription
       $i = 1

Write-Host $subs.Count "Subscriptions" -ForegroundColor Green
foreach ($sub in $subs) {


    write-host "Setting subscription to "$sub.Name -ForegroundColor Green
    set-azcontext -subscriptionid $sub.Id
    write-host "Set subscription to "$sub.Name -ForegroundColor Green

    $assignedPols = get-azpolicyassignment
    write-host "Got policy assignments for"$sub.Name -ForegroundColor Green
            
    foreach ($pol in $assignedPols) {  
            Get-AzPolicyState -PolicyAssignmentName $pol.Name | Select-Object *, @{Name='SubscriptionName';Expression={$($sub.Name)}}, @{Name='State';Expression={$($sub.State)}} | Export-Csv -Path "c:\temp\polexp-$date.csv" -NoTypeInformation -Append
            $polState = Get-AzPolicyState -PolicyAssignmentName $pol.Name
            write-host "Got policy assignment details for"$pol.Name -ForegroundColor Green
    }

    write-host "$i of"$subs.Count"subs processed." -ForegroundColor Cyan
    $i++

}

The first thing the script does is use Get-Date to a variable. The second thing it does is collect all of our Azure Subscriptions across the entire tenant into another variable.

The first foreach block begins looping through each Subscription and uses Set-AzContext to set the PowerShell boundaries to that Subscription. Then it collects all Policy Assignments to a variable. But this alone will not give us all the information we need, and instead just provides a high level export of what Azure Policy Assignments exist against the Subscription. It is not detailed at all, and it is annoying. This is where the next foreach loop comes into play.

The nested foreach block then takes each Policy Assignment in the Subscription and does a deep dive against it. Get-AzPolicyState takes each Policy within the Assignment to truly get an understanding of what is Compliant, NonCompliant, or Exempt. It ended up working pretty well.

This is really the meat and potatoes of the script:

Get-AzPolicyState -PolicyAssignmentName $pol.Name | Select-Object *, @{Name='SubscriptionName';Expression={$($sub.Name)}}, @{Name='State';Expression={$($sub.State)}} | Export-Csv -Path "c:\temp\polexp-$date.csv" -NoTypeInformation -Append

Let’s break it down.

We get the state of all Policies within a unique Assignment by using the -PolicyAssignmentName parameter. We pull the Assignment name by querying against the $pol.Name variable attribute.

Because I would rather have all of the information and filter out what I don’t need, I use Select-Object * to return every attribute available against the Policy. I then create two custom Object’s pulling in the Subscription Name (Which is much easier to understand then the Subscription ID) and State of the Subscription, which tells me if it’s Enabled or Disabled.

Lastly, it then pumps all of the individual Resources that are applicable to that Policy, and exports everything into a nice, clean, CSV. These are the headers you get in the report:

  • PolicySetDefinitionParameters
  • ManagementGroupIds
  • PolicyDefinitionReferenceId
  • ComplianceState
  • PolicyEvaluationDetails
  • PolicyDefinitionGroupNames
  • PolicyDefinitionVersion
  • PolicySetDefinitionVersion
  • PolicyAssignmentVersion
  • SubscriptionName
  • State

I hope this helps. Architecting secure cloud environments can be difficult, but thankfully we can automate things to make our lives a bit easier.