Share via

Problems with Microsoft Defender for Cloud identity recommendations V2

Janne Kujanpää 241 Reputation points
2023-05-22T19:55:57+00:00

The new set of identity related recommendations when GA on 2023-05-01: https://github.com/MicrosoftDocs/azure-docs/commit/aba0c46fdabe84065951c96a7df75333a0493cac#diff-dbd404e58cedaa40736d88385d006caf82189af9cac95af849538aab5c5b57d8L70-L78

As a result multiple items are missing from Enable MFA category on Secure score recommendations:

User's image

User's image

  • Only one recommendation/policy assignment visible. Should have three
  • Only one subscription being listed. Should have three

MFA related recommendations:

Recommendation Assessment Key Policy Id
Accounts with owner permissions on Azure resources should be MFA enabled 6240402e-f77c-46fa-9060-a7ce53997754 e3e008c3-56b9-4133-8fd7-d3347377402a
Accounts with write permissions on Azure resources should be MFA enabled c0cb17b2-0607-48a7-b0e0-903ed22de39b 931e118d-50a1-4457-a5e4-78550e086c52
Accounts with read permissions on Azure resources should be MFA enabled dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4

Resource graph query to find the underlying issue:

PolicyResources
| where type =~ 'Microsoft.PolicyInsights/PolicyStates'
| extend complianceState = tostring(properties.complianceState)
| extend
	resourceId = tostring(properties.resourceId),
	policyAssignmentId = tostring(properties.policyAssignmentId),
	policyAssignmentScope = tostring(properties.policyAssignmentScope),
	policyAssignmentName = tostring(properties.policyAssignmentName),
	policyDefinitionId = tostring(properties.policyDefinitionId),
	policyDefinitionReferenceId = tostring(properties.policyDefinitionReferenceId),
	stateWeight = iff(complianceState == 'NonCompliant', int(300), iff(complianceState == 'Compliant', int(200), iff(complianceState == 'Conflict', int(100), iff(complianceState == 'Exempt', int(50), int(0))))),
    complianceReasonCode = tostring(properties.complianceReasonCode)
| where policyDefinitionId contains "e3e008c3-56b9-4133-8fd7-d3347377402a"
    or policyDefinitionId contains "931e118d-50a1-4457-a5e4-78550e086c52"
    or policyDefinitionId contains "81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4"
    or policyDefinitionId contains "339353f6-2387-4a45-abe4-7f529d121046"
    or policyDefinitionId contains "94e1c2ac-cbbe-4cac-a2b5-389c812dee87"
    or policyDefinitionId contains "e9ac8f8e-ce22-4355-8f04-99b911d6be52"
    or policyDefinitionId contains "0cfea604-3201-4e14-88fc-fae4c427a6c5"
    or policyDefinitionId contains "8d7e1fde-fe26-4b5f-8108-f8e432cbc2be"
| order by subscriptionId asc, policyDefinitionReferenceId asc, complianceState asc
| project subscriptionId, policyDefinitionReferenceId, complianceState, complianceReasonCode

Results:

enter image description here

From results we can see that policies are on NonCompliant state because underlying Microsoft.Security/assessments resources are missing from the subscription.

Regulatory compliance also displays wrong number of resources:

User's image

and

User's image

  • Anyone got insights if this is a known issue?
  • Any workarounds? Should I trigger something to re-calculate those assesment findings?
  • ATM we cannot trust Defender's green findings at all.
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
916 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,411 questions

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.