Sunday, May 28, 2023

Enabling Microsoft Defender for Cloud via Azure Policy

Azure Policy ships with a large set of built-in policy definitions, one of which enables Microsoft Defender for Cloud at whatever scope you choose. The definition is still called Enable Azure Security Center on your subscription (Azure Security Center is the former name of Defender for Cloud) and uses the DeployIfNotExists effect. To enable the service on all existing and future subscriptions, assign that definition once to your Tenant Root Group; every subscription created under the tenant afterwards inherits the assignment. To onboard a management group and all its subscriptions to Defender for Cloud, follow these steps:

1.  Log in with an account that has Security Admin permissions at the target management group and can also create role assignments there (Owner or User Access Administrator): a DeployIfNotExists assignment gets a system-assigned managed identity, and the portal grants that identity the role the policy requires during assignment. For the Tenant Root Group, a Global Administrator may first need to elevate access. Open Azure Policy and search for the Enable Azure Security Center on your subscription policy definition. 


Figure 1.1 – Policy definition to enable Defender for Cloud

2.  Select the definition, and then click Assign:


Figure 1.2 – Assigning the policy definition

3.  Select Tenant Root Group as the assignment scope. The definition has no parameters you need to change; on the Remediation tab, leave the system-assigned managed identity enabled, since the policy cannot deploy anything without it. 

Figure 1.3 – Assigning the policy definition to your Tenant Root Group

4.  Click Review + create and then Create.

5.  After the definition has been assigned, navigate to the Assignments blade in Azure Policy and select the assignment you have just created. In the assignment, click on Create Remediation Task. A DeployIfNotExists policy only acts on resources when they are created or updated, so the subscriptions that already exist are merely reported as non-compliant; the remediation task is what actually enables Defender for Cloud on them, while future subscriptions are handled automatically at creation time.


Figure 1.4 – Create Remediation Task

6.  Select the non-compliant subscriptions listed (if any) and click on Remediate.
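The same six steps can be scripted. The Azure CLI script below is an added example written for this post, not code from the original article; it looks up the built-in definition by display name, assigns it to the Tenant Root Group with a system-assigned managed identity, grants that identity the role the definition itself lists (the portal does this silently), and then starts the remediation task for existing subscriptions. The assignment name `enable-defender-for-cloud`, the `westeurope` location (only used to host the managed identity) and the `--run` guard are assumptions of this example; the Tenant Root Group's management group name being equal to the tenant ID is standard Azure behaviour.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): onboard every subscription under the
# Tenant Root Group to Microsoft Defender for Cloud via the built-in policy
# "Enable Azure Security Center on your subscription", then remediate existing ones.
# Needs an Azure CLI session with rights to create policy and role assignments at
# the root management group (Security Admin plus Owner/User Access Administrator).
set -eu

POLICY_DISPLAY_NAME='Enable Azure Security Center on your subscription'
ASSIGNMENT_NAME="${ASSIGNMENT_NAME:-enable-defender-for-cloud}"   # assumed name
LOCATION="${LOCATION:-westeurope}"   # assumed; only hosts the managed identity

# The Tenant Root Group is a management group whose name is the tenant ID.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Refuse to build a scope from anything that is not a GUID (e.g. an empty
# string from a failed `az account show`), so we never assign at a bogus path.
is_guid() {
  printf '%s' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

onboard_tenant_root() {
  local tenant_id scope definition_name role_id assignment_id
  tenant_id="$(az account show --query tenantId -o tsv)"
  is_guid "$tenant_id" || { echo "unexpected tenant id: '$tenant_id'" >&2; return 1; }
  scope="$(mg_scope "$tenant_id")"

  # Step 1: built-in definitions are named by GUID, so resolve the display name.
  definition_name="$(az policy definition list \
      --query "[?displayName=='$POLICY_DISPLAY_NAME'].name | [0]" -o tsv)"
  [ -n "$definition_name" ] || { echo "policy definition not found" >&2; return 1; }

  # The definition declares which role its managed identity needs; read it
  # instead of hard-coding a role, and keep only the GUID part of the ID.
  role_id="$(az policy definition show --name "$definition_name" \
      --query 'policyRule.then.details.roleDefinitionIds[0]' -o tsv)"
  role_id="${role_id##*/}"

  # Steps 2-4: assign at the Tenant Root Group with a system-assigned identity and
  # grant that identity the required role at the same scope (portal does this too).
  assignment_id="$(az policy assignment create \
      --name "$ASSIGNMENT_NAME" \
      --display-name "$POLICY_DISPLAY_NAME" \
      --policy "$definition_name" \
      --scope "$scope" \
      --mi-system-assigned \
      --location "$LOCATION" \
      --role "$role_id" \
      --identity-scope "$scope" \
      --query id -o tsv)"

  # Steps 5-6: DeployIfNotExists only fires on create/update, so existing
  # subscriptions need an explicit remediation task at the management group.
  az policy remediation create \
      --name "${ASSIGNMENT_NAME}-initial" \
      --management-group "$tenant_id" \
      --policy-assignment "$assignment_id" \
      --output table
}

# Only talk to Azure when explicitly asked: ./onboard.sh --run
if [ "${1:-}" = "--run" ]; then
  onboard_tenant_root
fi
```

Run it once with `--run`; re-running is safe because `az policy assignment create` with the same name updates the existing assignment, and a second remediation task simply finds nothing left to remediate. Check the result afterwards with `az policy state summarize --management-group <tenantId>` or in the Compliance blade, where every subscription should report as compliant once the task finishes.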

Now that you have enabled Microsoft Defender for Cloud on all of your subscriptions, let's move on and deploy mandatory agents and extensions to your IaaS.

Thant Zin Phyo@Cracky (MCT, MCE, MVP)
