Closed Agazoth closed 8 months ago
Hi,
This behavior is for free customers only. Paying customers will always have fresh data.
We've deployed a fix for this where all new registrations will have their activity status reset.
For existing free customers who are already registered, you can try setting the pricing tier to its existing state to reset activity status, or querying securityStatuses API
For example:
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/{pricingName}?api-version=2023-01-01

{
  "properties": {
    "pricingTier": "Free"
  }
}
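One way to script the "re-apply the existing pricing tier" workaround above across a subscription's plans, as an added example that is not from the thread or from Microsoft: it lists the plans, then PUTs each one back with its own tier (and subPlan, if present). The HTTP transport is injected; FakeArm and SAMPLE_PLANS are constructed stand-ins so it runs offline.

```python
"""Added example (not from the thread): re-apply each Defender for Cloud plan's
current pricing tier on a subscription, the "set the pricing tier to its existing
state" workaround described above. The HTTP transport is injected so the logic
runs offline against a constructed stand-in."""
from typing import Callable, Dict, List, Optional

ARM = "https://management.azure.com"
API_VERSION = "2023-01-01"
# (method, url, json_body) -> parsed JSON response
Send = Callable[[str, str, Optional[dict]], dict]

def pricings_url(subscription_id: str, pricing_name: str = "") -> str:
    base = f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings"
    if pricing_name:
        base += f"/{pricing_name}"
    return f"{base}?api-version={API_VERSION}"

def reset_activity_status(send: Send, subscription_id: str) -> Dict[str, str]:
    """GET every plan, then PUT it back unchanged. Returns {pricingName: tier}."""
    plans: List[dict] = send("GET", pricings_url(subscription_id), None).get("value", [])
    applied: Dict[str, str] = {}
    for plan in plans:
        props = plan["properties"]
        body = {"properties": {"pricingTier": props["pricingTier"]}}
        # Standard plans can carry a subPlan; resend it so the plan is not changed.
        if props.get("subPlan"):
            body["properties"]["subPlan"] = props["subPlan"]
        send("PUT", pricings_url(subscription_id, plan["name"]), body)
        applied[plan["name"]] = props["pricingTier"]
    return applied

class FakeArm:
    """Constructed stand-in for ARM: serves the given plans and records every call.
    A real caller would use requests with a bearer token from azure-identity."""
    def __init__(self, plans: List[dict]):
        self.plans = plans
        self.calls: List[tuple] = []
    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((method, url, body))
        return {"value": self.plans} if method == "GET" else {}

# Constructed sample: one Free plan and one Standard plan with a subPlan.
SAMPLE_PLANS = [
    {"name": "StorageAccounts", "properties": {"pricingTier": "Free"}},
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard", "subPlan": "P2"}},
]
if __name__ == "__main__":
    arm = FakeArm(SAMPLE_PLANS)
    print(reset_activity_status(arm, "00000000-0000-0000-0000-000000000000"))
```

Run it once per subscription; the GET-then-PUT keeps every plan at its current tier, so nothing is upgraded or downgraded.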
@chshum Thanks for your reply. That is much appreciated!
Does "We've deployed a fix for this where all new registrations will have their activity status reset." mean that customers on the free tier will also get the basic secure scores if we "reset" their pricing tier as described?
I have tested on several tenants, that logging on to the tenant and clicking the Microsoft Defender for Cloud is required before ascScore retrieval is triggered.
I think there is a really simple but hard-to-notice explanation for this. Some action, e.g. opening the Defender UI, triggers background processes.
E.g. the Microsoft cloud security benchmark policy initiative is assigned automatically on the subscription when TBD is done in the portal.
Exact actions seen in the brand-new subscription activity log:
1) Windows Azure Security Resource Provider registers Microsoft.GuestConfiguration
2) Windows Azure Security Resource Provider registers Microsoft.PolicyInsights
3) Windows Azure Security Resource Provider creates the policy initiative assignment:

"requestbody": {
  "id": "/subscriptions/x-x-x-x-x/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "name": "SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "sku": { "name": "A1", "tier": "Standard" },
  "properties": {
    "parameters": "******",
    "description": "This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of onboarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies",
    "displayName": "ASC Default (subscription: 731f3bda-584f-4578-a54e-addf20109a8e)",
    "scope": "/subscriptions/731f3bda-584f-4578-a54e-addf20109a8e",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "metaData": "******"
  }
}
Afaik Defender plans have a really minimal effect on secure score, if any.
Ps. Shame on MSFT for not documenting this properly. Assignment of the policy initiative is part of some landing zones: https://github.com/search?q=repo%3AAzure%2FALZ-Bicep%20%2F1f3afdf9-d0c9-4c3d-847f-89da613e70a8%2F&type=code
Closing as a solution was provided
I work for a CSP provider with 1000+ customers. We want to activate Microsoft Defender for Cloud on all subscriptions in order to monitor and enhance their secure score.
We use the API to activate the Microsoft.Security provider on all subscriptions. This activation works as expected and the provider gets registered.
BUT the Secure Score assessment does not start until someone logs on to the portal and clicks on the Microsoft Defender for Cloud blade.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
ascScore should have started within the 48 hours and have delivered something like:
Additional context
I have tested on several tenants that logging on to the tenant and clicking the Microsoft Defender for Cloud blade is required before ascScore retrieval is triggered. I still have 1000+ tenants with several subscriptions each, where the Microsoft.Security provider has been registered for 30+ days, but ascScore has no secure scores generated.
I made a MS support case on the issue, and this is what they answered:
According to that statement, logging on to the portal once a month is required to get continuous generation of Secure Score.
Is there any way to trigger the portal logon to Microsoft Defender for Cloud so we don't have to do this logon manually?