Closed: vegazbabz closed 1 year ago
@vegazbabz if you want to export e.g. Policy assignments (like azgvz does) to a file where the filename is built using the displayName of the assignment, then you run into issues in Windows or Linux if the displayName contains those characters. In azgvz we work around this by replacing these chars, which could lead to confusion. And yes, documentation is lacking for this one.
Example (chars '<' and '>'):

```json
{
  "properties": {
    "displayName": "customInitiativeTenantRoot2ExcludeTest<>",
    xxx
  },
  "id": "/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policyAssignments/b57ff837d0114527b406c11b",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "b57ff837d0114527b406c11b"
}
```
Export to file result: wiki/JSON_ManagementGroupId/Assignments/PolicyAssignments/Mg/0 (MG 0 displayName)/customInitiativeTenantRoot2ExcludeTest__ (b57ff837d0114527b406c11b).json
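The replacement described in the comment above, sketched as an added example (this is not AzGovViz's code and not part of the thread). The function names are hypothetical, the character set is the Windows reserved file name set, and the second assignment's `name` is a placeholder because the thread does not give it.

```powershell
# Added example, not AzGovViz code. Characters Windows rejects in a file name;
# '/' is also the path separator on Linux, so it must never reach a file name.
$script:IllegalFileNameChars = '[<>:"/\\|?*\x00-\x1f]'

function Test-DisplayNameHasIllegalChars {
    param([Parameter(Mandatory)][string]$DisplayName)
    return [regex]::IsMatch($DisplayName, $script:IllegalFileNameChars)
}

function Get-SafeExportFileName {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Name,
        [string]$Replacement = '_'
    )
    # Replace each illegal character one-for-one, matching the '<>' -> '__' result above.
    $safe = $DisplayName -replace $script:IllegalFileNameChars, $Replacement
    # Windows silently strips trailing dots and spaces from a name component.
    $safe = $safe.TrimEnd('.', ' ')
    # Appending the assignment 'name' keeps files distinct when two display names
    # sanitize to the same string (the source of the confusion mentioned above).
    return '{0} ({1}).json' -f $safe, $Name
}

# Constructed sample input modeled on the two display names quoted in this thread.
$assignments = @(
    [pscustomobject]@{
        displayName = 'customInitiativeTenantRoot2ExcludeTest<>'
        name        = 'b57ff837d0114527b406c11b'
    }
    [pscustomobject]@{
        displayName = 'ASC DataProtection (subscription: xxxx)'
        name        = 'placeholder-assignment-name'   # placeholder, not from the thread
    }
)

foreach ($a in $assignments) {
    [pscustomobject]@{
        DisplayName = $a.displayName
        HasIllegal  = Test-DisplayNameHasIllegalChars -DisplayName $a.displayName
        FileName    = Get-SafeExportFileName -DisplayName $a.displayName -Name $a.name
    }
}
```

Because `/` and `\` are replaced as well, a display name cannot introduce extra path components into the export path.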
That is understandable. However, the built-in Defender for Cloud plans deploy policies with naming that contradicts this. As mentioned, they use e.g. "ASC DataProtection (subscription: xxxx)" - which contains an illegal character “:”.
So maybe replace the ":" with "" when exporting and exclude it from the names finding? It is not great that you have multiple missing findings per subscription if you have enabled the Defender plans. It drowns the "real" findings. Just wanted to report this, you can close it if needed. Thanks for your great effort.
AzGovViz version: Latest
CodeRunPlatform: Azure DevOps
Describe the bug: It reports the built-in Defender plan policies as “non-compliant” under policy assignment naming findings, because they have the invalid char “:”. They use e.g. "ASC DataProtection (subscription: xxxx)" - which contains “:”.
Additional context: I tried to look around the Wiki here, but no luck. What is the reason behind the naming finding? Why react to invalid chars such as "/" or ":"?