NunoMoncheira-3027 asked Monalla-MSFT commented

In Azure Policy, assigning an Azure Security Benchmark initiative for version 2 is not working

After assigning the Azure Security Benchmark initiative to a brand new subscription, it seems that the compliance results are based on security controls v3 and not on v2 version.
When assigning the initiative, we can clearly see it mentions v2 version.


Still, when looking into the "Initiative Compliance" section, the results we have there all seem to be based on v3.

Example LT-1
V2: Enable threat detection for Azure resources
V3: Enable threat detection capabilities (This is what appears on Portal)

Even if I use Az CLI or PowerShell, the result is the same.

Is this a bug? Is it possible to change? For me it's really important, because I have lots of work done using version 2 of the security controls.


azure-policy

@NunoMoncheira-3027 - Did the answer below help resolve your issue? If not, please revert with any questions.
If it did, please feel free to "accept as answer" so it can be beneficial to the community.


1 Answer

stan answered stan commented

Hi
You are using v3, as v1 and v2 are deprecated and they are not seen in Azure Portal. The description does not mention that this is v2 version. It mentions that recommendations from v2 are within this initiative. Nevertheless, all the built-in policies and initiatives are available in this repository. If you see any issues with the description, you can post an issue in that repository.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Hi @stan, thanks for the answer.

"The description does not mention that this is v2 version. It mentions that recommendations from v2 are within this initiative." - You got me confused with this one. Can you explain it a bit further?
I already posted an issue in the repository.
I understand that v3 is the most recent version and that the others should be deprecated, but if that's the case, when a v4 version appears v3 will be deprecated too.
The work we do in previous versions is "deprecated" and we need to redo all our work? To me that's bad service.

Thanks for the clarifications.


stan replied to NunoMoncheira-3027:

The way I read the description is that recommendations that were available in v2 are also available in v3. The description is overall not so important and, as I have mentioned, probably someone will respond to the issue you logged. I cannot comment on whether there will be a v4 and what kind of changes are done, as I am not part of the team that is handling the policies, nor am I part of Microsoft.

In general, when a policy/initiative is deprecated it will disappear from Azure Portal, but that does not mean the policy/initiative is completely gone. If you have it assigned to existing subscriptions, the policy assignment will still work. The actual policy/initiative, although deprecated, is present and can still be assigned. Azure Portal makes it easier to use the latest version if you are just starting by hiding the deprecated policies/initiatives.

From my experience, Microsoft makes changes to policies/initiatives all the time, and when they decide to do a big refactor of an initiative for various reasons, they do some versioning in the display name of the initiative, but underneath that is a completely new initiative. So your assignments are tied to the old initiative, and if you want to move to this new version you need to do a new assignment. You are free to do that whenever you feel it is OK for you, and you can even have both assignments working at the same time.

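The point made in the last reply, that an assignment stays tied to the initiative definition it was created against even after that definition is deprecated and hidden in the portal, can be checked from exported CLI output. The following is an added example, not part of the original thread: the GUIDs, names and versions are constructed sample data, and the deprecation markers it checks (the metadata `deprecated` flag, a `-deprecated` version suffix, a `[Deprecated]` display-name prefix) are assumed to be the conventions used for built-in definitions.

```python
import json

# Constructed sample data, shaped like the JSON printed by
# `az policy set-definition list` and `az policy assignment list`.
SET_DEFINITIONS = json.loads("""[
 {"id": "/providers/Microsoft.Authorization/policySetDefinitions/11111111-1111-1111-1111-111111111111",
  "displayName": "[Deprecated]: Example benchmark",
  "metadata": {"version": "2.0.0-deprecated", "deprecated": true}},
 {"id": "/providers/Microsoft.Authorization/policySetDefinitions/22222222-2222-2222-2222-222222222222",
  "displayName": "Example benchmark",
  "metadata": {"version": "3.1.0"}}
]""")
ASSIGNMENTS = json.loads("""[
 {"name": "legacy-sub", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/11111111-1111-1111-1111-111111111111"},
 {"name": "new-sub", "policyDefinitionId": "/providers/microsoft.authorization/policysetdefinitions/22222222-2222-2222-2222-222222222222"},
 {"name": "single-policy", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/33333333-3333-3333-3333-333333333333"},
 {"name": "orphan", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/44444444-4444-4444-4444-444444444444"}
]""")


def is_deprecated(definition):
    """Apply the markers a built-in definition is assumed to carry once deprecated."""
    meta = definition.get("metadata") or {}
    return (meta.get("deprecated") is True
            or str(meta.get("version", "")).endswith("-deprecated")
            or (definition.get("displayName") or "").startswith("[Deprecated]"))


def audit_initiative_assignments(assignments, set_definitions):
    """Map each initiative assignment to the state of the definition it is pinned to."""
    by_id = {d["id"].lower(): d for d in set_definitions}  # resource IDs are case-insensitive
    report = {}
    for a in assignments:
        target = (a.get("policyDefinitionId") or "").lower()
        if "/policysetdefinitions/" not in target:
            continue  # assignment of a single policy, not an initiative
        d = by_id.get(target)
        if d is None:
            report[a["name"]] = ("unknown", None)  # definition not in the exported list
        else:
            version = (d.get("metadata") or {}).get("version")
            report[a["name"]] = ("deprecated" if is_deprecated(d) else "current", version)
    return report


if __name__ == "__main__":
    for name, (status, version) in audit_initiative_assignments(ASSIGNMENTS, SET_DEFINITIONS).items():
        print(f"{name}: {status} (definition version {version})")
```

Comparing the reported definition ID and version per assignment shows which control set the compliance results are actually evaluated against, regardless of the display text shown at assignment time.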