Exempt a resource from recommendations and secure score

A core priority of every security team is trying to ensure the analysts can focus on the tasks and incidents that matter to the organization. Security Center has many features for customizing the information you prioritize the most and making sure your secure score is a valid reflection of your organization's security decisions. Exempting resources is one such feature.

When you investigate a security recommendation in Azure Security Center, one of the first pieces of information you review is the list of affected resources.

Occasionally, a resource will be listed that you feel shouldn't be included. It might have been remediated by a process not tracked by Security Center. Or perhaps your organization has decided to accept the risk for that specific resource.

In such cases, you can create an exemption rule and ensure that resource isn't listed with the unhealthy resources in the future, and doesn't impact your secure score.

The resource will be listed as not applicable and the reason will be shown as "exempted" with the justification you select.

Availability

Aspect: Details
Release state: Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: This is a premium Azure Policy capability that's offered to Azure Defender customers at no additional cost. For other users, charges might apply in the future.
Required roles and permissions: Subscription owner or Policy contributor to create an exemption. To create a rule, you need permissions to edit policies in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.
Clouds: Commercial clouds: Yes. National/Sovereign (US Gov, China Gov, Other Gov): No.

Create an exemption rule

  1. On the list of unhealthy resources, select the ellipsis menu ("...") for the resource you want to exempt.

    [Image: Create exemption option from context menu]

    The create exemption pane opens.

    [Image: Create exemption pane]

  2. Enter your criteria and select a criterion for why this resource should be exempted:

    • Mitigated - This issue isn't relevant to the resource because it's been handled by a different tool or process than the one being suggested.
    • Waiver - Accepting the risk for this resource.
  3. Select Save.

  4. After a while (it might take up to 24 hours):

    • The resource doesn't impact your secure score.

    • The resource is listed in the Not applicable tab of the recommendation details page.

    • The information strip at the top of the recommendation details page lists the number of exempted resources:

      [Image: Number of exempted resources]

  5. To review your exempted resources, open the Not applicable tab.

    [Image: Modifying an exemption]

    The reason for each exemption is included in the table (1).

    To modify or delete an exemption, select the ellipsis menu ("...") as shown (2).

Review all of the exemption rules on your subscription

Exemption rules use Azure Policy to create an exemption for the resource on the policy assignment.

You can use Azure Policy to track all your exemptions on the Exemption page:

[Image: Azure Policy's exemption page]
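
To review exemptions outside the portal, the following sketch (an added example, not part of the original article) summarizes exported exemption records by category and flags waivers that have no expiry date and exemptions that have already expired. It assumes records shaped like Azure Policy's policyExemptions resource, with the fields exemptionCategory and expiresOn; the sample records, resource names, and the review function are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample records (placeholder names and IDs, not real values).
# The first and third nest fields under "properties"; the second is flattened.
SAMPLE = json.loads("""
[
  {"name": "exempt-vm-01",
   "properties": {"exemptionCategory": "Waiver", "expiresOn": null,
                  "policyAssignmentId": "<policy-assignment-id>"}},
  {"name": "exempt-sa-02",
   "exemptionCategory": "Mitigated", "expiresOn": null,
   "policyAssignmentId": "<policy-assignment-id>"},
  {"name": "exempt-db-03",
   "properties": {"exemptionCategory": "Waiver",
                  "expiresOn": "2021-01-01T00:00:00Z",
                  "policyAssignmentId": "<policy-assignment-id>"}}
]
""")


def _props(item):
    # Assumption: some exports nest fields under "properties", others flatten them.
    return item.get("properties", item)


def review(exemptions, now):
    """Return (count per category, list of (exemption name, finding))."""
    counts, findings = {}, []
    for item in exemptions:
        p = _props(item)
        category = p.get("exemptionCategory", "Unknown")
        counts[category] = counts.get(category, 0) + 1
        expires = p.get("expiresOn")
        if expires:
            # Sample timestamps use whole seconds with a trailing "Z".
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
            if when <= now:
                findings.append((item["name"], "expired"))
        elif category == "Waiver":
            # An accepted risk with no end date is never re-evaluated.
            findings.append((item["name"], "waiver without expiry"))
    return counts, findings


if __name__ == "__main__":
    counts, findings = review(SAMPLE, datetime.now(timezone.utc))
    print(counts)
    for name, finding in findings:
        print(f"{name}: {finding}")
```
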

Next steps

In this article, you learned how to exempt a resource from a recommendation so that it doesn't impact your secure score. For more information about secure score, see: