Automate onboarding of Azure Security Center using PowerShell

You can secure your Azure workloads programmatically, using the Azure Security Center PowerShell module. Using PowerShell enables you to automate tasks and avoid the human error inherent in manual tasks. This is especially useful in large-scale deployments that involve dozens of subscriptions with hundreds and thousands of resources – all of which must be secured from the beginning.

Onboarding Azure Security Center using PowerShell enables you to programmatically automate onboarding and management of your Azure resources and add the necessary security controls.

This article provides a sample PowerShell script that can be modified and used in your environment to roll out Security Center across your subscriptions.

In this example, we will enable Security Center on a subscription with ID: d07c0080-170c-4c24-861d-9c817742786c and apply the recommended settings that provide a high level of protection. This is done by implementing the Standard tier of Security Center, which provides advanced threat protection and detection capabilities:

  1. Set the ASC standard level of protection.

  2. Set the Log Analytics workspace to which the Microsoft Monitoring Agent will send the data it collects on the VMs associated with the subscription – in this example, an existing user-defined workspace (myWorkspace).

  3. Activate Security Center’s automatic agent provisioning which deploys the Microsoft Monitoring Agent.

  4. Set the organization’s CISO as the security contact for ASC alerts and notable events.

  5. Assign Security Center’s default security policies.

Prerequisites

These steps should be performed before you run the Security Center cmdlets:

  1. Run PowerShell as admin.

  2. Run the following commands in PowerShell:

    Set-ExecutionPolicy -ExecutionPolicy AllSigned
    Install-Module -Name Az.Security -Force
    

Onboard Security Center using PowerShell

  1. Register your subscriptions to the Security Center Resource Provider:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security' 
    
  2. Optional: Set the coverage level (pricing tier) of the subscriptions (If not defined, the pricing tier is set to Free):

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
    Set-AzSecurityPricing -Name "default" -PricingTier "Standard"
    
  3. Configure a Log Analytics workspace to which the agents will report. You must have a Log Analytics workspace that you already created, that the subscription’s VMs will report to. You can define multiple subscriptions to report to the same workspace. If not defined, the default workspace will be used.

    Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c" -WorkspaceId "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
    
  4. Auto-provision installation of the Microsoft Monitoring Agent on your Azure VMs:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
    
    Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision
    

    Note

    It is recommended to enable auto provisioning to make sure that your Azure virtual machines are automatically protected by Azure Security Center.

  5. Optional: It is highly recommended that you define the security contact details for the subscriptions you onboard, which will be used as the recipients of alerts and notifications generated by Security Center:

    Set-AzSecurityContact -Name "default1" -Email "CISO@my-org.com" -Phone "2142754038" -AlertAdmin -NotifyOnAlert 
    
  6. Assign the default Security Center policy initiative:

    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
    $Policy = Get-AzPolicySetDefinition | Where-Object {$_.Properties.displayName -eq '[Preview]: Enable Monitoring in Azure Security Center'}
    New-AzPolicyAssignment -Name 'ASC Default <d07c0080-170c-4c24-861d-9c817742786c>' -DisplayName 'Security Center Default <subscription ID>' -PolicySetDefinition $Policy -Scope '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c'
    

You have now successfully onboarded Azure Security Center with PowerShell!

You can now use these PowerShell cmdlets with automation scripts to programmatically iterate across subscriptions and resources. This saves time and reduces the likelihood of human error. You can use this sample script as reference.
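The following read-only audit is an added example, not part of the original article or Microsoft's sample script. It iterates across subscriptions and reports any that deviate from the settings applied in steps 1 to 5 above. It assumes you have already signed in with Connect-AzAccount, and `$ExpectedWorkspaceId` reuses the article's sample workspace as a stand-in for your own.

```powershell
# Added example (not from the original article): read-only audit of the
# settings applied in steps 1-5, across every subscription the signed-in
# account can see. Assumes Connect-AzAccount has already been run.
# $ExpectedWorkspaceId reuses the article's sample workspace; replace it.
$ExpectedWorkspaceId = '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace'

$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null

    # Step 1: the Microsoft.Security resource provider must be registered.
    $rp = Get-AzResourceProvider -ProviderNamespace 'Microsoft.Security' |
        Select-Object -First 1

    # Step 2: any pricing entry not on Standard means reduced coverage.
    $notStandard = @(Get-AzSecurityPricing |
        Where-Object { $_.PricingTier -ne 'Standard' })

    # Step 3: no workspace setting means the default workspace is in use.
    $ws = Get-AzSecurityWorkspaceSetting -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # Step 4: AutoProvision is reported as 'On' or 'Off'.
    $auto = Get-AzSecurityAutoProvisioningSetting -Name 'default'

    # Step 5: at least one security contact with an email address.
    $contacts = @(Get-AzSecurityContact -ErrorAction SilentlyContinue |
        Where-Object { $_.Email })

    [pscustomobject]@{
        Subscription     = $sub.Name
        SubscriptionId   = $sub.Id
        ProviderState    = $rp.RegistrationState
        NonStandardPlans = ($notStandard.Name -join ',')
        AutoProvision    = $auto.AutoProvision
        WorkspaceMatches = ($ws.WorkspaceId -eq $ExpectedWorkspaceId)
        ContactEmails    = ($contacts.Email -join ',')
    }
}

# Show only subscriptions that deviate from the onboarding baseline.
$report | Where-Object {
    $_.ProviderState -ne 'Registered' -or $_.NonStandardPlans -or
    $_.AutoProvision -ne 'On' -or -not $_.WorkspaceMatches -or
    -not $_.ContactEmails
} | Format-Table -AutoSize
```

An empty table means every subscription matches the baseline; running the audit on a schedule catches subscriptions created after the initial rollout.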
