Automate onboarding of Azure Security Center using PowerShell

You can secure your Azure workloads programmatically, using the Azure Security Center PowerShell module. Using PowerShell enables you to automate tasks and avoid the human error inherent in manual tasks. This is especially useful in large-scale deployments that involve dozens of subscriptions with hundreds or thousands of resources – all of which must be secured from the beginning.

Onboarding Azure Security Center using PowerShell enables you to programmatically automate onboarding and management of your Azure resources and add the necessary security controls.

This article provides a sample PowerShell script that can be modified and used in your environment to roll out Security Center across your subscriptions.

In this example, we will enable Security Center on a subscription with ID: d07c0080-170c-4c24-861d-9c817742786c and apply the recommended settings that provide a high level of protection, by enabling Azure Defender, which provides advanced threat protection and detection capabilities:

  1. Enable Azure Defender.

  2. Set the Log Analytics workspace to which the Log Analytics agent will send the data it collects on the VMs associated with the subscription – in this example, an existing user defined workspace (myWorkspace).

  3. Activate Security Center’s automatic agent provisioning which deploys the Log Analytics agent.

  4. Set the organization’s CISO as the security contact for Security Center alerts and notable events.

  5. Assign Security Center’s default security policies.

Prerequisites

These steps should be performed before you run the Security Center cmdlets:

  1. Run PowerShell as admin.

  2. Run the following commands in PowerShell:

    Set-ExecutionPolicy -ExecutionPolicy AllSigned

    Install-Module -Name Az.Security -Force

Onboard Security Center using PowerShell

  1. Register your subscriptions to the Security Center Resource Provider:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"

    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'

  2. Optional: Set the coverage level (Azure Defender on/off) of the subscriptions. If undefined, Defender is off:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"

    Set-AzSecurityPricing -Name "default" -PricingTier "Standard"

  3. Configure a Log Analytics workspace to which the agents will report. You must have a Log Analytics workspace that you already created, that the subscription’s VMs will report to. You can define multiple subscriptions to report to the same workspace. If not defined, the default workspace will be used.

    Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c" -WorkspaceId "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"

  4. Auto-provision installation of the Log Analytics agent on your Azure VMs:

    Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"

    Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

    Note

    It is recommended to enable auto provisioning to make sure that your Azure virtual machines are automatically protected by Azure Security Center.

  5. Optional: It is highly recommended that you define the security contact details for the subscriptions you onboard, which will be used as the recipients of alerts and notifications generated by Security Center:

    Set-AzSecurityContact -Name "default1" -Email "CISO@my-org.com" -Phone "2142754038" -AlertAdmin -NotifyOnAlert

  6. Assign the default Security Center policy initiative:

    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

    $Policy = Get-AzPolicySetDefinition | Where-Object {$_.Properties.displayName -EQ 'Azure Security Benchmark'}

    New-AzPolicyAssignment -Name 'ASC Default <d07c0080-170c-4c24-861d-9c817742786c>' -DisplayName 'Security Center Default <subscription ID>' -PolicySetDefinition $Policy -Scope '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c'

You've successfully onboarded Azure Security Center with PowerShell.

You can now use these PowerShell cmdlets with automation scripts to programmatically iterate across subscriptions and resources. This saves time and reduces the likelihood of human error. You can use this sample script as reference.
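The following script is an added example, not the article's own sample script, of how the six steps above can be run as one function over a list of subscriptions and then read back to confirm each setting took effect. It assumes the Az.Accounts, Az.Resources and Az.Security modules are installed, that you have already signed in with Connect-AzAccount, and that the second subscription ID, the workspace path, the contact e-mail and the phone number are placeholders to replace with your own values. The property names checked in Test-SecurityCenterOnboarding (PricingTier, WorkspaceId, AutoProvision, Email) are those of the objects the Az.Security Get-* cmdlets return.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Security
# Added example (not from the original article): onboard several subscriptions with the
# cmdlets shown above, then verify the result per subscription.
$ErrorActionPreference = 'Stop'

# Constructed inputs: replace with your own subscription IDs, workspace and contact.
$SubscriptionIds = @(
    'd07c0080-170c-4c24-861d-9c817742786c',   # subscription ID used in the article
    '00000000-0000-0000-0000-000000000000'    # placeholder for a second subscription
)
$WorkspaceId  = '/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace'
$ContactEmail = 'CISO@my-org.com'
$ContactPhone = '2142754038'

function Invoke-SecurityCenterOnboarding {
    param([Parameter(Mandatory)][string]$SubscriptionId)

    Set-AzContext -Subscription $SubscriptionId | Out-Null
    $scope = "/subscriptions/$SubscriptionId"

    # Step 1 (and the provider needed for step 6). Registration is asynchronous, so poll
    # until the namespace reports 'Registered' before using it (bounded to avoid hanging).
    foreach ($ns in 'Microsoft.Security', 'Microsoft.PolicyInsights') {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        for ($i = 0; $i -lt 24; $i++) {
            $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
            if ($state -eq 'Registered') { break }
            Start-Sleep -Seconds 5
        }
        if ($state -ne 'Registered') { throw "Provider $ns did not register in $SubscriptionId" }
    }

    # Step 2: Azure Defender on (Standard tier).
    Set-AzSecurityPricing -Name 'default' -PricingTier 'Standard' | Out-Null

    # Step 3: workspace the Log Analytics agent reports to.
    Set-AzSecurityWorkspaceSetting -Name 'default' -Scope $scope -WorkspaceId $WorkspaceId | Out-Null

    # Step 4: automatic agent provisioning.
    Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

    # Step 5: security contact that receives alerts and notifications.
    Set-AzSecurityContact -Name 'default1' -Email $ContactEmail -Phone $ContactPhone -AlertAdmin -NotifyOnAlert | Out-Null

    # Step 6: default policy initiative, created only if no assignment of that name exists,
    # so the script can be re-run safely.
    $assignmentName = "ASC Default $SubscriptionId"
    if (-not (Get-AzPolicyAssignment -Name $assignmentName -Scope $scope -ErrorAction SilentlyContinue)) {
        $policy = Get-AzPolicySetDefinition | Where-Object { $_.Properties.displayName -eq 'Azure Security Benchmark' }
        New-AzPolicyAssignment -Name $assignmentName -DisplayName "Security Center Default $SubscriptionId" `
            -PolicySetDefinition $policy -Scope $scope | Out-Null
    }
}

function Test-SecurityCenterOnboarding {
    # Reads every setting back so drift or a silently failed step shows up as $false.
    param([Parameter(Mandatory)][string]$SubscriptionId)

    Set-AzContext -Subscription $SubscriptionId | Out-Null
    $scope = "/subscriptions/$SubscriptionId"

    $notStandard = Get-AzSecurityPricing | Where-Object { $_.PricingTier -ne 'Standard' }
    $workspace   = Get-AzSecurityWorkspaceSetting -Name 'default'
    $autoProv    = Get-AzSecurityAutoProvisioningSetting -Name 'default'
    $contact     = Get-AzSecurityContact -Name 'default1'
    $assignment  = Get-AzPolicyAssignment -Name "ASC Default $SubscriptionId" -Scope $scope -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SubscriptionId     = $SubscriptionId
        DefenderOnAllPlans = (@($notStandard).Count -eq 0)
        WorkspaceMatches   = ($workspace.WorkspaceId -eq $WorkspaceId)
        AutoProvisionOn    = ($autoProv.AutoProvision -eq 'On')
        ContactSet         = ($contact.Email -eq $ContactEmail)
        PolicyAssigned     = ($null -ne $assignment)
    }
}

# Onboard each subscription, then print one verification row per subscription.
foreach ($id in $SubscriptionIds) {
    Invoke-SecurityCenterOnboarding -SubscriptionId $id
    Test-SecurityCenterOnboarding   -SubscriptionId $id
}
```

Run it with an account that has Owner or Security Admin plus Resource Policy Contributor rights on every subscription in the list; the verification table at the end is what to keep as evidence of the rollout, and any $false value points at the exact step to re-run.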

See also

To learn more about how you can use PowerShell to automate onboarding to Security Center, see the following article:

To learn more about Security Center, see the following article: