<#
.SYNOPSIS
Microsoft Defender for Cloud - Recommendations Exemption removal script.
.DESCRIPTION
This script removes Azure Policy exemptions under a subscription.
It can remove every exemption in the subscription, or only the exemptions of a single Recommendation, at subscription scope.
Deleting all exemptions is irreversible - use with care!
.EXAMPLE
Remove-MDFCPolicyExemptions.ps1 -SubscriptionId {subId} -referenceId {policyReferenceId}
Removes the exemptions of a single policy (Recommendation).
.EXAMPLE
Remove-MDFCPolicyExemptions.ps1 -SubscriptionId {subId} -deleteExemptionsFromAllRecommendations
Removes all the exemptions from the subscription.
.PARAMETER subscriptionId
The subscription Id in context
.PARAMETER referenceId
Policy definition reference Id of the Recommendation whose exemptions should be removed.
To find a policy reference Id go to Azure Policy, locate the relevant initiative (e.g. Azure Security Benchmark), open it, look for the policy that is exempted and read its value from the Reference ID column.
.PARAMETER deleteExemptionsFromAllRecommendations
Pass this switch to clear out all the exemptions in the subscription; it takes precedence over -referenceId.
Use with care!
.INPUTS
None. You cannot pipe objects to this script.
.OUTPUTS
None. Progress and errors are written to the host; the REST API responses are not returned.
.NOTES
It is recommended to list the existing exemptions before running this script by using https://docs.microsoft.com/en-us/rest/api/policy/policy-exemptions/list
.LINK
This script posted to and discussed at the following locations:
https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts
#>
##
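# SupportsShouldProcess adds -WhatIf/-Confirm so the deletions below can be
# rehearsed before they are run for real (the default confirm impact does not
# prompt, so existing unattended invocations behave as before).
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    #---------Parameters---------
    # Subscription whose exemptions are in scope. Constrained to a GUID so the
    # value cannot change the path of the management.azure.com URLs built below.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
    [string]$subscriptionId,
    # Delete every exemption in the subscription; takes precedence over -referenceId.
    [switch]$deleteExemptionsFromAllRecommendations,
    # Policy definition reference id of the assessment whose exemptions are removed
    # (optional), e.g. "Log Analytics agent health issues should be resolved on
    # your machines" -> resolveLogAnalyticsHealthIssuesMonitoring
    [string]$referenceId
)

# Validate parameters: without a reference id there is nothing to match unless
# the caller explicitly asked for everything to be removed.
if (-not $deleteExemptionsFromAllRecommendations -and -not $referenceId) {
    Write-Host "`nPlease assign the Recommendation reference ID for the exemption you wish to remove.`nIf you want to remove all exemptions in the subscription, pass the ```-deleteExemptionsFromAllRecommendations``` parameter.`n" -ForegroundColor Yellow
    return
}

# Subscription login: switch the Az context to the requested subscription and
# stop if that fails, so the token requested below never belongs to a
# different context than the one whose exemptions are deleted.
$subContext = Get-AzContext
if (-not $subContext.Subscription.Id -or $subContext.Subscription.Id -ne $subscriptionId) {
    try {
        $subContext = Set-AzContext -SubscriptionId $subscriptionId -ErrorAction Stop
    }
    catch {
        Write-Host "`nPlease make sure you logged on to your Azure subscription using Login-AzAccount cmdlet" -ForegroundColor Yellow
        Write-Host $_.Exception.Message -ForegroundColor Yellow
        return
    }
}
if ($subContext.Subscription.Id -eq $subscriptionId) {
    Write-Host "Subscription $subscriptionId was set as the context`n" -ForegroundColor Green
}

# Subscription token. Newer Az.Accounts releases return the token as a
# SecureString; unwrap it so the Authorization header works with both shapes.
$token = (Get-AzAccessToken).Token
if ($token -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}
$headers = @{ Authorization = "Bearer $token" }
$apiVersion = '2020-07-01-preview'

# List the exemptions, following nextLink so a subscription with more than one
# page of exemptions is fully enumerated. A failed listing aborts the script
# rather than being reported as "0 exemptions found".
$listUrl = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Authorization/policyExemptions?api-version=$apiVersion"
$exemptions = @()
try {
    while ($listUrl) {
        $page = Invoke-RestMethod -Uri $listUrl -Headers $headers -ErrorAction Stop
        if ($page.value) {
            $exemptions += @($page.value)
        }
        $listUrl = $page.nextLink
    }
}
catch {
    Write-Host "Failed to list policy exemptions for subscription ${subscriptionId}: $($_.Exception.Message)" -ForegroundColor Yellow
    return
}
Write-Host "$($exemptions.Count) Policy exemptions were found under subscription ID: $subscriptionId.`n" -ForegroundColor Red

# Removing exemptions. $counter keeps the original meaning (deletions attempted);
# $failed tracks the ones whose DELETE call errored so they are not reported as deleted.
$counter = 0
$failed = 0
foreach ($exemption in $exemptions) {
    $matchesReference = $exemption.properties.policyDefinitionReferenceIds -contains $referenceId
    if (-not ($deleteExemptionsFromAllRecommendations -or $matchesReference)) {
        continue
    }
    # The resource id already starts with "/subscriptions/..."; trim it so the
    # URL does not contain a doubled slash.
    $deleteExemptionUrl = "https://management.azure.com/$($exemption.id.TrimStart('/'))?api-version=$apiVersion"
    if (-not $PSCmdlet.ShouldProcess($exemption.id, 'Delete policy exemption')) {
        continue
    }
    $counter++
    try {
        Invoke-RestMethod -Uri $deleteExemptionUrl -Headers $headers -Method Delete -ErrorAction Stop | Out-Null
        Write-Host "`"$($exemption.Name)`" exemption deleted from $subscriptionId count: $counter" -ForegroundColor Red
    }
    catch {
        $failed++
        Write-Host "Failed to delete `"$($exemption.Name)`": $($_.Exception.Message)" -ForegroundColor Yellow
    }
}
Write-Host "`nCompleted. $counter exemptions were attempted to delete!"
if ($failed -gt 0) {
    Write-Host "$failed of them failed; see the messages above." -ForegroundColor Yellow
}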