Monitor the Total Number of Subscription Owners


Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Rule ID: SecurityCenter-022

Ensure that the total number of subscription owners created for your Microsoft Azure account subscriptions is being monitored by the Microsoft Defender for Cloud service. Trend Micro Cloud One™ – Conformity recommends designating up to 3 subscription owners in order to reduce the potential for security breaches by one or more compromised owners.

This rule resolution is part of the Conformity .

Security

As a security best practice, no more than 3 owners should be designated for a Microsoft Azure subscription. The Owner role grants full control over the subscription, including the right to manage access for everyone else, so each additional owner is one more account whose compromise yields complete control. Monitoring the number of subscription owners with Microsoft Defender for Cloud surfaces a recommendation whenever a subscription exceeds this limit. Note that the policy effect is AuditIfNotExists: it reports the condition rather than blocking it, so removing surplus owners remains a separate step.

Audit

To determine if the number of subscription owners is being monitored with Microsoft Defender for Cloud, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab, uncheck Only show parameters that need input or review, and search for the following parameter: A maximum of 3 owners should be designated for your subscription. If the specified parameter is set to Disabled, the total number of Azure account subscription owners is not monitored using Microsoft Defender for Cloud.

08 Repeat steps no. 4 – 7 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Obtain an access token with the account get-access-token command (Windows/macOS/Linux) and pass it to curl to read the SecurityCenterBuiltIn policy assignment from the Azure Resource Manager REST API, then use jq to extract the identityDesignateLessThanOwnersMonitoringEffect parameter value, which shows whether the number of subscription owners is being monitored:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.identityDesignateLessThanOwnersMonitoringEffect.value'

02 The command output should return the requested parameter value:

"Disabled"

If the command output returns "Disabled", as shown in the output example above, the total number of Azure account subscription owners is not monitored using Microsoft Defender for Cloud. If jq prints null, the parameter is not set explicitly on the assignment and the default initiative's own default value for it applies; confirm that value in the Parameters tab described in the Azure Portal steps.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To begin monitoring the total number of Azure subscription owners using the Microsoft Defender for Cloud service, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the initiative parameters.

08 Select AuditIfNotExists from the A maximum of 3 owners should be designated for your subscription parameter dropdown list to enable the monitoring of maximum subscription owners in the selected Azure account subscription.

09 Select Review + save to review the configuration changes, then choose Save to apply the new changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".

10 Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the configuration document for the policy assignment PUT request, with the identityDesignateLessThanOwnersMonitoringEffect parameter set to AuditIfNotExists to turn on the monitoring feature. Save the document to a JSON file named enable-subscription-owners-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account subscription details. Because a PUT replaces the entire policy assignment, a document that lists only this one parameter resets every other parameter of the default initiative to its default value; in a subscription where other parameters have been customized, start from the current assignment document returned by the GET request in the Audit section and change only this parameter's value:

{
  "properties": {
    "displayName": "ASC Default (subscription: <azure-subscription-id>)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
    "scope": "/subscriptions/<azure-subscription-id>",
    "parameters": {
      "identityDesignateLessThanOwnersMonitoringEffect": {
        "value": "AuditIfNotExists"
      }
    }
  },
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

02 Obtain an access token with the account get-access-token command (Windows/macOS/Linux) and pass it to curl to send the document defined at the previous step (i.e. the enable-subscription-owners-monitoring.json file) in a PUT request to the Azure Resource Manager REST API, which enables the monitoring of maximum subscription owners within the current Azure account subscription:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-subscription-owners-monitoring.json"'

03 The command output should return information about the modified configuration parameter:

{
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "identityDesignateLessThanOwnersMonitoringEffect": {
        "value": "AuditIfNotExists"
      }
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
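The Audit and Remediation CLI procedures above are the same two REST calls repeated once per subscription, and each shows a single subscription. The following script is an added example, not Conformity's own tooling or code from the page: it walks every subscription visible to the signed-in Azure CLI identity, reads the SecurityCenterBuiltIn assignment, reports the identityDesignateLessThanOwnersMonitoringEffect value, counts the principals that actually hold the Owner role (the condition the policy audits), and with --remediate sets the effect to AuditIfNotExists by rewriting the current assignment rather than a one-parameter document, so other customized parameters survive the PUT. It assumes the Azure CLI is installed and logged in and that the identity can read role assignments and write policy assignments on each subscription; the sample assignment document used for checking the helpers is constructed, not taken from a real tenant.

```python
"""Added example (not Conformity's own code): audit and optionally remediate
the owner-count monitoring effect across all visible Azure subscriptions.

Assumptions not stated on the page: the Azure CLI is installed and logged
in, and the identity may read role assignments and write policy
assignments (for example Resource Policy Contributor) on each subscription.
"""
import copy
import json
import subprocess
import sys
import urllib.error
import urllib.request

ARM = "https://management.azure.com"
ASSIGNMENT = "providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn"
API_VERSION = "2018-05-01"          # API version used on the page
PARAM = "identityDesignateLessThanOwnersMonitoringEffect"
MAX_OWNERS = 3                      # limit the built-in policy checks for


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def arm_request(method, subscription_id, body=None):
    """GET or PUT the SecurityCenterBuiltIn assignment through the ARM REST
    API, authenticating with a token from the Azure CLI (what the page's curl
    pipeline does by hand). Returns None when the assignment does not exist."""
    token = az("account", "get-access-token", "--subscription", subscription_id,
               "--query", "accessToken")
    url = f"{ARM}/subscriptions/{subscription_id}/{ASSIGNMENT}?api-version={API_VERSION}"
    req = urllib.request.Request(
        url, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None   # Defender for Cloud default initiative not assigned
        raise


def monitoring_effect(assignment):
    """Effect set on the owner-count parameter, or None when the assignment
    leaves it at the initiative default (verify that default in the portal)."""
    params = assignment.get("properties", {}).get("parameters", {})
    return params.get(PARAM, {}).get("value")


def is_monitored(assignment):
    """The rule fails only when the effect is explicitly Disabled."""
    return monitoring_effect(assignment) != "Disabled"


def remediation_body(assignment, effect="AuditIfNotExists"):
    """Build the PUT body from the current assignment. PUT replaces the whole
    assignment, so every existing parameter is carried over and only the
    owner-count effect changes; a body containing this one parameter alone
    would reset every other customised parameter to its default."""
    props = copy.deepcopy(assignment["properties"])
    props.pop("metadata", None)           # server-managed, not desired state
    props.setdefault("parameters", {})[PARAM] = {"value": effect}
    body = {"properties": props}
    if "location" in assignment:
        body["location"] = assignment["location"]
    return body


def count_owners(role_assignments):
    """Distinct principals holding the Owner role (direct or inherited)."""
    return len({ra["principalId"] for ra in role_assignments
                if ra.get("roleDefinitionName") == "Owner"})


def main(remediate=False):
    exit_code = 0
    for sub in az("account", "list"):
        sid = sub["id"]
        assignment = arm_request("GET", sid)
        if assignment is None:
            print(f"{sid}: no SecurityCenterBuiltIn assignment (Defender for Cloud not configured)")
            exit_code = 1
            continue
        owners = count_owners(az("role", "assignment", "list", "--subscription", sid,
                                 "--scope", f"/subscriptions/{sid}", "--role", "Owner",
                                 "--include-inherited"))
        effect = monitoring_effect(assignment) or "initiative default"
        ok = is_monitored(assignment) and owners <= MAX_OWNERS
        print(f"{sid}: effect={effect} owners={owners}{'' if ok else '  <-- review'}")
        if not is_monitored(assignment) and remediate:
            arm_request("PUT", sid, remediation_body(assignment))
            print(f"{sid}: {PARAM} set to AuditIfNotExists")
        elif not ok:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(remediate="--remediate" in sys.argv[1:]))
```

Run it without arguments for a read-only audit (non-zero exit when any subscription needs review) and with --remediate to enable the effect where it is Disabled. A subscription whose Owner count already exceeds 3 is flagged but not changed; trimming owners is an RBAC change that should be reviewed by hand.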


Publication date Mar 27, 2020

Related SecurityCenter rules

  • Security Contact Phone Number (Security)
  • Monitor System Updates (Security)
  • Enable Microsoft Defender for Cloud for App Service Instances (Security)
  • Enable All Parameters for Microsoft Defender for Cloud Default Policy (Security)
