Enable Security Center on all subscriptions in a management group

You can use Azure Policy to enable Azure Security Center on all the Azure subscriptions within the same management group (MG). This is more convenient than accessing them individually from the portal, and works even if the subscriptions belong to different owners.

To onboard a management group and all its subscriptions:

  1. As a user with Security Admin permissions, open Azure Policy and search for the definition "Enable Azure Security Center on your subscription".

    Screenshot: Azure Policy definition "Enable Azure Security Center on your subscription"

  2. Select "Assign" and ensure you set the scope to the MG level.

    Screenshot: Assigning the definition "Enable Azure Security Center on your subscription"

    Tip

    Other than the scope, there are no required parameters.

  3. Select "Create a remediation task" to ensure that all existing subscriptions that don't have Security Center enabled will get onboarded.

    Screenshot: Creating a remediation task for the Azure Policy definition "Enable Azure Security Center on your subscription"

  4. When the definition is assigned, it will:

    1. Detect all subscriptions in the MG that aren't yet registered with Security Center.
    2. Mark those subscriptions as "non-compliant".
    3. Mark all registered subscriptions as "compliant" (regardless of whether they have Azure Defender on or off).

    The remediation task will then enable Security Center, for free, on the non-compliant subscriptions.

Important

The policy definition will only enable Security Center on existing subscriptions. To register newly created subscriptions, open the "Compliance" tab, select the relevant non-compliant subscriptions, and create a remediation task. Repeat this step whenever you have one or more new subscriptions you want to monitor with Security Center.

Optional modifications

There are a variety of ways you might choose to modify the Azure Policy definition:

  • Define compliance differently - The supplied policy classifies all subscriptions in the MG that aren't yet registered with Security Center as "non-compliant". You might choose to set it to all subscriptions without Azure Defender.

    The supplied definition treats either of the 'pricing' settings below as compliant, meaning that a subscription set to 'standard' or 'free' is compliant.

    Tip

    When an Azure Defender plan is enabled, it's described in a policy definition as being on the 'Standard' setting. When it's disabled, it's 'Free'. To learn about the differences between these plans, see "Security Center free vs Azure Defender enabled".

    "existenceCondition": {
        "anyof": [
            {
                "field": "microsoft.security/pricings/pricingTier",
                "equals": "standard"
            },
            {
                "field": "microsoft.security/pricings/pricingTier",
                "equals": "free"
            }
        ]
    },
    

    If you change it to the following, only subscriptions set to 'standard' would be classified as compliant:

    "existenceCondition": {
        "field": "microsoft.security/pricings/pricingTier",
        "equals": "standard"
    },
    
  • Define some Azure Defender plans to apply when enabling Security Center - The supplied policy enables Security Center without any of the optional Azure Defender plans. You might choose to enable one or more of them.

    The supplied definition's deployment section has a parameter pricingTier. By default, this is set to free, but you can modify it.
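To make the difference between the two existenceCondition variants concrete, the following added example (not Microsoft's code and not part of the built-in definition) evaluates both conditions against constructed Microsoft.Security/pricings data and lists the subscriptions a remediation task would act on. The subscription ids, plan names and tier values are made-up sample data; the evaluator supports only the field/equals, anyOf, allOf and not constructs, and it assumes the documented deployIfNotExists behaviour that a subscription counts as compliant when at least one related pricings resource satisfies the condition.

```python
"""Added example (not Microsoft's code): evaluate the supplied and the
'standard only' existenceCondition against constructed pricings data."""
from typing import Any

Condition = dict[str, Any]

# Supplied definition: a pricings resource on 'standard' OR 'free' satisfies it.
SUPPLIED_CONDITION: Condition = {
    "anyOf": [
        {"field": "microsoft.security/pricings/pricingTier", "equals": "standard"},
        {"field": "microsoft.security/pricings/pricingTier", "equals": "free"},
    ]
}

# Modified definition: only 'standard' (an Azure Defender plan enabled) satisfies it.
STANDARD_ONLY_CONDITION: Condition = {
    "field": "microsoft.security/pricings/pricingTier",
    "equals": "standard",
}

# Constructed sample data: subscription id -> {plan name: pricingTier}.
# An empty mapping models a subscription that never registered with
# Security Center and therefore has no pricings resources at all.
SAMPLE_PRICINGS: dict[str, dict[str, str]] = {
    "sub-a": {"VirtualMachines": "Standard", "SqlServers": "Standard"},
    "sub-b": {"VirtualMachines": "Free", "SqlServers": "Free"},
    "sub-c": {},
    "sub-d": {"VirtualMachines": "Free", "SqlServers": "Standard"},
}


def evaluate(condition: Condition, resource: dict[str, str]) -> bool:
    """Evaluate a small subset of the Azure Policy condition language
    (field/equals, anyOf, allOf, not) against one resource's field values.
    Azure Policy compares strings case-insensitively, so values are folded."""
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    if "field" in condition and "equals" in condition:
        actual = resource.get(condition["field"].lower())
        return actual is not None and actual.lower() == str(condition["equals"]).lower()
    raise ValueError(f"unsupported condition: {condition!r}")


def classify(pricings: dict[str, dict[str, str]], condition: Condition) -> dict[str, str]:
    """Mark each subscription 'compliant' or 'non-compliant'.

    Assumption mirrored here: deployIfNotExists treats the evaluated scope as
    compliant when at least one related resource satisfies existenceCondition,
    so a single matching pricings resource is enough."""
    verdicts: dict[str, str] = {}
    for sub, plans in pricings.items():
        resources = [
            {"microsoft.security/pricings/pricingtier": tier} for tier in plans.values()
        ]
        satisfied = any(evaluate(condition, r) for r in resources)
        verdicts[sub] = "compliant" if satisfied else "non-compliant"
    return verdicts


def remediation_targets(pricings: dict[str, dict[str, str]], condition: Condition) -> list[str]:
    """Subscriptions a remediation task for this assignment would act on."""
    return sorted(s for s, v in classify(pricings, condition).items() if v == "non-compliant")


if __name__ == "__main__":
    for name, cond in (("supplied", SUPPLIED_CONDITION), ("standard-only", STANDARD_ONLY_CONDITION)):
        print(name, classify(SAMPLE_PRICINGS, cond))
        print("  remediation targets:", remediation_targets(SAMPLE_PRICINGS, cond))
```

With the supplied condition only "sub-c" (never registered) is non-compliant; with the 'standard only' condition "sub-b" (all plans on Free) joins it. "sub-d" stays compliant under both because one of its plans is on Standard, which is the consequence of the any-related-resource rule worth checking before you rely on the stricter condition as an "Azure Defender is fully enabled" signal.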

Next steps:

Now that you've onboarded an entire management group, enable the advanced protections of Azure Defender.