Azure Policy Guest Configuration – Part 1 – Creating a Custom Policy

I’ve been working quite a bit with custom Azure Policy Guest Configuration lately, and after encountering a few early bumps I’ve become a big fan. Guest Configuration policies are quite flexible, which in essence gives you the ability to bring almost anything we can do in PowerShell and/or DSC into Azure Policy. Very cool!

The first two use cases I’ve worked on were as follows:

  1. Audit base OS hardening compliance for Windows VMs in Azure.
  2. Audit antimalware compliance for Windows VMs in Azure.

Creating the Guest Configuration Package

For part 1 of this post, let’s focus on use case #1. To accomplish this use case, you’ll use the Microsoft Security Configuration Baseline as the base DSC template by converting the GPO provided in the “BaselineManagement” module to PowerShell DSC. This step is described in detail in Microsoft’s “Convert Group Policy into DSC” quickstart documentation.


Speeding up Azure PowerShell scripting with Azure Resource Graph

I was recently working with Azure Graph using the Az.ResourceGraph PowerShell module to query resources across our Azure tenant to test the speed compared to traditional Azure PowerShell scripts I’ve written in the past. Let’s just say I will never go back to traditional Azure PowerShell for scenarios where Azure Graph is an option moving forward! My original Azure PowerShell script took several minutes to finish looping through all of our subscriptions to finally output a full list of VMs in the tenant. Simply replacing this section of the script with an Azure Graph query reduced the run time to seconds!
