Author: Tom Janetscheck
This Playbook leverages the Secure Score and Assessment APIs to regularly (every 24h) pull information about Secure Score, Controls, and Assessments into an EventHub.
The ARM template will create an EventHub, API connection, and LogicApp Playbook. In order to be able to deploy these resources, your user account needs to be granted Contributor rights on the target Resource Group. The LogicApp uses a system-assigned Managed Identity to access data from the APIs. You need to make sure to grant the Managed Identity Read access to all Azure subscriptions you want to export security data from. You need to have the User Access Administrator role assigned to your user account for the respective scope (Management Group or Subscriptions) in order to assign access rights for the Managed Identity.
You have three different options to assign access rights to the Managed Identity:
- Grant read access to the Managed Identity on Management Group level to include all subscriptions within this scope (preferred).
- Grant read access to the Managed Identity on every single subscription you want to export data from.
- Use the provided PowerShell script
Grant-SubscriptionPermissions.ps1to grant read access to all subscriptions within your scope.
You can deploy the main template by clicking on the buttons below:
To assign Managed Identity to specific scope:
- Make sure you have owner permissions for this scope.
- Go to the subscription/management group page.
- Press 'Access Control (IAM)' on the navigation bar.
- Press '+Add' and 'Add role assignment'.
- Choose Reader role.
- Assign access to Logic App.
- Choose the subscription where the logic app was deployed.
- Choose 'Get-ASCData' Logic App.
- Press 'save'.
Please notice that only on the first time you need to manually trigger the Logic App after adding the Managed Identity to the subscriptions. The LogicApp will then run every 24 hours to export a snapshot of Subscription, Secure Score, Recommendations, and Assessments to the EventHub.