Azure Security Center default policy

[shaunsat]

What is Microsoft's best practice for modifying the policies within the ASC default initiative that is assigned to a new subscription:

1. Change all policies for all subscriptions and leave the default assignment at the subscription scope
2. Delete all the ASC default assignments and deploy it at the Management Group with the required configuration

My concerns are that you may deploy the ASC default (v3) at a later date, or update something and cause either our deployment to be out-of-date or there incorrect information. If you could highlight any concerns with either approach that would be great.

Thanks

[shaunsat]

So after testing the above removing the ASC Default causes a host of problems and MG inherited causes conflicts. Doesn't seem to be a solution for this

[TomJanetscheck]

Hi @shaunsat
for product-specific questions regarding ASC please refer to the Resources section in our Github Wiki and join the Azure Security Center TechCommunity discussions. We unfortunately can't provide product support or Q&A within the scope of this Github community.

In general, you can assign the Azure Security Center default policy (aka Azure Security Benchmark) to either a management group, or to subscriptions. In case you want to exempt resources or scopes from being assessed, you can use the resource exemptions capability.