Most of the Azure Advisor recommendations are great, but like static code analysis, we don’t need all of them.
We’ve done a decent job resolving these recommendations in the past, but in our Azure portal today, we have two outstanding SQL security recommendations. Resolving these would cost $15 per server. With our three environments, that is an additional cost of $90 a month. We unfortunately have budgets, and therefore have made the decision to accept the risk of these items and disable the recommendations. Here is our current view of the two recommendations in the Security Advisor.
This is affecting our “overall secure score” in security center too.
Fortunately there is a process to disable recommendations we don’t need. First, we open security center, and select the subscription or management group we want to add the policy exceptions too.
This takes us to the security policy blade, where we select the “view effective policy” button
Now we can see all of the policies “effectively applied” to our subscription. We click on the subscription to be able to edit these rules. Note that if you have management groups, you can also set these rules at that level, instead of individual subscriptions.
We are now looking at the security policy for our specific subscription.
Clicking on the parameters tab, we can now scroll through the rules and find the rules we desire to disable.
Once done, we click the “review + save” button, and see the following summary page of the rules we are going to disable. We click save, and the there is a little delay to the Advisor cleaning up these ignored recommendations, but we check the next day and they are gone.
Creating alerts to be notified by future recommendations
How do we stay on top of these recommendations moving forward? Let’s create an alert when new recommendations are triggered. Yesterday we were playing with some bots and it triggered a new security alert we didn’t see until today. Wouldn’t it be better to know as soon as a new recommendation is created or we create a resource out of compliance? Fortunately in Advisor there is an “Alerts (preview)” feature.
In this Alerts section, we create a “new advisor alert rule”.
In the new rule, we leave most of the options to their defaults to include all types of rules. If we only wanted to be notified of low or high priority rules, we could configure that here. We do need an action group, so we will create one, and then add the alert name and description, and specify a resource group we can use to save the rule. The important rule for alerts is, only create actionable alerts. Creating an alert when you disk space is 50% full is not helpful – unless you require 50% disk space. Creating an alert when you hit 80 or 90% disk utilization – which requires you to allocate more disk space, is the right way to create an alert.
“…only create actionable alerts – only create notifications that require action from you”
To create an action group, we need a name, a short name (< 12 characters), a resource group, and action name. In the action, we also specify who will receive the alert, where we specify our email address.
With the alert saved, we can see it in a list. Next time we add a resource that creates a recommendation, we will be notified!
Removing these two recommendations has reduced the total possible score to 190, and resolved all outstanding recommendations. We are now at a level playing field. With alerts to ensure we don’t reduce our compliance level, we will be alerted anytime a new recommendation is created, or a resource is added that is out of compliance.