Navigate Tag Policy Exceptions in Microsoft Defender for Cloud

Understanding and managing tag policy exceptions in Microsoft Defender for Cloud is crucial for maintaining security posture while accommodating specific resource requirements. To configure a policy exception for Red Canary regarding tag requirements, enabling Red Canary to receive Microsoft Defender for Cloud alerts seamlessly via the Azure integration, follow the procedure from beginning to end.

Azure Console

1. In Azure, navigate to the Policy section from the Home page.

2. Under Authoring, click Assignments.

3. Identify and click the policies requiring tags. 

   

Note: There are several approaches to complete the steps. Choose the option that best fits with your configuration and process.

Option 1 - Add an exemption

1. Select the Create exemption tab. 

   

2. Click the ellipsis next to Exemption scope.

3. Under Exemption scope, click Resource Group and select RCAutomation for each subscription. Your title goes here

   Note: Ensure you add exemptions to all applicable subscriptions.

   

4. Click Select.

5. Click Review + save. 

Option 2 - Edit an existing policy assignment

1. Click Edit Assignment

2. Click the Exclusions ellipsis. This opens the Scope window

3. Add an exclusion for the RCAutomation Resource Group in each subscription.

4. Click Save.

5. Click Review + save. 

   

Option 3 - Add an exclusion that applies to the entire scope of the policy

1. Expand the resource selectors, and under resourceType add a blanket exclusion for Microsoft.Security/automations. 

   

2. Save the policy assignment. Check the compliance report to ensure that the scope was not overly broad.