Created on

Microsoft Defender for Cloud – Create exemptions using REST API

In my previous post, I touched on the topic of how to get Microsoft Defender for Cloud recommendation exemptions (also called standard assignments: exempt mode). In this post I want to show how to create policy exemptions using REST API. Please read my previous post here:

Microsoft Defender for Cloud – Get exemptions using REST API

To understand authentication, read my previous post where I describe this. For this post, we assume that we are authenticated and have a proper header with a token.

We need to have a few variables ready:

$displayName = "ckj-test-exemption-privileged-role-subscription-level"
$description = "Exemption of: Privileged roles should not have permanent access at the subscription and resource group level"
$identityObjectId = "12345678-1234-1234-ab12-12345678abcd" # Object ID for user, security group or service principal we want to exempt
$assessmentKey = "706b33f0-129e-4ed0-a179-f450b9ee4145" # "Privileged roles should not have permanent access at the subscription and resource group level"

If you do not have the object Id of the identity you need to create exemption for, go to Entra Id and search for it (user, group or service principal) and grab its object Id. For the assessmentKey, It can be easier to create a similar exemption in the portal and export using the method provided in my previous post. In my example I use “706b33f0-129e-4ed0-a179-f450b9ee4145”, which corresponds to “Privileged roles should not have permanent access at the subscription and resource group level” recommendation.

Once we have the variables ready, we can now deploy the recommendation:

$apiVersion = "2024-08-01"
$standardAssignmentName = (New-Guid).guid # Unique name for the standard assignment - generate new GUID each time we create a new exemption

$resourceScope = "/subscriptions/$subscriptionId/providers/Microsoft.Security/pricings/CloudPosture/securityentitydata/$identityObjectId"
$uri = "https://management.azure.com/$resourceScope/providers/Microsoft.Security/standardAssignments/" + $standardAssignmentName + "?api-version=$apiVersion"

$body = @{
    properties = @{
        description     = $description
        displayName     = $displayName
        effect          = "Exempt"
        exemptionData   = @{
            exemptionCategory = "Waiver"
            assignedAssessment = @{
                assessmentKey = $assessmentKey
            }
        }
    }
}
$body = $body | ConvertTo-Json -Depth 10

Invoke-RestMethod -Uri $uri -Method Put -Headers $headers -Body $body

The output in the terminal should look similar to this:

Read my next post about how to delete an exemption:

Microsoft Defender for Cloud – Delete exemptions using REST API

LinkedIn Connect with me on LinkedIn