From 1d3880f9f5e7b54f1d14030cc2c3f1ec324ac248 Mon Sep 17 00:00:00 2001 From: Himanshu Kamble Date: Wed, 16 Sep 2020 15:29:08 +0530 Subject: [PATCH 1/2] Documentation update for UCA delete certs and ASC tier --- 01-Subscription-Security/Readme.md | 4 +++- 04-Continous-Assurance/Readme.md | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/01-Subscription-Security/Readme.md b/01-Subscription-Security/Readme.md index d4740b51..9e26f8b6 100644 --- a/01-Subscription-Security/Readme.md +++ b/01-Subscription-Security/Readme.md @@ -423,7 +423,8 @@ The Set-AzSKAzureSecurityCenterPolicies provisions the following for Azure Secur Set-AzSKAzureSecurityCenterPolicies -SubscriptionId ` -SecurityContactEmails ` -SecurityPhoneNumber ` - [-OptionalPolicies] + [-OptionalPolicies] ` + [-SetASCTier] ``` |Config Param Name |Purpose | | --------------- | -------- | @@ -431,6 +432,7 @@ Set-AzSKAzureSecurityCenterPolicies -SubscriptionId ` |SecurityContactEmails |Comma-separated list of emails (e.g., 'abc@microsoft.com, def@microsoft.com') for contact preference| |SecurityPhoneNumber |Single phone number (e.g., '425-882-8080' or '+91-98765-43210' or '+1-425-882-8080') for contact preference| |OptionalPolicies |Switch to enable policies which are marked as optional| +|SetASCTier |Switch for configuring standard pricing tiers for all the resource types supported in Azure Security Center (ASC) | This command will *overwrite* the contact emails and contact phone previously set in Azure Security Center. Here is the [list](../01-Subscription-Security/ASCPoliciesCoverage.md) of all the policies (both mandatory & optional) that are enabled via this command. diff --git a/04-Continous-Assurance/Readme.md b/04-Continous-Assurance/Readme.md index ac6ef97c..79c3aab7 100644 --- a/04-Continous-Assurance/Readme.md +++ b/04-Continous-Assurance/Readme.md 
@@ -275,7 +275,8 @@ Update-AzSKContinuousAssurance -SubscriptionId ` [-FixRuntimeAccount] ` [-NewRuntimeAccount] ` [-FixModules] ` - [-RenewCertificate]` + [-RenewCertificate] ` + [-SkipCertificateCleanup]` [-Remove ` |FixRuntimeAccount|Use this switch to fix CA runtime account in case of below issues.
  1. Runtime account deleted
    (Permissions required: Subscription owner)
  2. Runtime account permissions missing
    (Permissions required: Subscription owner and AD App owner)
  3. Certificate deleted/expired
    (Permissions required: Subscription owner and AD App owner)
|FALSE|None|| |NewRuntimeAccount|Use this switch to setup new runtime account and the person running the command will become new SPN owner.This feature is helpful in case when CA certificate is expired but the SPN owner who had setup CA is not available and certificate can't be renewed. |FALSE|None|| |FixModules|Use this switch in case Az.Automation/Az.Accounts module(s) extraction fails in CA Automation Account.|FALSE|None|| -|RenewCertificate|Renews certificate credential of CA SPN if the caller is Owner of the AAD Application (SPN). If the caller is not Owner, a new application is created with a corresponding SPN and a certificate owned by the caller. CA uses the updated credential going forward.|FALSE|None|| +|RenewCertificate|Renews certificate credential of CA SPN if the caller is Owner of the AAD Application (SPN). If the caller is not Owner, a new application is created with a corresponding SPN and a certificate owned by the caller. CA uses the updated credential going forward.
It will offer workflow to delete existing old credentials|FALSE|None|| +|SkipCertificateCleanup|This switch may be used to skip deletion of older certificates associated with CA SPN.|FALSE|None|| |ScanOnDeployment|CA scan can be auto-triggered upon resource deployment.Updating CA with this flag will make sure that the Resource Group in which resource is deployed will be scanned.|FALSE|None|| |Remove|Use this switch to clear previously set LogAnalytics, AltLogAnalytics,Webhook settings from CA Automation Account or to unregister from scan on deployment mode|False|None|| From 9415494b7e815fb669aa1907541cc6b4ce39db6e Mon Sep 17 00:00:00 2001 From: Himanshu Kamble Date: Fri, 16 Oct 2020 16:04:44 +0530 Subject: [PATCH 2/2] Updated doc for -DeleteOldCredentials --- 04-Continous-Assurance/Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/04-Continous-Assurance/Readme.md b/04-Continous-Assurance/Readme.md index 79c3aab7..33bc204a 100644 --- a/04-Continous-Assurance/Readme.md +++ b/04-Continous-Assurance/Readme.md @@ -277,6 +277,7 @@ Update-AzSKContinuousAssurance -SubscriptionId ` [-FixModules] ` [-RenewCertificate] ` [-SkipCertificateCleanup]` + [-DeleteOldCredentials]` [-Remove ` |FixModules|Use this switch in case Az.Automation/Az.Accounts module(s) extraction fails in CA Automation Account.|FALSE|None|| |RenewCertificate|Renews certificate credential of CA SPN if the caller is Owner of the AAD Application (SPN). If the caller is not Owner, a new application is created with a corresponding SPN and a certificate owned by the caller. CA uses the updated credential going forward.
It will offer workflow to delete existing old credentials|FALSE|None|| |SkipCertificateCleanup|This switch may be used to skip deletion of older certificates associated with CA SPN.|FALSE|None|| +|-DeleteOldCredentials|This switch may be used for deletion of older certificates associated with CA SPN without renewing a certificate.|FALSE|None|| |ScanOnDeployment|CA scan can be auto-triggered upon resource deployment.Updating CA with this flag will make sure that the Resource Group in which resource is deployed will be scanned.|FALSE|None|| |Remove|Use this switch to clear previously set LogAnalytics, AltLogAnalytics,Webhook settings from CA Automation Account or to unregister from scan on deployment mode|False|None||
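Review bot: the new `SetASCTier` row in the 01-Subscription-Security table (hunk `@@ -431,6 +432,7 @@`) describes the switch as "configuring standard pricing tiers for all the resource types supported in Azure Security Center (ASC)" but does not say that this is a pricing-tier change applied subscription-wide, who needs to approve it, or which permission the caller needs; the surrounding text already warns that the command "will *overwrite* the contact emails and contact phone previously set", so add an equivalent one-line caveat for the tier change (for example, "This switch changes the ASC pricing tier for every supported resource type in the subscription; run it only after the cost has been approved") and state whether the tier is touched at all when the switch is omitted.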
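Review bot: in the Update-AzSKContinuousAssurance syntax block (hunk `@@ -275,7 +275,8 @@`) the added line `+ [-SkipCertificateCleanup]\`` is missing the space before the line-continuation backtick, which is exactly the defect the same hunk fixes one line above (`-[-RenewCertificate]\`` becomes `+[-RenewCertificate] \``); write it as `[-SkipCertificateCleanup] \`` so every line of the block uses the same form.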
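Review bot: the replacement `RenewCertificate` row in the 04-Continous-Assurance table ends at "CA uses the updated credential going forward." and the remainder of the cell, "It will offer workflow to delete existing old credentials|FALSE|None||", is on the following line; a markdown table row cannot span two lines, so the Required/Default cells detach from the row and the table breaks at that point. Keep the whole row on one line (or use `<br>` inside the cell if a visual break is wanted). While touching this row, spell out what the "workflow to delete existing old credentials" is (an interactive prompt, or automatic deletion unless `-SkipCertificateCleanup` is passed) and what happens when the command runs non-interactively, and in the new `SkipCertificateCleanup` row define "older certificates" (credentials on the CA SPN other than the one just issued) so the reader knows which credential survives a renewal.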
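Review bot: the syntax hunk of PATCH 2/2 (`@@ -277,6 +277,7 @@`) adds `+ [-DeleteOldCredentials]\`` with the same missing space before the backtick that `[-SkipCertificateCleanup]\`` already has on the line above, while `[-RenewCertificate] \`` shows the intended form; add the space here and fix the preceding line in the same change rather than leaving two inconsistent lines in the block.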
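Review bot: the new table row in PATCH 2/2 is written `|-DeleteOldCredentials|`, with a leading hyphen that no other parameter name in the table carries (`|SkipCertificateCleanup|`, `|FixModules|`, `|ScanOnDeployment|`); drop it. The description, "deletion of older certificates associated with CA SPN without renewing a certificate", also leaves the security-relevant questions open: which credential is kept (deleting the one CA is currently using would break every scheduled scan), what the command does if `-DeleteOldCredentials` and `-SkipCertificateCleanup` are passed together, and which permission the caller needs; the `FixRuntimeAccount` row already lists "Permissions required: Subscription owner and AD App owner" for certificate operations, so the same line belongs here.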