
I have a tenant where we are adding subscriptions all the time. I wish to loop over all subscriptions and run a deployment on each of them, without having to hard-code the list of subscription IDs / names. In a bicep template, is it possible to somehow obtain a list of all the subscriptions in a tenant / management group?

Context: We use ASC (Azure Security Center / Microsoft Defender for Cloud). ASC generates one initiative-assignment per subscription: "ASC Default". We wish to exempt some of the policies in this initiative, for each subscription.

If I pass a list of subscription names / IDs as a parameter to bicep, then I can loop over them. Although that requires a two-stage approach: generate the list first, then run the bicep deployment. I would prefer to do this in one stage, i.e. with a single bicep deployment. Can this be done?

Grilse
  • Can't you use Management Groups instead? https://learn.microsoft.com/en-us/azure/governance/management-groups/overview. Assigning policies at MG level will make sure all subscriptions will inherit the assignment. You can then manage exemptions/exclusions as you wish. – Jul_DW Mar 31 '23 at 07:16
  • Yes that would be nicer, but no we cannot. ASC auto-assigns these policies, we have no control over how it does that. – Grilse Mar 31 '23 at 08:56
  • How are you deploying? I think rather than solve this in Bicep, which may not work since I don't believe scope can be that dynamic, I would recommend that at deployment you loop through all the service connections and redeploy the same bicep file with the bicep file scope being set to subscription. – DreadedFrost Apr 16 '23 at 03:16
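The two-stage approach the question describes (generate the subscription list first, then loop over it inside Bicep) looks like the following. This is an added example, not code from the question or from Microsoft; it is split into two files because Bicep cannot declare an inline module. The ASC Default assignment name `SecurityCenterBuiltIn`, the parameter names and the `policyDefinitionReferenceIds` values are assumptions to verify against your own tenant (`az policy assignment list --subscription <id>` and `az policy set-definition show` print the real ones).

```bicep
// ---- main.bicep ----
// Deployed once at management-group scope; fans out to every subscription in the list.
targetScope = 'managementGroup'

@description('Subscription IDs to process. Generated by the caller (e.g. az account list), so the flow stays two-stage.')
param subscriptionIds array

@description('policyDefinitionReferenceIds inside the ASC Default initiative that should be exempted (assumed placeholders).')
param exemptedReferenceIds array = [
  'exampleReferenceId1'
  'exampleReferenceId2'
]

// One module deployment per subscription; the scope function is what makes the loop land in each subscription.
module ascExemption 'ascExemption.bicep' = [for subId in subscriptionIds: {
  name: 'ascExemption-${uniqueString(subId)}'
  scope: subscription(subId)
  params: {
    exemptedReferenceIds: exemptedReferenceIds
  }
}]

// ---- ascExemption.bicep ----
// Runs inside a single subscription and exempts selected policies from the auto-created ASC Default assignment.
targetScope = 'subscription'

param exemptedReferenceIds array

// Assumed: Defender for Cloud names its per-subscription default assignment SecurityCenterBuiltIn. Verify before use.
var ascDefaultAssignmentName = 'SecurityCenterBuiltIn'

// Reference the assignment ASC already created; we never create or replace it ourselves.
resource ascDefault 'Microsoft.Authorization/policyAssignments@2022-06-01' existing = {
  name: ascDefaultAssignmentName
}

// A Waiver exemption scoped to the subscription, limited to the listed policies in the initiative.
resource exemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'ascDefault-waiver'
  properties: {
    policyAssignmentId: ascDefault.id
    exemptionCategory: 'Waiver'
    policyDefinitionReferenceIds: exemptedReferenceIds
    displayName: 'ASC Default: waived policies'
    description: 'Exempts selected policies from the auto-assigned ASC Default initiative.'
  }
}
```

The first stage is a single CLI call that produces the parameter, for example `az account list --query "[].id" -o tsv`, whose output is passed as `subscriptionIds` to `az deployment mg create --management-group-id <mg> --location <region> --template-file main.bicep`. The deploying identity needs Resource Policy Contributor (or equivalent) on every subscription in the list; a subscription where the assignment does not yet exist will fail the `existing` lookup, which is the behaviour you want rather than silently creating a dangling exemption.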

1 Answer


You can create exemptions in MDC that apply to a management group. If you open the recommendation and select 'Exempt', you'll get the following screen:

  1. Select the MG you want to be in scope
  2. It will also create an exemption for any of the other initiative sets this recommendation is in (if you do it programmatically, Azure won't assume you meant to do that)


lunchbox