- James Wassinger
💯 Get an Emailed Report of Azure Subscriptions With A Low Azure Security Score
For Better Tracking and Reporting, View this Step-by-Step Guide to Set up Your Own Emailed Report of Azure Subscriptions with a Low Azure Security Score.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/d96bee3d-5277-4402-a620-93267469b13d/jw-az-subscription-security-score.png?t=1715889231)
Summary
This article outlines how I created an emailed report that displays Azure subscriptions with a Microsoft Defender for Cloud Security Score below the recommended 80%.
Results
After completing this step-by-step guide, you will create a process for reporting Azure subscriptions with a security score below 80%. The process results are shown below.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/b1293e74-7e47-4d3a-951c-4dede4f35214/image.png?t=1715898781)
⚠️ Note: The results show a 100% score for testing and display purposes.
Requirements
A minimum of one Azure subscription
Enable Microsoft Defender for Cloud
A domain name (Used for sending email with Sendgrid)
Deploy
Here are the technical step-by-step instructions for deploying this process in your environment.
Create an Entra ID Application Registration
Open the Azure portal.
From the left-side menu, select Microsoft Entra ID.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/7235dd87-c7c3-43e5-b7eb-16eb1cba0bc1/image.png?t=1715949718)
From the left-side menu of Microsoft Entra ID, select Application Registrations.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/d686122a-2ac6-4203-b3c1-25cb2cf2a8b8/image.png?t=1715949947)
Select new registration.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/ee3e5172-e710-4da6-8f02-4766541c8eeb/image.png?t=1715950011)
On the Register an application screen, enter the Name Azure Security Score Monitor and press Register at the bottom.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/568127d0-7136-464d-9b83-f8875fa69c36/image.png?t=1715950218)
Copy the Application (client) ID and Directory (tenant) ID for later use
Select Certificates and Secrets from the left-side menu.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/57e9d3d1-bf81-4143-acab-50bd50f5904b/image.png?t=1715950717)
Select New client secret, name the secret AzureSecurityMonitor, select 24 months, click Add, and copy the secret value for later use.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/601141c2-5d6b-4c21-b13f-dd2ea24c5fa5/image.png?t=1715950948)
Select API permissions and remove the default User.Read permissions. These default permissions are not required.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/697827f9-98a9-4dd1-a0a0-1055ba93a967/image.png?t=1715951219)
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/7c728562-4f4e-4340-8aef-98c61b7410ec/image.png?t=1715951249)
Using Access Control (IAM), assign the Reader role to the Azure Security Score Monitor Entra ID Application Registration at the subscription or management group scope for the resources you want to monitor.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/eb9a0898-3dca-4f8d-94a2-f18a922ba0b1/image.png?t=1715951491)
Create an Azure Resource Group
Select Resource groups from the left-side menu of the Azure Portal.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/b3da0727-f57c-48c2-acf0-2cef720aeb04/image.png?t=1715951718)
Select Create to create a new resource group.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/645af866-1da7-422d-8e71-e77d59e667fc/image.png?t=1715951780)
On the Create a resource group page:
Select the subscription
Resource group name: rg-SecurityScoreMonitor
Select a region
Click Review + Create
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/9bad8d70-05ae-4732-85f0-a35f8796c929/image.png?t=1715953035)
Create an Azure Log Analytics Workspace
On the Create Log Analytics workspace page, enter the name la-ascscoreemonitor and click Review + Create.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/b75a16be-825c-4e3e-93a1-1887b0d735f4/image.png?t=1715953303)
Create an Azure Key Vault
On the Create a Key Vault page, enter the information below and click Next.
Key vault name: kv-ascscoremonitor
Region: Select your resource group region
Pricing tier: Standard
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/9e54347b-03c8-4637-808b-51e8ca08dc6c/image.png?t=1715968702)
On the Access configuration page, leave the default Azure role-based access control (recommended) selected and click Next.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/fd019a44-3064-49e0-8384-a923495914c4/image.png?t=1715968782)
On the Networking page, select the following options and click Review + Create.
Public network Access Enabled
Allow access from Selected Networks
Exception: Check to Allow trusted Microsoft services to bypass this firewall.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/7faf2f90-beb1-4d58-88cc-a239db503dc1/image.png?t=1715968959)
Navigate to the newly created Key Vault. On the kv-ascscoremonitor page, click on Networking and add your client’s IP address. You can use this resource to find your client’s IP address: https://whatismyipaddress.com/.
Select Access Control (IAM) from the left-side menu and assign your account the Key Vault Administrator role. ⚠️ This assignment is temporary.
From the left-side menu, click on Secrets. Click Generate/Import to create a secret.
Name: tenant-id
Secret value: Enter the tenantId copied from the application registration step.
Click create.
Repeat this to add the client-id and client-secret to the key vault.
After adding the application Registration values to the Key Vault, remove your username from the Access Control (IAM) and your IP address from the Networking section.
Create an Azure Logic App
Enter the information below on the Create Logic App page and click Review + Create.
Logic app name: logic-ascscoremonitor
Publish: Workflow
Region: Select your resource group region.
Enable log analytics: No
Plan: Consumption
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/709ea4f6-ff83-425d-ad1d-b10def13a864/image.png?t=1715971421)
Open the new Logic app and select Identity from the left-side menu. Toggle the status to On, click Save, and then Yes.
Assign the Logic App Permissions to Access the Key Vault
Open the Key Vault kv-ascscoremonitor, and from the left-side menu, select Access Control (IAM).
Click Add, and Add role assignment. Select the Key Vault Secrets User role. Under Members, select Managed Identity and choose the logic app identity. Press Review + Assign.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/c730189f-8d40-4bb2-a729-628df1a28c3a/image.png?t=1715971658)
Setup Resource Diagnostic Settings
Key Vault
From the kv-ascscoremonitor Key Vault page, select Diagnostic settings from the left-side menu, click Add diagnostic setting, enter KV Security Monitor Settings in the Diagnostic setting name field, select allLogs and AllMetrics, select Send to Log Analytics workspace, and click Save.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/ce778f99-75f1-4c45-87fa-6eddfee9afd1/image.png?t=1715971969)
Logic App
From the logic-ascscoremonitor Logic App page, select Diagnostic settings from the left-side menu, click Add diagnostic setting, enter Logic Security Monitor Settings in the Diagnostic setting name field, select allLogs and AllMetrics, select Send to Log Analytics workspace, and then click Save.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/0af5eaad-78cc-44d5-8a93-92871a7f0f05/image.png?t=1715972893)
Create the Logic App
From the Logic App page, select Logic app designer
Set up the main trigger
From the left-side menu, click Add a trigger, then search for and select Recurrence.
Configure the recurrence. Let's check the Security Score of our resources once a week.
Interval: 1
Frequency: Week
Time Zone: select your Time Zone.
Start time: enter your desired start time, for example 2024-05-17T08:00:00Z
On these days: Monday
At these hours: 8
At these minutes: 00
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/c2179b26-6d08-440f-8a0e-476519146dbe/image.png?t=1715973769)
Retrieve and store the secrets from the Key Vault
Press the Add an action button, search, and select Get secret. Enter the required information and press Create to create a connection to the Key Vault.
Connection name: AzureKeyVault
Authentication Type: Managed Identity
Vault name: kv-ascscoremonitor
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/66feef4a-68c4-478a-96b6-e1623c9fa67a/image.png?t=1715974457)
⚠️ There will be an error when you use the dropdown to attempt to select a secret.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/56c6a94e-1853-4290-a6b0-ac0edef30593/image.png?t=1715974617)
Resolve the Logic App Connection to Key Vault
Open the Key Vault, select Logs from the left-side menu, enter in the below query, and press Run.
```kusto
AzureDiagnostics
| where ResultSignature == "Forbidden" or ResultSignature == "Unauthorized"
| project CallerIPAddress
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/1f5884fc-ddff-4367-bff3-5eef3cb2aad9/image.png?t=1715974757)
Copy all the unique IP addresses, open Networking from the left-side menu, add the IP addresses under Firewall, and press Apply.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/ab272a21-2a41-416f-a773-b433d5a0cea7/image.png?t=1715974851)
Continue the Logic App Design
Return to the Get Secret step, select client-id from the dropdown list, and change the step title to client-id. Repeat the Get secret steps to add a separate step for the tenant-id and client-secret.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/83dfcc90-fade-4769-b497-9f32f9145a22/image.png?t=1715975134)
Initialize the From email address variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: FromEmailAddress
Type: String
Change the title to Int - FromEmailAddress
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/74c28eea-6e1b-4a15-9b97-4d670ac9df0d/image.png?t=1715975478)
Initialize the To email addresses variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: ToEmailAddresses
Type: Object
Value: See the below JSON code block.
Change the step name to Int - ToEmailAddresses
```json
{
  "emailAddresses": "Enter email addresses separated by ;"
}
```
For example:
```json
{
  "emailAddresses": "user1@example.com; user2@example.com; user3@example.com"
}
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/1bae4f8d-9c09-45c0-a6b5-cf968d9c5ddd/image.png?t=1715975958)
Initialize the email subject variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: EmailSubject
Type: String
Value: !! Azure Security Score Notification
Change the title to Int - EmailSubject
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/949f4861-a09f-4862-8bf2-267a0523726e/image.png?t=1715976436)
Initialize the subscription name variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: SubscriptionName
Type: String
Change the title to Int - SubscriptionName
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/0d2f7fe4-d4b1-410f-aa0e-2cd66409e2ef/image.png?t=1715976714)
Initialize the subscription ID variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: SubscriptionId
Type: String
Change the title to Int - SubscriptionId
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/8aafc849-8fa3-4bef-b59c-38d242b9058c/image.png?t=1715976845)
Initialize the score threshold variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: ScoreThreshold
Type: Float
Value: 80
Change the title to Int - ScoreThreshold
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/c3634228-3c66-4060-9978-10f754d1c5fb/image.png?t=1715977034)
Initialize the score variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: Score
Type: Float
Change the title to Int - Score
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/19257b0a-da36-46f8-9c3a-112257515bd7/image.png?t=1715977348)
Initialize the score percentage variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: Percentage
Type: Float
Change the title to Int - Percentage
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/2c4ad056-ad3a-4ceb-87fe-50684db6a04b/image.png?t=1715977236)
Initialize the CSS styles variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: ResultsStyle
Type: Object
Value: See the below code block
Change the title to Int - ResultsStyle
```json
{
  "tableStyle": "style=\"border-collapse: collapse; width:100%;\"",
  "theadStyle": "style=\"border: 1px solid #dddddd; text-align: left; padding: 8px;\"",
  "tdataStyle": "style=\"border: 1px solid #dddddd; text-align: left; padding: 8px;\""
}
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/71f3b26b-d5be-405c-88fe-5b74b637ef20/image.png?t=1716119451)
Initialize the HTML variable
Add an action, search, and select Initialize variable. Enter the configurations below.
Name: Results
Type: String
Value: See the below code block
Change the title to Int - Results
```html
<h2>Azure Subscriptions With A Security Score Below 80%</h2>
<p>The table below shows subscriptions out of compliance with a security score below 80%.</p>
<table [Add Variable]>
  <tr>
    <th [Add Variable]>Subscription Name</th>
    <th [Add Variable]>Subscription ID</th>
    <th [Add Variable]>Security Score %</th>
  </tr>
```
Change each [Add Variable] placeholder to the matching function below:
Table
```text
variables('ResultsStyle').tableStyle
```
Table Header
```text
variables('ResultsStyle').theadStyle
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/6db50c80-e262-44eb-9ba0-3fa1a80fbf46/image.png?t=1715978384)
Store Azure subscription information.
Add an action, search, and select List subscriptions. Enter the configurations below.
Authentication: Service Principal
Connection name: GetSubscriptionInformation
Client ID: Enter the ClientId from the Azure Security Score Monitor Application Registration.
Client Secret: Enter the Client Secret from the Azure Security Score Monitor Application Registration.
Tenant: Enter the TenantId from the Azure Security Score Monitor Application Registration.
Press Create New
Change the title to Subscriptions
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/b850fa00-696f-48da-9f4a-e34a392be219/image.png?t=1715979043)
Add an action, search, and select HTTP. Add the below configurations.
URI: https://login.microsoftonline.com/{{TenantId}}/oauth2/token (replace {{TenantId}} with the tenant-id value)
Method: POST
Headers: Content-Type | application/x-www-form-urlencoded
Body: See the below code block.
Replace {{ClientId}} with the client-id value.
Replace {{ClientSecret}} with the client-secret value.
Change the title to Get AuthToken
```text
grant_type=client_credentials&client_id={{ClientId}}&client_secret={{ClientSecret}}&resource=https://management.azure.com/
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/1ad23063-5231-44e6-a6dc-c3527e3a83e2/image.png?t=1715979752)
⚠️ At this point, press Save to save your progress.
Parse the JSON response for the Access Token
Add an action, search, and select Parse JSON.
Content: Select Body of the Get AuthToken step.
Schema: See the below code block.
Change the title to Parse - Get Access Token
```json
{
  "type": "object",
  "properties": {
    "token_type": {
      "type": "string"
    },
    "expires_in": {
      "type": "string"
    },
    "ext_expires_in": {
      "type": "string"
    },
    "expires_on": {
      "type": "string"
    },
    "not_before": {
      "type": "string"
    },
    "resource": {
      "type": "string"
    },
    "access_token": {
      "type": "string"
    }
  }
}
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/154b4d11-c472-40c2-a87f-5604ae06529e/image.png?t=1716119626)
Set the SubscriptionName Variable
Add an action, search, and select Set Variable.
Name: SubscriptionName
Value: DisplayName of the Subscription
Change the title to Set - SubscriptionName
⚡️A ForEach will automatically be created. Change the name of this ForEach to ForEach - Subscription
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/38bac043-5ed1-466b-8bce-9cbf329eb864/image.png?t=1716120173)
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/eef1e8ec-1234-4fc3-948a-8043afa8388f/image.png?t=1716120118)
Set the SubscriptionId Variable
Add an action, search, and select Set Variable.
Name: SubscriptionId
Value: SubscriptionId of the Subscription.
Change the title to Set - SubscriptionId
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/20ca7634-6f0f-4c95-b84c-1ab8bdf10586/image.png?t=1716120241)
Set up the Graph API call to get the subscription score for each SubscriptionId.
Within the ForEach, add an action, search, and select HTTP.
URI: See the below code block.
Method: GET
Headers: Authorization | Bearer {{ AccessToken }}
Change the title to Get Subscription Secure Score Data
```text
https://management.azure.com/subscriptions/{{SubscriptionId}}/providers/Microsoft.Security/secureScores/ascScore?api-version=2020-01-01-preview
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/cefb8553-2946-4b6e-bc79-ccbf57c0bab5/image.png?t=1716120712)
⚠️ Ensure the URI keeps the / after subscriptions and the / before providers. After you add the dynamic content, these may be removed and cause an error.
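The token request and the secure score request from the two HTTP steps above, written out as an added Python example (not part of the original post or the Logic App itself). It shows why the form body needs URL-encoding: a client secret containing `+`, `&` or `=` is corrupted by plain placeholder substitution. The sample secret and IDs are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, quote, urlencode

# Endpoints exactly as given in the steps above.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
SCORE_URL = ("https://management.azure.com/subscriptions/{sub}"
             "/providers/Microsoft.Security/secureScores/ascScore"
             "?api-version=2020-01-01-preview")

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample values, not real credentials.
SAMPLE_TENANT = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-0000000000bb"
SAMPLE_SECRET = "Ab+c&d=e~1"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials token call."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # percent-encoded by urlencode
        "resource": "https://management.azure.com/",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=quote(tenant_id, safe="")), headers, body


def naive_body(client_id, client_secret):
    """The body template with raw placeholder substitution (no encoding)."""
    return ("grant_type=client_credentials"
            f"&client_id={client_id}"
            f"&client_secret={client_secret}"
            "&resource=https://management.azure.com/")


def secret_seen_by_server(body):
    """Decode a form body as a server would and return client_secret."""
    return parse_qs(body, keep_blank_values=True).get("client_secret", [""])[0]


def build_score_request(subscription_id, access_token):
    """Return (url, headers) for the secureScores/ascScore call."""
    # An empty or malformed ID would yield '/subscriptions//providers/...'.
    if not GUID.match(subscription_id):
        raise ValueError("subscription_id is not a GUID")
    url = SCORE_URL.format(sub=subscription_id)
    return url, {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    _, _, encoded = build_token_request(SAMPLE_TENANT, SAMPLE_CLIENT_ID, SAMPLE_SECRET)
    print("encoded body keeps secret:", secret_seen_by_server(encoded) == SAMPLE_SECRET)
    print("naive body delivers:", repr(secret_seen_by_server(
        naive_body(SAMPLE_CLIENT_ID, SAMPLE_SECRET))))
```

Inside the Logic App, wrapping the substituted secret in the `encodeUriComponent()` expression function gives the same encoding.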
Parse the JSON Security Data response
Within the ForEach, add an action, search, and select Parse JSON.
Content: Add the Body from the Get Subscription Secure Score Data.
Schema: See the below code block.
Change the title to Parse - Security Score Data.
```json
{
  "type": "object",
  "properties": {
    "id": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "type": {
      "type": "string"
    },
    "properties": {
      "type": "object",
      "properties": {
        "displayName": {
          "type": "string"
        },
        "score": {
          "type": "object",
          "properties": {
            "max": {
              "type": "integer"
            },
            "current": {
              "type": "number"
            },
            "percentage": {
              "type": "number"
            }
          }
        },
        "weight": {
          "type": "integer"
        }
      }
    }
  }
}
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/52694fbb-284a-4c4a-b6a1-6b8dc8e545b7/image.png?t=1716121701)
Set the Percentage variable
Within the ForEach, add an action, search, and select Set Variable.
Name: Percentage
Value: Select the Body percentage property of the Parse - Security Score Data
Change the title to Set - Percentage
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/5ffbc03f-abe3-4a16-a3e9-a1fb7fdaac48/image.png?t=1716121904)
Set the Score variable
Within the ForEach, add an action, select Set Variable.
Name: Score
Value: See the below code block for the function expression to enter.
Change the title to Set - Score
```text
mul(float(variables('Percentage')), int(100))
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/4ecf15c5-f783-41b4-8950-22e58066f38b/image.png?t=1716122295)
Condition Statement
Within the ForEach, add an action, search, and select Condition.
Choose a value (left): Add the Score variable.
Is less than
Choose a value (right): Add the ScoreThreshold variable.
Change the title to If Score Is Less Than 80
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/bccb9174-7947-4951-a9d2-57536ba4382a/image.png?t=1716122592)
⚠️ For the Results example the ScoreThreshold variable was changed to 101 to get an email generated. You can change this number to fit your needs as well.
Add the True action within the Condition statement
Within the True Condition, add an action, search, and select Append to string variable.
Name: Select the Results variable.
Value: See the below code block.
Change the title to Append To Results
```html
<tr>
  <td {{TableDataStyle}}>{{ SubscriptionName }}</td>
  <td {{TableDataStyle}}>{{ SubscriptionID }}</td>
  <td {{TableDataStyle}}>{{ Score }}%</td>
</tr>
```
Replace the corresponding placeholders with the function expressions and matching variables.
Replace {{TableDataStyle}} with the below function expression.
```text
variables('ResultsStyle').tdataStyle
```
Replace {{ Score }} with the below function expression.
```text
formatNumber(float(variables('Score')), 'F2')
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/fcc29309-afc7-4048-beba-ce3b69b909fc/image.png?t=1716123390)
Close the HTML
Outside of the ForEach, add an action, search, and select Append to string.
Name: Results
Value: See the below code block.
Change the title to Close Results
```html
</table>
<p>If you are responsible for any of the above subscriptions, please review and remediate the security findings for these subscriptions at your earliest convenience. </p>
<p>These security findings can be viewed in the <a href="https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0">Microsoft Defender for Cloud</a> dashboard.</p>
<p>Please let us know if you need any assistance or have any questions.</p>
<p>Thank you</p>
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/00d957d4-2b24-4eb3-b7ea-f4152346087e/image.png?t=1716123780)
⚠️ Save the Logic app.
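The ForEach, Set - Score, Condition and Append To Results steps above, expressed as an added Python example (not the author's Logic App) and run over constructed API responses. It goes beyond the workflow in two ways: it HTML-escapes values before placing them in the table, and it collects subscriptions whose score response could not be parsed instead of failing the whole run. Function names are hypothetical.

```python
import html
import json

SCORE_THRESHOLD = 80.0  # the page's ScoreThreshold variable
# tdataStyle value from the page's ResultsStyle object
TD_STYLE = 'style="border: 1px solid #dddddd; text-align: left; padding: 8px;"'


def sample_body(max_points, current, percentage):
    """Build a constructed secureScores/ascScore response body."""
    return json.dumps({
        "name": "ascScore",
        "properties": {
            "displayName": "ASC score",
            "score": {"max": max_points, "current": current,
                      "percentage": percentage},
            "weight": 100,
        },
    })


# Constructed sample data: not real subscriptions or real API output.
SUBSCRIPTIONS = [
    {"subscriptionId": "00000000-0000-0000-0000-000000000001", "displayName": "Prod"},
    {"subscriptionId": "00000000-0000-0000-0000-000000000002", "displayName": "R&D <staging>"},
    {"subscriptionId": "00000000-0000-0000-0000-000000000003", "displayName": "Sandbox"},
    {"subscriptionId": "00000000-0000-0000-0000-000000000004", "displayName": "No score"},
]
SCORE_BODIES = {
    "00000000-0000-0000-0000-000000000001": sample_body(58, 31.5, 0.5431),
    "00000000-0000-0000-0000-000000000002": sample_body(50, 39.5, 0.79),
    "00000000-0000-0000-0000-000000000003": sample_body(45, 45, 1),
    # Constructed error-shaped body: no "properties" object to read.
    "00000000-0000-0000-0000-000000000004": json.dumps(
        {"error": {"code": "ConstructedError", "message": "constructed"}}),
}


def score_percent(body):
    """Return the 0-100 score, like mul(float(Percentage), int(100))."""
    pct = json.loads(body)["properties"]["score"]["percentage"]
    if isinstance(pct, bool) or not isinstance(pct, (int, float)):
        raise ValueError("percentage is not numeric")
    if not 0 <= pct <= 1:
        raise ValueError("percentage outside the 0..1 range")
    return float(pct) * 100


def build_rows(subscriptions, score_bodies, threshold=SCORE_THRESHOLD):
    """Return (html_rows, skipped_ids) for subscriptions below threshold."""
    rows, skipped = [], []
    for sub in subscriptions:
        sub_id = sub["subscriptionId"]
        try:
            score = score_percent(score_bodies[sub_id])
        except (KeyError, TypeError, ValueError):
            skipped.append(sub_id)      # report separately, do not drop silently
            continue
        if score < threshold:
            cells = (html.escape(sub["displayName"]),  # API text is untrusted
                     html.escape(sub_id),
                     f"{score:.2f}%")                   # formatNumber(..., 'F2')
            rows.append("<tr>" + "".join(
                f"<td {TD_STYLE}>{cell}</td>" for cell in cells) + "</tr>")
    return rows, skipped


if __name__ == "__main__":
    report_rows, unparsed = build_rows(SUBSCRIPTIONS, SCORE_BODIES)
    print("\n".join(report_rows))
    print("could not evaluate:", unparsed)
```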
Setup Sendgrid
Within the rg-SecurityScoreMonitor resource group, press Create.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/202fb132-71bd-49fa-a3a7-6209d5d1e1e1/image.png?t=1716124566)
Search and select Twilio Sendgrid. Press Subscribe and Free 100 (2022).
On the subscribe to Twilio Sendgrid page, enter the below information.
Ensure the rg-SecurityScoreMonitor resource group is selected.
Name: Choose a name, example sendgrid-SecurityScoreMonitor.
Press Review + Create.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/1467ab4c-2a79-48c5-977b-0f1a73080b51/image.png?t=1716124747)
Press the Configure account now button to complete the configuration.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/acf92ac1-9f45-466c-a57e-c54b0a6adf05/image.png?t=1716124805)
Accept the application permissions.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/c3c5d943-be9b-4030-bd62-0fa015e39e71/image.png?t=1716124847)
Enter your information, press Get Started.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/79782582-5932-49f9-ad31-a53abba676ba/image.png?t=1716124897)
From the left-side menu select Settings and Sender Authentication.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/cc80d7a0-e8bc-4240-acb4-a5a6528e2420/image.png?t=1716124975)
Press Get Started in the Authenticate Your Domain.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/49eb36dc-2565-4fd7-983c-5052d9d02884/image.png?t=1716125058)
Enter the DNS provider name and select Next.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/8ef57c83-fdd2-49ff-8bc7-9cf85ca23277/image.png?t=1716125104)
Enter in your domain, and press Next.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/345d87dc-62c8-41a1-85f1-1ad995dfb1c0/image.png?t=1716125174)
You will need to install the DNS records to complete the process. Once the records have been added to your domain’s DNS press Verify. If the verification is successful, you will receive the below verification message.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/54530e9b-90ad-4be7-9cf8-16e260bf3b80/image.png?t=1716125260)
From the left-side menu click on Settings, and select API Key.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/8666d301-d699-4a00-97a3-0b66da16d6de/image.png?t=1716125491)
Press the Create API Key button in the upper-right.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/ccffa983-e17b-467b-915b-602ec753c1ef/image.png?t=1716125547)
Enter Azure Security Score Monitor for the API Key Name, select Restricted Access, select Mail Send, and grant Full Access. Press Create & View.
Copy the API Key for later use.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/d70e51e3-cfe5-4661-862a-0bb1a45f9c81/image.png?t=1716125652)
⚠️ If you see the below warning on your account dashboard, click on the ticket history link and follow the instructions from the ticket titled Status of Your Twilio Sendgrid Account Request. Your emails will NOT send until this process is completed.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/45c79f66-b343-4584-a3b2-ba976acaa7be/image.png?t=1716125830)
Complete the Logic App Design
Navigate back to the Logic app designer. Under the last action (Close Results), add an action, search, and select Send email (V4).
Connection name: SendGrid
Enter the copied API Key, Press Create New.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/2b005675-58b2-4fc7-ab50-966a2919ba02/image.png?t=1716126316)
Complete the email setup
From: FromEmailAddress
To: Add the below code block function expression for the ToEmailAddresses variable
Subject: EmailSubject
Body: Results
Change the title to Send Results
Click Save
Click Run
```text
variables('ToEmailAddresses').emailAddresses
```
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/c9dea7bd-0a7f-4bb5-b7b3-7c691bb7149a/image.png?t=1716126795)
The results should resemble what is found in the Results section.