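function Confirm-PacOwner {
    <#
    .SYNOPSIS
        Classifies who "owns" a deployed policy resource relative to this PaC deployment.
    .DESCRIPTION
        Returns one of "thisPaC", "otherPaC", "managedByDfcSecurityPolicies",
        "managedByDfcDefenderPlans" or "unknownOwner" and increments the matching
        counter on $ManagedByCounters in place.

        Ownership is decided purely from data carried by the resource itself:
        metadata.pacOwnerId, and for the Defender for Cloud special cases the
        free-text description. Any principal that can write a policy assignment
        can set both fields, so this is a convention check to avoid clobbering
        resources created by other tooling, not a trust boundary.
    .PARAMETER ThisPacOwnerId
        pacOwnerId of the running deployment; compared case-insensitively (-eq).
    .PARAMETER PolicyResource
        Policy definition / set definition / assignment object exposing .kind and
        .properties (with .metadata, .description, .policyDefinitionId as available).
    .PARAMETER Scope
        Scope the resource lives at. Only consulted for the DfC special case and
        may be $null (e.g. when the caller does not know the scope).
    .PARAMETER ManagedByCounters
        Hashtable or object with numeric members thisPaC, otherPaC, unknown,
        dfcSecurityPolicies and dfcDefenderPlans; exactly one is incremented.
    .OUTPUTS
        System.String - the ownership classification.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        $ThisPacOwnerId,
        [Parameter(Mandatory = $true)]
        $PolicyResource,
        [Parameter(Mandatory = $false)]
        $Scope = $null,
        [Parameter(Mandatory = $true)]
        $ManagedByCounters
    )

    $properties = $PolicyResource.properties
    $metadata = $properties.metadata

    # A pacOwnerId in metadata is the only signal for PaC ownership; decide on it first.
    if ($null -ne $metadata -and $null -ne $metadata.pacOwnerId) {
        if ($ThisPacOwnerId -eq $metadata.pacOwnerId) {
            $ManagedByCounters.thisPaC += 1
            return "thisPaC"
        }
        $ManagedByCounters.otherPaC += 1
        return "otherPaC"
    }

    # No pacOwnerId: try to recognise the Defender for Cloud special cases.
    # Only subscription-scoped assignments of built-in definitions qualify, which
    # narrows the (spoofable) description match to the cases DfC actually creates.
    # $Scope may be $null, so guard it before calling a string method on it; note
    # StartsWith is case-sensitive, matching the lowercase segment Azure returns.
    $kind = $PolicyResource.kind
    if ($kind -eq "policyassignments" -and $null -ne $Scope -and $Scope.StartsWith("/subscriptions/")) {
        $description = $properties.description
        if ($null -ne $description) {
            $definitionIdParts = Split-AzPolicyResourceId -Id $properties.policyDefinitionId
            if ($definitionIdParts.scopeType -eq "builtin") {
                # DfC resources cannot be identified by naming or createdBy (both are
                # inconsistent), so the description text is the only available marker.
                # This is not ideal: anyone who can write an assignment can set it.
                # "Security Policies" (MCSB, NIST, ...) use the description
                #   "This object has been generated by Microsoft Defender for Cloud. To make changes, navigate to the security policies management page."
                # "Defender Plans" (Servers, App Service, Databases, ...) use a description
                #   starting with "This policy assignment was automatically created by "
                if ($description.StartsWith("This object has been generated by ")) {
                    $ManagedByCounters.dfcSecurityPolicies += 1
                    return "managedByDfcSecurityPolicies"
                }
                if ($description.StartsWith("This policy assignment was automatically created by ")) {
                    $ManagedByCounters.dfcDefenderPlans += 1
                    return "managedByDfcDefenderPlans"
                }
            }
        }
    }

    $ManagedByCounters.unknown += 1
    return "unknownOwner"
}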