What are exceptions?
Exceptions are specific items that should not be counted as anomalies (matched items) and, as a result, are not required to comply with a particular policy. Playbooks allow you to manage exceptions both temporarily and permanently.
For example, suppose you're about to run remediation for all matched items detected by the “Inactive Teams users” policy. However, you find one user who hasn't had any activities in the last 30 days, but it's because they're on parental leave. In this case, there's no reason to remove Teams from this user, so you can set them as an exception.
Exceptions vs. Trusted Items
In our Entra Apps policies, items that have been reviewed and validated by an administrator are labeled as “Trusted Items” instead of “Exceptions”. This designation means that an admin has temporarily approved these verified items within your tenant, with the intention to review them again after their expiration. Once they expire, these items will reappear as matched items. This process ensures a consistent review cycle, thereby maintaining compliance with governance strategies. The same rules described for exceptions in this guide apply to trusted items as well.
When and where you can set exceptions
You can set an exception in two moments:
- After the remediation has been enabled: once matched items have been detected, you can set one or more of them as exceptions (see the Set matched items as exceptions section below).
- During the attestation process: attestation is an action that involves sending a confirmation request to a manager/stakeholder via email before proceeding with the remediation of a matched item. The recipient can also set the item as an exception.
Learn how to configure attestation.
Evaluate exceptions
In the Policy Box you can see the grey “N. Exceptions” icon, which shows how many exceptions the policy currently has. By clicking on that icon, you open a new page (the Exception report) listing all the exceptions.
Please note that remediation can only be run if the toggle “Enable remediation” is on.
Set “Matched items” as exceptions
Matched items are detected items that are not compliant with a particular policy. Those items can be remediated or set as an exception. Let's see how to do it:
Step 1: Select matched items
From the Policy Box, click on the red tag “Matched items”. This will take you to the policy report.
Step 2: Set exceptions
From the policy report, select the items you want to set as an exception, then click “Set as exception” in the bottom-right corner.
The selected items will be removed from the “Matched items” list and added to the “Exceptions” list.
Manage an exception
You can manage items marked as exceptions and, if needed, remove them from the exception list. When you do so, the removed item will be shown in the matched items, since it is no longer considered an exception.
Step 1: Select exceptions
From the Policy Box, click on the gray icon “N. Exceptions”.
This will take you to the Exceptions report. Here, you can review detailed information about your exceptions, including their creation date, expiration date, renewal history, ownership, and more.
Step 2: Update exceptions
Exceptions can be updated either in bulk or individually.
Bulk update:
- Select all exceptions you wish to edit.
- Click on “Manage exception” at the top of the screen.
- A wizard will appear, prompting you to edit policy expiration details and add a note.
- Confirm your changes by clicking “Submit”.
Individual update:
- Under the “Actions” column, click the ellipses ("…") for the specific exception.
- Select “Manage exception” from the dropdown menu.
Step 3: Remove exceptions
Exceptions can be removed either in bulk or individually.
Bulk removal:
- Select the items you want to remove.
- Click on “Remove all exceptions” located in the top-right corner of the window.
Individual removal:
- Under the “Actions” column, click the ellipses (“…”) for the specific exception.
- Choose “Remove exception” from the dropdown menu.
When you remove an item as an exception, that item will be shown in the matched items, since it is no longer considered an exception.
Manage expired exceptions
From the Exceptions report, you may notice some exceptions have expired. These can be found under the “Expired exceptions” tab at the top of the screen. Select this tab to manage expired exceptions.
Step 1: Review expiration details
In the “Expired exceptions” report, you can review the creation and expiration dates for each expired policy. Additional information includes owners, notes, and other properties available in the main exception report.
Step 2: Resume expired exceptions
Expired exceptions can be renewed either in bulk or individually.
Bulk update:
- Select all exceptions you wish to edit.
- Click on “Resume exception” at the top of the screen.
- A wizard will appear, prompting you to edit policy expiration details and add a note.
- Confirm your changes by clicking “Submit”.
Individual update:
- Under the “Actions” column, click the ellipses ("…") for the specific exception.
- Select “Resume exception” from the dropdown menu.
Step 3: Remove expired exceptions
Expired exceptions can be removed either in bulk or individually.
Bulk removal:
- Select the items you want to remove.
- Click on “Remove all exceptions” located in the top-right corner of the window.
Individual removal:
- Under the “Actions” column, click the ellipses (“…”) for the specific exception.
- Choose “Remove exception” from the dropdown menu.
This report is designed to help you effectively manage and take necessary actions on expired exceptions, ensuring that policy exceptions are current and accurately reflect your organization's compliance needs.
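To make the lifecycle described in this guide concrete (matched item, active exception, expired exception that reappears as matched, resumed exception, removed exception), here is a small Python model added as an illustration; it is not the product's code or API. The class and function names, the 30-day threshold of the “Inactive Teams users” policy, and the sample users and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

INACTIVITY_DAYS = 30  # threshold of the "Inactive Teams users" policy in the guide


@dataclass
class PolicyException:
    """Hypothetical model of one row in the Exceptions report."""
    item: str          # the user (or other item) excluded from remediation
    created: date
    expires: date
    owner: str
    note: str = ""
    renewals: list = field(default_factory=list)  # (old_expiry, new_expiry) history

    def is_active(self, today: date) -> bool:
        # On or after the expiry date the exception no longer shields its item.
        return today < self.expires

    def resume(self, today: date, days: int, note: str) -> None:
        """'Resume exception': renew with a new expiry date and an updated note."""
        new_expiry = today + timedelta(days=days)
        self.renewals.append((self.expires, new_expiry))
        self.expires, self.note = new_expiry, note


def remove_exception(exceptions: list, item: str) -> list:
    """'Remove exception': the item is no longer shielded and shows as matched again."""
    return [e for e in exceptions if e.item != item]


def evaluate(last_activity: dict, exceptions: list, today: date) -> dict:
    """Split users into the buckets the Policy Box shows: matched items,
    active exceptions and expired exceptions. An item whose exception has
    expired is no longer excepted, so it reappears under matched items."""
    active = {e.item for e in exceptions if e.is_active(today)}
    expired = {e.item for e in exceptions if not e.is_active(today)}
    inactive = {u for u, last in last_activity.items()
                if (today - last).days > INACTIVITY_DAYS}
    return {"matched": sorted(inactive - active),
            "exceptions": sorted(active),
            "expired": sorted(expired)}


# Constructed sample data: last Teams activity per user, evaluated on TODAY.
TODAY = date(2024, 6, 1)
LAST_ACTIVITY = {"alice": TODAY - timedelta(days=2),
                 "bob": TODAY - timedelta(days=45),
                 "carol": TODAY - timedelta(days=90),   # on parental leave
                 "dave": TODAY - timedelta(days=60)}
EXCEPTIONS = [PolicyException("carol", date(2024, 3, 1), date(2024, 9, 1), "hr-admin", "parental leave"),
              PolicyException("dave", date(2024, 1, 1), date(2024, 4, 1), "it-admin", "contractor")]

if __name__ == "__main__":
    print(evaluate(LAST_ACTIVITY, EXCEPTIONS, TODAY))
```

Running it shows dave listed both as expired and as a matched item, which is exactly why the guide's “Expired exceptions” tab needs a review: resume the exception or let remediation proceed.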