I regularly come across Azure environments where the Microsoft Defender plans are not enabled, which is desired. In many cases, the cause can be found in manually managing the environment settings (former ‘Pricing Settings’), where all plans must be enabled for each new subscription. And thus be forgotten when a new subscription becomes available.
Many don’t know that you can easily manage these settings at scale using Azure Policy, so that the desired configuration is automatically set when you request a new subscription. All you have to do is assign the policies below on the scope – a Management Group in this case – under which all subscriptions should have Microsoft Defender enabled automatically.
See below an overview of all the built-in policies that Microsoft has published for the various Microsoft Defender plans in Microsoft Defender for Cloud and the recommendation they resolve:
|Recommendation||Policy Name||Policy Definition ID|
|Azure Defender for servers should be enabled||Configure Azure Defender for servers to be enabled||/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222|
|Azure Defender for App Service should be enabled||Configure Azure Defender for App Service to be enabled||/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d|
|Azure Defender for Azure SQL Database servers should be enabled||Configure Azure Defender for Azure SQL database to be enabled||/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491|
|Azure Defender for SQL servers on machines should be enabled||Configure Azure Defender for SQL servers on machines to be enabled||/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3|
|Azure Defender for Storage should be enabled||Configure Azure Defender for Storage to be enabled||/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3|
|Azure Defender for Kubernetes should be enabled||Configure Azure Defender for Kubernetes to be enabled||/providers/Microsoft.Authorization/policyDefinitions/133047bf-1369-41e3-a3be-74a11ed1395a|
|Azure Defender for container registries should be enabled||Configure Azure Defender for container registries to be enabled||/providers/Microsoft.Authorization/policyDefinitions/d3d1e68e-49d4-4b56-acff-93cef644b432|
|Azure Defender for Key Vault should be enabled||Configure Azure Defender for Key Vaults to be enabled||/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7|
|Azure Defender for Resource Manager should be enabled||Configure Azure Defender for Resource Manager to be enabled||/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9|
|Azure Defender for DNS should be enabled||Configure Azure Defender for DNS to be enabled||/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f|
|Azure Defender for open-source relational databases should be enabled||Configure Azure Defender for open-source relational databases to be enabled||/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a|
Note: With the November ’21 edition of Ignite, Microsoft has announced that several well-known security products will now go through life under a new name. Therefore, not all of the above products may look familiar to you. “Azure Security Center” (ASC) and “Azure Defender” are now jointly renamed “Microsoft Defender for Cloud”, while all “Azure Defender Plans” continue as “Microsoft Defender Plans”. As you can see in the table above, Microsoft has not yet renamed everything within Azure.
Learn more about the recent renaming of Microsoft security services.