Unforeseen Azure Defender for IoT costs, pricing explained

Recently I was confronted with the fact that a subscription with a spending limit was suddenly turned off because it exceeded the budget. Because I did not know what caused this, I immediately delved into the cost analysis, where I found the following:

Somewhat surprised, I tried to find out what was going on. Until recently, I had one Azure Defender for IoT sensor deployed for testing purposes, which was linked to an IoT Hub, with the Azure Defender for IoT plan enabled. However, I had already removed this IoT Hub and the on-premises sensor appliance. Still, the costs for the Azure Defender for IoT plan continued, eventually causing me to exceed my subscription spending limit.

To get rid of these charges I wanted to remove it. However, within the Azure portal, as well as with PowerShell and Azure CLI, I could not find the resource that appeared in the cost overview, nor the resource group named ‘microsoft.security’. Because the costs kept running and would therefore also affect my subscription once a new billing period started, this had to be resolved.

After a lot of searching and reading the Azure Defender for IoT pricing information, I found out that the moment you onboard a subscription for Azure Defender for IoT, you make a commitment (for at least 1,000 devices per month). The first 1,000 committed devices are free of cost for the first 30 days (within this period I removed the sensor and IoT Hub, so I thought I would not incur any costs). But you must explicitly remove the commitment by offboarding your subscription, otherwise the costs will continue to run. These costs are significant, at € 1,687 / month per 1,000 devices.

In addition, you should take into account that the billing cycle for Azure Defender for IoT follows a calendar month. Any changes in device commitment (including subscription offboarding) during the month take effect in the next billing month. This means that after you have offboarded the subscription, you will continue to pay until the end of the month.
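The check below is an added example, not part of the original post: it flags charges billed to a resource group that cannot be listed in the subscription (as with ‘microsoft.security’ above) and estimates what is still owed after offboarding under the calendar-month rule. The rows, resource group names and daily amounts are constructed sample data, and daily accrual at the observed rate is an assumption.

```python
import calendar
from collections import defaultdict
from datetime import date

# Constructed sample rows shaped like a cost-analysis export:
# (usage date, resource group, service name, cost in EUR). Values are made up.
COST_ROWS = [
    (date(2021, 3, 1), "rg-web", "Storage", 0.42),
    (date(2021, 3, 1), "microsoft.security", "Azure Defender for IoT", 54.42),
    (date(2021, 3, 2), "rg-web", "Storage", 0.40),
    (date(2021, 3, 2), "MICROSOFT.SECURITY", "Azure Defender for IoT", 54.42),
    (date(2021, 3, 3), "microsoft.security", "Azure Defender for IoT", 54.42),
]
# Constructed: the resource groups the subscription actually lists.
EXISTING_GROUPS = ["RG-Web", "rg-data"]


def orphan_charges(rows, existing_groups):
    """Return {(group, service): (total, average per day)} for charges billed
    to resource groups that do not appear in the subscription."""
    known = {g.lower() for g in existing_groups}  # names compare case-insensitively
    totals = defaultdict(float)
    days = defaultdict(set)
    for day, group, service, cost in rows:
        key = (group.lower(), service)
        if key[0] not in known:
            totals[key] += cost
            days[key].add(day)
    return {k: (round(totals[k], 2), round(totals[k] / len(days[k]), 2))
            for k in totals}


def exposure_after_offboarding(offboard_day, daily_cost):
    """Offboarding takes effect in the next billing (calendar) month, so the
    charge keeps running through the last day of the offboarding month.
    Assumption: cost accrues daily at the observed rate."""
    last = calendar.monthrange(offboard_day.year, offboard_day.month)[1]
    paid_through = offboard_day.replace(day=last)
    remaining_days = (paid_through - offboard_day).days  # days after offboarding
    return paid_through, round(remaining_days * daily_cost, 2)


if __name__ == "__main__":
    for (group, service), (total, per_day) in orphan_charges(
            COST_ROWS, EXISTING_GROUPS).items():
        until, owed = exposure_after_offboarding(date(2021, 3, 3), per_day)
        print(f"{service} in missing group '{group}': {total} EUR so far, "
              f"about {owed} EUR more until {until}")
```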

Offboard a subscription from Azure Defender for IoT

If you no longer want to use Azure Defender for IoT, you must therefore offboard the subscription to prevent the costs from continuing unseen. To do this, follow the steps below.

  • Go to the pricing pane of Defender for IoT (Azure Portal https://portal.azure.com > Azure Defender for IoT > Pricing), or using the link
  • In the overview you can see all subscriptions for which you have created a commitment. At the very right of the subscription you will see two buttons:
    • A pen with which you can edit how many devices the commitment applies to
    • A trash can with which you can initiate the offboarding, which we will use in this situation
  • After hitting the trash can icon, you will be prompted to confirm that you wish to proceed.

If you receive an error message that there is still a sensor linked to the subscription, you can find it by clicking on ‘Sites and sensors’ in the menu on the left, or using the link.
