
Ensure Microsoft Defender CSPM is Enabled

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Microsoft Defender CSPM (Cloud Security Posture Management) is enabled to continuously assess cloud resources for security misconfigurations, compliance risks, and exposure to threats. Microsoft Defender CSPM provides detailed visibility into the security state of assets and workloads within your Azure environment. The service offers hardening guidance to help improve security posture, identifies configuration drift, detects compliance violations, and provides actionable recommendations to remediate security issues.

Security
Operational excellence

Microsoft Defender CSPM provides critical security capabilities that go beyond basic security monitoring. The service delivers detailed visibility into the security state of assets and workloads, offering hardening guidance to help improve overall security posture. Without Defender CSPM enabled, organizations lack automated security assessments, misconfiguration detection, and compliance monitoring across their Azure subscriptions. Defender CSPM continuously evaluates resources against security best practices and regulatory frameworks, identifying vulnerabilities and providing prioritized remediation guidance. The service also offers attack path analysis, which helps security teams understand how attackers could potentially exploit security weaknesses across connected resources. This proactive approach to cloud security enables organizations to detect and remediate security issues before they can be exploited.

Enabling Microsoft Defender CSPM incurs hourly charges for each billable compute, database, and storage resource, which can lead to significant costs in larger environments. Organizations with extensive Azure deployments should conduct careful planning and cost analysis before enabling the service. The pricing model is based on resource consumption, so costs will scale with the number of resources being monitored. For detailed pricing information, refer to the Microsoft Defender for Cloud pricing page.


Audit

To determine if Microsoft Defender CSPM is enabled for your Azure subscriptions, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade, available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, select Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, select Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 On the Defender plans page, under Cloud Security Posture Management (CSPM), locate the Defender CSPM row.

07 In the Status column for Defender CSPM, verify if the status is set to On or Off:

  • If the status is set to Off, Microsoft Defender CSPM is not enabled for the selected Azure subscription.
  • If the status is set to On, Microsoft Defender CSPM is enabled for the selected Azure subscription.

08 Repeat steps no. 4 - 7 for each Azure subscription in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[].{id:id, name:name}'

02 The command output should return the requested subscription identifiers (IDs) and names:

[
	{
		"id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"name": "Production Subscription"
	},
	{
		"id": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "Development Subscription"
	}
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to make it the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the security pricing show command (Windows/macOS/Linux) with the --name parameter set to CloudPosture to get the CloudPosture plan pricing tier:

az security pricing show \
	--name CloudPosture \
	--query pricingTier

05 The command output should return the pricing tier for Microsoft Defender CSPM:

If Defender CSPM is disabled:

"Free"

If the security pricing show command output returns "Free", Microsoft Defender CSPM is not enabled for the selected Azure subscription.

If Defender CSPM is enabled:

"Standard"

If the command output returns "Standard", Microsoft Defender CSPM is enabled for the selected Azure subscription.

06 Repeat steps no. 3 - 5 for each Azure subscription available in your Microsoft Azure cloud account.
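
The CLI audit steps above as a single loop over every subscription (an added example, not part of the original page): `audit_cspm` and its verdict labels are assumed names, and the global `--subscription` and `-o tsv` options replace `az account set`, so the active subscription is left unchanged. A subscription whose tier cannot be read is reported as a failure rather than counted as compliant.

```shell
#!/bin/sh
# Added example (not from the original page): the audit steps above as one loop.
# audit_cspm and its verdict labels are assumed names, not Azure or Trend terms.

# Prints "<id> <name> <tier> <verdict>" (tab-separated) for each subscription.
# Returns 0 if every subscription is on Standard, 1 if any is not, 2 if the
# subscription list itself cannot be read.
audit_cspm() {
    cspm_rc=0
    cspm_tab=$(printf '\t')
    cspm_subs=$(az account list --query '[].[id, name]' -o tsv) || return 2
    while IFS="$cspm_tab" read -r cspm_id cspm_name; do
        [ -n "$cspm_id" ] || continue
        # A failed query (for example an authorization error) must not pass
        # as compliant, so it gets its own tier value.
        if ! cspm_tier=$(az security pricing show --name CloudPosture \
                --subscription "$cspm_id" --query pricingTier -o tsv \
                2>/dev/null </dev/null); then
            cspm_tier="UNKNOWN"
        fi
        case "$cspm_tier" in
            Standard) cspm_verdict="ENABLED" ;;
            Free)     cspm_verdict="DISABLED"; cspm_rc=1 ;;
            *)        cspm_verdict="CHECK_FAILED"; cspm_rc=1 ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$cspm_id" "$cspm_name" "$cspm_tier" "$cspm_verdict"
    done <<EOF
$cspm_subs
EOF
    return "$cspm_rc"
}

# Run against the signed-in account: sh audit_cspm.sh run
if [ "${1:-}" = "run" ]; then
    audit_cspm
fi
```

The non-zero exit status lets a scheduled job or pipeline step fail when any subscription is still on the Free tier.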

Remediation / Resolution

To enable Microsoft Defender CSPM for your Azure subscriptions, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade, available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, select Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to configure.

05 In the left navigation panel, under Settings, select Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 On the Defender plans page, under Cloud Security Posture Management (CSPM), locate the Defender CSPM row.

07 In the Status column for Defender CSPM, toggle the switch to On to enable Microsoft Defender CSPM for the selected subscription.

08 Click Save from the top menu bar to apply the configuration changes.

09 Repeat steps no. 4 - 8 for each Azure subscription that requires Microsoft Defender CSPM in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[].{id:id, name:name}'

02 The command output should return the requested subscription identifiers (IDs) and names:

[
	{
		"id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"name": "Production Subscription"
	},
	{
		"id": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "Development Subscription"
	}
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to configure as the identifier parameter to make it the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the security pricing create command (Windows/macOS/Linux) to enable Microsoft Defender CSPM for the selected Azure subscription:

az security pricing create \
	--name CloudPosture \
	--tier Standard \
	--extensions name=ApiPosture isEnabled=true

05 The command output should return the configuration information for the enabled Defender CSPM plan:

{
	"deprecated": null,
	"enablementTime": "2025-01-27T10:30:00.000000+00:00",
	"extensions": [
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "ApiPosture",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "SensitiveDataDiscovery",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "ContainerRegistriesVulnerabilityAssessments",
			"operationStatus": null
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "AgentlessDiscoveryForKubernetes",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": {
				"ExclusionTags": "[]"
			},
			"isEnabled": "True",
			"name": "AgentlessVmScanning",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		}
	],
	"freeTrialRemainingTime": "30 days, 0:00:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/CloudPosture",
	"name": "CloudPosture",
	"pricingTier": "Standard",
	"replacedBy": null,
	"subPlan": null,
	"type": "Microsoft.Security/pricings"
}

06 Repeat steps no. 3 - 5 for each Azure subscription that requires Microsoft Defender CSPM in your Microsoft Azure cloud account.


By default, Microsoft Defender CSPM is disabled (set to Free tier) for all Azure subscriptions. Organizations must explicitly enable the Standard tier to activate Defender CSPM capabilities.

Publication date Jan 28, 2026