
Enable Microsoft Defender for Cloud for Azure Resource Manager

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Microsoft Defender for Cloud is enabled for all the cloud resources connected to the Azure Resource Manager (ARM).

Security

By default, Microsoft Defender for Cloud is disabled for Azure Resource Manager (ARM). Once enabled, Defender for Cloud automatically monitors the resource management operations within your organization, regardless of whether these operations are performed through the Azure Portal, Azure REST APIs, Azure Command Line Interface (CLI), or other Azure programmatic clients. The Microsoft Defender for Cloud service runs advanced security analytics on these operations to detect threats and alerts you when it detects suspicious activity.

Audit

To determine if Microsoft Defender for Cloud is enabled for Azure Resource Manager (ARM), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 In the Cloud Workload Protection (CWP) section, check the pricing plan status listed in the Status column for the Resource Manager plan. If the pricing plan status for Resource Manager is set to Off, Microsoft Defender for Cloud is not enabled for the cloud resources connected to the Azure Resource Manager (ARM) in the selected subscription.

07 Repeat steps no. 4 – 6 for each Azure subscription created within your Microsoft Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run security pricing list command (Windows/macOS/Linux) with custom output filters to describe the name of the Microsoft Defender for Cloud pricing plan configured for the resources managed with Azure Resource Manager (ARM), in the selected subscription:

az security pricing list \
	--query 'value[?(name==`Arm`)].pricingTier'

05 The command output should return the pricing plan (tier) configured for the Azure Resource Manager (ARM) resources:

[
	"Free"
]

If the security pricing list command output returns "Free", as shown in the output example above, Microsoft Defender for Cloud is not enabled for the cloud resources connected to the Azure Resource Manager (ARM) in the selected subscription.

06 Repeat steps no. 3 - 5 for each Azure subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Microsoft Defender for Cloud for resources managed with Azure Resource Manager (ARM), perform the following operations:

Turning on Microsoft Defender for Cloud for Azure Resource Manager incurs an additional cost per resource management operation.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 In the Cloud Workload Protection (CWP) section, choose On for the Resource Manager pricing plan from the Status column, to enable Microsoft Defender for Cloud for all the cloud resources managed with Azure Resource Manager (ARM). Choose Save from the top menu to apply the changes.

07 Repeat steps no. 4 – 6 for each Azure subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run security pricing create command (Windows/macOS/Linux) to enable the Standard tier (i.e., Standard pricing plan) for the Resource Manager plan. This will enable Microsoft Defender for Cloud for all the resources managed with Azure Resource Manager (ARM):

az security pricing create \
	--name Arm \
	--tier standard

05 The command output should return the configuration information available for the modified pricing plan:

{
	"deprecated": null,
	"enablementTime": "2025-02-26T10:00:00.000000+00:00",
	"extensions": null,
	"freeTrialRemainingTime": "0:00:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/Arm",
	"name": "Arm",
	"pricingTier": "Standard",
	"replacedBy": null,
	"subPlan": "PerSubscription",
	"type": "Microsoft.Security/pricings"
}

06 Repeat steps no. 3 - 5 for each Azure subscription available in your Microsoft Azure cloud account.
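The Azure CLI audit steps above and the CLI remediation steps, combined into one script that walks every subscription, evaluates the Resource Manager (Arm) plan tier, and optionally sets it to Standard. This is an added example, not Conformity's or Microsoft's own code; it assumes the Azure CLI is installed and already signed in, and the evaluation helpers accept the same JSON shape the page's commands return.

```python
"""Audit, and optionally remediate, the Defender for Cloud 'Arm' plan across
all subscriptions (added example; assumes an authenticated Azure CLI)."""
import json
import subprocess
import sys


def az(*args):
    """Run an az CLI command and return its parsed JSON output (None if empty)."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def arm_plan_tier(pricing_list):
    """Return the pricingTier of the 'Arm' plan from an 'az security pricing list'
    result, or None if the plan is absent. Accepts the {'value': [...]} envelope
    as well as a bare list of plans."""
    plans = pricing_list.get("value", []) if isinstance(pricing_list, dict) else pricing_list
    for plan in plans:
        if plan.get("name", "").lower() == "arm":
            return plan.get("pricingTier")
    return None


def is_compliant(pricing_list):
    """The check passes only when the Arm plan is on the Standard tier;
    'Free' or a missing plan both mean Defender for ARM is off."""
    tier = arm_plan_tier(pricing_list)
    return tier is not None and tier.lower() == "standard"


def audit_subscriptions(remediate=False):
    """Steps 1-6: select each subscription, read the Arm tier, fix it if asked.
    Returns {subscription_id: 'On' | 'Off'} after any remediation."""
    findings = {}
    for sub_id in az("account", "list", "--query", "[*].id"):
        az("account", "set", "--subscription", sub_id)      # no output
        ok = is_compliant(az("security", "pricing", "list"))
        if not ok and remediate:
            # Same call as the remediation step; incurs per-operation cost
            az("security", "pricing", "create", "--name", "Arm", "--tier", "standard")
            ok = True
        findings[sub_id] = "On" if ok else "Off"
    return findings


if __name__ == "__main__":
    for sub, status in audit_subscriptions("--remediate" in sys.argv).items():
        print(f"{sub}: Defender for Resource Manager {status}")
```

Run it without arguments to audit only; pass `--remediate` to also enable the Standard tier wherever the plan is found Off.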

Publication date Feb 28, 2025