Recent Discussions
Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent
I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one. Current Setup: I’ve used the built-in policy: Configure Microsoft Defender for Servers plan, which successfully enables: Defender for Cloud Plan P2 Endpoint Protection Agentless scanning I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error. What I’ve Tried: For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No. Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for: All existing subscriptions Any new subscriptions created in the future Goal: No manual intervention in Defender for Cloud portal Fully automated via Azure Policy or another recommended approach uestions: Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level? Are there ARM templates, Bicep modules, Powershell scripts or REST API calls that can toggle these settings programmatically? Any best practices for ensuring compliance across multiple subscriptions? Any help is much appreciated and looking forward to your expertise! Thank you in advance. Best Regards, Pascal SlotAbout Defender for Cloud aggregated logs in Advanced Hunting
Hi, I create this threat hoping that the Microsoft team will read and hopefully provide insights about future changes and roadmap. When SOC teams use a non-Microsoft SIEM/SOAR, they need to export logs from M365 and Azure, and send them to the third-party SIEM/SOAR solution. • For M365 logs, there is the M365XDR connector that allows exporting logs using an Event Hub. • For Azure logs, we used to configure diagnostics settings and send them to an Event Hub. This began to change with new features within Defender for Cloud (c.f. picture).: • Defender for Resource Manager now sends Azure Activity logs to M365XDR portal, and can be exported using M365XDR Streaming API • Defender for Storage now sends logs to M365XDR portal, and can be exported using M365XDR Streaming API (c.f. https://www.youtube.com/watch?v=Yraeks8c8hg&t=1s). This is great as it is easy to configure and doesn't interfere with infrastructure teams managing operational logs through diagnostic settings. I have two questions : • Is there any documentation about this? I didn't find any? • What can we expect in the future weeks, months regarding this native logs collection feature through various Defender for Cloud products? For example, can we expect Defender for SQL to send logs to M365XDR natively? Thanks for you support!
Is setting an index tag in Azure Defender for Cloud during file write an atomic operation?
Hi, When using Azure Defender for Cloud, is setting an index tag at the same time as writing a file considered an atomic operation? Or is there a propagation delay before the tag becomes fully available and effective for search and policy enforcement? Any insights or official documentation references would be appreciated!
Playbooks with MDCA
I am attempting to integrate MDCA alerts with freshdesk as per the e.g. https://learn.microsoft.com/en-us/defender-cloud-apps/flow-integration I have E5 without teams licenses. I created the flow, Once from playbooks in MDCA portal and once in power automate directly and went to create a policy to test it out but the option "Sent to power automate" from the policy is always greyed out. Alerts are not automatically detected in the flow unless the action in the policy is set to send to power automate which again is greyed as option in the policies. Also playbooks tab in the MDCA portal does not show the flows I created before, It shows empty, Seems link is broken between MDCA and PowerAutomate. Any reason for this, Any Idea about this? Thanks in advance.
MISRA support in Defender
I want to check for MISRA C code compliance. The idea is to check for MISRA C compliance when asking for a Pull Request. If the code fails on those checks, the PR will not be created. This way, we enforce MISRA compliance before integrating the code to the repository. I am not seeing MISRA in the list of standards under - Regulatory Compliance>>Subscriptions>> Security Po;iciesRuntime protection - Microsoft Defender for Cloud DevOps Security (Defender CSPM)
Hi team! The current support status for Microsoft Defender for Cloud DevOps Security (Defender CSPM) and runtime protection across services are this one : Fully Supported for Runtime Protection Azure Kubernetes Service (AKS) Amazon Elastic Kubernetes Service (EKS) are there more runtime in the product roadmap (Azure Container Apps, AWS, Fargate for Amazon ECS, Azure Functions, AWS Lambda)? ThanksOnboarding MDE with Defender for Cloud (Problem)
Hello Community, In our Customer i have a strange problem. We onboarded with Azure Arc server and activate a Defender for Cloud servises only for Endpoint protection. Some of this device onboarded into Microsoft Defender portale, but not appears as a device, infact i don't have opportunity to put them into a group to apply policy. I have check sensor of Azure Arc and all works fine (device are in Azure Arc, are in the defender portal and see them on Intune (managed by MDE)). From Intune portal From Defender portal But in difference from other device into entra ID exists only the enterprise application and not device I show the example of device that works correctly (the same onboarding method) Is there anyone who has or has had this problem? Thanks and Regards, Guido
Microsoft Defender for Cloud - Servers & Apps Question
Hi, while learning about the Microsoft Defender for Cloud (MDC) Cloud Workload Protection (CWP), I have seen below points. Servers: When we opt for MDC CWP for servers, I see Agentless scanning for machines and along with it below, But we already have "Carbon Black" which handles the above role of Guest Configuration agent. So, my question is, If I enroll for MDC - Cloud workload protection: As we need to have a security/defender tool installed on Azure machines (In this case Guest Configuration agent). Would this then replace "Carbon Black" as we already, have it? Or do we see this MDC - Cloud workload protection for Servers as additional apart from Carbon Black? Apps: We have our Azure Apps protected by Cloudflare and VNet Integration which are with our firewall-based routes, do we still need to enroll for App Service protection by MDC CWP. Please advise on above 2 areas. ThanksFilter out BYOD devices from blocking unsanctioned apps
Hi there, I've encountered an issue. When I tag a cloud app as unsanctioned, it gets blocked as expected. However, we use BYOD mobile devices that are Entra registered along with app protection policies, and the unsanctioned apps are being blocked outside the managed apps. For example, an unsanctioned app gets blocked in unmanaged safari browser on BYOD iOS device. I can't find information on how to limit the enforcement scope to only managed apps on BYODs or how to limit the enforcement scope to company-managed devices. Please help.Defender for Servers
Defender for servers is part of Defender for Cloud CWP. We do not use this product, however we have interest in logging Servers both on-premise and multi cloud tenants to Sentinel workspace. Couple of ways to accomplish: Defender for Servers in passive - Since we're currently not subscribed can we get data in with ARC + AMA + Defender extension across multi cloud tenant? Objective is to NOT pay for Defender for Servers p1/p2 instead log Events for detections Azure Monitor Agent and Data Collection Rule with logging level (Common, Minimal, Custom) I've ideas on both but I'm leaning towards Defender for Servers in passive with Defender Extension and AMA. Will this automatically get charge as part of Defender for Server CWP or it flat out won't work if not enabled? I can't get straight answer on this from anyone and I don't have full blown tenant owner permission to test this. When asked there is wait time to get response from other teams. I'm interested getting data in via Defender in Passive relying and relaying partner as Defender Extension and ARC+AMA. Let me know your thoughts!
DevOps Security: MDC-ADO integration through Service account
Hi All, Is it possible to integrate MDC-ADO Integration with Service Account? When I attempted to authorize ADO in MDC during the integration process, it appears to only accept individual accounts. Does anyone have insights on how to utilize a Service Account for this integration?Cost Calculator for Defender for Cloud (Public Preview)
Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025. With this post, I’m sharing my experience with this new cost calculator for Microsoft Defender for Cloud, providing guidance and comparing available options to calculate the costs. https://myronhelgering.com/cost-calculator-for-defender-for-cloud/Sensitivity Data Flag will not be deleted after Settings are changed
We have a lot of storage accounts which are flaged with risk factor "Sensitive Data" which also means all storage Accounts which have this label have risklevel critical. We deactivated Sensitive Data Scan but nothing happens As I got it correct once a resource is flagged with "Sensitive Data" the flag will not delete anymore What we did so far: turn off/on/off… the data scanning turn off/on/off Data sensitivity deselect all of different data sensitivity categories like Finance, PII, and Credentials turn off/on/off threshold for sensitive data labels turn off/on complete Defender There is also a support ticket where the support can the recommendation was to open a discussion here to have the product team look at this error (#2502031420002278)Alert FineTuning(Sev:Low): Vulnerability Scanner Detection
Hi, we are seeing a high number of "Vulnerability Scanner Detection" alerts and facing challenges during analysis: The alerts often show Microsoft IP addresses, and some of them appear malicious. Can we fine-tune this to capture the actual IP scanning the environment? How can we determine whether the scan was successful or failed, for example, by using status codes like 200 or 404? Is there a way to identify if the app service is using platforms like Joomla, Drupal, WordPress, or others? Looking forward to your support on this.
Defender for Database - SQL Server on Machine Pricing
Hi Folks , while we enable defender on Databases ( enable SQL server on machine ) do we also need to enable on Server ( which is running SQL Server). Also defender for Server cost - 15$ /server/month and SQL Server on Machine cost -15$/Server/month, Separate cost for both will be applicable ? apart from enabling toggle do we need any addition configuration for enabling defender for Databases ?what is recommended setting of workspace for AMA configuration ( default or custom ) can we choose sentinel workspace ?
How to programmatically assign security standards on Defender for Cloud
Hi all, i would like to know if there is a way to programmatically (REST API, Terraform,...) activate custom secutity Standards on Defender for Cloud. Basically the step 6 on this guide https://learn.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages. I didn't found any way to do that. I have a policySet that i would like to activate in an automated way. Any ideas? Thank you in advance!KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need. a query that will combine the Recommedation categories( 13 listed under the Classic View in recommendations) and the individual assessments associated to those categories: securityresources | where type == "microsoft.security/securescores/securescorecontrols" | extend category_name = tostring(properties.displayName) //category name | extend Tenant_Id=tostring(tenantId) | extend healthy = properties.healthyResourceCount | extend unhealthy = properties.unhealthyResourceCount | extend notApplicable = properties.notApplicableResourceCount | extend score = properties.score | extend scr= parse_json(score) | project category_name, healthy, unhealthy, notApplicable, CurrentScore=scr.current, MaxScore=scr.max, Tenant_Id | join ( securityresources | where type == "microsoft.security/assessments" | extend assessment_name = tostring(properties.displayName) //assessment name | extend Tenant_Id=tostring(tenantId) | extend resourceName = properties.resourceDetails.ResourceName | extend status = properties.status.code | extend metadata = properties.metadata | extend severity = metadata.severity | project assessment_name, resourceName, status, severity, Tenant_Id ) on Tenant_Id | project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore,Tenant_Id This is a work in progress script, I do get a valid script but I know it is not working like I need it to work. For example, when I run this script, I get for "assessment_name: EDR solution should be installed on Virtual Machines" but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add anothere "Type" but I'm not sure which. Please advise, Serge
No automatic MDE.Windows installation anymore
We have an Azure subscription to which our on-premises servers are connected via Azure Arc. Actually, only Microsoft Defender for Servers Plan 1 should be used. However, ‘Plan 2’ is billed in the cost analyses, which leads to significantly higher costs than planned. I´ve fixed it but it lead to the Problem of not installing MDE.Windows anymore. The servers are connected to Azure by executing a script, after which some plugins are installed(MDE.Windows, MicrosoftMonitoringAgent, and on some servers "WindowsPatchExtension"). In the environment management of Defender for Cloud we have explicitly selected plan 1, despite this plan 2 is activated for each server. There is no Log-Workspace. Here are the Policies, i think they go automaticly created by Azure. I´ve deleted "ASC provisioning LA agent Windows Arc" and the linux one because this is deploying the two Extensions "MicrosoftMonitoringAgent" and "WindowsPatchExtension", which activate Plan 2. After deleting those to Extensions i should not get billed as Plan 2 anymore. My Problem is now that i don´t have the policy to install the MDE Plugin anymore. How do i get this working again, i need to install only the MDE Plugin on the computers to ensure we only use Plan 1. No other extensions, no Log-Workspace... Appreciate the help.Automate the AWS account onboarding process
How can we automate the onboarding process for new tenants that ensures any new AWS account created within the landing zone is automatically onboarded to Microsoft Defender, exploring an alternative automation approach that is directly embedded within the structure of the stack set.
Cloud Discovery policy - Governance action - Scoped profile missing
Hi everyone, I wanted to create a Cloud Discovery policy that automatically tags as unsanctioned some applications but only for a scoped profiles. When tagging cloud applications manually, it's possible to scope it to a profile: However, this option doesn't exist in the governance actions section: Are there any other way to create policies that can tag but only for a device group/scoped profile? Cheers,
Recent Blogs
- In today’s AI-powered world, the boundaries of security are shifting fast. From code to runtime, organizations are moving faster than ever – building with AI across clouds, accelerating innovation, a...Nov 18, 2025
- Overview Since its first introduction in 2019, the Azure Security Benchmark and its successor Microsoft cloud security benchmark announced in 2023, Microsoft cloud security benchmark (“the Benchmar...Nov 12, 2025
