Forum Discussion
Disable Defender for Servers at resource level
- Oct 14, 2024
ikazimirs Hi, I always recommend that you try it in a test environment first 🙂
You can create a custom Azure Policy that automatically enables Microsoft Defender for Servers (Plan 1) for all virtual machines (VMs) in your subscription, while excluding specific machines based on their names or other identifiers (like tags). Below is a sample policy definition that enables Defender for Servers Plan 1 on all VMs but allows you to exclude specific machines via a parameter list.
Sample Azure Policy Definition
This policy will deploy Microsoft Defender for Servers (Plan 1) to all VMs in the scope (such as a subscription or resource group) and exclude specific machines by their names, which you can specify in the parameter list.
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "name",
          "notIn": "[parameters('excludedVMs')]"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Security/pricings",
        "name": "VirtualMachines",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Security/pricings/pricingTier",
              "equals": "Standard"
            },
            {
              "field": "Microsoft.Security/pricings/subPlan",
              "equals": "P1"
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vmName": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Security/pricings",
                  "apiVersion": "2024-01-01",
                  "name": "VirtualMachines",
                  "scope": "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]",
                  "properties": {
                    "pricingTier": "Standard",
                    "subPlan": "P1"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {
    "excludedVMs": {
      "type": "Array",
      "metadata": {
        "description": "List of virtual machine names to exclude from Defender for Servers deployment",
        "displayName": "Excluded Virtual Machines"
      }
    }
  }
}
Explanation of the Policy:
Mode: "Indexed" mode means the policy applies to resources like virtual machines that are indexed by Azure Resource Manager.
if condition:
It targets resources of type Microsoft.Compute/virtualMachines.
It checks if the VM’s name is not in the list of excluded VM names provided in the policy parameters.
then action:
If the conditions are met (i.e., the VM name is not in the excluded list), it deploys the Defender for Servers Plan 1 by using the deployIfNotExists effect.
The deployIfNotExists action checks whether Defender is already enabled, and if not, it deploys it to that VM.
Parameters:
excludedVMs: This is an array where you can specify the names of virtual machines to exclude from Defender for Servers deployment.
Deployment Instructions:
Define the Policy in Azure:
Go to Azure Portal → Policy → Definitions → + Policy Definition.
Paste the above JSON in the policy definition.
Set the policy display name (e.g., "Deploy Defender for Servers with Exclusions").
Assign the Policy:
After defining the policy, go to Assignments → Assign Policy.
During the assignment, specify the excluded VMs list in the parameters section by entering the names of the virtual machines you want to exclude.
Verify:
After assignment, the policy will automatically enable Defender for Servers (Plan 1) on all VMs except for those excluded by name.
How to Manage Exclusions:
Update Excluded VMs: If you want to update the list of excluded VMs later, you can modify the policy assignment parameters to add or remove VM names without changing the policy definition.
Notes:
Ensure that the appropriate permissions (like Security Admin) are assigned to the policy's managed identity or the user deploying the policy.
This policy will only affect VMs in the scope of the policy assignment (such as a subscription or resource group).
The exclusion list is based on VM names, but you can adjust this to exclude by other fields (e.g., resource tags) by modifying the if condition.
This policy will help you deploy Defender for Servers Plan 1 across your environment while providing flexibility to exclude specific machines as needed.
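The same per-machine switch done imperatively, as an added example that is not part of ikazimirs's post: it drives the resource-scoped `Microsoft.Security/pricings/VirtualMachines` endpoint (api-version 2024-01-01) with `az rest`, putting every VM in a list on Standard/P1 except the excluded names, which it sets to Free, and then reads each VM's tier back so the result can be checked against the assignment above. The VM names in `EXCLUDED_VMS`, the `VM_IDS` environment variable, the `rg-prod` resource group and the helper function names are assumptions made for the example; the URL and request bodies are the documented resource-level pricing API.

```shell
#!/usr/bin/env bash
# Added example: enable or disable Defender for Servers Plan 1 on individual VMs
# through the resource-level pricings API. Needs an authenticated Azure CLI
# (`az login`) only when VM_IDS is set; the helper functions need no network.
set -u

API="api-version=2024-01-01"

# Constructed exclusion list (assumption): VM names that must stay on the Free tier.
EXCLUDED_VMS="jumpbox-01 build-agent-02"

# is_excluded NAME -> exit 0 when NAME appears in EXCLUDED_VMS (exact, whitespace-delimited match,
# the same semantics as the policy's notIn on the name field)
is_excluded() {
  name=$1
  for x in $EXCLUDED_VMS; do
    [ "$x" = "$name" ] && return 0
  done
  return 1
}

# pricing_body NAME -> JSON body to PUT for this VM: Standard/P1 unless excluded, otherwise Free
pricing_body() {
  if is_excluded "$1"; then
    printf '{"properties":{"pricingTier":"Free"}}'
  else
    printf '{"properties":{"pricingTier":"Standard","subPlan":"P1"}}'
  fi
}

# pricing_url VM_RESOURCE_ID -> the pricings endpoint scoped to that VM
pricing_url() {
  printf 'https://management.azure.com%s/providers/Microsoft.Security/pricings/VirtualMachines?%s' "$1" "$API"
}

# vm_name_from_id VM_RESOURCE_ID -> last path segment, i.e. the VM name
vm_name_from_id() {
  printf '%s' "${1##*/}"
}

# apply_vm VM_RESOURCE_ID -> PUT the desired tier, then GET it back and print
# name, pricingTier and subPlan as one tab-separated line for verification
apply_vm() {
  id=$1
  name=$(vm_name_from_id "$id")
  az rest --method put --url "$(pricing_url "$id")" --body "$(pricing_body "$name")" --output none
  az rest --method get --url "$(pricing_url "$id")" \
    --query "[name, properties.pricingTier, properties.subPlan]" --output tsv
}

# Driver: runs only when VM_IDS holds whitespace-separated VM resource IDs, e.g.
#   VM_IDS="$(az vm list --resource-group rg-prod --query '[].id' --output tsv)" bash defender-p1.sh
if [ -n "${VM_IDS:-}" ]; then
  for id in $VM_IDS; do
    apply_vm "$id"
  done
fi
```

Because the exclusion is a plain name match, two VMs with the same name in different resource groups are both excluded; key the list on full resource IDs instead if that matters in your environment.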
micheleariis Thank you kindly for this. Would you have a sample Azure Policy that would let me deploy Defender to all servers in P1 and provide a list of excluded machine names?
The stock ones are based around images rather than vm names.