Forum Discussion

Marco_Reinli
Copper Contributor
May 06, 2024

Enabling Defender for Cloud for Azure Subscriptions

I'm unclear about how the enablement works if there hasn't been any subscription in the tenant that has previously used Microsoft Defender for Cloud (MDC) despite having read through Connect Azure subscription and Enabling Microsoft Defender for Cloud.


The documentation specifies: First sign in to the portal and then open Defender for Cloud. Defender for Cloud is now enabled on your subscription and you have access to the basic features (= Foundational CSPM).


The subscription filter of the Azure portal defaults to all subscriptions of the current Entra ID directory. So when accessing MDC, there is no such thing as "your subscription".


Imagine a new and pristine directory with a pristine subscription. Is MDC already enabled after creating the directory and the subscription?

If yes, then the documentation should state that Foundational CSPM is enabled per default and no enablement is needed. Only paid plans like Defender CSPM or Defender for Storage must be enabled per subscription.

If not, what happens when I navigate to MDC on the Azure portal (https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/)? Does it enable MDC for all current and future subscriptions (since there is no particular subscription "selected" when doing this)? What Azure/directory roles are required to do this? Can I trigger this action via API? How can I find out if someone already initiated this activation?


Based on my tests in my own environment, it appears that Foundational CSPM is automatically activated on new subscriptions without ever navigating to MDC. The basic CSPM features are enabled shortly after creating a new subscription, the ASC default Azure Policy initiative is automatically assigned and MDC assesses the subscription.


Update: I just checked another tenant/subscription with a user that has the Reader role assigned. MDC was not activated on this subscription.


The "Getting started" wizard appeared when opening the MDC portal.

Selected "Skip" -> 1 Azure subscription but no recommendations were displayed.

The subscription was not onboarded to MDC after finishing the "Getting started" wizard as Reader.

$ az security pricing list
(Subscription Not Registered) Please register to Microsoft.Security in order to view your security status
Code: Subscription Not Registered
Message: Please register to Microsoft.Security in order to view your security status


After that, when I opened the MDC portal as the Owner of the subscription, the "Getting started" wizard still appeared, which I then skipped.

MDC was immediately activated for the subscription.


$ az security pricing list -o yaml
value:
- deprecated: null
  enablementTime: null
  extensions: null
  freeTrialRemainingTime: 30 days, 0:00:00
  id: /subscriptions/de2543a8-cc06-41d6-aa05-cefac8daeff3/providers/Microsoft.Security/pricings/VirtualMachines
  name: VirtualMachines
  pricingTier: Free
  replacedBy: null
  subPlan: null
  type: Microsoft.Security/pricings
- deprecated: null
  enablementTime: null
  extensions: null
  freeTrialRemainingTime: 30 days, 0:00:00
  id: /subscriptions/de2543a8-cc06-41d6-aa05-cefac8daeff3/providers/Microsoft.Security/pricings/SqlServers
  name: SqlServers
  pricingTier: Free
  replacedBy: null
  subPlan: null
  type: Microsoft.Security/pricings
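One way to answer the post's "how can I find out if someone already initiated this activation" question across every subscription, as an added example that is not part of the original post: it classifies the output of `az security pricing list` (the command used above) into "never registered", "Foundational CSPM only" or "paid plan enabled". The sample output is constructed to mirror the post's YAML; the `az account list` enumeration and the `Standard` tier value for paid plans are assumptions from the Azure CLI and the Microsoft.Security/pricings API, not taken from the post.

```python
"""Classify a subscription's Microsoft Defender for Cloud state from the output
of `az security pricing list`. Added example, not code from the original post."""
import json
import subprocess
from typing import Dict, List

# Constructed sample mirroring the post's YAML output, rendered as the JSON
# that `az` emits by default (every plan Free = Foundational CSPM only).
SAMPLE_PRICINGS = json.dumps({"value": [
    {"name": "VirtualMachines", "pricingTier": "Free", "enablementTime": None},
    {"name": "SqlServers", "pricingTier": "Free", "enablementTime": None},
]})

# Text the CLI prints when the Microsoft.Security resource provider has never
# been registered on the subscription (taken from the post's first run).
NOT_REGISTERED_MARKER = "Subscription Not Registered"


def classify(output: str) -> Dict[str, object]:
    """Return the enablement state derived from raw az output (stdout + stderr).

    not-registered : provider never registered, MDC never touched this subscription
    foundational   : every plan is Free, i.e. only Foundational CSPM
    paid           : at least one plan on the Standard tier (assumed to be the
                     tier value the pricings API uses for paid plans)
    """
    if NOT_REGISTERED_MARKER in output:
        return {"status": "not-registered", "paid_plans": []}
    plans: List[dict] = json.loads(output).get("value", [])
    paid = sorted(p["name"] for p in plans if p.get("pricingTier") == "Standard")
    return {"status": "paid" if paid else "foundational", "paid_plans": paid}


def query_subscription(subscription_id: str) -> Dict[str, object]:
    """Run the CLI for one subscription; az exits non-zero and reports the
    registration error on stderr, so both streams are fed to classify()."""
    proc = subprocess.run(
        ["az", "security", "pricing", "list", "--subscription", subscription_id, "-o", "json"],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Enumerate every subscription visible to the signed-in identity (requires az login).
    subs = subprocess.run(["az", "account", "list", "--query", "[].id", "-o", "tsv"],
                          capture_output=True, text=True, check=True).stdout.split()
    for sub in subs:
        print(sub, query_subscription(sub))
```

The Reader role was enough for the read in the post, so the script can be run from a read-only identity to audit which subscriptions have been touched.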

