Forum Discussion
Disable Defender for Servers at resource level
See snippet from MS article below - I can't seem to find any guidance on how to disable at resource level and what the caveats are. If I have it enabled at the subscription for P1, then how do I go about the following:
* Disable on certain machines
* understand if I'm still being billed even with it disabled
* how do I do this at scale
Disable Defender for Servers on the resource level
To disable the Defender for Servers plan or any of the features of the plan, navigate to the subscription or workspace and toggle the plan to Off.
On the resource level, you can enable or disable Defender for Servers plan 1. Plan 2 can only be disabled at the resource level.
For example, it's possible to enable Defender for Servers plan 2 at the subscription level and disable specific resources within the subscription. You can't enable plan 2 only on specific resources.
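Added example for the two points in the quoted article (per-resource enable/disable of plan 1, and the rule that plan 2 cannot be enabled per resource) and for the "how do I do this at scale" question. This is my own script, not code from the thread or from the Microsoft article. It talks to the resource-scoped Pricings REST API through az rest; it assumes az CLI is logged in to the target subscription, that 2024-01-01 is the current Pricings API version (an assumption, check the docs), and that the VM names and resource IDs used in the comments are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): per-VM Defender for Servers state via the
# resource-scoped Pricings REST API. Only functions are defined; nothing is changed
# until APPLY=1 is set or a function is called explicitly.
set -eu

API_VERSION="2024-01-01"   # assumption: current Pricings API version

# URL of the VirtualMachines pricing resource scoped to one VM resource ID.
pricing_url() {
  printf 'https://management.azure.com%s/providers/Microsoft.Security/pricings/VirtualMachines?api-version=%s' \
    "$1" "$API_VERSION"
}

# Request body for the wanted per-resource state. "off" maps to pricingTier Free.
# P2 is rejected on purpose: per the quoted article, plan 2 can only be disabled
# per resource, never enabled, so asking for it here is a mistake.
pricing_body() {
  case "$1" in
    P1)  printf '{"properties":{"pricingTier":"Standard","subPlan":"P1"}}' ;;
    off) printf '{"properties":{"pricingTier":"Free"}}' ;;
    P2)  echo "refusing P2: plan 2 is enabled at subscription level only" >&2; return 1 ;;
    *)   echo "unknown state '$1' (use P1 or off)" >&2; return 1 ;;
  esac
}

# Exit 0 when VM name $1 appears in the comma-separated exclusion list $2.
is_excluded() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print "<tier> <subPlan> <inherited>" for one VM. "inherited" tells you whether the
# value comes from the subscription plan or from a per-resource override.
get_vm_pricing() {
  az rest --method get --url "$(pricing_url "$1")" \
    --query "properties.[pricingTier, subPlan, inherited]" -o tsv | tr '\t' ' '
}

# PUT the wanted state for one VM ($1 = resource ID, $2 = P1|off).
set_vm_pricing() {
  local body
  body="$(pricing_body "$2")" || return 1
  az rest --method put --url "$(pricing_url "$1")" --body "$body" --output none
}

# Apply a state to every VM in the current subscription except the excluded names.
# $1 = P1|off, $2 = comma-separated VM names to skip. DRY_RUN=1 only prints the plan.
apply_all() {
  local state="$1" excluded="${2:-}" id name
  az vm list --query "[].[id, name]" -o tsv | while read -r id name; do
    if is_excluded "$name" "$excluded"; then
      echo "skip    $name"
    elif [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would   $name -> $state"
    else
      set_vm_pricing "$id" "$state"
      echo "applied $name -> $state, now: $(get_vm_pricing "$id")"
    fi
  done
}

# Usage: DRY_RUN=1 APPLY=1 ./dfs-resource-level.sh off "vm-bastion,vm-legacy"
if [ "${APPLY:-0}" = "1" ]; then
  apply_all "${1:?state: P1 or off}" "${2:-}"
fi
```

Run it once with DRY_RUN=1 to see which machines would be touched, then without it. The same URL pattern works for Arc-enabled server resource IDs, so the loop can be fed a different ID list if your estate is not only Azure VMs. Check the "inherited" column printed after each change: a VM that still shows inherited=True has not received a per-resource override.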
3 Replies
ikazimirs Hi, disabling Defender for Servers for multiple resources can be done via automation using the following methods:
-Option 1: Azure Policy
You can create an Azure Policy to automatically exclude certain resources (like specific VMs) from having Defender for Servers enabled.
Create a Custom Azure Policy: Create a custom policy that sets the Microsoft.Security/complianceResults property for specific machines to exclude them from Defender for Servers.
Assign the Policy to the Subscription or Resource Group: Assign the policy to exclude specific VMs based on resource tags, names, or other identifying characteristics.
-Option 2: Azure CLI / PowerShell
For large-scale environments, you can use Azure CLI or PowerShell to disable Defender for Servers across multiple VMs or resources:
PowerShell Example:
powershell
# Resource-level Defender for Servers is set through the Pricings REST API scoped to each VM; "Free" turns it off.
$body = '{"properties":{"pricingTier":"Free"}}'
foreach ($vm in Get-AzVM) {
    $path = "$($vm.Id)/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2024-01-01"
    $result = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
    Write-Output "$($vm.Name): HTTP $($result.StatusCode)"
}
Azure CLI Example:
bash
# Same call with az rest; the VM ID is appended to the ARM endpoint and "Free" disables the plan for that VM.
az vm list --query "[].id" -o tsv | while read -r vmId; do
  az rest --method put --output none \
    --url "https://management.azure.com${vmId}/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2024-01-01" \
    --body '{"properties":{"pricingTier":"Free"}}'
done
These scripts will loop through all the VMs in the subscription and disable Defender for Servers where applicable.
I hope this can help you.
- ikazimirs
micheleariis Thank you kindly for this. Would you have a sample Azure Policy that would let me deploy Defender to all servers in P1 and provide a list of excluded machine names?
The stock ones are based around images rather than VM names.
ikazimirs Hi, I always recommend that you try it in a test environment first.
You can create a custom Azure Policy that automatically enables Microsoft Defender for Servers (Plan 1) for all virtual machines (VMs) in your subscription, while excluding specific machines based on their names or other identifiers (like tags). Below is a sample policy definition that enables Defender for Servers Plan 1 on all VMs but allows you to exclude specific machines via a parameter list.
Sample Azure Policy Definition
This policy will deploy Microsoft Defender for Servers (Plan 1) to all VMs in the scope (such as a subscription or resource group) and exclude specific machines by their names, which you can specify in the parameter list.
json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "name",
          "notIn": "[parameters('excludedVMs')]"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Security/pricings",
        "name": "VirtualMachines",
        "existenceCondition": {
          "field": "Microsoft.Security/pricings/pricingTier",
          "equals": "Standard"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vmName": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Security/pricings",
                  "apiVersion": "2024-01-01",
                  "name": "VirtualMachines",
                  "scope": "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]",
                  "properties": {
                    "pricingTier": "Standard",
                    "subPlan": "P1"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {
    "excludedVMs": {
      "type": "Array",
      "metadata": {
        "displayName": "Excluded Virtual Machines",
        "description": "List of virtual machine names to exclude from Defender for Servers deployment"
      },
      "defaultValue": []
    }
  }
}
Explanation of the Policy:
Mode: "Indexed" mode means the policy applies to resources like virtual machines that are indexed by Azure Resource Manager.
if condition:
It targets resources of type Microsoft.Compute/virtualMachines.
It checks if the VM's name is not in the list of excluded VM names provided in the policy parameters.
then action:
If the conditions are met (i.e., the VM name is not in the excluded list), it deploys the Defender for Servers Plan 1 by using the deployIfNotExists effect.
The deployIfNotExists action checks whether Defender is already enabled, and if not, it deploys it to that VM.
Parameters:
excludedVMs: This is an array where you can specify the names of virtual machines to exclude from Defender for Servers deployment.
Deployment Instructions:
Define the Policy in Azure: Go to Azure Portal → Policy → Definitions → + Policy definition.
Paste the above JSON in the policy definition.
Set the policy display name (e.g., "Deploy Defender for Servers with Exclusions").
Assign the Policy: After defining the policy, go to Assignments → Assign Policy.
During the assignment, specify the excluded VMs list in the parameters section by entering the names of the virtual machines you want to exclude.
Verify: After assignment, the policy will automatically enable Defender for Servers (Plan 1) on all VMs except for those excluded by name.
How to Manage Exclusions:
Update Excluded VMs: If you want to update the list of excluded VMs later, you can modify the policy assignment parameters to add or remove VM names without changing the policy definition.
Notes:
Ensure that the appropriate permissions (like Security Admin) are assigned to the policy's managed identity or the user deploying the policy.
This policy will only affect VMs in the scope of the policy assignment (such as a subscription or resource group).
The exclusion list is based on VM names, but you can adjust this to exclude by other fields (e.g., resource tags) by modifying the if condition.
This policy will help you deploy Defender for Servers Plan 1 across your environment while providing flexibility to exclude specific machines as needed.
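Added example for the define / assign / verify steps in the reply above, done with Azure CLI instead of the portal so it can be repeated per subscription. This is my own script, not code from the reply or from Microsoft. It assumes the policy JSON from the reply is saved as policy.json, that jq and a logged-in az CLI are available, that the person running it may create role assignments at the subscription (needed for the assignment's managed identity), and that the policy, assignment and VM names used are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the reply): define, assign, remediate and check the
# "Deploy Defender for Servers with Exclusions" policy with Azure CLI.
# Nothing is changed until APPLY=1 is set or a function is called explicitly.
set -eu

POLICY_FILE="${POLICY_FILE:-policy.json}"                      # the JSON from the reply
POLICY_NAME="deploy-defender-servers-p1-with-exclusions"       # placeholder names
ASSIGNMENT_NAME="dfs-p1-with-exclusions"

# Turn "vm-a,vm-b" into the assignment parameter object that excludedVMs expects.
assignment_params() {
  local quoted
  quoted="$(printf '%s' "$1" | sed 's/[^,][^,]*/"&"/g')"
  printf '{"excludedVMs":{"value":[%s]}}' "$quoted"
}

# Step 1: the CLI takes the policyRule and parameters sections separately, so split the file.
create_definition() {
  az policy definition create --name "$POLICY_NAME" \
    --display-name "Deploy Defender for Servers with Exclusions" \
    --mode Indexed \
    --rules "$(jq -c .policyRule "$POLICY_FILE")" \
    --params "$(jq -c .parameters "$POLICY_FILE")" --output none
}

# Step 2: assign at subscription scope. deployIfNotExists runs as a managed identity that
# must hold the role named in roleDefinitionIds, so create one and grant it at the same scope.
# Re-running this with a different list is how you change the exclusions later (PUT semantics).
assign_policy() {   # $1 = comma-separated VM names to exclude, $2 = region for the identity
  local scope
  scope="/subscriptions/$(az account show --query id -o tsv)"
  az policy assignment create --name "$ASSIGNMENT_NAME" --scope "$scope" \
    --policy "$POLICY_NAME" --params "$(assignment_params "$1")" \
    --mi-system-assigned --identity-scope "$scope" --role "Security Admin" \
    --location "$2" --output none
}

# Step 3: deployIfNotExists only fires on resource create/update. A remediation task
# applies the deployment to the VMs that already exist.
remediate() {
  az policy remediation create --name "${ASSIGNMENT_NAME}-$(date +%Y%m%d%H%M%S)" \
    --policy-assignment "$ASSIGNMENT_NAME" \
    --resource-discovery-mode ReEvaluateCompliance --output none
}

# Step 4: list the VMs the assignment still reports as non-compliant (not yet deployed to).
show_noncompliant() {
  az policy state list \
    --filter "PolicyAssignmentName eq '$ASSIGNMENT_NAME' and ComplianceState eq 'NonCompliant'" \
    --query "[].resourceId" -o tsv
}

# Usage: APPLY=1 ./assign-dfs-policy.sh "vm-bastion,vm-legacy" westeurope
if [ "${APPLY:-0}" = "1" ]; then
  create_definition
  assign_policy "${1:-}" "${2:?region for the assignment identity}"
  remediate
fi
```

After the remediation task finishes, call show_noncompliant: an empty list means every in-scope VM outside the exclusion list now has the plan 1 pricing resource. Excluded VMs are simply not evaluated by the rule, so they never show up as non-compliant; if they were covered by a subscription-level plan before, this policy does not turn that off for them.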