Owner role required to install MS Defender for Cloud on Azure VMs

Occasional Contributor

At the moment, if you want to install the Defender for Cloud to Azure VMs, you need to have to owner role on that resource/resource group.  I currently have following roles:


Security Admin


Log Analytics Contributor

Microsoft Sentinel Contributor

Resource Policy Contributor


But these are not enough to install the the Defender agent on Azure VMs, I would have expected Security Admin role to be sufficient. As I mentioned above, after checking the documentation I have realized you have to be Owner to be able to install agents on VMs. Since we have many subscriptions / resource groups, this is really hard to do as these resource groups have different owners based on their roles (developers, Infra admins, network team and so on) So it is bit tough to go around and ask people if they can install the agent, which also does not work in my case. I have an IT admin who is a Subscription owner, I got him to install the agents, we got the "remediation successful" message, but checking the Defender for Cloud portal later on shows those VMs are unprotected.  Maybe we should allow Security Admins to be able to install / configure Security related solutions/extensions?

1 Reply

@Ciyaresh not sure if understood correctly, adding the reference for roles and allowed actions in Defender for Cloudroles-and-allowed-actions . hope that's help.