Owner role required to install MS Defender for Cloud on Azure VMs

Brass Contributor

At the moment, if you want to install the Defender for Cloud to Azure VMs, you need to have to owner role on that resource/resource group.  I currently have following roles:


Security Admin


Log Analytics Contributor

Microsoft Sentinel Contributor

Resource Policy Contributor


But these are not enough to install the the Defender agent on Azure VMs, I would have expected Security Admin role to be sufficient. As I mentioned above, after checking the documentation I have realized you have to be Owner to be able to install agents on VMs. Since we have many subscriptions / resource groups, this is really hard to do as these resource groups have different owners based on their roles (developers, Infra admins, network team and so on) So it is bit tough to go around and ask people if they can install the agent, which also does not work in my case. I have an IT admin who is a Subscription owner, I got him to install the agents, we got the "remediation successful" message, but checking the Defender for Cloud portal later on shows those VMs are unprotected.  Maybe we should allow Security Admins to be able to install / configure Security related solutions/extensions?

2 Replies

@Ciyaresh not sure if understood correctly, adding the reference for roles and allowed actions in Defender for Cloudroles-and-allowed-actions . hope that's help. 

My problem:


We have had many VMs deployed on Azure prior to getting the Cloud Defender license. Now we have a policy that deploys the cloud defender agent to all new VMs. However, if you want to deploy the agent on existing VMs, you need to have a Owner role for that VM you are trying to deploy the agent on. Since we have a lot of VMs in different subscriptions/resource groups, it becomes a really tedious task trying to get Cloud Defender on all VMs, as first you need to become the "Owner" of that VM. A Security Administrator should be able to deploy a security tool to resources without being an Owner of that resource.