Owner role required to install MS Defender for Cloud on Azure VMs


At the moment, if you want to install Defender for Cloud on Azure VMs, you need to have the Owner role on that resource/resource group. I currently have the following roles:


Security Admin

Contributor

Log Analytics Contributor

Microsoft Sentinel Contributor

Resource Policy Contributor


But these are not enough to install the Defender agent on Azure VMs; I would have expected the Security Admin role to be sufficient. As I mentioned above, after checking the documentation I realized you have to be Owner to be able to install agents on VMs. Since we have many subscriptions / resource groups, this is really hard to do, as these resource groups have different owners based on their roles (developers, infra admins, network team and so on), so it is a bit tough to go around and ask people if they can install the agent, which also does not work in my case. I have an IT admin who is a Subscription owner; I got him to install the agents and we got the "remediation successful" message, but checking the Defender for Cloud portal later on shows those VMs as unprotected. Maybe we should allow Security Admins to install / configure security-related solutions/extensions?

2 Replies

@Ciyaresh not sure if I understood correctly; adding the reference for roles and allowed actions in Defender for Cloud: roles-and-allowed-actions. Hope that helps.

My problem:


We have had many VMs deployed on Azure prior to getting the Cloud Defender license. Now we have a policy that deploys the Cloud Defender agent to all new VMs. However, if you want to deploy the agent on existing VMs, you need to have an Owner role for the VM you are trying to deploy the agent on. Since we have a lot of VMs in different subscriptions/resource groups, it becomes a really tedious task trying to get Cloud Defender on all VMs, as first you need to become the "Owner" of that VM. A Security Administrator should be able to deploy a security tool to resources without being an Owner of that resource.
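Because an Owner assignment inherits down from subscription and resource-group scope to the VMs beneath it, one way to see up front which VMs a principal can remediate itself and which need their resource's actual Owner is to check the role assignments against each VM's resource ID. This is an added example, not code from the thread or from Microsoft: the assignment records and VM IDs are constructed sample data shaped like `az role assignment list` JSON output (only the fields used), and the "Owner required" rule is the one the thread describes.

```python
"""Check which VMs a principal can remediate, given the Owner requirement.
Azure RBAC assignments inherit downward: Owner granted at a subscription or
resource group also covers every VM beneath it. All data below is constructed
sample data shaped like `az role assignment list` output (fields used only)."""
import json

# Constructed sample: sec-admin is Owner only on one RG and one single VM.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "sec-admin", "roleDefinitionName": "Security Admin",
     "scope": "/subscriptions/sub-1"},
    {"principalId": "sec-admin", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-1"},
    {"principalId": "sec-admin", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-dev"},
    {"principalId": "sec-admin", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-2/resourceGroups/rg-net/providers/Microsoft.Compute/virtualMachines/fw-01"},
    {"principalId": "it-admin", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-2"},
])

# Constructed sample VM resource IDs (the scope an extension deployment targets).
SAMPLE_VMS = [
    "/subscriptions/sub-1/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/web-01",
    "/subscriptions/sub-1/resourceGroups/rg-infra/providers/Microsoft.Compute/virtualMachines/db-01",
    "/subscriptions/sub-2/resourceGroups/rg-net/providers/Microsoft.Compute/virtualMachines/fw-01",
    "/subscriptions/sub-2/resourceGroups/rg-net/providers/Microsoft.Compute/virtualMachines/fw-02",
]

def scope_covers(assignment_scope, resource_id):
    """True if an assignment at assignment_scope is inherited by resource_id."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.lower()
    return r == a or r.startswith(a + "/")  # exact match or a parent scope

def owner_coverage(assignments_json, principal_id, vm_ids):
    """Map each VM id to the broadest Owner scope covering it, or None."""
    owner_scopes = [a["scope"] for a in json.loads(assignments_json)
                    if a["principalId"] == principal_id
                    and a["roleDefinitionName"] == "Owner"]
    result = {}
    for vm in vm_ids:
        covering = [s for s in owner_scopes if scope_covers(s, vm)]
        # None: the principal cannot deploy the agent there and has to find
        # that resource's actual Owner, as the thread describes.
        result[vm] = min(covering, key=len) if covering else None
    return result

if __name__ == "__main__":
    for vm, scope in owner_coverage(SAMPLE_ASSIGNMENTS, "sec-admin", SAMPLE_VMS).items():
        print(vm.rsplit("/", 1)[-1], "->", scope or "no Owner rights: ask the resource owner")
```

For real data, feed the output of `az role assignment list --all -o json` and the VM IDs from `az vm list` into `owner_coverage` instead of the constructed samples.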