DefenderForCloud
Automate enabling Defender for Servers P1 at resource group or individual machines using Tags
By default, Defender for Servers is enabled as a subscription-wide setting, covering all Azure VMs, Azure Arc-enabled servers and VMSS nodes at the same time. However, there are scenarios in which it makes sense to enable Defender for Servers Plan 1 only on a subset of machines in a subscription. This document covers the steps below. You can use one of the three options to enable the Defender plan selectively on individual VMs or on a resource group. Before executing an option, you can use step #4 or #5 to add VM tags with a script.

1. Option 1: Enable Plan 1 with a PowerShell script
2. Option 2: Enable Plan 1 with Azure Policy (on resource group)
3. Option 3: Enable Plan 1 with Azure Policy (on resource tag)
4. Assigning a VM tag to the VMs listed in a CSV file
5. Assigning a VM tag to the VMs that are part of an Azure resource group

Option 1: Enable Plan 1 with a script
a) Download and save this file as a PowerShell file.
b) Run the downloaded file.
c) Customize as needed. Select resources by tag or by resource group.
d) Follow the rest of the onscreen instructions.

Option 2: Enable Plan 1 with Azure Policy (on resource group)
a) Sign in to the Azure portal and navigate to Policy.
b) In the Policy dashboard, select Definitions from the left-side menu.
c) In the Security Center – Granular Pricing category, search for and then select "Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level)". This policy enables Defender for Servers Plan 1 on all resources (Azure VMs, VMSS and Azure Arc-enabled servers) under the assignment scope.
d) Select the policy and review it.
e) Select Assign and edit the assignment details according to your needs. In the Basics tab, as Scope, select your relevant resource group.
f) In the Remediation tab, select Create a remediation task.
g) Once you have edited all details, select Review + create, then select Create.

Option 3: Enable Plan 1 with Azure Policy (on resource tag)
a) Sign in to the Azure portal and navigate to Policy.
b) In the Policy dashboard, select Definitions from the left-side menu.
c) In the Security Center – Granular Pricing category, search for and then select "Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources with the selected tag". This policy enables Defender for Servers Plan 1 on all resources (Azure VMs, VMSS and Azure Arc-enabled servers) under the assignment scope that carry the tag.
d) Select the policy and review it.
e) Select Assign and edit the assignment details according to your needs.
f) In the Parameters tab, clear "Only show parameters that need input or review".
g) In Inclusion Tag Name, enter the custom tag name. Enter the tag's value in Inclusion Tag Values.
h) In the Remediation tab, select Create a remediation task.
i) Once you have edited all details, select Review + create, then select Create.

Assigning a VM tag to the VMs listed in a CSV file
The following PowerShell script reads a list of computers from a CSV file and adds an Azure tag to each of them. The CSV file must have a column named "ComputerName" containing the VM names. Copy the script into a text file and save it as a .ps1 file.
___________________________________________________________________________________________________
# Import the CSV file (the "ComputerName" column holds the VM names)
$computers = Import-Csv -Path "C:\path\to\your\computers.csv"

# Define the Azure tag
$tagName  = "YourTagName"
$tagValue = "YourTagValue"

# Loop through each computer and add the Azure tag
foreach ($computer in $computers) {
    $computerName = $computer.ComputerName

    # Resolve the VM to its resource ID first: a bare resource name is not
    # enough to address the resource, so look it up in the current subscription
    $vm = Get-AzVM -Name $computerName -ErrorAction SilentlyContinue
    if (-not $vm) {
        Write-Warning "VM '$computerName' not found in the current subscription, skipping."
        continue
    }

    # Merge the tag so the VM's existing tags are kept
    # (Set-AzResource -Tag would replace the whole tag set)
    Update-AzTag -ResourceId $vm.Id -Tag @{ $tagName = $tagValue } -Operation Merge | Out-Null
    Write-Output "Tag added to VM: $computerName"
}
Write-Output "Tags added to all computers successfully."
_____________________________________________________________________________________________________
Make sure to replace "C:\path\to\your\computers.csv" with the actual path to your CSV file, and "YourTagName" and "YourTagValue" with the tag name and value you want to use. Use the same tag name and value in the Option 3 policy assignment.

Before running the script, ensure you have the Azure PowerShell module installed and are authenticated to your Azure account. You can install the Azure PowerShell module using:
Install-Module -Name Az -AllowClobber -Force
And authenticate to your Azure account using:
Connect-AzAccount

Assigning a VM tag to the VMs that are part of an Azure resource group
You can assign tags to multiple Azure VMs within a resource group using a PowerShell script. Here is a step-by-step guide.

Prerequisites
Ensure you have the Azure PowerShell module installed. If not, you can install it using:
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Sign in to your Azure account:
Connect-AzAccount

Script to assign tags to multiple VMs
Here is a PowerShell script that assigns a tag to every VM in a resource group:
------------------------------------------------------------------------------------------------------------
# Define the resource group and tag details
$resourceGroupName = "YourResourceGroupName"
$tagName  = "Environment"
$tagValue = "Production"

# Get the list of VMs in the specified resource group
$vms = Get-AzVM -ResourceGroupName $resourceGroupName

# Loop through each VM and assign the tag
foreach ($vm in $vms) {
    $tags = @{}
    $tags[$tagName] = $tagValue

    # Merge the tag into the VM's existing tags
    # (Set-AzResource -Tag would overwrite every tag already on the VM)
    Update-AzTag -ResourceId $vm.Id -Tag $tags -Operation Merge | Out-Null
    Write-Output "Tag assigned to VM: $($vm.Name)"
}
------------------------------------------------------------------------------------------------------------
Explanation
Define resource group and tag details: set the $resourceGroupName, $tagName and $tagValue variables to your desired values.
Get the list of VMs: use Get-AzVM to retrieve all VMs in the specified resource group.
Loop through each VM: for each VM, build a hashtable for the tag and merge it into the VM's tags with Update-AzTag, so tags that are already present (for example cost centre or owner tags) are preserved.
Output: the script prints the name of each VM to which the tag is assigned.

Running the script
Save the script to a .ps1 file, for example AssignTags.ps1.
Open PowerShell with administrator permissions.
Navigate to the directory where the script is saved.
Run the script:
.\AssignTags.ps1
This script assigns the specified tag to all VMs in the given resource group. If you need to assign tags to VMs across multiple resource groups or by other criteria, modify the script accordingly.
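Once the tag has been applied and the Option 3 policy remediated, it is worth confirming that the tagged VMs really ended up on Plan 1 and that nothing untagged was picked up. The script below is an added example written for this page, not the downloadable script from Option 1. It assumes the Az module is installed and Connect-AzAccount has been run, and that the resource-level pricing endpoint Microsoft.Security/pricings/VirtualMachines (api-version 2024-01-01) returns the properties pricingTier, subPlan and inherited; the tag name and value are placeholders.

```powershell
# Added example: report Defender for Servers coverage for VMs carrying the inclusion tag.
$tagName    = "YourTagName"    # placeholder: same tag used in the Option 3 assignment
$tagValue   = "YourTagValue"
$apiVersion = "2024-01-01"     # assumed API version for resource-level Defender pricing

function Get-VmDefenderPricing {
    param([Parameter(Mandatory)] [string] $ResourceId)

    # Resource-scoped pricing: <vm resource id>/providers/Microsoft.Security/pricings/VirtualMachines
    $path = "$ResourceId/providers/Microsoft.Security/pricings/VirtualMachines?api-version=$apiVersion"
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) {
        return [pscustomobject]@{ PricingTier = "Unknown"; SubPlan = $null; Inherited = $null; Error = $resp.Content }
    }
    $props = ($resp.Content | ConvertFrom-Json).properties
    [pscustomobject]@{
        PricingTier = $props.pricingTier   # "Standard" = Defender for Servers on, "Free" = off
        SubPlan     = $props.subPlan       # "P1" or "P2"
        Inherited   = $props.inherited     # true when the setting comes from the subscription
        Error       = $null
    }
}

# Only VMs that carry the tag are expected to be covered by the tag-based assignment
$taggedVms = Get-AzVM | Where-Object { $_.Tags -and $_.Tags[$tagName] -eq $tagValue }

$report = foreach ($vm in $taggedVms) {
    $p = Get-VmDefenderPricing -ResourceId $vm.Id
    [pscustomobject]@{
        VM            = $vm.Name
        ResourceGroup = $vm.ResourceGroupName
        PricingTier   = $p.PricingTier
        SubPlan       = $p.SubPlan
        Inherited     = $p.Inherited
        Covered       = ($p.PricingTier -eq "Standard" -and $p.SubPlan -eq "P1")
        Error         = $p.Error
    }
}

$report | Format-Table -AutoSize

# Tagged VMs not yet on P1 usually mean the remediation task has not run, or the VM was
# created after the assignment and is still waiting for policy evaluation.
$gaps = @($report | Where-Object { -not $_.Covered })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) tagged VM(s) are not yet covered by Defender for Servers P1."
}
```

Run it again after the remediation task completes; a VM showing Inherited = True with SubPlan P2 is being covered by the subscription-level plan rather than by the resource-level P1 setting.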