Enable Azure Defender for all resource types using Azure Policies


For security reasons I have to enable Azure Defender in ASC for all resource types. Since we have a lot of different subscriptions in Azure, and the number is increasing, we have to configure an Azure Policy to enforce that.

There already is an option to enable Azure Defender for all resources, but I have not found anything useful in the documentation on enabling this via an Azure Policy.

I have two solutions in mind which would match my requirements. The first would be that we enable Azure Defender for all resource types, and the other would be that we enable only specific resource types (for me only the resource type for open source relational databases is currently relevant).

I only found an initiative that deploys Azure Defender to the database server, but it will not activate that option within my Azure Security Center. Is there any other documentation from Microsoft on how to accomplish that?


BEST ANSWER

We have the same requirement. I created a custom policy with `deployIfNotExists` to activate the ASC Standard tier as a prerequisite for activating the needed Azure Defender components.

"if" : {
  "allOf" : [
    {
      "field" : "type",
      "equals" : "Microsoft.Resources/subscriptions"
    }
  ]
},
"then" : {
  "effect" : "deployIfNotExists",
  "details" : {
    "type" : "Microsoft.Security/pricings",
    "deploymentScope" : "Subscription",
    "existenceScope" : "Subscription",
    "roleDefinitionIds" : [
      "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
    ],
    "existenceCondition" : {
      "field" : "Microsoft.Security/pricings/pricingTier",
      "equals" : "Standard"
    },
    "deployment" : {
      "location" : "westeurope",
      "properties" : {
        "mode" : "incremental",
        "parameters" : {},
        "template" : {
          "$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion" : "1.0.0.0",
          "parameters" : {},
          "variables" : {},
          "resources" : [
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2017-08-01-preview",
              "name" : "default",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "AppServices",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "ContainerRegistry",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "KeyVaults",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "KubernetesService",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "SqlServers",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "SqlServerVirtualMachines",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "StorageAccounts",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "VirtualMachines",
              "properties" : {
                "pricingTier" : "Standard"
              }
            }
          ],
          "outputs" : {}
        }
      }
    }
  }
}

But this doesn't work.

Reason for non-compliance: Current value must be equal to the target value.
Field: Microsoft.Security/pricings/pricingTier
Path: properties.pricingTier
Current value: "Free"
Target value: "Standard"

We have opened a corresponding ticket with Microsoft but still haven't received any effective help from their end. While opening the ticket, I received this article as a possible solution; I hadn't found this before. Maybe it will help you.

https://techcommunity.microsoft.com/t5/azure-security-center/managing-security-center-at-scale-using-arm-templates-and-azure/ba-p/327761


Microsoft Defender for Cloud (Azure Security Center) has built-in Azure policies to enforce enablement of Defender plans.

For a single subscription, you can use the "Enforce" option in the "Microsoft Defender for X should be enabled" recommendation, which will take you to the relevant policy creation page.

Or, directly via the Azure Policy portal, assign the same policy at subscription or management group scope using the "Configure Azure Defender for <DefenderPlan> to be enabled" policy. Assign it with the "deployIfNotExists" effect and it will enforce the Defender plan state.

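As an added example that is not part of either answer (nor Microsoft's built-in definition), here is the shape the two answers converge on: one DeployIfNotExists policy per Defender plan rather than one catch-all policy. The first answer's custom policy checks `Microsoft.Security/pricings/pricingTier` without pinning `details.name` to a plan, and deploys a resource-group style template at subscription scope; the built-in per-plan policies the second answer points to pin the existence check to the plan's own pricing resource. The script below generates such a per-plan policy rule (ready for `az policy definition create --rules`) and audits the JSON that `az security pricing list` prints to find plans that are still Free. The plan list, the role definition GUID and the sample pricing output are assumptions or constructed data, as marked in the code.

```python
"""Per-plan DeployIfNotExists policies for Defender for Cloud plans, plus an
audit of which plans a subscription still has on the Free tier.

Added example for this thread; not code from either answer and not the
built-in Microsoft definition. Assumptions are marked inline."""
import json

# Plan names are the `name` segment of Microsoft.Security/pricings resources.
# (Assumption: adjust to the plans your tenant exposes.)
PLANS = [
    "VirtualMachines", "SqlServers", "SqlServerVirtualMachines",
    "OpenSourceRelationalDatabases", "StorageAccounts", "KeyVaults",
    "AppServices", "ContainerRegistry", "KubernetesService",
]

# Assumption: GUID of the built-in "Security Admin" role; verify it in your
# tenant with `az role definition list --name "Security Admin"`. The accepted
# answer grants Owner, far more than changing pricings needs.
SECURITY_ADMIN_ROLE = ("/providers/Microsoft.Authorization/roleDefinitions/"
                       "fb1c8493-542b-48eb-b624-b4c8fea62acd")


def pricing_policy(plan, role_id=SECURITY_ADMIN_ROLE, location="westeurope"):
    """Policy rule that sets ONE plan to Standard on every subscription in the
    assignment scope. `details.name` pins the existence check to this plan's
    pricing resource, so each plan is judged on its own state."""
    return {
        "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Security/pricings",
                "name": plan,
                "deploymentScope": "subscription",
                "existenceScope": "subscription",
                "roleDefinitionIds": [role_id],
                "existenceCondition": {
                    "field": "Microsoft.Security/pricings/pricingTier",
                    "equals": "Standard",
                },
                "deployment": {
                    "location": location,
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            # Subscription-scope deployments use this schema,
                            # not the resource-group deploymentTemplate one.
                            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "resources": [{
                                "type": "Microsoft.Security/pricings",
                                "apiVersion": "2018-06-01",
                                "name": plan,
                                "properties": {"pricingTier": "Standard"},
                            }],
                        },
                    },
                },
            },
        },
    }


def free_plans(pricing_list, required=PLANS):
    """Return the required plans that are NOT on Standard tier, given the JSON
    `az security pricing list` prints (a {"value": [...]} object or a bare
    list). Plans missing from the output are reported too: absent != enabled."""
    data = json.loads(pricing_list) if isinstance(pricing_list, str) else pricing_list
    items = data.get("value", []) if isinstance(data, dict) else data
    tiers = {}
    for item in items:
        # Flattened (CLI) and nested (raw REST) shapes both occur.
        tier = item.get("pricingTier") or item.get("properties", {}).get("pricingTier")
        tiers[item["name"]] = tier
    return sorted(p for p in required if tiers.get(p) != "Standard")


# Constructed sample output, not captured from a real subscription.
SAMPLE_PRICING_LIST = json.dumps({"value": [
    {"name": "VirtualMachines", "pricingTier": "Standard", "type": "Microsoft.Security/pricings"},
    {"name": "SqlServers", "pricingTier": "Standard", "type": "Microsoft.Security/pricings"},
    {"name": "OpenSourceRelationalDatabases", "properties": {"pricingTier": "Free"}, "type": "Microsoft.Security/pricings"},
    {"name": "StorageAccounts", "pricingTier": "Free", "type": "Microsoft.Security/pricings"},
]})


if __name__ == "__main__":
    todo = free_plans(SAMPLE_PRICING_LIST)
    print("Plans not on Standard tier:", todo)
    for plan in todo:
        path = f"enable-defender-{plan}.json"          # assumed file naming
        with open(path, "w") as fh:
            json.dump(pricing_policy(plan), fh, indent=2)
        # Assign at management-group scope with a managed identity, then run a
        # remediation task so existing subscriptions are fixed, not only new ones.
        print(f"az policy definition create --name enable-defender-{plan} "
              f"--mode All --rules @{path}")
```

The audit function deliberately treats a plan that is absent from the list as not enabled, which is what you want when a new plan (such as OpenSourceRelationalDatabases) appears in a subscription that was configured before it existed. After assigning the definitions, remember that DeployIfNotExists only runs on new or updated resources; a remediation task is needed for subscriptions that already exist.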