Enable Azure Defender for all resource types using Azure Policies

For security reasons I have to enable Azure Defender in ASC for all resource types. Since we have a lot of different subscriptions within Azure and the number is increasing, we have to configure an Azure Policy to enforce that.

There is already an option to enable Azure Defender for all resources, but I have not found anything useful in the documentation to enable this via an Azure Policy.

I have two solutions in mind which would match my requirements. The first would be that we enable Azure Defender for all resource types, and the other would be that we enable only specific resource types (for me, only the resource type for open source relational databases is currently relevant).

I only found the initiative that deploys Azure Defender to the database server, but it will not activate that option within my Azure Security Center. Is there any other documentation from Microsoft on how to accomplish that?



Solution 1:[1]

Microsoft Defender for Cloud (Azure Security Center) has built-in Azure policies to enforce enablement of Defender plans.

For a single subscription, you can use the "enforce" option in the "Microsoft Defender for X should be enabled" recommendation, which will take you to the relevant policy creation page.

Or, directly via the Azure Policy portal, assign the same policy at subscription or management group scope via the "Configure Azure Defender for <DefenderPlan> to be enabled" policy. Assign this with "DeployIfNotExists" and it will enforce the Defender plan state.

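As an added example (not part of the question or the answer above), this is the shape of a DeployIfNotExists policy definition that sets the open-source relational databases plan to Standard on every subscription it is assigned to, modelled on the built-in "Configure Azure Defender for ... to be enabled" policies. The display name, the deployment location (westeurope) and the role id in roleDefinitionIds (assumed to be Security Admin, which the assignment's managed identity needs to write Microsoft.Security/pricings) are assumptions; replace the plan name with whichever Defender plan you are enforcing.

```json
{
  "properties": {
    "displayName": "Configure Azure Defender for open-source relational databases to be enabled (example)",
    "mode": "All",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "OpenSourceRelationalDatabases",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ],
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2018-06-01",
                    "name": "OpenSourceRelationalDatabases",
                    "properties": {
                      "pricingTier": "Standard"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```

The existenceCondition is what turns the assignment into both a check and an enforcement: a subscription whose plan is still Free is reported as non-compliant and, once the assignment is remediated at management group scope, the plan is switched to Standard, which is when the toggle in Security Center flips on.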

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
