Deploy Microsoft Defender for Cloud configuration

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Policy DisplayName

Policy Id

Category

Effect

Roles#

Roles

State

Type

[Deprecated]: Configure Azure Defender for DNS to be enabled

2370a3c1-4a25-4283-a91a-c9c1a145fb2f

Security Center

Default
Disabled
Allowed
DeployIfNotExists, Disabled

Security Admin

Deprecated

BuiltIn

[Deprecated]: Configure Microsoft Defender for APIs should be enabled

e54d2be9-5f2e-4d65-98e4-4f0e670b23d6

Security Center

Default
Disabled
Allowed
DeployIfNotExists, Disabled

Security Admin

Deprecated

BuiltIn

Configure Azure Defender for App Service to be enabled

b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Azure Defender for Azure SQL database to be enabled

b99b73e7-074b-4089-9395-b7236f094491

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Azure Defender for open-source relational databases to be enabled

44433aa3-7ec2-4002-93ea-65c65ff0310a

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Azure Defender for Resource Manager to be enabled

b7021b2b-08fd-4dc0-9de7-3c6ece09faf9

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Azure Defender for servers to be enabled

8e86a5b6-b9bd-49d1-8e21-4bb8a0862222

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Azure Defender for SQL servers on machines to be enabled

50ea7265-7d8c-429e-9a7d-ca1f410191c3

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Azure Kubernetes Service clusters to enable Defender profile

64def556-fbad-4622-930e-72d1d5589bf5

Kubernetes

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Contributor, Log Analytics Contributor

BuiltIn

Configure machines to receive a vulnerability assessment provider

13ce0167-8ca6-4048-8e6b-f996402e3c1b

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Microsoft Defender CSPM to be enabled

689f7782-ef2c-4270-a6d0-7664869076bd

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Owner

BuiltIn

Configure Microsoft Defender for Azure Cosmos DB to be enabled

82bf5b87-728b-4a74-ba4d-6123845cf542

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Microsoft Defender for Containers to be enabled

c9ddb292-b203-4738-aead-18e2716e858f

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Microsoft Defender for Key Vault plan

1f725891-01c0-420a-9059-4fa46cb770b7

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Configure Microsoft Defender for Storage to be enabled

cfdc5972-75b3-4418-8ae1-7f5c36839390

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Owner

BuiltIn

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

a8eff44f-8c92-45c3-a3fb-9880802d67a7

Kubernetes

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment

BuiltIn

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

ffb6f416-7bd2-4488-8828-56585fef2be9

Security Center

Fixed
deployIfNotExists

Contributor

BuiltIn

Deploy Microsoft Defender for Cloud Security Contacts

Deploy-ASC-SecurityContacts

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

ALZ

Setup subscriptions to transition to an alternative vulnerability assessment solution

766e621d-ba95-4e43-a6f2-e945db3d7888

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Security Admin

BuiltIn

Role

Role Id

Policies count

Policies

Azure Kubernetes Service Policy Add-on Deployment

18ed5180-3e48-46fd-8541-4ea054d57064

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Owner

8e3af657-a8ff-443c-a75c-2fe8c4bcb635

Configure Microsoft Defender CSPM to be enabled, Configure Microsoft Defender for Storage to be enabled

Contributor

b24988ac-6180-42a0-ab88-20f7382dd24c

Configure Azure Kubernetes Service clusters to enable Defender profile, Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Azure Kubernetes Service Contributor Role

ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Security Admin

fb1c8493-542b-48eb-b624-b4c8fea62acd

[Deprecated]: Configure Azure Defender for DNS to be enabled, [Deprecated]: Configure Microsoft Defender for APIs should be enabled, Configure Azure Defender for App Service to be enabled, Configure Azure Defender for Azure SQL database to be enabled, Configure Azure Defender for open-source relational databases to be enabled, Configure Azure Defender for Resource Manager to be enabled, Configure Azure Defender for servers to be enabled, Configure Azure Defender for SQL servers on machines to be enabled, Configure machines to receive a vulnerability assessment provider, Configure Microsoft Defender for Azure Cosmos DB to be enabled, Configure Microsoft Defender for Containers to be enabled, Configure Microsoft Defender for Key Vault plan, Deploy Microsoft Defender for Cloud Security Contacts, Setup subscriptions to transition to an alternative vulnerability assessment solution

Log Analytics Contributor

92aaf0da-9dab-42b6-94a3-d43ce8d16293

Configure Azure Kubernetes Service clusters to enable Defender profile