last sync: 2024-Nov-01 18:49:42 UTC

Deploy Microsoft Defender for Cloud configuration

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source: Repository Azure Landing Zones (ALZ) GitHub
JSON: Deploy-MDFC-Config_20240319
Display name: Deploy Microsoft Defender for Cloud configuration
Id: Deploy-MDFC-Config_20240319
Version: 2.1.0
Category: Security Center
Description: Deploy Microsoft Defender for Cloud configuration
Type: Custom Azure Landing Zones (ALZ)
Deprecated: False
Preview: False
Replaces PolicySet: This ALZ PolicySet definition replaces [Deprecated]: Deploy Microsoft Defender for Cloud configuration (Deploy-MDFC-Config)
Policy count
Total Policies: 17
Builtin Policies: 16
Static Policies: 0
ALZ Policies: 1
Policy used

| Policy DisplayName | Policy Id | Category | Effect | Roles# | Roles | State | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Configure Azure Defender for App Service to be enabled | b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Azure Defender for Azure SQL database to be enabled | b99b73e7-074b-4089-9395-b7236f094491 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Azure Defender for open-source relational databases to be enabled | 44433aa3-7ec2-4002-93ea-65c65ff0310a | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Azure Defender for Resource Manager to be enabled | b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Azure Defender for servers to be enabled | 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Azure Defender for SQL servers on machines to be enabled | 50ea7265-7d8c-429e-9a7d-ca1f410191c3 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Azure Kubernetes Service clusters to enable Defender profile | 64def556-fbad-4622-930e-72d1d5589bf5 | Kubernetes | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 2 | Defender Kubernetes Agent Operator, Kubernetes Agent Operator | GA | BuiltIn |
| Configure machines to receive a vulnerability assessment provider | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Microsoft Defender CSPM plan | 72f8cee7-2937-403d-84a1-a4e3e57f3c21 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Owner | GA | BuiltIn |
| Configure Microsoft Defender for Azure Cosmos DB to be enabled | 82bf5b87-728b-4a74-ba4d-6123845cf542 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Microsoft Defender for Containers to be enabled | c9ddb292-b203-4738-aead-18e2716e858f | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Microsoft Defender for Key Vault plan | 1f725891-01c0-420a-9059-4fa46cb770b7 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |
| Configure Microsoft Defender for Storage to be enabled | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Owner | GA | BuiltIn |
| Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Kubernetes | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 2 | Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment | GA | BuiltIn |
| Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | ffb6f416-7bd2-4488-8828-56585fef2be9 | Security Center | Fixed: deployIfNotExists | 1 | Contributor | GA | BuiltIn |
| Deploy Microsoft Defender for Cloud Security Contacts | Deploy-ASC-SecurityContacts | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | ALZ |
| Setup subscriptions to transition to an alternative vulnerability assessment solution | 766e621d-ba95-4e43-a6f2-e945db3d7888 | Security Center | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | 1 | Security Admin | GA | BuiltIn |

Roles used
Total Roles usage: 19
Total Roles unique usage: 7

| Role | Role Id | Policies count | Policies |
| --- | --- | --- | --- |
| Azure Kubernetes Service Contributor Role | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | 1 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters |
| Security Admin | fb1c8493-542b-48eb-b624-b4c8fea62acd | 12 | Configure Azure Defender for App Service to be enabled, Configure Azure Defender for Azure SQL database to be enabled, Configure Azure Defender for open-source relational databases to be enabled, Configure Azure Defender for Resource Manager to be enabled, Configure Azure Defender for servers to be enabled, Configure Azure Defender for SQL servers on machines to be enabled, Configure machines to receive a vulnerability assessment provider, Configure Microsoft Defender for Azure Cosmos DB to be enabled, Configure Microsoft Defender for Containers to be enabled, Configure Microsoft Defender for Key Vault plan, Deploy Microsoft Defender for Cloud Security Contacts, Setup subscriptions to transition to an alternative vulnerability assessment solution |
| Owner | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | 2 | Configure Microsoft Defender CSPM plan, Configure Microsoft Defender for Storage to be enabled |
| Defender Kubernetes Agent Operator | 8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5 | 1 | Configure Azure Kubernetes Service clusters to enable Defender profile |
| Azure Kubernetes Service Policy Add-on Deployment | 18ed5180-3e48-46fd-8541-4ea054d57064 | 1 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters |
| Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c | 1 | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data |
| Kubernetes Agent Operator | 5e93ba01-8f92-4c7a-b12a-801e3df23824 | 1 | Configure Azure Kubernetes Service clusters to enable Defender profile |

History: none
JSON compare: n/a