
Enabling Defender for Cloud at the Resource Level with PowerShell


Efficiently managing Azure resources can be challenging, especially in large environments. To help with this, I’ve developed a PowerShell script designed to automate the process of managing Defender for Cloud pricing configurations across various Azure resources, including Virtual Machines (VMs), Virtual Machine Scale Sets (VMSS), and Azure Arc-enabled servers.

Script Overview

This PowerShell script automates setting or reading Defender for Cloud pricing configurations for multiple resources within a specified Azure subscription. It supports two modes of operation:

  1. Resource Group (RG) Mode: Applies the configuration to all resources within a specified resource group.
  2. Tag-Based (TAG) Mode: Applies the configuration to resources based on specified tag names and values.

Key Features

  • Automated Login: Ensures the user is logged into their Azure account and retrieves the necessary access token.
  • Flexible Targeting: Allows users to specify resources by resource group or tags.
  • Comprehensive Resource Handling: Supports Virtual Machines, Virtual Machine Scale Sets, and Azure Arc-enabled machines.
  • Token Management: Automatically renews the Azure access token if it expires during script execution.
  • Robust Error Handling: Provides detailed error messages for failed operations.
  • Interactive Prompts: Guides the user through the process with clear prompts and options.

Script Functionality

Authentication and Token Management

The script starts by ensuring the user is logged into their Azure account and retrieves an access token. If the token expires during execution, the script renews it automatically.

[Screenshot: script output during sign-in and access token retrieval]

[Screenshot: script output]

The script prompts the user to choose between targeting resources by resource group or by tag. It then fetches the relevant resources accordingly.

For this blog post I will use “RG” and apply the configuration to everything under the resource group.

[Screenshot: script output]

If any matching resources exist, the script lists every resource it found under the resource group.

[Screenshot: list of resources found in the resource group]

Processing Resources

The script processes each type of resource (VMs, VMSS, ARC) based on the user’s input. It sets the pricing tier or reads the current configuration for each resource.

The script then prompts you to press any key to continue processing, and asks for the Defender for Cloud plan tier. I will use “Standard”.

The script will run and apply the tier to the resources in the resource group. The output will look as follows.
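The flow the post describes (sign in, obtain an ARM token, renew it when it is about to expire, pick targets by resource group or by tag, then set or read the Defender for Cloud pricing tier per resource while reporting failures per resource) can be implemented with the Az modules and the ARM REST API. The following PowerShell is an added example written for this page; it is not the post's script nor the Microsoft GitHub script. It assumes Az.Accounts and Az.Resources are installed, that the current Az context already points at the target subscription, and that the resource-level pricing endpoint `{resourceId}/providers/Microsoft.Security/pricings/VirtualMachines` at api-version 2024-01-01 is the right one to call (endpoint and version are assumptions; check them against the current Microsoft.Security REST reference). The function names and the `rg-example` / `env=prod` values in the usage lines are made up for the example.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example, not the script from the post. Assumes an Az context on the target
# subscription and the resource-level pricing endpoint below (api-version assumed).

$ArmBase    = 'https://management.azure.com'
$ApiVersion = '2024-01-01'   # assumed; verify against the Microsoft.Security REST reference

# Resource types the post's script targets: VMs, VMSS and Azure Arc-enabled machines.
$TargetTypes = @(
    'Microsoft.Compute/virtualMachines',
    'Microsoft.Compute/virtualMachineScaleSets',
    'Microsoft.HybridCompute/machines'
)

$script:Token = $null   # cached { Value; ExpiresOn }, renewed by Get-AuthHeader

function Get-ArmToken {
    # Signs in only when no Az context exists, then fetches an ARM bearer token.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
    $tok = Get-AzAccessToken -ResourceUrl "$ArmBase/"
    # Newer Az.Accounts versions return the token as a SecureString; handle both shapes.
    $plain = if ($tok.Token -is [securestring]) {
        [System.Net.NetworkCredential]::new('', $tok.Token).Password
    } else { $tok.Token }
    return [pscustomobject]@{ Value = $plain; ExpiresOn = $tok.ExpiresOn }
}

function Get-AuthHeader {
    # Renews the cached token when fewer than five minutes remain, so a long loop
    # over many resources never fails with 401 part-way through.
    if ($null -eq $script:Token -or
        $script:Token.ExpiresOn -lt [DateTimeOffset]::Now.AddMinutes(5)) {
        $script:Token = Get-ArmToken
    }
    return @{ Authorization = "Bearer $($script:Token.Value)"; 'Content-Type' = 'application/json' }
}

function Get-TargetResources {
    # RG mode: everything in one resource group; TAG mode: anything carrying the tag.
    # Both are filtered client-side to the three resource types above.
    param(
        [Parameter(Mandatory)][ValidateSet('RG', 'TAG')][string]$Mode,
        [string]$ResourceGroupName, [string]$TagName, [string]$TagValue
    )
    $all = if ($Mode -eq 'RG') { Get-AzResource -ResourceGroupName $ResourceGroupName }
           else                { Get-AzResource -TagName $TagName -TagValue $TagValue }
    return @($all | Where-Object { $_.ResourceType -in $TargetTypes })
}

function Get-PricingUri([string]$ResourceId) {
    "$ArmBase$ResourceId/providers/Microsoft.Security/pricings/VirtualMachines?api-version=$ApiVersion"
}

function Get-ResourceDefenderPricing([string]$ResourceId) {
    Invoke-RestMethod -Method Get -Uri (Get-PricingUri $ResourceId) -Headers (Get-AuthHeader)
}

function Set-ResourceDefenderPricing {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [Parameter(Mandatory)][ValidateSet('Free', 'Standard')][string]$PricingTier,
        [string]$SubPlan   # e.g. 'P1' or 'P2' for Defender for Servers; omitted = provider default
    )
    $body = @{ properties = @{ pricingTier = $PricingTier } }
    if ($SubPlan) { $body.properties.subPlan = $SubPlan }
    Invoke-RestMethod -Method Put -Uri (Get-PricingUri $ResourceId) -Headers (Get-AuthHeader) `
        -Body ($body | ConvertTo-Json -Depth 5)
}

function Invoke-DefenderPricingRun {
    # Finds resources, lists them, then sets or reads each one, recording a
    # per-resource status instead of aborting on the first failure.
    param(
        [Parameter(Mandatory)][ValidateSet('RG', 'TAG')][string]$Mode,
        [string]$ResourceGroupName, [string]$TagName, [string]$TagValue,
        [Parameter(Mandatory)][ValidateSet('Set', 'Read')][string]$Action,
        [ValidateSet('Free', 'Standard')][string]$PricingTier = 'Standard',
        [string]$SubPlan
    )
    $resources = Get-TargetResources -Mode $Mode -ResourceGroupName $ResourceGroupName `
                                     -TagName $TagName -TagValue $TagValue
    if ($resources.Count -eq 0) { Write-Warning 'No VM, VMSS or Arc resources matched.'; return }
    Write-Host "Found $($resources.Count) resource(s):"
    $resources | Format-Table Name, ResourceType, ResourceGroupName | Out-String | Write-Host

    foreach ($r in $resources) {
        try {
            $result = if ($Action -eq 'Set') {
                Set-ResourceDefenderPricing -ResourceId $r.ResourceId -PricingTier $PricingTier -SubPlan $SubPlan
            } else { Get-ResourceDefenderPricing -ResourceId $r.ResourceId }
            [pscustomobject]@{ Name = $r.Name; Type = $r.ResourceType; Status = 'OK'
                               Tier = $result.properties.pricingTier; SubPlan = $result.properties.subPlan }
        } catch {
            # Prefer the ARM error body: it names the real cause (missing RBAC, unsupported plan, ...).
            $detail = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { $_.Exception.Message }
            [pscustomobject]@{ Name = $r.Name; Type = $r.ResourceType; Status = "FAILED: $detail"
                               Tier = $null; SubPlan = $null }
        }
    }
}

# Usage (mirrors the post's walkthrough: RG mode, tier Standard), then an audit read by tag:
# Invoke-DefenderPricingRun -Mode RG  -ResourceGroupName 'rg-example' -Action Set -PricingTier Standard | Format-Table
# Invoke-DefenderPricingRun -Mode TAG -TagName 'env' -TagValue 'prod' -Action Read | Format-Table
```

The token is cached in script scope and refreshed five minutes before expiry rather than on a 401, which keeps the per-resource loop free of retry logic; the `Read` action doubles as the configuration audit from the use-case list, since the PUT and GET responses both carry `properties.pricingTier`. Writing the pricing tier requires a role with `Microsoft.Security/pricings/write` on each target resource, so a `FAILED` row with an authorization error in the ARM body is the first thing to check.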

[Screenshot: script output after applying the tier to each resource]

Use Cases

  1. Security Compliance: Ensuring that all resources have the appropriate Defender for Cloud plans to meet security and compliance requirements.
  2. Cost Management: Setting resources to the ‘Free’ tier when additional protection is not required, helping to manage costs effectively.
  3. Configuration Auditing: Reading the current Defender for Cloud configuration across all resources to audit and ensure compliance with organizational policies.
  4. Automated Resource Management: Streamlining the management of large environments by automating repetitive tasks, reducing the potential for human error.

Benefits of Resource-Level Defender for Cloud Configuration

Enabling Defender for Cloud at the resource level provides a granular level of control. It allows organizations to apply security measures only to critical resources, thereby optimizing costs and ensuring compliance with specific security policies. This approach is beneficial for organizations that want to avoid the overhead of enabling Defender for Cloud across an entire subscription, which can lead to unnecessary costs and potential performance impacts on less critical resources.

Where to Find the Script

This script can be found on GitHub, created and maintained by Microsoft. It provides an efficient and flexible way to manage Defender for Cloud configurations at the resource level, ensuring your Azure environment is secure and compliant without incurring unnecessary costs. You can access the script here.


Published in: Azure, Microsoft Azure, Microsoft Defender for Cloud, PowerShell
