Description:

Microsoft Defender for Resource Manager is part of Microsoft Defender for Cloud and provides enhanced security monitoring and threat protection for Azure Resource Manager (ARM). ARM is the core service used to deploy, configure, and manage Azure resources.

This includes monitoring for:

  • Misconfigurations in resources

  • Unauthorized access attempts

  • Changes to deployments or access policies

  • Potential security violations during resource management


Rationale:

Enabling Microsoft Defender for Resource Manager helps organizations to:

  1. Enhance security: Detect malicious or unauthorized activities in resource deployment and management.

  2. Strengthen governance: Monitor all changes to Azure resources and identify suspicious activity or misconfigurations.

  3. Ensure compliance: Maintain adherence to security standards and best practices by securing all resource management operations.

  4. Proactively prevent attacks: Identify misconfigured permissions, insecure deployments, or unauthorized attempts to manage resources.


Impact:

Setting Microsoft Defender for Resource Manager to ‘On’ will:

  • Increase security: Continuous monitoring of management-plane activities reduces the risk of unauthorized access or malicious changes.

  • Generate alerts: Administrators receive real-time notifications to detect and respond to security issues promptly.

  • Support compliance: Ensures all ARM operations are monitored in line with regulatory and organizational standards.


Default Value:

By default, Microsoft Defender for Resource Manager is disabled (OFF). It must be manually enabled per subscription.


Pre-requisites:

  • Azure subscription with Microsoft Defender for Cloud enabled.

  • Global Administrator or Security Administrator permissions to enable and configure Microsoft Defender forzure Resources.


Test Plan:

  1. Sign in to the Azure Portal.

  2. Search for Microsoft Defender for Cloud.

  3. Under the management section, select the Environment settings, then choose the subscription where your Resource Group is located.

  4. Under the settings, click Defender Plan

  5. Under Cloud Workload Protection (CWPP), locate the Resource Group and check if it is ON or OFF.


  1. If it is OFF, follow the Implementation Plan


Implementation Plan:

  1. Sign in to the Azure Portal.

  2. Search for Microsoft Defender for Cloud.

  3. Under the management section, select the Environment settings, then choose the subscription where your Resource Group is located.


  1. Under the settings, click Defender Plan

  2. Under Cloud Workload Protection (CWPP), locate the Resource Group and Turn ON Microsoft Defender for Cloud for the Resource Group.

  1. Save it.


Backout Plan:

  1. Sign in to the Azure Portal.

  2. Search for Microsoft Defender for Cloud.

  3. Under the management section, select the Environment settings, then choose the subscription where your Resource Group is located.

  4. Under the settings, click Defender Plan

  5. Under Cloud Workload Protection (CWPP), locate the Resource Group and Turn OFF Microsoft Defender for Cloud for the Resource Group.


Reference: