Description:

Auto-provisioning installs the Log Analytics agent automatically on Azure VMs to ensure they send security and monitoring data to Microsoft Defender for Cloud. This setting guarantees that all newly created or existing VMs begin forwarding logs without manual configuration.


Rationale:

Enabling auto-provisioning ensures consistent deployment of the Log Analytics agent across all Azure VMs. This improves monitoring coverage, supports automated threat detection, and prevents gaps where machines may operate without required security telemetry.


Impact:

  • Ensures uniform security monitoring across all Azure VMs

  • Automates onboarding of new VMs into Log Analytics / Defender

  • Supports SIEM, threat detection, and vulnerability scanning

  • Reduces operational overhead and human error

  • Required for many compliance standards


Default Value:

Auto provisioning is disabled by default.


Pre-Requisites:

  • A Log Analytics Workspace is available

  • Defender for Servers Plan recommended

  • Permissions:

    • Microsoft.Security/*

    • Microsoft.OperationalInsights/workspaces/*

    • Microsoft.Compute/virtualMachines/*

Test Plan:

  1. Sign in to the Azure portal

  2. Search for Microsoft Defender for Cloud

  3. Under the management section, select Environment Settings

  4. Choose the Subscription

  5. Under the settings, click Defender plans

  6. In the Defender plans page, click Settings & Monitoring

  7. Check if the Log Analytics agent is on or off

  8. If it is off, follow the implementation steps.
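The same check can be scripted across many subscriptions. The following is an added example, not part of the original procedure: it evaluates JSON of the kind returned by `az security auto-provisioning-setting list`, gathered per subscription. The sample data, the subscription IDs, and the function names `setting_state` and `audit` are constructed for illustration, and the two JSON shapes handled (flattened CLI output and nested REST `properties`) are assumptions about the input.

```python
import json

# Constructed sample: output of `az security auto-provisioning-setting list`
# collected per subscription (subscription IDs are placeholders).
SAMPLE = json.loads("""
{
  "00000000-0000-0000-0000-000000000001": [
    {"autoProvision": "On", "name": "default",
     "type": "Microsoft.Security/autoProvisioningSettings"}
  ],
  "00000000-0000-0000-0000-000000000002": [
    {"name": "default", "properties": {"autoProvision": "Off"},
     "type": "Microsoft.Security/autoProvisioningSettings"}
  ],
  "00000000-0000-0000-0000-000000000003": []
}
""")


def setting_state(setting):
    """Return 'On'/'Off' from the flattened (CLI) or nested (REST) shape."""
    value = setting.get("autoProvision")
    if value is None:
        value = (setting.get("properties") or {}).get("autoProvision")
    return value


def audit(settings_by_subscription):
    """Map each subscription to PASS, FAIL, or UNKNOWN for this control."""
    results = {}
    for sub_id, settings in settings_by_subscription.items():
        default = next((s for s in settings if s.get("name") == "default"), None)
        if default is None:
            # No setting returned: verify permissions and scope before judging.
            results[sub_id] = "UNKNOWN"
            continue
        state = (setting_state(default) or "").lower()
        results[sub_id] = "PASS" if state == "on" else "FAIL"
    return results


if __name__ == "__main__":
    for sub_id, verdict in audit(SAMPLE).items():
        print(f"{sub_id}  {verdict}")
```

Subscriptions reported as FAIL need the implementation steps; UNKNOWN means the setting could not be read and should be checked manually in the portal.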


Implementation Steps:

  1. Sign in to the Azure portal

  2. Search for Microsoft Defender for Cloud

  3. Under the management section, click Environment Settings

  4. Choose the Subscription

  5. Under the settings, click Defender plans

  6. In the Defender plans page, click Settings & Monitoring

  7. Find the Log Analytics agent. Change toggle to On

  8. Continue to Save changes

Backout Plan:

  1. Sign in to the Azure portal.

  2. Search for and open Microsoft Defender for Cloud.

  3. Under the Management section, select Environment Settings.

  4. Select the required subscription.

  5. Under the settings, click Defender plans

  6. In the Defender plans page, click Settings & Monitoring

  7. Set Vulnerability assessment for machines to Off.

  8. Save the changes.


Reference: