Effective Way To Check Azure Defender Status Plan - Charbel Nemnom - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

Effective Way To Check Azure Defender Status Plan


At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. Azure Defender plans were also renamed to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

In this article, we will share with you how to check Defender Plans status (formerly known as the Standard Tier in Azure Security Center) on every Azure subscription with PowerShell.

Introduction

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.

2) Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts. CWPP is part of the Azure Defender plan (formerly known as the Standard Tier).

Defender plans are an evolution of the threat-protection technologies in Microsoft Defender for Cloud, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

From the Environment settings area, you can also enable or disable one of the Azure Defender plans as shown in the figure below.

[Figure 1: Azure Defender plans in the Environment settings area]

What if you have many subscriptions and you want to know which Azure Defender plan is enabled on which subscription?

Check Azure Defender Plans Status

In this quick article, we will share with you how to query Azure Defender on every Azure subscription and get its status with PowerShell.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure Security Center Free or Azure Defender enabled.

3) Azure PowerShell installed locally on your machine or using Azure Cloud Shell.

4) The Azure Resource Graph module for PowerShell. Please note that this module can be used with locally installed PowerShell, with Azure Cloud Shell, or with the PowerShell Docker image.

Install the Azure Resource Graph module

In this example, I am using the Azure Cloud Shell. Open the Cloud Shell and run the following commands to install the Azure Resource Graph module from the PowerShell Gallery.

# Install the Resource Graph module from PowerShell Gallery
Install-Module -Name Az.ResourceGraph
# Get a list of commands for the imported Az.ResourceGraph module
Get-Command -Module 'Az.ResourceGraph' -CommandType 'Cmdlet'

At the time of this writing, I am running the latest Resource Graph PowerShell version (0.7.7).

[Figure 2: Az.ResourceGraph module version in Azure Cloud Shell]

Get Microsoft Defender Plans Status

Assuming you have all the prerequisites in place, open the Azure Cloud Shell (https://shell.azure.com/) and run the following command:

# Query Azure Defender status and sort by tier
# -First raises the page size from the 100-row default to the 1000-row maximum
Search-AzGraph -First 1000 -Query "securityresources | where type == `"microsoft.security/pricings`" | extend tier = properties.pricingTier | project name, tier, subscriptionId" | Sort-Object tier

In my example, the output looks like this. You can see, for each Azure Defender plan, whether it is enabled (Standard) or not (Free). The Standard tier still carries the old name; I believe Microsoft will change it to Microsoft Defender in the future (the subscription ID has been intentionally obscured in this example).

[Figure 3: Search-AzGraph output listing each Azure Defender plan and its tier]

For small to medium deployments, you could use Azure PowerShell or the CLI as described in this article. However, it is not a good idea to do this at a large scale because Azure Resource Manager (ARM) throttles requests at 12k/h.

For large-scale deployment with a lot of subscriptions, it’s recommended to use the Azure Resource Graph (ARG) explorer.

Open the Azure Resource Graph Explorer blade and run the following KQL query:

securityresources
| where type == "microsoft.security/pricings"
| project DefenderPlan=name, subscriptionId, Pricing = properties.pricingTier
| order by DefenderPlan asc

Here is the output of the query:

[Figure: Query Microsoft Defender for Cloud plan for all subscriptions with Azure Resource Graph]
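As an added example (not code from the original post), the following PowerShell wrapper pages through Azure Resource Graph with SkipToken, since Search-AzGraph returns 100 rows per call by default and at most 1000 with -First, and then pivots the rows into one line per subscription showing which plans are Standard and which are still Free. It assumes the Az.ResourceGraph module and an existing Az session; the function name Get-DefenderPlanMatrix and the use of -UseTenantScope (query every subscription the account can read rather than only the current context) are my additions.

```powershell
# Added example (not from the original post). Assumes Az.ResourceGraph and an Az session;
# -UseTenantScope queries every subscription the account can read, not only the context.
function Get-DefenderPlanMatrix {
    [CmdletBinding()]
    param([int]$BatchSize = 1000)   # 1000 is the ARG maximum page size; the default is 100

    $query = @'
securityresources
| where type == "microsoft.security/pricings"
| project subscriptionId, DefenderPlan = name, Pricing = tostring(properties.pricingTier)
| order by subscriptionId asc, DefenderPlan asc
'@
    $rows = @()
    $skipToken = $null
    do {
        $params = @{ Query = $query; First = $BatchSize; UseTenantScope = $true }
        if ($skipToken) { $params.SkipToken = $skipToken }
        $page = Search-AzGraph @params
        $rows += $page.Data
        $skipToken = $page.SkipToken   # $null once the last page has been returned
    } while ($skipToken)

    # Pivot: one object per subscription listing its Standard and its Free plans
    $rows | Group-Object subscriptionId | ForEach-Object {
        [pscustomobject]@{
            SubscriptionId = $_.Name
            StandardPlans  = ($_.Group | Where-Object Pricing -eq 'Standard').DefenderPlan -join ', '
            FreePlans      = ($_.Group | Where-Object Pricing -eq 'Free').DefenderPlan -join ', '
        }
    }
}

Get-DefenderPlanMatrix | Format-Table -AutoSize -Wrap
```

The order by clause matters: ARG paging is only stable when the query has a deterministic sort.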

There’s more…

You can also get the Microsoft Defender for Cloud plan status using PowerShell and the Azure CLI.

Azure PowerShell

# Set the Azure context for the relevant subscription
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"

# Show Microsoft Defender for Cloud plan
Get-AzSecurityPricing | select Name, PricingTier, FreeTrialRemainingTime
[Figure: Show Microsoft Defender for Cloud plan with PowerShell]

Azure CLI

# Set the Azure context for the relevant subscription
az account set --subscription "xxxx-xxxx-xxxx-xxxx"

# Show all Microsoft Defender for Cloud plans in the selected subscription
az security pricing list --query "value[*].{DefenderPlan:name,Pricing:pricingTier,RemainingTime:freeTrialRemainingTime}" --output table
[Figure: Show Microsoft Defender for Cloud plan with Azure CLI]

Enable Vulnerability Assessment for machines via REST

A recent question from one of my readers was the following:

How can we change the above queries to list all subscriptions and which vulnerability management (Microsoft or Qualys) solution is enabled on them?

As you probably know, Vulnerability assessment (VA) for machines is part of Microsoft Defender for Servers as a sub-component, which can be enabled from Defender for Cloud’s menu > Environment settings > Subscription > Vulnerability assessment for machines as shown in the figure below.

[Figure: Vulnerability Assessment for Machine Configuration]

Please note that Microsoft Defender for Servers Plan 2 is required to integrate vulnerability assessment powered by Qualys or Rapid7, and Microsoft Defender for Servers Plan 1 gives you access to the built-in Microsoft Defender vulnerability management (MdeTVM) only.

Now, when it comes to automating the check of which vulnerability management solution is enabled, unfortunately we don’t have many options. Neither PowerShell, Azure CLI, nor Azure Resource Graph supports that query. The only remaining option is to use the REST API to query and set the desired vulnerability management solution at the subscription level.

The following PowerShell script backed by the REST API will help you to query all subscriptions (if the subscription ID parameter is not specified), and then it will check which vulnerability management solution is enabled on them.

Optionally, you can enable the default Microsoft Defender vulnerability management (MdeTVM) by setting the parameter -enableVA [Yes]. Please note that Qualys and Rapid7 are out of scope here.

.\Get-MDfCVA.ps1 -SubscriptionId <SUB-ID> -enableVA [No] -Verbose

<#
.SYNOPSIS
Query and set Vulnerability Assessment for machines in Microsoft Defender for Cloud.

.DESCRIPTION
Query and set Vulnerability Assessment for machines in Microsoft Defender for Cloud via REST API.

.NOTES
File Name : Get-MDfCVA.ps1
Author    : Microsoft MVP/MCT - Charbel Nemnom
Version   : 1.0
Date      : 14-September-2023
Update    : 15-September-2023
Requires  : PowerShell 7.3.x (Core)
Module    : Az Module

.LINK
To provide feedback or for further assistance please visit:
https://charbelnemnom.com

.EXAMPLE
.\Get-MDfCVA.ps1 -SubscriptionId <SUB-ID> -enableVA [No] -Verbose
This example will connect to your Azure account using the subscription Id specified, and then check if VA solution is enabled in Microsoft Defender for Cloud.
You have the option to enable the default vulnerability management solution by setting the parameter -enableVA [Yes].
Please note that Qualys and Rapid7 are out of scope here.
#>

param (
    [Parameter(Position = 0, HelpMessage = 'Enter Azure Subscription ID')]
    [string]$subscriptionId,

    [ValidateSet("Yes", "No")]
    [String]$enableVA = 'No',

    [ValidateSet("MdeTvm")]
    [String]$vaType = 'MdeTvm'
)

#! Install Az Module If Needed
function Install-Module-If-Needed {
    param([string]$ModuleName)

    if (Get-Module -ListAvailable -Name $ModuleName) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    }
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts

#! Check Azure Connection
try {
    Write-Verbose "Connecting to Azure Cloud..."
    Connect-AzAccount -ErrorAction Stop | Out-Null
}
catch {
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
    return   # ends the script; 'break' outside a loop walks up the call stack instead
}

#! Get Az Access Token
$token = Get-AzAccessToken # This defaults to the Azure Resource Manager endpoint
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $token.Token
}

if (!$subscriptionId) {
    #! Get all Azure Subscriptions in the signed-in tenant
    $azSubscriptions = Get-AzSubscription -TenantId (Get-AzContext).Tenant.Id
    $vaResults = @()

    #! Loop through all Azure Subscriptions
    foreach ($azSubscription in $azSubscriptions) {
        Set-AzContext $azSubscription.Id | Out-Null
        $subscriptionId = $azSubscription.Id

        $URI = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings?api-version=2022-01-01-preview"
        $vaResponse = Invoke-RestMethod $URI -Method 'GET' -Headers $authHeader
        if (!$vaResponse.value) {
            #! An empty 'value' array means no VA provider is selected on this subscription
            $vaResults += $vaResponse | Select-Object `
            @{Label = 'Subscription Name'; Expression = { $azSubscription.Name } }, `
            @{Label = 'Subscription ID'; Expression = { $azSubscription.Id } }, `
            @{Label = 'VA Solution'; Expression = { "N/A" } }, `
            @{Label = 'VA Setting'; Expression = { "N/A" } }
        }
        else {
            $vaResults += $vaResponse | Select-Object `
            @{Label = 'Subscription Name'; Expression = { $azSubscription.Name } }, `
            @{Label = 'Subscription ID'; Expression = { $azSubscription.Id } }, `
            @{Label = 'VA Solution'; Expression = { $vaResponse.value.properties.selectedProvider } }, `
            @{Label = 'VA Setting'; Expression = { $vaResponse.value.name } }
        }
    }
    Write-Output $vaResults
}
else {
    $azSubscription = Get-AzSubscription -SubscriptionId $subscriptionId
    $vaResults = @()
    $URI = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings?api-version=2022-01-01-preview"
    $vaResponse = Invoke-RestMethod $URI -Method 'GET' -Headers $authHeader
    if (!$vaResponse.value) {
        #! An empty 'value' array means no VA provider is selected on this subscription
        $vaResults += $vaResponse | Select-Object `
        @{Label = 'Subscription Name'; Expression = { $azSubscription.Name } }, `
        @{Label = 'Subscription ID'; Expression = { $azSubscription.Id } }, `
        @{Label = 'VA Solution'; Expression = { "N/A" } }, `
        @{Label = 'VA Setting'; Expression = { "N/A" } }
    }
    else {
        $vaResults += $vaResponse | Select-Object `
        @{Label = 'Subscription Name'; Expression = { $azSubscription.Name } }, `
        @{Label = 'Subscription ID'; Expression = { $azSubscription.Id } }, `
        @{Label = 'VA Solution'; Expression = { $vaResponse.value.properties.selectedProvider } }, `
        @{Label = 'VA Setting'; Expression = { $vaResponse.value.name } }
    }
    Write-Output $vaResults

    if ($enableVA -eq "Yes") {
        #! Set Vulnerability assessment solution for machines (PUT creates or replaces the setting)
        $body = @{
            "kind"       = "AzureServersSetting"
            "properties" = @{
                "selectedProvider" = "$vaType"
            }
        }

        $URI = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2022-01-01-preview"
        $vaUpdate = Invoke-RestMethod $URI `
        -Method 'PUT' `
        -Headers $authHeader `
        -Body (ConvertTo-Json $body -Depth 2)

        Write-Output $vaUpdate.properties.selectedProvider
    }
}

Here you can see a sample of the output results.

[Figure: Get Vulnerability Assessment for Machine Configuration via REST API]

Last, if you want to disable the Microsoft Defender vulnerability assessment (MdeTVM) solution, you can use the same PowerShell code above with the same body, but change the Invoke-RestMethod call to use -Method 'DELETE' instead of 'PUT'.
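The following added example is not part of the author's script: it cross-checks the Defender for Servers plan (pricing entry VirtualMachines, read with Get-AzSecurityPricing) against the VA provider returned by the same serverVulnerabilityAssessmentsSettings endpoint, and flags subscriptions where the plan is on but no provider is selected, which is the gap a posture review should catch. It assumes an existing Az session with Az.Accounts and Az.Security loaded; the function name Get-ServersVaCoverage and the finding labels are my own.

```powershell
# Added example (not the author's script): report Defender for Servers tier vs. VA provider.
# Assumes Connect-AzAccount has been run and Az.Accounts + Az.Security are available.
function Get-ServersVaCoverage {
    [CmdletBinding()]
    param([string]$ApiVersion = '2022-01-01-preview')  # same api-version as the script above

    # Bearer token for ARM; newer Az.Accounts (Az 14+) returns it as a SecureString
    $raw = (Get-AzAccessToken).Token
    if ($raw -is [securestring]) { $raw = ConvertFrom-SecureString -SecureString $raw -AsPlainText }
    $header = @{ Authorization = "Bearer $raw" }

    foreach ($sub in Get-AzSubscription -TenantId (Get-AzContext).Tenant.Id) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        # "VirtualMachines" is the pricing entry for Defender for Servers
        $tier = (Get-AzSecurityPricing -Name 'VirtualMachines').PricingTier

        $uri = "https://management.azure.com/subscriptions/$($sub.Id)/providers/" +
               "Microsoft.Security/serverVulnerabilityAssessmentsSettings?api-version=$ApiVersion"
        $provider = 'None'
        try {
            $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
            # an empty 'value' array means no VA provider is selected
            if ($resp.value) { $provider = [string]$resp.value[0].properties.selectedProvider }
        }
        catch {
            Write-Warning "$($sub.Name): VA query failed: $($_.Exception.Message)"
            $provider = 'Error'
        }

        # A paid plan with no VA provider is a coverage gap; a VA provider on a Free plan scans nothing
        $finding = switch ($true) {
            { $provider -eq 'Error' }                          { 'UNKNOWN: VA query failed'; break }
            { $tier -eq 'Standard' -and $provider -eq 'None' } { 'GAP: plan on, no VA provider'; break }
            { $tier -eq 'Free' -and $provider -ne 'None' }     { 'INFO: VA set but plan is Free'; break }
            { $tier -eq 'Standard' }                           { 'OK'; break }
            default                                            { 'Servers plan off' }
        }

        [pscustomobject]@{
            Subscription   = $sub.Name
            SubscriptionId = $sub.Id
            ServersTier    = $tier
            VaProvider     = $provider
            Finding        = $finding
        }
    }
}

Get-ServersVaCoverage | Sort-Object Finding | Format-Table -AutoSize
```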

That’s it, there you have it!

Summary

In this article, we showed you how to query Azure Defender status on every Azure subscription with PowerShell and Azure Resource Graph.

Additional resources we highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 20+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

5 thoughts on “Effective Way To Check Azure Defender Status Plan”


  1. How come I only get a handful of results when running the below command?

    Search-AzGraph -Query "securityresources | where type == `"microsoft.security/pricings`" | extend tier = properties.pricingTier | project name, tier, subscriptionId"

    I’m supposed to query 600+ subs but I’m only getting 100+ in my results.

  2. Hello Soper, thanks for the comment!
    It looks like you’ve been throttled by the Azure Resource Manager (reads/12K).
    A better way is to use Azure Resource Graph Explorer here, and then run the query below:

    securityresources
    | where type == "microsoft.security/pricings"
    | project DefenderPlan=name, subscriptionId, Pricing = properties.pricingTier
    | order by DefenderPlan asc

    It should work in your large environment.
    Hope it helps!

  3. Hi Charbel.
    Great stuff, really!
    I was wondering how can I change your queries in order to list all subscriptions and which vulnerability management solution is enabled on them. Microsoft or Qualys?
    Thanks
    Sasa

  4. Hello Sasa, thanks for the comment and the great question!
    Please note that neither PowerShell, Azure CLI, nor Azure Resource Graph supports querying which vulnerability management solution is enabled.
    The only option that remains is to use the REST API to query and set the desired vulnerability management solution on the subscription level.
    Please check the following section and let me know if it works for you!
    Cheers,
