During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
In this article, we will share with you how to check Azure Defender status (formerly known as the Standard Tier in Azure Security Center) on every Azure subscription with PowerShell.
In This Article
Introduction
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
1) Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.
2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts. CWPP is part of the Azure Defender plan (formerly known as the Standard Tier).
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
- Azure Defender for Resource Manager
From the Environment settings area, you can also enable or disable one of the Azure Defender plans as shown in the figure below.
What if you have many subscriptions and you want to know which Azure Defender plan is enabled on which subscription?
In this quick article, we will share with you how to query Azure Defender on every Azure subscription and get its status with PowerShell.
Prerequisites
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Azure Security Center Free or Azure Defender enabled.
3) Azure PowerShell installed locally on your machine or using Azure Cloud Shell.
4) The Azure Resource Graph module for PowerShell. Please note that this module can be used with locally installed PowerShell, with Azure Cloud Shell, or with the PowerShell Docker image.
Install Azure Resource Graph module
In this example, I am using the Azure Cloud Shell. Open the Cloud Shell and run the following commands to install the Azure Resource Graph module from PowerShell Gallery.
# Install the Resource Graph module from PowerShell Gallery
Install-Module -Name Az.ResourceGraph
# Get a list of commands for the imported Az.ResourceGraph module
Get-Command -Module 'Az.ResourceGraph' -CommandType 'Cmdlet'At the time of this writing, I am running the latest Resource Graph PowerShell version (0.7.7).
Get Microsoft Defender status
Assuming you have all the prerequisites in place, open the Azure Cloud Shell (https://shell.azure.com/) and run the following command:
# Query Azure Defender Status and sort by tier
Search-AZGraph -Query "securityresources | where type == `"microsoft.security/pricings`" | extend tier = properties.pricingTier | project name, tier, subscriptionId" | Sort-object tierIn my example, the output looks like this. You can see the name of each Azure Defender plan if it’s enabled (Standard), or not (Free). The Standard tier is still referred to as the old naming, I believe that Microsoft will change it to Microsoft Defender in the future (the subscription Id has been intentionally obscured in this example).
For small to medium deployment, you could use the Azure PowerShell or CLI as described in this article. However, it is not a good idea to do it on a large scale because Azure Resource Manager (ARM) will throttle requests at 12k/h.
For large-scale deployment with a lot of subscriptions, it’s recommended to use the Azure Resource Graph (ARG) explorer.
Open the Azure Resource Graph Explorer blade and run the following KQL query:
securityresources
| where type == "microsoft.security/pricings"
| project DefenderPlan=name, subscriptionId, Pricing = properties.pricingTier
| order by DefenderPlan ascHere are the output and results of the query:
That’s it there you have it!
There’s more…
You could also get Microsoft Defender for Cloud status plan using PowerShell and the Azure CLI.
Azure PowerShell
# Set the Azure context for the relevant subscription
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
# Show Microsoft Defender for Cloud plan
Get-AzSecurityPricing | select Name, PricingTier, FreeTrialRemainingTime
Azure CLI
# Set the Azure context for the relevant subscription
az account set --subscription "xxxx-xxxx-xxxx-xxxx"
# Show Defender for Storage plan
az security pricing list --query "value[*].{DefenderPlan:name,Pricing:pricingTier,RemainingTime:freeTrialRemainingTime}" --output table
Summary
In this article, we showed you how to query Azure Defender status on every Azure subscription with PowerShell and Azure Resource Graph.
Additional resources we highly encourage you to check:
- Workflow automation in Azure Security Center to automate your security operations.
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
- Learn more about Microsoft Defender for Cloud, and check the official documentation from Microsoft.
- Learn how to enable file integrity monitoring for Windows and Linux Machines in Azure Security Center.
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
These Documents are super helpful!
How come I only get a handful of results when running the below command?
Search-AZGraph -Query “securityresources | where type == `”microsoft.security/pricings`” | extend tier = properties.pricingTier | project name, tier, subscriptionId”
I’m supposed to query 600+ subs but I’m only getting 100+ in my results.
Hello Soper, thanks for the comment!
It looks like you’ve been throttled by the Azure Resource Manager (reads/12K).
A better way is to use Azure Resource Graph Explorer here, and then run the query below:
It should work in your large environment.
Hope it helps!