CloudRunbook logo
Read

CloudRunbook | Practical Cloud Engineering

Defender for Cloud baseline: plan coverage, auto-provisioning, and turning recommendations into guardrails

14 Jan 2026 4 min read

A practical Defender for Cloud baseline for Azure landing zones: plan coverage decisions, auto-provisioning, and closing the loop with policy-backed guardrails.

Defender for Cloud Security Azure Landing Zones
Applies to
Defender for CloudAzure PolicyLog AnalyticsRecommendations
Effort
1–2 days
Risk
Medium
Rollback
Partial
Last reviewed
14 Jan 2026
TL;DR

Turn on the right Defender plans, auto-onboard every subscription, collect telemetry centrally, then turn high-value recommendations into policy-backed guardrails. Treat the portal as a status view — not the control plane.

Why you should care

Defender for Cloud is part signal, part configuration drift detector. Without a baseline:

  • workloads inherit random plan coverage
  • recommendations never feed back into policy
  • auto-provisioning toggles are left to subscription owners
  • breaches go undetected because telemetry never lands in a Log Analytics workspace

A tidy baseline gives you predictable coverage, standard deployment of agents, and an audit trail you can trust when auditors or responders come calling.

Baseline decision points

  1. Plan coverage granularity
    Decide which Defender plans are mandatory (servers, SQL, storage, containers, PaaS) and which remain optional. Align the cost profile with workload criticality.

  2. Telemetry landing zone
    Pick the Log Analytics workspace hierarchy up front. Cross-region data movement may matter for regulatory reasons.

  3. Auto-provisioning scope
    Enforce the default onboarding mode (agentless scanning, AMA, Defender CSPM agents) via policy, not portal toggles.

  4. Recommendation routing
    Decide who owns responding to each recommendation category. Do not leave it to platform alone.

  5. Guardrail feedback loop
    Select the top ten recurring Defender recommendations and codify them as Azure Policy initiatives.

  6. Exemptions vs governance
    Define how teams request exemptions. Every exemption should have an expiry and a tracked reason.

  7. Cost transparency
    Expose plan charges in dashboards or FinOps reviews so no one is surprised by the billing impact.

Runbook: stand up a Defender for Cloud baseline that sticks

  1. Confirm landing zone scope and target workspaces

    List every subscription that will enrol in Defender for Cloud. Decide whether they point to a central Log Analytics workspace or a per-environment set (prod vs non-prod). Capture workspace IDs and regions; they will be referenced in automation and policy.

  2. Enable plan coverage through IaC, not the portal

    Use Terraform, Bicep or the REST API to enable the Defender plans you need. This makes the state auditable. Typical minimum: servers, SQL (PaaS and IaaS), storage, containers, and Key Vault.

    resource defenderPlans 'Microsoft.Security/pricings@2023-01-01-preview' = [
  for plan in [
    'VirtualMachines'
    'SqlServers'
    'StorageAccounts'
    'Containers'
    'KeyVaults'
  ]: {
    name: plan
    properties: {
      pricingTier: 'Standard'
    }
  }
]
  3. Lock auto-provisioning to the desired agent set

    Turn on AMA, agentless scanning, and any extension deployment via IaC. Disable the old Log Analytics agent if you are migrating. Record which toggle maps to which use case so you can explain the bill later.

  4. Route telemetry into the correct workspaces

    For every subscription, assign the Diagnostic Settings template so Defender data lands in the agreed workspace. Confirm the retention settings and costs are covered by the platform team budget.

  5. Create a policy initiative for mandatory recommendations

    Pick the recommendations that map to genuine risk (public storage, SQL missing TDE, missing MFA on SQL logins, etc). Build an Azure Policy initiative and assign it at the landing-zone management group. This keeps Defender from nagging endlessly — it becomes an enforceable guardrail instead.

  6. Automate assignment of security contacts and notifications

    Configure the Microsoft.Security/securityContacts resource to point at platform inboxes, service management tooling, and (if applicable) SIEM connectors. Store the runbook for rotating these contacts when teams change.

  7. Surface Defender insights in your operations tooling

    Pipe Defender alerts into Sentinel, ticketing, or chat notifications. Make sure the operational teams know what to do with them; create short runbooks for the common alert types.

  8. Define the exemption workflow

    Document how a workload team requests an exemption when a recommendation or policy assignment is incorrect for their scenario. Track expiry dates and owners. Avoid indefinite blanket exemptions.

  9. Backfill historical coverage gaps

    Review existing subscriptions for plan coverage drift. Run a CLI or REST script to confirm the desired plans are enabled everywhere. This is often a one-off night shift to clean up legacy subs.

  10. Publish cost visibility

    Share dashboards showing Defender charges per subscription. This prevents surprise resistance the next time you enforce a plan upgrade.

Common pitfalls

Portal toggles left to workload owners

If you rely on subscription owners to enable plans or agents, coverage will drift in days. Automate via IaC and policy.

One workspace per workload

Sprawling workspaces make data unqueryable. Fewer, well-governed workspaces keep costs and queries predictable.

Ignoring recommendations that should be policy

If Defender keeps complaining about the same misconfiguration, codify it as policy. Constant noise erodes trust in the tool.

No exemption expiry

Temporary waivers without an end date become permanent blind spots. Always set review dates.

Validation checklist

  • Every target subscription shows the expected Defender plans enabled via IaC state.

  • Auto-provisioning toggles match the documented baseline (AMA, agentless scanning, etc).

  • Security contacts and notification channels receive Defender alerts during testing.

  • Diagnostic settings push Defender data into the agreed Log Analytics workspace(s).

  • Policy initiatives exist for the high-impact recommendations you care about.

  • Exemptions are tracked with owners and expiry dates.

  • Operations teams confirm Defender alerts reach their tooling and have clear response steps.

  • Cost dashboards or reports show Defender charges per subscription.

Rollback / back-out plan

  • If a plan change causes unexpected cost or noise, revert the IaC commit and redeploy to disable the affected plan. Expect data gaps in the interim.
  • Auto-provisioning misconfiguration can be backed out by switching the toggle in IaC and removing the agents/extensions through Azure Policy remediation.
  • Workspace routing issues can be reverted by repointing Diagnostic Settings to the prior workspace, but keep the storage retention impact in mind.
  • For policy initiatives that unintentionally block delivery, disable the assignment rather than deleting it, then rework the policy definitions offline.

Rollback is partial because telemetry once collected remains in the workspace and some policies may have already remediated resources.