Disable Microsoft Defender for Cloud plans

You can disable Microsoft Defender for Cloud plans on your connected environments to manage your security costs. When you disable a plan, the associated security features, recommendations, and alerts for that plan stop appearing in Defender for Cloud.

Each Defender for Cloud plan has a different pricing structure based on attached resources and enabled subplans. For more information, see the Defender for Cloud pricing page. You can also estimate costs with the Defender for Cloud cost calculator.

Disable plans on the subscription level

Disabling a plan at the subscription level affects all resources under that subscription unless resource-level overrides are active.

If you created a resource to support a plan, such as a Log Analytics workspace or a Storage Account, delete it manually when it's no longer needed.

To disable plans at the subscription level:

1. Sign in to the Azure portal.

2. Go to Microsoft Defender for Cloud > Environment settings.

3. Select the relevant Azure, Amazon Web Services (AWS), or Google Cloud Project (GCP) subscription.

   

Disable plans by multicloud environment

To continue, select the relevant multicloud environment.

Azure

1. Find the plans you want to disable and toggle the switch to Off.

   

   1. (Optional) To disable the Defender for Databases plan, use the pop-up to turn off all four Defender for Databases subplans.

      

2. Select Continue.

3. Select Save.

AWS

1. Find the plans you want to disable and toggle the switch to Off.

   

2. Select Next: Configure access.

3. Select a deployment type:

   • Default access: Allows Defender for Cloud to scan your resources and automatically include future capabilities.
   • Least privilege access: Grants Defender for Cloud access only to the current permissions needed for the selected plans. If you select the least privileged permissions, you receive notifications on any new roles and permissions that are required to get full functionality for connector health.

4. Select a deployment method: AWS CloudFormation or Terraform.

   

5. Follow the on-screen instructions for the selected deployment method to complete the required dependencies on AWS.

6. Select the check box to confirm you followed the instructions.

7. Select Next: Review and generate.

8. Select Create.

GCP

1. Find the plans you want to disable and toggle the switch to Off.

   

2. Select Next: Configure access.

3. Select a deployment type:

   • Default access: Allows Defender for Cloud to scan your resources and automatically include future capabilities.
   • Least privilege access: Grants Defender for Cloud access only to the current permissions needed for the selected plans. If you select the least privileged permissions, you receive notifications on any new roles and permissions that are required to get full functionality for connector health.

4. Select a deployment method: GCP Cloud shell or Terraform.

5. Follow the on-screen instructions for the selected deployment method to complete the required dependencies on Google Cloud.

   

6. Select the check box to confirm you followed the instructions.

7. Select Next: Review and generate.

8. Select Create.

Important

Defender for Cloud stops monitoring and onboarding all your resources after you disable all plans in your environment.

Disabling plans doesn't cancel your subscription. To cancel your subscription, use the Azure subscription cancellation process.

Ensure plans are fully disabled

Turning off a plan at the subscription level doesn't prevent it from being turned on for a specific resource, which can generate charges. To fully disable a plan for a specific resource, check the resource-level configuration for that plan.

For security purposes, Defender for Cloud has multiple features that can re-enable themselves. Those mechanisms include:

• Autoprovisioning (agents/extensions that get reinstalled)
• Azure Policy assignments that redeploy Defender for Cloud components
• Resource-level settings

Note

To confirm that charges stop, check your billing meters in Cost Management + Billing.

1. Disable autoprovisioning

Autoprovisioning can silently reinstall agents or extensions after you turn off plans. To prevent reinstallation, disable autoprovisioning for Endpoint protection and Guest Configuration agent in Defender for Cloud settings.

1. Sign in to the Azure portal.

2. Go to Microsoft Defender for Cloud > Environment settings > relevant subscription or resource.

3. Select Settings for the relevant plans.

   

4. Toggle Guest configuration agent to Off.

5. Toggle Endpoint protection to Off.

6. Select Continue.

7. Select Save.

2. Disable Azure Policy assignments

As a security measure, Defender for Cloud includes Azure Policy initiatives that automatically redeploy Defender for Cloud components if you uninstall them. To prevent this automatic redeployment, identify and disable any relevant Azure Policy assignments.

1. Sign in to the Azure portal.

2. Search for and select Policy.

3. Select Assignments.

   

4. Search policies starting with Deploy Microsoft Defender for Endpoint....

   

5. Select each relevant policy assignment.

6. Select Delete assignment.

Check resource-level settings

You can enable Microsoft Defender for Cloud for individual resources, even if you turn off the subscription-level plan. To fully stop charges, check and disable Microsoft Defender for Cloud on each supported resource type.

To check and disable Defender for Cloud at the resource level:

1. Sign in to the Azure portal.

2. Open the specific Azure resource.

3. Locate and select Microsoft Defender for Cloud.

4. Turn Defender for Cloud to Off.

5. Select Save.

Resource-specific instructions

The following resource types are the most common where Defender for Cloud stays enabled.

App Service

App Service is the most common place where Defender for Cloud stays enabled accidentally. You pay for Defender for App Service per App Service plan. It can stay enabled even when the subscription plan is off.

1. Sign in to the Azure portal.

2. Open the App Service plan (not the individual app).

3. Select Microsoft Defender for Cloud.

4. Set Defender for App Service to Off.

5. Select Save.

Storage Accounts

The resource-level setting overrides the subscription setting. Charges stop for that storage account only.

1. Sign in to the Azure portal.

2. Open the Storage Account.

3. Select Microsoft Defender for Cloud.

4. Toggle Defender for Storage to Off.

5. Select Save.

Virtual Machines

If autoprovisioning or an Azure Policy assignment is still active, agents might be reinstalled. This dependency is why subscription-level cleanup still matters.

1. Sign in to the Azure portal.

2. Search for and select Virtual Machines.

3. Select a virtual machine (VM).

4. Ensure Defender for Servers displays unknown.

   

5. If Microsoft Defender for Servers displays On, go to Microsoft Defender for Cloud > Environment settings > relevant subscription or resource.

6. Toggle Defender for Servers to Off.

7. Select Save.

SQL / Databases

1. Sign in to the Azure portal.

2. Open the SQL Server or SQL Database resource.

3. Select Microsoft Defender for Cloud.

4. Select Configure.

   

5. Toggle Microsoft Defender for SQL to Off.

6. Select Save.

Servers

At the resource level, you can enable or disable Defender for Servers plan 1. For plan 2, you can disable it for specific resources only when plan 2 remains enabled at the subscription level.

For example, you can enable Defender for Servers plan 2 at the subscription level and disable it for specific resources within the subscription. However, you can't enable plan 2 only on specific resources. If you're still being billed even after you disable the plan, use the Coverage workbook to see what resources remain covered.

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. Go to Environment settings.

4. Select a relevant subscription or workspace.

5. Toggle Defender for Servers plan 1 or plan 2 to Off.

6. Select Save.

7. Repeat for each relevant subscription or workspace.

Confirm resource-level Defender is off

To confirm that resource-level Defender is truly off, use billing as the source of truth.

1. Sign in to the Azure portal.

2. Go to Cost Management + Billing > Cost analysis.

3. Filter by Service name and Meter name.

4. Look for meters such as:

   • Defender for App Service
   • Defender for Storage
   • Defender for Servers
   • Defender CSPM (Cloud Security Posture Management)

If charges still appear, there's at least one resource with Defender still enabled, or a policy or autoprovisioning rule is re-enabling it.

Confirm you're no longer covered

After you disable the plans and confirm that you're no longer billed, use the Coverage workbook to verify your current coverage.

Next step

What is Microsoft Defender for Cloud?