Microsoft defender for cloud - environment settings - auto provisioning

Question

Hi all,
When trying to get list of all auto provisioning extensions using REST API (https://learn.microsoft.com/en-us/rest/api/defenderforcloud/auto-provisioning-settings/list?tabs=HTTP) I'm getting only the default one - Log Analytics agent/Azure Output:

"value": [
{
"id": "/subscriptions/blahblahblah/providers/Microsoft.Security/autoProvisioningSettings/default",
"name": "default",
"type": "Microsoft.Security/autoProvisioningSettings",
"properties": {
"autoProvision": "On"
}
}
]
}

Does anyone have an idea how to get the other auto provisioning extensions state?

• Vulnerability assessment for machines
• Microsoft Defender for Containers components.

Answer 1

Hi,
This API only has a default one. Basically it is an old API that still exists and works for the Log Analytics agent only but mainly when you enable the options in the screenshot, they are now applied by creating Azure Policy assignments when you set them to On. The created Azure policy assignments take care of installing the needed resources.

Added: I have now create a blog post on how to do this via Bicep.

Added:
As I wrote on my previous answer this is just regular policy assignments so it is policy assignments API.. The policies definitions that are used to assign the policies are:

Guest Configuration Agent:

• Azure Policy definition Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
• Azure Policy definition Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
• Azure Policy definition Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
• Azure Policy definition Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Azure Monitor agent:

• Preview: Configure machines to create the user-defined Microsoft Defender for Cloud pipeline using Azure Monitor Agent

Vulnerability Assessment:

• Azure Policy definition Configure machines to receive a vulnerability assessment provider

If you choose "Microsoft threat and vulnerability management" option you will also need to create resource of type Microsoft.Security/serverVulnerabilityAssessmentsSettings with name and kind AzureServersSetting at subscription scope and property selectedProvider set to MdeTvm.

AKS:

• Azure Policy definition Configure Azure Kubernetes Service clusters to enable Defender profile
• Azure Policy definition Preview: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
• Azure Policy definition Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
• Preview: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension

Below you can see the policy assignments created when you enable those. You can enable and disable to see those policies appear and disappear.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.