How to deploy Defender for Cloud at the management group level while it is already enabled at the per-subscription level?

Rakesh Singh 205 Reputation points
2024-08-28T20:01:33.3366667+00:00

I have a few questions regarding deployment of Defender for Cloud at a management group level via Azure Policy.

  • If the Defender for Cloud portal is already showing Defender for Cloud plans enabled on the subscriptions under the targeted MG, how would we know whether it was already deployed at the management group level or at the per-subscription level?
  • If it was deployed at the subscription level, do I have to remove the existing workspaces that would already be there for Defender (default or custom, both) to deploy Defender at the management group level?

Would appreciate some insight on this, as it is tricky to understand an existing deployment that has no documentation in the org and then plan the deployment as I explained above.

Microsoft Defender for Cloud

Accepted answer
  1. Stanislav Zhelyazkov 24,046 Reputation points MVP
    2024-08-29T06:09:35.4233333+00:00

    Hi,

    Defender for Cloud plans are not available at management group scope; they are only available at subscription scope. This means that there is nothing that you can enable at management group scope for Defender for Cloud plans. If you want to configure Defender for Cloud plans on all subscriptions that are part of a management group, you can configure the Azure Policy "Configure Microsoft Defender for Cloud plans" at the management group scope. That way you will not have to go and configure each subscription individually; Azure Policy will do that for you by applying the policy and remediating it.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
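One way to see where an existing Defender for Cloud policy assignment was made, as an added example that is not part of the original answer: it classifies the `scope` of each assignment in JSON shaped like the output of `az policy assignment list --scope /subscriptions/<id> --disable-scope-strict-match -o json`. The display-name keyword match and all sample names and IDs are assumptions constructed for illustration.

```python
import json

MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def classify_scope(scope):
    """Map an ARM scope string to (kind, name)."""
    s = scope.strip().rstrip("/")
    if s.lower().startswith(MG_PREFIX):
        return ("management_group", s[len(MG_PREFIX):])
    parts = [p for p in s.split("/") if p]
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return ("subscription", parts[1])
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return ("resource_group", parts[3])
    return ("other", s)

def defender_assignments(assignments, keyword="defender for cloud"):
    """Group assignments whose display name contains the keyword by scope kind.
    Assumption: the assignment kept a recognisable display name."""
    found = {}
    for a in assignments:
        if keyword in (a.get("displayName") or "").lower():
            kind, name = classify_scope(a.get("scope") or "")
            found.setdefault(kind, []).append((a.get("name"), name))
    return found

def summarize(found):
    """Report the highest scope at which a matching assignment exists."""
    for kind in ("management_group", "subscription", "resource_group"):
        if kind in found:
            return "policy assigned at " + kind.replace("_", " ")
    # No match: plans were enabled some other way (portal, API, automation).
    return "no matching policy assignment"

# Constructed sample input; names and IDs are placeholders, not real values.
SAMPLE = json.loads("""[
 {"name": "asg-mdc-plans", "displayName": "Configure Microsoft Defender for Cloud plans",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
 {"name": "asg-locations", "displayName": "Allowed locations",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"name": "asg-mdc-sub", "displayName": "Defender for Cloud plans (subscription)",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")

if __name__ == "__main__":
    result = defender_assignments(SAMPLE)
    print(summarize(result))
    for kind, items in result.items():
        print(kind, items)
```
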
