
Azure Kubernetes Service clusters should have Defender profile enabled

Sruthisha J M 0 Reputation points
2026-03-23T07:17:51.0766667+00:00

Azure Kubernetes Service clusters should have Defender profile enabled. We have already enabled Defender for Containers and deployment sensors for the subscriptions. To remediate this recommendation, apart from the quick fix option, is there any way to remediate it? What is the approach to remediating it? Let us know if there is any cost involved in remediating. We would like to know: if we enable the quick fix option, are there any changes happening, or does it impact the workload?

Azure Kubernetes Service

An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.


2 answers

  1. Manish Deshpande 5,420 Reputation points Microsoft External Staff Moderator
    2026-03-23T12:57:30.12+00:00

    Hello Sruthisha,

    Thank you for your question. You are correct that enabling Microsoft Defender for Containers at the subscription level is an important prerequisite; however, this alone does not automatically enable the Defender profile on existing AKS clusters.

    The recommendation “Azure Kubernetes Service clusters should have Defender profile enabled” specifically checks whether the Defender profile (securityProfile.defender) is enabled on each AKS cluster so that the Defender sensor is deployed to the nodes for runtime threat protection.

    Recommended and Supported Remediation

    The supported and recommended approach is to enable the Defender profile directly on the affected AKS clusters. This can be done either via the Quick Fix option in Microsoft Defender for Cloud or manually.

    • The Quick Fix deploys the Defender sensor (DaemonSet) and required configuration to the cluster.
    • This action does not restart nodes or workloads and is designed to have minimal performance impact, as it only collects security telemetry and runtime signals.

    Link :

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-azure-enable-portal

    Alternative approach

    If you prefer a controlled rollout:

    • Enable the Defender profile using Azure CLI or Infrastructure as Code (ARM/Bicep).
    • You can selectively enable or disable Defender components (such as the Defender sensor or Azure Policy add‑on) after deployment.

    Link :

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-azure-configure

    • Enabling the Defender profile does not modify application workloads
    • No pod restarts or cluster downtime are introduced
    • The deployed Defender sensor runs as a DaemonSet and is designed for low overhead monitoring

    Microsoft explains that the Defender profile deploys an agent only to collect security events and signals, not to interfere with application traffic or scheduling.

    If the recommendation continues to appear after enabling the Defender profile, or if you observe any unexpected behavior, please let us know. We are happy to assist further and review the cluster configuration in detail.

    Kindly add your observations or questions in the Comment section, and we will respond promptly.

    Thanks.
    Manish

    1 person found this answer helpful.
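For the controlled rollout via Azure CLI mentioned in the answer above, the following added example (not part of the original answers and not Microsoft's code) audits cluster JSON for `securityProfile.defender` and builds one `az aks update --enable-defender` command per non-compliant cluster, so each can be reviewed before it is run. The cluster names, resource groups and the `securityMonitoring.enabled` sub-field shape are assumptions in a constructed sample modeled on `az aks list -o json` output.

```python
import json
import shlex

# Constructed sample shaped like `az aks list -o json` output (not real clusters).
SAMPLE = json.loads("""
[
  {"name": "aks-prod", "resourceGroup": "rg-prod",
   "securityProfile": {"defender": {"securityMonitoring": {"enabled": true}}}},
  {"name": "aks-dev", "resourceGroup": "rg-dev", "securityProfile": null},
  {"name": "aks-test", "resourceGroup": "rg-test(eu)",
   "securityProfile": {"defender": {"securityMonitoring": {"enabled": false}}}}
]
""")


def defender_enabled(cluster):
    """True only if securityProfile.defender.securityMonitoring.enabled is true.

    A missing or null level anywhere on that path counts as not enabled.
    """
    node = cluster
    for key in ("securityProfile", "defender", "securityMonitoring"):
        node = (node or {}).get(key)
    return bool((node or {}).get("enabled"))


def remediation_plan(clusters):
    """Return one `az aks update` command per cluster lacking the Defender profile."""
    plan = []
    for c in clusters:
        if defender_enabled(c):
            continue  # already compliant, leave untouched
        plan.append(
            "az aks update --resource-group {} --name {} --enable-defender".format(
                shlex.quote(c["resourceGroup"]),  # quote for safe shell use
                shlex.quote(c["name"]),
            )
        )
    return plan


if __name__ == "__main__":
    # Print the plan for review; nothing is executed against Azure here.
    for cmd in remediation_plan(SAMPLE):
        print(cmd)
```

To audit a real subscription, load the output of `az aks list -o json` in place of `SAMPLE`.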

  2. SUNOJ KUMAR YELURU 18,171 Reputation points MVP Volunteer Moderator
    2026-03-23T09:40:18.0133333+00:00

    Hello @Sruthisha J M,

    You have a couple of options apart from the quick fix option. One approach is to manually deploy the Defender sensor to your AKS clusters using the Azure portal or Helm.

    Manual Deployment Steps:

    Using the Azure Portal:

    1. Navigate to Microsoft Defender for Cloud > Recommendations.
    2. Search for the recommendation: “Azure Kubernetes Service clusters should have Defender profile enabled”.
    3. Select the AKS clusters that require the sensor and click on Fix.
    4. Review the deployment configuration and confirm the deployment.

    Using Helm: Helm allows for more control over the deployment and is particularly useful in DevOps scenarios. You can integrate the deployment into CI/CD pipelines and manage updates flexibly. For detailed instructions, refer to the Helm deployment guide.

    Cost Considerations: Enabling Defender for Containers may incur costs based on the resources used and the Defender plan selected. It’s important to review the pricing details associated with Defender for Cloud services to understand any potential costs involved in enabling these features.

    Impact of Quick Fix Option: If you choose the quick fix option, it will automatically deploy the Defender sensor to all AKS clusters in your subscription. This action may impact your workload temporarily as the sensor is deployed and configured, but it is designed to minimize disruption. The deployment process is intended to be seamless, allowing for continued operation of your workloads while enhancing security measures.

    In summary, you can remediate the recommendation by manually deploying the Defender sensor or using Helm, and while the quick fix option is convenient, it may have a temporary impact on your workloads during deployment.


    If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.

    1 person found this answer helpful.
