Microsoft Defender for Cloud's basic and enhanced security features

Defender for Cloud offers many enhanced security features that can help protect your organization against threats and attacks.

  • Basic security features (Free) - When you open Defender for Cloud in the Azure portal for the first time or if you enable it through the API, Defender for Cloud is enabled for free on all your Azure subscriptions. By default, Defender for Cloud provides the secure score, security policy and basic recommendations, and network security assessment to help you protect your Azure resources.

    If you want to try out the enhanced security features, enable enhanced security features for free for the first 30 days. At the end of 30 days, if you decide to continue using the service, we'll automatically start charging for usage. For pricing details in your local currency or region, see the pricing page.

  • Enhanced security features (Paid) - When you enable the enhanced security features, Defender for Cloud can provide unified security management and threat protection across your hybrid cloud workloads, including:

    • Microsoft Defender for Endpoint - Microsoft Defender for Servers includes Microsoft Defender for Endpoint for comprehensive endpoint detection and response (EDR). Learn more about the benefits of using Microsoft Defender for Endpoint together with Defender for Cloud in Use Defender for Cloud's integrated EDR solution.

    • Vulnerability assessment for virtual machines, container registries, and SQL resources - Easily enable vulnerability assessment solutions to discover, manage, and resolve vulnerabilities. View, investigate, and remediate the findings directly from within Defender for Cloud.

    • Multicloud security - Connect your accounts from Amazon Web Services (AWS) and Google Cloud Platform (GCP) to protect resources and workloads on those platforms with a range of Microsoft Defender for Cloud security features.

    • Hybrid security – Get a unified view of security across all of your on-premises and cloud workloads. Apply security policies and continuously assess the security of your hybrid cloud workloads to ensure compliance with security standards. Collect, search, and analyze security data from multiple sources, including firewalls and other partner solutions.

    • Threat protection alerts - Advanced behavioral analytics and the Microsoft Intelligent Security Graph provide an edge over evolving cyber-attacks. Built-in behavioral analytics and machine learning can identify attacks and zero-day exploits. Monitor networks, machines, data stores (SQL servers hosted inside and outside Azure, Azure SQL databases, Azure SQL Managed Instance, and Azure Storage) and cloud services for incoming attacks and post-breach activity. Streamline investigation with interactive tools and contextual threat intelligence.

    • Track compliance with a range of standards - Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in Microsoft cloud security benchmark. When you enable the enhanced security features, you can apply a range of other industry standards, regulatory standards, and benchmarks according to your organization's needs. Add standards and track your compliance with them from the regulatory compliance dashboard.

    • Access and application controls - Block malware and other unwanted applications by applying machine learning powered recommendations adapted to your specific workloads to create allowlists and blocklists. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs. Access and application control drastically reduce exposure to brute force and other network attacks.

    • Container security features - Benefit from vulnerability management and real-time threat protection on your containerized environments. Charges are based on the number of unique container images pushed to your connected registry. After an image has been scanned once, you won't be charged for it again unless it's modified and pushed once more.

    • Breadth threat protection for resources connected to Azure - Cloud-native threat protection for the Azure services common to all of your resources: Azure Resource Manager, Azure DNS, Azure network layer, and Azure Key Vault. Defender for Cloud has unique visibility into the Azure management layer and the Azure DNS layer, and can therefore protect cloud resources that are connected to those layers.

    • Manage your Cloud Security Posture Management (CSPM) - CSPM offers you the ability to remediate security issues and review your security posture through the tools provided. These tools include:

      • Security governance and regulatory compliance
      • Cloud security graph
      • Attack path analysis
      • Agentless scanning for machines

      Learn more about CSPM.

FAQ - Pricing and billing

How can I track who in my organization enabled a Microsoft Defender plan in Defender for Cloud?

Azure Subscriptions may have multiple administrators with permissions to change the pricing settings. To find out which user made a change, use the Azure Activity Log.

Azure Activity log showing a pricing change event.

If the user's info isn't listed in the Event initiated by column, explore the event's JSON for the relevant details.

Azure Activity log JSON explorer.

What are the plans offered by Defender for Cloud?

The free offering from Microsoft Defender for Cloud offers the secure score and related tools. Enabling enhanced security turns on all of the Microsoft Defender plans to provide a range of security benefits for all your resources in Azure, hybrid, and multicloud environments.

How do I enable Defender for Cloud's enhanced security for my subscription?

You can use any of the following ways to enable enhanced security for your subscription:

Method Instructions
Defender for Cloud pages of the Azure portal Enable enhanced protections
REST API Pricings API
Azure CLI az security pricing
PowerShell Set-AzSecurityPricing
Azure Policy Bundle Pricings

Can I enable Microsoft Defender for Servers on a subset of servers?

No. When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, all of the connected machines will be protected by Defender for Servers.

Another alternative is to enable Microsoft Defender for Servers at the Log Analytics workspace level. If you do this, only servers reporting to that workspace will be protected and billed. However, several capabilities will be unavailable. These include Microsoft Defender for Endpoint, VA solution (TVM/Qualys), just-in-time VM access, and more.

If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Defender for Servers?

If you already have a license for Microsoft Defender for Endpoint for Servers Plan 2, you won't have to pay for that part of your Microsoft Defender for Servers license. Learn more about this license.

To request your discount, contact Defender for Cloud's support team. You'll need to provide the relevant workspace ID, region, and number of Microsoft Defender for Endpoint for servers licenses applied for machines in the given workspace.

The discount will be effective starting from the approval date, and won't take place retroactively.

My subscription has Microsoft Defender for Servers enabled, which machines do I pay for?

When you enable Microsoft Defender for Servers on a subscription, all machines in that subscription (including machines that are part of PaaS services and reside in this subscription) are billed according to their power state as shown in the following table:

State Description Instance usage billed
Starting VM is starting up. Not billed
Running Normal working state for a VM Billed
Stopping This state is transitional. When completed, it will show as Stopped. Billed
Stopped The VM has been shut down from within the guest OS or using the PowerOff APIs. Hardware is still allocated to the VM and it remains on the host. Billed
Deallocating This state is transitional. When completed, the VM will show as Deallocated. Not billed
Deallocated The VM has been stopped successfully and removed from the host. Not billed

Azure Virtual Machines showing a deallocated machine.

If I enable Defender for Clouds Servers plan on the subscription level, do I need to enable it on the workspace level?

When you enable the Servers plan on the subscription level, Defender for Cloud will enable the Servers plan on your default workspaces automatically. Connect to the default workspace by selecting Connect Azure VMs to the default workspace(s) created by Defender for Cloud option and selecting Apply.

Screenshot showing how to auto-provision Defender for Cloud to manage your workspaces.

However, if you're using a custom workspace in place of the default workspace, you'll need to enable the Servers plan on all of your custom workspaces that don't have it enabled.

If you're using a custom workspace and enable the plan on the subscription level only, the Microsoft Defender for servers should be enabled on workspaces recommendation will appear on the Recommendations page. This recommendation will give you the option to enable the servers plan on the workspace level with the Fix button. You're charged for all VMs in the subscription even if the Servers plan isn't enabled for the workspace. The VMs won't benefit from features that depend on the Log Analytics workspace, such as Microsoft Defender for Endpoint, VA solution (TVM/Qualys), and Just-in-Time VM access.

Enabling the Servers plan on both the subscription and its connected workspaces, won't incur a double charge. The system will identify each unique VM.

If you enable the Servers plan on cross-subscription workspaces, connected VMs from all subscriptions will be billed, including subscriptions that don't have the Servers plan enabled.

Will I be charged for machines without the Log Analytics agent installed?

Yes. When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, you'll be charged for all machines that are connected to your Azure subscription or AWS account. The term machines include Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.

If a Log Analytics agent reports to multiple workspaces, will I be charged twice?

If a machine, reports to multiple workspaces, and all of them have Defender for Servers enabled, the machines will be billed for each attached workspace.

If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?

Yes. If you configure your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.

Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?

You'll get 500-MB free data ingestion per day, for every VM connected to the workspace. Specifically for the security data types that are directly collected by Defender for Cloud.

This data is a daily rate averaged across all nodes. Your total daily free limit is equal to [number of machines] x 500 MB. So even if some machines send 100 MB and others send 800 MB, if the total doesn't exceed your total daily free limit, you won't be charged extra.

What data types are included in the 500-MB data daily allowance?

Defender for Cloud's billing is closely tied to the billing for Log Analytics. Microsoft Defender for Servers provides a 500 MB/node/day allocation for machines against the following subset of security data types:

If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data.

How can I monitor my daily usage

You can view your data usage in two different ways, the Azure portal, or by running a script.

To view your usage in the Azure portal:

  1. Sign in to the Azure portal.

  2. Navigate to Log Analytics workspaces.

  3. Select your workspace.

  4. Select Usage and estimated costs.

    Screenshot of your data usage of your log analytics workspace.

You can also view estimated costs under different pricing tiers by selecting for each pricing tier.

Screenshot showing how to view estimated costs under additional pricing tiers.

To view your usage by using a script:

  1. Sign in to the Azure portal.

  2. Navigate to Log Analytics workspaces > Logs.

  3. Select your time range. Learn about time ranges.

  4. Copy and past the following query into the Type your query here section.

    let Unit= 'GB';
    Usage
    | where IsBillable == 'TRUE'
    | where DataType in ('SecurityAlert', 'SecurityBaseline', 'SecurityBaselineSummary', 'SecurityDetection', 'SecurityEvent', 'WindowsFirewall', 'MaliciousIPCommunication', 'SysmonEvent', 'ProtectionStatus', 'Update', 'UpdateSummary')
    | project TimeGenerated, DataType, Solution, Quantity, QuantityUnit
    | summarize DataConsumedPerDataType = sum(Quantity)/1024 by  DataType, DataUnit = Unit
    | sort by DataConsumedPerDataType desc
    
  5. Select Run.

    Screenshot showing where to enter your query and where the select run button is located.

You can learn how to Analyze usage in Log Analytics workspace.

Based on your usage, you won't be billed until you've used your daily allowance. If you're receiving a bill, it's only for the data used after the 500-MB limit is reached, or for other service that doesn't fall under the coverage of Defender for Cloud.

Next steps

This article explained Defender for Cloud's pricing options. For related material, see:

Important

Solution targeting has been deprecated because the Log Analytics agent is being replaced with the Azure Monitor agent and solutions in Azure Monitor are being replaced with insights. You can continue to use solution targeting if you already have it configured, but it is not available in new regions. The feature will not be supported after August 31, 2024. Regions that support solution targeting until the deprecation date are:

Region code Region name
CCAN canadacentral
CHN switzerlandnorth
CID centralindia
CQ brazilsouth
CUS centralus
DEWC germanywestcentral
DXB UAENorth
EA eastasia
EAU australiaeast
EJP japaneast
EUS eastus
EUS2 eastus2
NCUS northcentralus
NEU NorthEurope
NOE norwayeast
PAR FranceCentral
SCUS southcentralus
SE KoreaCentral
SEA southeastasia
SEAU australiasoutheast
SUK uksouth
WCUS westcentralus
WEU westeurope
WUS westus
WUS2 westus2
Air-gapped clouds Region code Region name
UsNat EXE usnateast
UsNat EXW usnatwest
UsGov FF usgovvirginia
China MC ChinaEast2
UsGov PHX usgovarizona
UsSec RXE usseceast
UsSec RXW ussecwest