Onboard agentless container posture in Defender CSPM

Onboarding agentless container posture in Defender CSPM allows you to gain all its capabilities.

Defender CSPM includes two extensions that allow for agentless visibility into Kubernetes and containers registries across your organization's software development lifecycle.

To onboard agentless container posture in Defender CSPM:

  1. Before starting, verify that the subscription is onboarded to Defender CSPM.

  2. In the Azure portal, navigate to the Defender for Cloud's Environment Settings page.

  3. Select the subscription that's onboarded to the Defender CSPM plan, then select Settings.

  4. Ensure the Agentless discovery for Kubernetes and Agentless Container vulnerability assessments extensions are toggled to On.

  5. Select Continue.

    Screenshot of selecting components.

  6. Select Save.

A notification message pops up in the top right corner that verifies that the settings were saved successfully.


Agentless discovery for Kubernetes uses AKS trusted access. For more information about about AKS trusted access, see Enable Azure resources to access Azure Kubernetes Service (AKS) clusters using Trusted Access.

What are the extensions for agentless container posture management?

There are two extensions that provide agentless CSPM functionality:

  • Agentless Container vulnerability assessments: Provides agentless containers vulnerability assessments. Learn more about Agentless Container vulnerability assessment.
  • Agentless discovery for Kubernetes: Provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup.

How can I onboard multiple subscriptions at once?

To onboard multiple subscriptions at once, you can use this script.

Why don't I see results from my clusters?

If you don't see results from your clusters, check the following:

What can I do if I have stopped clusters?

We don't support or charge stopped clusters. To get the value of agentless capabilities on a stopped cluster, you can rerun the cluster.

What do I do if I have locked resource groups, subscriptions, or clusters?

We suggest that you unlock the locked resource group/subscription/cluster, make the relevant requests manually, and then relock the resource group/subscription/cluster by doing the following:

  1. Enable the feature flag manually via CLI by using Trusted Access.

    “az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview” 
  2. Perform the bind operation in the CLI:

    az account set -s <SubscriptionId> 
    az extension add --name aks-preview 
    az aks trustedaccess rolebinding create --resource-group <cluster resource group> --cluster-name <cluster name> --name defender-cloudposture --source-resource-id /subscriptions/<SubscriptionId>/providers/Microsoft.Security/pricings/CloudPosture/securityOperators/DefenderCSPMSecurityOperator --roles  "Microsoft.Security/pricings/microsoft-defender-operator" 

For locked clusters, you can also do one of the following:

  • Remove the lock.
  • Perform the bind operation manually by making an API request.

Learn more about locked resources.

Are you using an updated version of AKS?

Learn more about supported Kubernetes versions in Azure Kubernetes Service (AKS).

Next Steps