Azure Monitor Agent in Defender for Cloud
To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis.
In this article, we give an overview of AMA preferences for when you deploy Defender for SQL servers on machines.
Note
As part of the Defender for Cloud updated strategy, Azure Monitor Agent will no longer be required for the Defender for Servers offering. However, it will still be required for Defender for SQL Server on machines. As a result, the previous autoprovisioning process for both agents has been adjusted accordingly. Learn more about this announcement.
Azure Monitor Agent in Defender for Servers
Azure Monitor Agent (AMA) is still available for deployment on your servers but isn't required to receive Defender for Servers features and capabilities. To ensure your servers are secured and receive all the security content of Defender for Servers, verify that Defender for Endpoint (MDE) integration and agentless disk scanning are enabled on your subscriptions. This ensures you’ll seamlessly be up to date and receive all the alternative deliverables once they're provided.
AMA provisioning is available through the Microsoft Defender for Cloud platform only through Defender for SQL servers on machines. Learn how to deploy AMA on your servers using standard methods including PowerShell, CLI, and Resource Manager templates.
Availability
The following information on availability is relevant for the Defender for SQL plan only.
Aspect | Details |
---|---|
Release state: | Generally available (GA) |
Relevant Defender plan: | Defender for SQL Servers on Machines |
Required roles and permissions (subscription-level): | Owner |
Supported destinations: | Azure virtual machines; Azure Arc-enabled machines |
Policy-based: | Yes |
Clouds: | Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet |
Prerequisites
Before you deploy AMA with Defender for Cloud, you must have the following prerequisites:
- Make sure your multicloud and on-premises machines have Azure Arc installed.
  - AWS and GCP machines
    - Onboard your AWS connector and autoprovision Azure Arc.
    - Onboard your GCP connector and autoprovision Azure Arc.
  - On-premises machines
- Make sure the Defender plans that you want the Azure Monitor Agent to support are enabled:
Deploy the SQL server-targeted AMA autoprovisioning process
Deploying Azure Monitor Agent with Defender for Cloud is available for SQL servers on machines as detailed here.
Impact of running with both the Log Analytics and Azure Monitor Agents
You can run both the Log Analytics and Azure Monitor Agents on the same machine, but you should be aware of these considerations:
- Certain recommendations or alerts are reported by both agents and appear twice in Defender for Cloud.
- Each machine is billed once in Defender for Cloud, but make sure you track billing of other services connected to Log Analytics and Azure Monitor, such as the Log Analytics workspace data ingestion.
- Both agents have a performance impact on the machine.
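To find the machines these considerations apply to, the following added example (not Microsoft's code) classifies machines by which agent extensions they carry. The extension publisher/type pairs are the ones the two agents install under; the inventory record shape and the machine names are assumptions constructed for the example.

```python
# Added example: find machines carrying both agents (duplicate alerts, extra load).
# Publisher/type pairs of the VM extensions that install each agent (lowercased).
LOG_ANALYTICS_AGENT = {
    ("microsoft.enterprisecloud.monitoring", "microsoftmonitoringagent"),  # Windows
    ("microsoft.enterprisecloud.monitoring", "omsagentforlinux"),          # Linux
}
AZURE_MONITOR_AGENT = {
    ("microsoft.azure.monitor", "azuremonitorwindowsagent"),
    ("microsoft.azure.monitor", "azuremonitorlinuxagent"),
}

# Constructed inventory. The record shape (machine + publisher/type list) is an
# assumption: flatten your own extension export into it.
SAMPLE_INVENTORY = [
    {"machine": "sql-vm-01", "extensions": [
        {"publisher": "Microsoft.EnterpriseCloud.Monitoring", "type": "MicrosoftMonitoringAgent"},
        {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorWindowsAgent"}]},
    {"machine": "sql-arc-02", "extensions": [
        {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent"}]},
    {"machine": "app-vm-03", "extensions": [
        {"publisher": "microsoft.enterprisecloud.monitoring", "type": "OmsAgentForLinux"}]},
    {"machine": "web-vm-04", "extensions": [
        {"publisher": "Microsoft.Compute", "type": "CustomScriptExtension"}]},
    {"machine": "new-vm-05", "extensions": []},
]

def classify(record):
    """Return 'both', 'ama_only', 'log_analytics_only' or 'none' for one machine."""
    installed = {(e["publisher"].lower(), e["type"].lower())
                 for e in record.get("extensions", [])}
    has_la = bool(installed & LOG_ANALYTICS_AGENT)
    has_ama = bool(installed & AZURE_MONITOR_AGENT)
    if has_la and has_ama:
        return "both"
    if has_ama:
        return "ama_only"
    return "log_analytics_only" if has_la else "none"

def audit(inventory):
    """Group machine names by agent state; 'both' marks the overlap described above."""
    report = {"both": [], "ama_only": [], "log_analytics_only": [], "none": []}
    for record in inventory:
        report[classify(record)].append(record["machine"])
    return report

if __name__ == "__main__":
    for state, machines in audit(SAMPLE_INVENTORY).items():
        print(f"{state:20} {', '.join(machines) or '-'}")
```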
When you enable Defender for Servers Plan 2, Defender for Cloud decides which agent to provision. In most cases, the default is the Log Analytics agent.
Learn more about migrating to the Azure Monitor Agent.
Custom configurations
Configure custom destination Log Analytics workspace
When you install the Azure Monitor Agent with autoprovisioning, you can define the destination workspace of the installed extensions. By default, the destination is the “default workspace” that Defender for Cloud creates for each region in the subscription: defaultWorkspace-<subscriptionId>-<regionShortName>. Defender for Cloud automatically configures the data collection rules, workspace solution, and other extensions for that workspace.
If you configure a custom Log Analytics workspace:
- Defender for Cloud only configures the data collection rules and other extensions for the custom workspace. You have to configure the workspace solution on the custom workspace.
- Machines with the Log Analytics agent that report to a Log Analytics workspace with the security solution are billed even when the Defender for Servers plan isn't enabled. Machines with the Azure Monitor Agent are billed only when the plan is enabled on the subscription. The security solution is still required on the workspace to work with the plan's features and to be eligible for the 500-MB benefit.
Log Analytics workspace solutions
The Azure Monitor Agent requires Log Analytics workspace solutions. These solutions are automatically installed when you autoprovision the Azure Monitor Agent with the default workspace.
The required Log Analytics workspace solutions for the data that you're collecting are:
- Cloud security posture management (CSPM) – SecurityCenterFree solution
- Defender for Servers Plan 2 – Security solution
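The custom-workspace rule and the solution list above can be checked together. The following added example (not Microsoft's code) decides whether a workspace is a Defender for Cloud default workspace by its name and reports which required solutions are missing. It assumes solution resources are named `<solution>(<workspace>)`; the subscription ID is a placeholder and the workspace names are constructed.

```python
import re

# Default workspace name from the page: defaultWorkspace-<subscriptionId>-<regionShortName>
DEFAULT_WS = re.compile(
    r"^defaultworkspace-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}-(?P<region>[a-z0-9]+)$",
    re.IGNORECASE)
# Solution each data source needs on the workspace, as listed on the page.
REQUIRED = {"CSPM": "SecurityCenterFree", "Defender for Servers Plan 2": "Security"}

# Constructed sample data: placeholder subscription ID, hypothetical workspace names.
SAMPLE_DEFAULT_WS = "DefaultWorkspace-00000000-0000-0000-0000-000000000000-EUS"
SAMPLE_SOLUTIONS = [
    f"Security({SAMPLE_DEFAULT_WS})",
    f"SecurityCenterFree({SAMPLE_DEFAULT_WS})",
    "SecurityCenterFree(law-sql-custom)",
    "Updates(law-sql-custom)",
]

def installed_solutions(solution_names, workspace):
    """Return the (lowercased) solutions attached to this workspace."""
    found = set()
    for name in solution_names:
        m = re.fullmatch(r"([^()]+)\(([^()]+)\)", name.strip())
        if m and m.group(2).lower() == workspace.lower():
            found.add(m.group(1).lower())
    return found

def check_workspace(workspace, solution_names, sources):
    """Report workspace kind, missing solutions, and whether you must install them."""
    default = DEFAULT_WS.match(workspace)
    have = installed_solutions(solution_names, workspace)
    missing = sorted(REQUIRED[s] for s in sources if REQUIRED[s].lower() not in have)
    return {
        "kind": "default" if default else "custom",
        "region": default.group("region") if default else None,
        "missing": missing,
        # Autoprovisioning installs the solutions only on the default workspace.
        "manual_install_needed": bool(missing) and not default,
    }

if __name__ == "__main__":
    for ws in (SAMPLE_DEFAULT_WS, "law-sql-custom"):
        print(ws, check_workspace(ws, SAMPLE_SOLUTIONS, list(REQUIRED)))
```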
Other security events collection
When you autoprovision the Log Analytics agent in Defender for Cloud, you can choose to collect other security events to the workspace.
As in Log Analytics workspaces, Defender for Servers Plan 2 users are eligible for 500 MB of free data daily on defined data types that include security events.
Next steps
Now that you enabled the Log Analytics agent, check out the features that are supported by the agent: