This document describes the actions that an organization must take in order to successfully onboard to Microsoft Defender for Cloud (MDC) at scale. Our recommendation is to automate as many of the steps as possible, as this reduces both manual deployment errors and maintenance effort. Before starting, customers should check the Prerequisites section to make sure they can follow all of the steps outlined in the following section. If customers need to report to their management on the progress of the MDC rollout, they can run the Azure Resource Graph queries listed in the Inventory section before and after following the implementation steps.
- Version 0.5 - Preview documentation of Microsoft Defender for Cloud Enterprise Onboarding Guide. Use at your own risk.
The following table provides an overview of the steps required to onboard to Microsoft Defender for Cloud at scale. For each of the steps, customers can see a summary of the required action as well as the available automation options. Further details on each step are provided in the following sections of this document.
| Step | Action | Automation options | ||||
|---|---|---|---|---|---|---|
| Azure Policy (rec.) | Azure CLI | Azure PowerShell | REST API | ARM Template | ||
| Ensure the basic environment setup and knowledge are in place | NA | |||||
| #1 | Create a central team that will be responsible for tracking and/or enforcing security on your Azure environment | NA | ||||
| #2 | Assign the necessary RBAC permissions to the central security team | ✕ | ✓ | ✓ | ✓ | ✓ |
| #3 | Assign and customize the MDC default policy to the appropriate scope | ✓ | ✕ | ✕ | ✕ | ✕ |
| #4 | Choose standards for your compliance dashboard (recommended) | ✓ | ✓ | ✓ | ✓ | ✓ |
| #5 | Ensure resources are secure by default through Azure Policy and Azure Blueprints | ✓ | ✕ | ✕ | ✕ | ✕ |
| #6 | Assign custom policies (optional) | ✓ | ✓ | ✓ | ✓ | ✓ |
| #7 | Enable all Microsoft Defender plans (recommended) | ✓ | ✕ | ✕ | ✕ | ✕ |
| #8 | Set security contact & email settings (recommended) | ✓ | ✓ | ✓ | ✓ | ✓ |
| #9 | Deploy required agents (recommended) | ✓ | ✓ | ✓ | ✓ | ✓ |
| #10 | Export Microsoft Defender for Cloud data to Microsoft Sentinel (recommended) | ✕ | ✕ | ✕ | ✓ | ✕ |
| #11 | Prepare and deploy Logic Apps (recommended) | ✕ | ✕ | ✕ | ✓ | ✕ |
| #12 | Workflow Automation (recommended) | ✓ | ✕ | ✕ | ✓ | ✕ |
| #13 | Export data for additional reporting (optional) | ✓ | ✕ | ✕ | ✓ | ✕ |
| #14 | Export Microsoft Defender for Cloud data to other SIEM or ITSM solutions (optional) | ✓ | ✕ | ✕ | ✓ | ✕ |
| #15 | Set alert suppression rules (optional) | ✓ | ✕ | ✕ | ✓ | ✕ |
| Acronym | Meaning | Description |
|---|---|---|
| MDC | Microsoft Defender for Cloud | Built-in free service which offers limited security for your Azure resources only |
| SIEM | Security information and event management | Tool to provide a central place to collect events and alerts, that aggregates data from multiple systems and analyze that data to catch abnormal behavior or potential cyberattacks. For example, Microsoft Sentinel. |
| SOC | Security Operations Center | The main objective of a cloud SOC is to detect, respond to, and recover from active attacks on enterprise assets. |
| CSPM | Cloud Security Posture Management | Means having visibility to your cloud resources posture, have discovery capabilities to learn about the actual usage of each platform, be able to monitor suspicious activities, assess, and review configurations and compliance statuses, and be enabled to deploy real-time protection mechanisms. |
| CWPP | Cloud Workload Protection Platform | Provides workload-centric security protection solutions such as servers, app service, storage, database and more. All CWP capabilities are covered under Microsoft Defender for Cloud. |
| ARM | Azure Resource Manager | Deployment and management layer that enables you to create, update, and delete resources in your Azure account. |
| RBAC | Role-based access control | Authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. |
| MG | Management Group | Management groups allow you to organize your subscriptions and apply governance controls, such as Azure Policy and Role-Based Access Controls (RBAC), to the management groups. |