Enable Defender CSPM Plan

Implementation Effort: Medium – Enabling the plan requires administrative access to Azure subscriptions and coordination with cloud security teams to activate and configure advanced posture management features.

User Impact: Low – This is a backend configuration task; end users are not directly affected unless policy enforcement or scanning results lead to changes in resource configurations.

Overview

The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud provides advanced capabilities to assess, visualize, and improve your cloud security posture. While Foundational CSPM is enabled by default and free, the Defender CSPM plan is a paid upgrade that unlocks features such as:

• Governance and regulatory compliance
• Cloud Security Explorer
• Attack path analysis
• Agentless scanning for machines

To enable the Defender CSPM plan:

1. Sign in to the Azure portal.
2. Go to Microsoft Defender for Cloud > Environment settings.
3. Select the relevant Azure subscription, AWS account, or GCP project.
4. On the Defender plans page, toggle Defender CSPM to On.
5. Click Save.

⚠️ Note: Only Subscription Owners can enable agentless scanning. If a user with lower permissions enables the plan, some features like attack path analysis may not function fully 1.

This capability supports the Zero Trust principle of "Assume Breach" by enabling continuous visibility into misconfigurations, attack paths, and compliance gaps across multicloud environments.

Reference

• Protect your resources with Defender CSPM – Microsoft Learn
• Cloud Security Posture Management (CSPM) – Microsoft Learn
• Enable data security posture management – Microsoft Learn