Enable Defender for API Plan and DCSPM

Implementation Effort: Medium
Enabling both Defender for APIs and Defender CSPM requires coordination between security teams and Azure administrators to configure subscriptions, onboard APIs, and validate monitoring.

User Impact: Low
Only administrators and security teams are involved in the enablement process; no end-user action is required.

Overview

To fully secure APIs in Microsoft Defender for Cloud, organizations should enable both the Defender for APIs plan and the Defender Cloud Security Posture Management (DCSPM) plan.

• Defender for APIs provides runtime protection, threat detection, and alerting for APIs published through Azure API Management. It is enabled at the subscription level via the Azure portal or directly from the API Management instance 1 2.
• Defender CSPM enhances API security posture by continuously assessing APIs for misconfigurations, sensitive data exposure, and attack paths. It requires no agents and integrates with the API inventory in Defender for Cloud 3.

To enable these plans:

1. Ensure APIs are published in Azure API Management.
2. In the Azure portal, navigate to Microsoft Defender for Cloud.
3. Under Environment settings, select the subscription and enable:
   • Defender for APIs under the Defender plans.
   • API Security Posture Management under the Defender CSPM settings.
4. Save the configuration.

Once enabled, APIs are onboarded automatically and appear in the API security dashboard. This setup supports the Zero Trust principle of "Assume breach" by combining real-time threat detection with proactive posture management.

Reference

• Enable API security posture management - Microsoft Learn
• Protect your APIs with Defender for APIs
• Protect APIs in API Management with Defender for APIs