Enable Defender for Resource Manager

Implementation Effort: Low — Enabling Defender for Resource Manager is a simple configuration task in the Azure portal and does not require changes to existing infrastructure or applications.

User Impact: Low — This change is transparent to end users and does not require any user interaction or notification.

Overview

Microsoft Defender for Resource Manager provides threat detection for control plane operations in Azure. It monitors management operations such as deployments, role assignments, and resource modifications across all Azure services. This helps detect suspicious activity like privilege escalation, unauthorized changes, or unusual deployment patterns.

To enable Defender for Resource Manager:

1. Sign in to the Azure Portal.
2. Navigate to Microsoft Defender for Cloud.
3. Select Environment settings.
4. Choose the relevant subscription.
5. On the Defender plans page, toggle Resource Manager to On.
6. Click Save 1.

Once enabled, Defender for Resource Manager:

• Monitors operations performed via the Azure portal, REST APIs, CLI, and SDKs.
• Uses advanced analytics to detect threats and generate alerts.
• Helps secure the Azure control plane by identifying risky or unauthorized actions 2.

This capability supports the "Assume Breach" principle of Zero Trust by continuously monitoring for threats and enabling rapid detection of suspicious control plane activity. Without this protection, attackers could make unauthorized changes to your Azure environment without detection.

Reference

• Enable Defender for Resource Manager
• Defender for Resource Manager Overview
• Respond to Defender for Resource Manager Alerts