Introduction to Microsoft Defender for Resource Manager


Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alerts you about suspicious activity.


Some of these analytics are powered by Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security). To benefit from these analytics, you must activate a Defender for Cloud Apps license. If you have a Defender for Cloud Apps license, then these alerts are enabled by default. To disable the alerts:

  1. From Defender for Cloud's menu, open Environment settings.
  2. Select the subscription you want to change.
  3. Select Integrations.
  4. Clear Allow Microsoft Defender for Cloud Apps to access my data, and select Save.


Aspect Details
Release state: General availability (GA)
Pricing: Microsoft Defender for Resource Manager is billed as shown on the pricing page
Clouds: Commercial clouds
Azure Government
Azure China 21Vianet

What are the benefits of Microsoft Defender for Resource Manager?

Microsoft Defender for Resource Manager protects against issues including:

  • Suspicious resource management operations, such as operations from malicious IP addresses, disabling antimalware and suspicious scripts running in VM extensions
  • Use of exploitation toolkits like Microburst or PowerZure
  • Lateral movement from the Azure management layer to the Azure resources data plane

Azure Resource Manager overview diagram.

A full list of the alerts provided by Microsoft Defender for Resource Manager is on the alerts reference page.

How to investigate alerts from Microsoft Defender for Resource Manager

Security alerts from Microsoft Defender for Resource Manager are based on threats detected by monitoring Azure Resource Manager operations. Defender for Cloud uses internal log sources of Azure Resource Manager as well as Azure Activity log, a platform log in Azure that provides insight into subscription-level events.

Learn more about Azure Activity log.

To investigate security alerts from Microsoft Defender for Resource Manager:

  1. Open Azure Activity log.

    How to open Azure Activity log.

  2. Filter the events to:

    • The subscription mentioned in the alert
    • The timeframe of the detected activity
    • The related user account (if relevant)
  3. Look for suspicious activities.


For a better, richer investigation experience, stream your Azure activity logs to Microsoft Sentinel as described in Connect data from Azure Activity log.

Next steps

In this article, you learned about Microsoft Defender for Resource Manager.

For related material, see the following article:

  • Security alerts might be generated or received by Defender for Cloud from different security products. To export all of these alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM solution.