Scale a Defender for Servers deployment

Article
08/14/2023

This article helps you scale your Microsoft Defender for Servers deployment.

Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud.

Before you begin

This article is the sixth and final article in the Defender for Servers planning guide series. Before you begin, review the earlier articles:

Scaling overview

When you enable a Defender for Cloud subscription, this process occurs:

The microsoft.security resource provider is automatically registered on the subscription.
At the same time, the Cloud Security Benchmark initiative that's responsible for creating security recommendations and calculating the secure score is assigned to the subscription.
After you enable Defender for Cloud on the subscription, you turn on Defender for Servers Plan 1 or Defender for Servers Plan 2, and then you enable auto provisioning.

In the next sections, review considerations for specific steps as you scale your deployment:

Scale a Cloud Security Benchmark deployment
Scale a Defender for Servers plan
Scale auto provisioning

Scale a Cloud Security Benchmark deployment

In a scaled deployment, you might want the Cloud Security Benchmark (formerly the Azure Security Benchmark) to be automatically assigned.

The assignment is inherited for every existing and future subscription in the management group. To set up your deployment to automatically apply the benchmark, assign the policy initiative to your management group (root) instead of to each subscription.

You can get the Azure Security Benchmark policy definition on GitHub.

Learn more about using a built-in policy definition to register a resource provider.

Scale a Defender for Servers plan

You can use a policy definition to enable Defender for Servers at scale:

To get the built-in Configure Azure Defender for Servers to be enabled policy definition, in the Azure portal for your deployment, go to Azure Policy > Policy Definitions.
Alternatively, you can use a custom policy to enable Defender for Servers and select the plan at the same time.
You can enable only one Defender for Servers plan on each subscription. You can't enable both Defender for Servers Plan 1 and Plan 2 at the same subscription.
If you want to use both plans in your environment, divide your subscriptions into two management groups. On each management group, assign a policy to enable the respective plan on each underlying subscription.

Scale auto provisioning

You can set up auto provisioning by assigning the built-in policy definitions to an Azure management group to cover underlying subscriptions. The following table summarizes the definitions:

Agent	Policy
Log Analytics agent (default workspace)	Enable Security Center's autoprovisioning of the Log Analytics agent on your subscriptions with default workspaces
Log Analytics agent (custom workspace)	Enable Security Center's autoprovisioning of the Log Analytics agent on your subscriptions with custom workspaces
Azure Monitor agent (default data collection rule)	[Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent [Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
Azure Monitor agent (custom data collection rule)	[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent [Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
Qualys vulnerability assessment	Configure machines to receive a vulnerability assessment provider
Guest configuration extension	Overview and prerequisites

To review policy definitions, in the Azure portal, go to Policy > Definitions.

Next steps

Begin a deployment for your scenario: