Introduction to Azure Defender for Resource Manager

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Azure Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Azure Defender runs advanced security analytics to detect threats and alerts you about suspicious activity.


Some of these analytics are powered by Microsoft Cloud App Security. To benefit from these analytics, you must activate a Cloud App Security license. If you have a Cloud App Security license, then these alerts are enabled by default. To disable the alerts:

  1. From Security Center's menu, select Pricing & settings.
  2. Select the subscription you want to change.
  3. Select Integrations.
  4. Clear Allow Microsoft Cloud App Security to access my data, and select Save.


Aspect Details
Release state: General availability (GA)
Pricing: Azure Defender for Resource Manager is billed as shown on Security Center pricing
Clouds: Commercial clouds
Azure Government
Azure China 21Vianet

What are the benefits of Azure Defender for Resource Manager?

Azure Defender for Resource Manager protects against issues including:

  • Suspicious resource management operations, such as operations from malicious IP addresses, disabling antimalware and suspicious scripts running in VM extensions
  • Use of exploitation toolkits like Microburst or PowerZure
  • Lateral movement from the Azure management layer to the Azure resources data plane

Azure Resource Manager overview diagram.

A full list of the alerts provided by Azure Defender for Resource Manager is on the alerts reference page.

How to investigate alerts from Azure Defender for Resource Manager

Security alerts from Azure Defender for Resource Manager are based on threats detected by monitoring Azure Resource Manager operations. Azure Defender uses internal log sources of Azure Resource Manager as well as Azure Activity log, a platform log in Azure that provides insight into subscription-level events.

Learn more about Azure Activity log.

To investigate security alerts from Azure Defender for Resource Manager:

  1. Open Azure Activity log.

    How to open Azure Activity log.

  2. Filter the events to:

    • The subscription mentioned in the alert
    • The timeframe of the detected activity
    • The related user account (if relevant)
  3. Look for suspicious activities.


For a better, richer investigation experience, stream your Azure activity logs to Azure Sentinel as described in Connect data from Azure Activity log.

Next steps

In this article, you learned about Azure Defender for Resource Manager.

For related material, see the following article:

  • Security alerts might be generated by Security Center or received by Security Center from different security products. To export all of these alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM.