Refine Your Pricing Strategy: Tailoring Defender for Servers P1 or P2 on Specific Resources, including Subscription Level pricing plan

Tejas C S
KPMG UK Engineering
6 min read · Mar 18, 2024
Optimizing Azure resource costs

Picture Defender for Servers as your trusty guardian, watching over all your Azure VMs and Azure Arc-enabled Servers across your subscription. But in the world of cybersecurity, things aren’t always straightforward. Sometimes, you need to get specific. Maybe you want to tweak the protection on certain machines, like switching from a heavy-duty security plan to a lighter one, or only turning it on for certain servers.

In response to user needs, Microsoft has made a big change to how Microsoft Defender for Cloud works, especially with the Defender for Server P1 and P2 plans. Before, you could only activate these plans for your whole subscription. But now, Microsoft has given you the ability to activate them for individual servers too. There are scenarios in which it makes sense to downgrade individual machines from Defender for Servers Plan 2 to Plan 1, or only enable Defender for Servers Plan 1 on a subset of machines in a subscription. This means you can adjust your security exactly how you want it. The basic rules of keeping your subscription safe and sticking to the big security plan still matter. This change just gives you more options:

  • Customize security settings for individual servers, enabling precise adjustments comparable to fine-tuning a machine’s operation.
  • Selectively designate the level of protection for each server, ensuring tailored security measures are applied where needed.
  • Maintain alignment with the main security plan while implementing these granular adjustments.

Section 1: Enabling Microsoft Defender for Servers at the resource level for Azure VMs and Azure Arc-enabled machines with PowerShell

Initialization and Azure Authentication

In this section, we define the script parameters, initialize variables, install and import the required Az modules, and authenticate to Azure to obtain an access token for the Azure Resource Manager REST API, so that the script can interact with Azure resources securely.

Resource Retrieval (Tag-based)

The script retrieves Azure resources based on specific tags, such as environment: PROD. It fetches both virtual machines and Azure Arc-enabled machines tagged with the specified criteria.

Outputting the resources

This snippet displays a summary of the discovered resources, including virtual machines and Azure Arc-enabled servers. It provides a clear overview of the resources present in the Azure environment.

Pricing Plan Configuration

The script allows users to specify a pricing tier (Free or Standard) for the resources. Based on the provided tier, it enables or disables pricing plans accordingly.

$PricingTier = 'Standard'

Setting $PricingTier to 'Standard' enables the Plan 1 (P1) pricing plan on the tag-selected resources; setting it to 'Free' disables the plan on them.

Updating Pricing Configuration

For each resource, the script updates the pricing configuration by sending REST API requests to Azure. It iterates through each resource, applies the designated pricing tier settings, and handles any errors encountered during the process.

Error Handling

The script incorporates error handling mechanisms to manage exceptions during resource retrieval and pricing configuration updates. It provides informative error messages to assist users in troubleshooting issues effectively.

Taken together, these sections of the script show how the PowerShell script manages Defender for Servers pricing plans at the resource level.

Pricing Results Summary and Subplan Output

After retrieving the resource pricing information, let’s summarize the results and display the pricing plan details for each resource.

In this section, we provide a summary of the pricing results: the counts of virtual machines and Azure Arc-enabled servers found, along with the success and failure counts for applying the pricing plan to them. Additionally, we output the pricing plan details for each resource, virtual machines and Azure Arc-enabled servers alike, where available.
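The following is an added example written for this section, not the script from the article or the author's GitHub repository. It puts the steps above (authentication, tag-based discovery, pricing body, per-resource REST update, error handling, summary and read-back) into one runnable PowerShell script. It assumes the Az.Accounts and Az.Resources modules are installed and Connect-AzAccount has already been run; the subscription ID is a placeholder, the environment=PROD tag follows the article, and it uses Invoke-AzRestMethod (which reuses the Az session token) rather than a hand-built bearer header, plus the 2024-01-01 pricings API version that accepts a resource scope.

```powershell
# Added example (not the article's script): enable Defender for Servers Plan 1
# at resource level on every Azure VM and Arc-enabled machine carrying a tag.
# Assumptions: Az.Accounts + Az.Resources installed, Connect-AzAccount done,
# caller holds Security Admin (or equivalent). Subscription ID is a placeholder.

$SubscriptionId = '<subscription-id>'   # placeholder
$TagName        = 'environment'
$TagValue       = 'PROD'
$PricingTier    = 'Standard'            # 'Standard' = enable P1, 'Free' = disable
$ApiVersion     = '2024-01-01'          # API version that accepts a resource scope

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Discover tagged machines of both types.
$vms  = @(Get-AzResource -ResourceType 'Microsoft.Compute/virtualMachines' -TagName $TagName -TagValue $TagValue)
$arcs = @(Get-AzResource -ResourceType 'Microsoft.HybridCompute/machines'  -TagName $TagName -TagValue $TagValue)
Write-Host "Found $($vms.Count) VM(s) and $($arcs.Count) Arc machine(s) tagged $TagName=$TagValue"

# 2. Build the pricing body once. Resource-level pricing only supports sub plan
#    P1, so subPlan is fixed; 'Free' carries no subPlan at all.
$body = if ($PricingTier -eq 'Standard') {
    @{ properties = @{ pricingTier = 'Standard'; subPlan = 'P1' } }
} else {
    @{ properties = @{ pricingTier = 'Free' } }
}
$payload = $body | ConvertTo-Json -Depth 5

# 3. Apply per resource through ARM; each failure is recorded, not fatal.
$results = foreach ($r in $vms + $arcs) {
    $path = "$($r.ResourceId)/providers/Microsoft.Security/pricings/VirtualMachines?api-version=$ApiVersion"
    try {
        $resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $payload
        $ok   = $resp.StatusCode -in 200, 201
        if (-not $ok) { Write-Warning "$($r.Name): HTTP $($resp.StatusCode) $($resp.Content)" }
        [pscustomobject]@{ Name = $r.Name; Type = $r.ResourceType; Success = $ok }
    } catch {
        Write-Warning "$($r.Name): $($_.Exception.Message)"
        [pscustomobject]@{ Name = $r.Name; Type = $r.ResourceType; Success = $false }
    }
}

# 4. Summary, then read back the effective plan on every machine.
$succeeded = @($results | Where-Object { $_.Success }).Count
Write-Host "VMs: $($vms.Count)  Arc: $($arcs.Count)  Succeeded: $succeeded  Failed: $($results.Count - $succeeded)"
foreach ($r in $vms + $arcs) {
    $path = "$($r.ResourceId)/providers/Microsoft.Security/pricings/VirtualMachines?api-version=$ApiVersion"
    $p = ((Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json).properties
    Write-Host ("{0,-32} tier={1} subPlan={2} inherited={3}" -f $r.Name, $p.pricingTier, $p.subPlan, $p.inherited)
}
```

The read-back in step 4 is the check worth keeping: a machine whose pricing still reports inherited=True is still following the subscription-level plan, so a PUT that returned success but left inherited=True means the subscription setting is being enforced or the request body did not reach the resource scope you intended.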

Summary of the Pricing result and verifying the status on the Portal

(Screenshot: tags added to the required Azure Virtual Machines and Azure Arc-enabled machines)

(Screenshot: summary of the pricing results)
(Screenshot: Azure Virtual Machines showing the resource-level plan in the portal)
(Screenshot: Azure Arc-enabled machines showing the resource-level plan in the portal)

Note: Resource-level pricing is currently available only for the P1 sub plan. If you want to enable the P2 pricing plan on the resources, you can do it at the subscription level. I've uploaded the code for implementing the subscription-level and resource-level pricing plans to the following GitHub repository: https://github.com/tejascs57/Microsoft-Defender-For-Cloud.git

Section 2: Implementing Azure Subscription-Level Pricing Plans with PowerShell

Initialization and Azure Authentication

As in Section 1, this part of the script defines the parameters, initializes variables, installs and imports the required Az modules, and authenticates to Azure to obtain an access token for the Azure Resource Manager REST API.

Resource Retrieval and Machine Enumeration Summary

This section encompasses fetching information about all virtual machines and Azure Arc-enabled machines within the specified resource group. It also handles any errors that may occur during this process.

Pricing Plan Configuration

This section deals with updating the pricing configuration on the subscription level based on specified criteria such as the pricing tier and subplan.

Azure VMs and Arc-enabled Server Pricing Plan Details

This section retrieves and displays the pricing plan details for each Azure VM and each Azure Arc-enabled server found in the resource group, giving an overview of the plan each machine has actually ended up with after the subscription-level update.

If the value of the $PricingTier variable is set to 'Free', the script disables the pricing plan at the subscription level by submitting a pricing body whose pricing tier is Free.

Summary of the Pricing result and verifying the status on the Portal

(Screenshot: summary of the pricing results)
(Screenshot: P2 pricing plan enabled at the subscription level)
(Screenshot: Workbooks | Coverage)

Section 3: Downgrading Pricing Plan and Targeting Specific Resources

When downgrading the pricing plan and targeting specific resources, it is essential that the enforce parameter in $pricingBody is set to False at the subscription level: that is what allows the downgrade and lets the plan be disabled on individual Azure VMs and Arc machines. The snippet of the script illustrating this process is shown below:

This part of the script handles downgrading the pricing plan from P2 to P1 and enabling or disabling the pricing plan for Azure VMs and Arc machines based on the specified conditions.
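The following is an added example covering Sections 2 and 3 together; it is not the article's script or the author's repository code. It sets the subscription-level plan to P2 with enforce set to False (or to Free to disable the plan subscription-wide), reads the setting back to confirm that overrides are permitted, and then downgrades a chosen list of machines to P1 (or Free) at the resource level. It assumes Connect-AzAccount has been run and uses Invoke-AzRestMethod with the 2024-01-01 pricings API version; the subscription ID and resource IDs are placeholders.

```powershell
# Added example (not the article's script): subscription-level P2 with
# enforce=False, followed by resource-level downgrades for selected machines.
# Assumptions: Connect-AzAccount done; IDs below are placeholders.

$SubscriptionId = '<subscription-id>'   # placeholder
$ApiVersion     = '2024-01-01'
$SubScope       = "/subscriptions/$SubscriptionId"
$PricingPath    = "/providers/Microsoft.Security/pricings/VirtualMachines?api-version=$ApiVersion"

$PricingTier  = 'Standard'   # subscription level: 'Standard' -> P2, 'Free' -> plan off
$OverrideTier = 'Standard'   # resource level:     'Standard' -> P1, 'Free' -> plan off
$Overrides = @(              # machines that should NOT follow the subscription default
    "$SubScope/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm-name>",
    "$SubScope/resourceGroups/<rg>/providers/Microsoft.HybridCompute/machines/<arc-name>"
)

# 1. Subscription level. enforce=False is the precondition for step 3: with
#    enforce=True the API forces this configuration on every descendant scope.
$subBody = if ($PricingTier -eq 'Standard') {
    @{ properties = @{ pricingTier = 'Standard'; subPlan = 'P2'; enforce = 'False' } }
} else {
    @{ properties = @{ pricingTier = 'Free' } }
}
$resp = Invoke-AzRestMethod -Path "$SubScope$PricingPath" -Method PUT -Payload ($subBody | ConvertTo-Json -Depth 5)
if ($resp.StatusCode -notin 200, 201) { throw "Subscription pricing update failed: HTTP $($resp.StatusCode) $($resp.Content)" }

# 2. Read back the effective subscription setting before touching resources.
$cur = ((Invoke-AzRestMethod -Path "$SubScope$PricingPath" -Method GET).Content | ConvertFrom-Json).properties
Write-Host "Subscription: tier=$($cur.pricingTier) subPlan=$($cur.subPlan) enforce=$($cur.enforce)"
if ($cur.enforce -eq 'True') { throw 'enforce is True at subscription level; resource-level downgrades would be rejected.' }

# 3. Downgrade the listed machines. A resource scope accepts only P1 or Free.
$resBody = if ($OverrideTier -eq 'Standard') {
    @{ properties = @{ pricingTier = 'Standard'; subPlan = 'P1' } }
} else {
    @{ properties = @{ pricingTier = 'Free' } }
}
$resPayload = $resBody | ConvertTo-Json -Depth 5

foreach ($id in $Overrides) {
    $name = $id.Split('/')[-1]
    $r = Invoke-AzRestMethod -Path "$id$PricingPath" -Method PUT -Payload $resPayload
    if ($r.StatusCode -in 200, 201) {
        $p = ($r.Content | ConvertFrom-Json).properties
        Write-Host "$name -> tier=$($p.pricingTier) subPlan=$($p.subPlan) inherited=$($p.inherited)"
    } else {
        Write-Warning "$name -> HTTP $($r.StatusCode): $($r.Content)"
    }
}
```

Run step 2 even if you did not just change the subscription setting: an enforce=True value set earlier by someone else is the usual reason a resource-level downgrade that worked in a test subscription fails in production.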

(Screenshot: downgrading the pricing plan for the required resources)

Conclusion

Managing Azure subscription-level and resource-level pricing plans with PowerShell is a practical way to optimize Defender for Servers costs and resource allocation in cloud environments, enabling more efficient and cost-effective operations.

Happy Learning!

You can find the code at the link below:
https://github.com/tejascs57/Microsoft-Defender-For-Cloud.git

Follow me on LinkedIn:
https://www.linkedin.com/in/tejas-c-s-439a021b1/
