Azure landing zone Documentation

13 - Turn off Defender Plans

The Defender plan policy assignment (Deploy-MDFC-Config-H224) is enabled by default and enables every Defender for Cloud plan it covers. To stop it enabling individual plans, follow these steps:

  1. Update the management_group_settings.policy_assignments_to_modify section.

  2. Find the Deploy-MDFC-Config-H224 block and set the effect parameter of each Defender plan you do not want to Disabled (leave the plans you do want at DeployIfNotExists). The following example turns off a subset of the Defender plans:

    Warning
    If you have changed the alz management group ID, update the management group ID key in this block to match. For example, replace alz with contoso.
    management_group_settings = {
      ...
      policy_assignments_to_modify = {
        alz = {
          policy_assignments = {
            Deploy-MDFC-Config-H224 = {
              # Each enableAscFor* parameter is the effect of one Defender plan policy:
              # "DeployIfNotExists" enables the plan, "Disabled" stops the policy enabling it.
              parameters = {
                ascExportResourceGroupName                  = "$${asc_export_resource_group_name}"
                ascExportResourceGroupLocation              = "$${starter_location_01}"
                emailSecurityContact                        = "security_contact@replace_me"
                enableAscForServers                         = "Disabled"           # Defender for Servers off
                enableAscForServersVulnerabilityAssessments = "DeployIfNotExists"
                enableAscForSql                             = "DeployIfNotExists"
                enableAscForAppServices                     = "DeployIfNotExists"
                enableAscForStorage                         = "DeployIfNotExists"
                enableAscForContainers                      = "DeployIfNotExists"
                enableAscForKeyVault                        = "DeployIfNotExists"
                enableAscForSqlOnVm                         = "Disabled"           # Defender for SQL on machines off
                enableAscForArm                             = "DeployIfNotExists"
                enableAscForOssDb                           = "Disabled"           # Defender for open-source relational DBs off
                enableAscForCosmosDbs                       = "DeployIfNotExists"
                enableAscForCspm                            = "DeployIfNotExists"
              }
            }
          }
        }
      }
      ...
    }
Tip
You can find the full list of parameters in the policy assignment Deploy-MDFC-Config-H224 in the library.
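A caveat worth checking after you apply the change: setting a plan's effect to Disabled only stops the policy from enabling that plan. It does not downgrade a plan that is already on Standard in a subscription, so a plan you "turned off" here can stay enabled and billed until someone changes it. The script below is an added example, not part of the Azure landing zone accelerator or its library. It compares the intended effects from the configuration above with the pricing tiers a subscription actually reports, using the output of `az security pricing list -o json` saved to a file. The mapping from each enableAscFor* parameter to a Defender pricing name, and the assumption that the CLI output is either a `{"value": [...]}` object or a plain list of `{"name", "pricingTier"}` items, are the author's assumptions here; the embedded sample pricing data is constructed.

```python
"""Report drift between the Deploy-MDFC-Config-H224 effects you configured and the
Defender for Cloud plans actually enabled on a subscription.

Usage: python mdfc_drift.py [pricing.json]
  where pricing.json is the output of:  az security pricing list -o json
  With no argument the constructed sample below is used.
"""
import json
import sys

# Assumed mapping from the policy assignment's effect parameters to the pricing
# names returned by `az security pricing list`. enableAscForServersVulnerabilityAssessments
# deploys an agent rather than a pricing tier, so it has no entry and is skipped.
PARAM_TO_PRICING = {
    "enableAscForServers": "VirtualMachines",
    "enableAscForSql": "SqlServers",
    "enableAscForAppServices": "AppServices",
    "enableAscForStorage": "StorageAccounts",
    "enableAscForContainers": "Containers",
    "enableAscForKeyVault": "KeyVaults",
    "enableAscForSqlOnVm": "SqlServerVirtualMachines",
    "enableAscForArm": "Arm",
    "enableAscForOssDb": "OpenSourceRelationalDatabases",
    "enableAscForCosmosDbs": "CosmosDbs",
    "enableAscForCspm": "CloudPosture",
}

# The effects from the example configuration on this page.
INTENDED_EFFECTS = {
    "enableAscForServers": "Disabled",
    "enableAscForServersVulnerabilityAssessments": "DeployIfNotExists",
    "enableAscForSql": "DeployIfNotExists",
    "enableAscForAppServices": "DeployIfNotExists",
    "enableAscForStorage": "DeployIfNotExists",
    "enableAscForContainers": "DeployIfNotExists",
    "enableAscForKeyVault": "DeployIfNotExists",
    "enableAscForSqlOnVm": "Disabled",
    "enableAscForArm": "DeployIfNotExists",
    "enableAscForOssDb": "Disabled",
    "enableAscForCosmosDbs": "DeployIfNotExists",
    "enableAscForCspm": "DeployIfNotExists",
}

# Constructed sample: Servers was enabled before the policy was set to Disabled and is
# still Standard; Key Vaults has not been remediated yet and is still Free.
SAMPLE_PRICING_JSON = json.dumps({"value": [
    {"name": "VirtualMachines", "pricingTier": "Standard"},
    {"name": "SqlServers", "pricingTier": "Standard"},
    {"name": "AppServices", "pricingTier": "Standard"},
    {"name": "StorageAccounts", "pricingTier": "Standard"},
    {"name": "Containers", "pricingTier": "Standard"},
    {"name": "KeyVaults", "pricingTier": "Free"},
    {"name": "SqlServerVirtualMachines", "pricingTier": "Free"},
    {"name": "Arm", "pricingTier": "Standard"},
    {"name": "OpenSourceRelationalDatabases", "pricingTier": "Free"},
    {"name": "CosmosDbs", "pricingTier": "Standard"},
    {"name": "CloudPosture", "pricingTier": "Standard"},
]})


def load_pricings(raw: str) -> dict:
    """Parse CLI output into {pricing name: tier}; accepts a {"value": [...]} object or a list."""
    data = json.loads(raw)
    items = data.get("value", []) if isinstance(data, dict) else data
    return {item["name"]: item["pricingTier"] for item in items}


def report_drift(effects: dict, pricings: dict) -> list:
    """Return one finding per plan whose real tier contradicts the configured effect."""
    findings = []
    for param, effect in effects.items():
        plan = PARAM_TO_PRICING.get(param)
        if plan is None:
            continue  # no pricing tier behind this parameter
        actual = pricings.get(plan, "Missing")
        if effect == "DeployIfNotExists" and actual != "Standard":
            findings.append({"plan": plan, "effect": effect, "actual": actual,
                             "note": "policy should enable this plan; check compliance and remediation"})
        elif effect == "Disabled" and actual == "Standard":
            findings.append({"plan": plan, "effect": effect, "actual": actual,
                             "note": "plan is still on; a Disabled effect does not downgrade an existing plan"})
    return findings


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PRICING_JSON
    for f in report_drift(INTENDED_EFFECTS, load_pricings(raw)):
        print(f"{f['plan']:32} effect={f['effect']:18} actual={f['actual']:9} {f['note']}")
```

Run it once per subscription under the management group after the accelerator has applied the change and remediation has finished; a plan that shows up as Standard while its effect is Disabled has to be switched off explicitly (for example with `az security pricing create --name <plan> --tier Free`), because the policy will not do it for you.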