Azure Landing Zones Documentation

13 - Turn off Defender Plans

The Defender Plan policy is enabled by default. If you want to turn off individual Defender plans, you can follow these steps:

  1. Update the management_group_settings.policy_assignments_to_modify section.

  2. Find the Deploy-MDFC-Config-H224 block setting and set the enforcement mode of the individual Defender plan line settings to DoNotEnforce. See the following example, which turns off a subset of the Defender plans:

    If you have updated the alz management group ID, then you need to update the management group ID in this block setting to match. For example, replace alz with contoso.
    management_group_settings = {
      ...
      policy_assignments_to_modify = {
        alz = {
          policy_assignments = {
            Deploy-MDFC-Config-H224 = {
              parameters = {
                ascExportResourceGroupName                  = "$${asc_export_resource_group_name}"
                ascExportResourceGroupLocation              = "$${starter_location_01}"
                emailSecurityContact                        = "security_contact@replace_me"
                enableAscForServers                         = "DoNotEnforce"
                enableAscForServersVulnerabilityAssessments = "DeployIfNotExists"
                enableAscForSql                             = "DeployIfNotExists"
                enableAscForAppServices                     = "DeployIfNotExists"
                enableAscForStorage                         = "DeployIfNotExists"
                enableAscForContainers                      = "DeployIfNotExists"
                enableAscForKeyVault                        = "DeployIfNotExists"
                enableAscForSqlOnVm                         = "DoNotEnforce"
                enableAscForArm                             = "DeployIfNotExists"
                enableAscForOssDb                           = "DoNotEnforce"
                enableAscForCosmosDbs                       = "DeployIfNotExists"
                enableAscForCspm                            = "DeployIfNotExists"
              }
            }
          }
        }
      }
      ...
    }
You can find the full list of parameters in the policy assignment Deploy-MDFC-Config-H224 in the library.
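Because every `DoNotEnforce` line above is a deliberate coverage gap, it is worth having a pre-apply check that lists exactly which plans a settings file turns off and fails if one you consider mandatory is among them. The script below is an added example, not tooling from the Azure Landing Zones accelerator: it scans the `Deploy-MDFC-Config-H224` block of a settings file with a small brace-matching parser, reports the `enableAscFor*` parameters set to `DoNotEnforce`, and confirms the management group key (`alz` or your replacement such as `contoso`). The embedded HCL is a constructed, trimmed copy of the block on this page; the `REQUIRED_PLANS` set and the rule that only `DeployIfNotExists` counts as enforced are assumptions for the check, not values from the page.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the management_group_settings block
# shown on the page, with some plans switched to DoNotEnforce.
SAMPLE_HCL = """
management_group_settings = {
  policy_assignments_to_modify = {
    alz = {
      policy_assignments = {
        Deploy-MDFC-Config-H224 = {
          parameters = {
            ascExportResourceGroupName                  = "$${asc_export_resource_group_name}"
            emailSecurityContact                        = "security_contact@replace_me"
            enableAscForServers                         = "DoNotEnforce"
            enableAscForServersVulnerabilityAssessments = "DeployIfNotExists"
            enableAscForSql                             = "DeployIfNotExists"
            enableAscForSqlOnVm                         = "DoNotEnforce"
            enableAscForOssDb                           = "DoNotEnforce"
            enableAscForCspm                            = "DeployIfNotExists"
          }
        }
      }
    }
  }
}
"""

ASSIGNMENT_NAME = "Deploy-MDFC-Config-H224"
# Matches one `enableAscForXxx = "value"` line inside the parameters map.
PLAN_PARAM = re.compile(r'^\s*(enableAscFor\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
# Matches the first key directly under policy_assignments_to_modify (the management group ID).
MG_KEY = re.compile(r'policy_assignments_to_modify\s*=\s*\{\s*([A-Za-z0-9_-]+)\s*=')

# Assumed policy for this check: plans that must stay enforced (not from the page).
REQUIRED_PLANS: Set[str] = {"enableAscForServers", "enableAscForStorage"}


def assignment_block(hcl_text: str, assignment: str = ASSIGNMENT_NAME) -> str:
    """Return the text of `<assignment> = { ... }` by walking braces to the matching close."""
    start = hcl_text.find(f"{assignment} =")
    if start < 0:
        raise ValueError(f"{assignment} block not found")
    depth = 0
    for i in range(start, len(hcl_text)):
        ch = hcl_text[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return hcl_text[start:i + 1]
    raise ValueError("unbalanced braces in settings file")


def plan_settings(hcl_text: str) -> Dict[str, str]:
    """Map each enableAscFor* parameter in the assignment block to its configured value."""
    return dict(PLAN_PARAM.findall(assignment_block(hcl_text)))


def disabled_plans(hcl_text: str) -> List[str]:
    """Plans explicitly turned off with DoNotEnforce, sorted for stable output."""
    return sorted(name for name, value in plan_settings(hcl_text).items() if value == "DoNotEnforce")


def required_plans_not_enforced(hcl_text: str, required: Set[str] = REQUIRED_PLANS) -> List[str]:
    """Required plans that are missing or set to anything other than DeployIfNotExists."""
    settings = plan_settings(hcl_text)
    return sorted(p for p in required if settings.get(p) != "DeployIfNotExists")


def management_group_key(hcl_text: str) -> str:
    """The management group ID the block targets (must match a renamed alz group)."""
    match = MG_KEY.search(hcl_text)
    if not match:
        raise ValueError("policy_assignments_to_modify block not found")
    return match.group(1)


if __name__ == "__main__":
    print("management group:", management_group_key(SAMPLE_HCL))
    print("plans turned off:", disabled_plans(SAMPLE_HCL))
    violations = required_plans_not_enforced(SAMPLE_HCL)
    print("required plans not enforced:", violations)
    raise SystemExit(1 if violations else 0)
```

Run it against your own settings file by reading the file into `SAMPLE_HCL`'s place; a non-zero exit from the required-plan check is what you would wire into CI so that a plan cannot be switched to `DoNotEnforce` without someone consciously updating the required set.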