Issue with "MDE Designated Subscription Enabled" Setting Not Reflecting in Azure Security Pricing

Question

Issue with "MDE Designated Subscription Enabled" Setting Not Reflecting in Azure Security Pricing

Guo, Jianning 85

Sure! Here's a more polished and professional version of your message, with improved clarity and tone:

Hi Team,

We've assigned the Azure policy "Configure Microsoft Defender for Servers plan" to enable "MDE Designated Subscription Enabled" for our subscription. However, when we run the following PowerShell command:

Get-AzSecurityPricing -Name "VirtualMachines"

…the output consistently shows:

"name": "MdeDesignatedSubscription", "isEnabled": "False"

This remains the case even after creating and executing a remediation task to set the value to true, resulting in non-compliance with the policy.

Has anyone encountered a similar issue? Any insights into the potential root cause would be greatly appreciated.

Best regards,

Jane

Would you like to tailor this message for a specific audience (e.g., internal IT team, Microsoft support, or a broader forum)?

Siva shunmugam Nadessin 3,025 Reputation points Microsoft External Staff Moderator

2025-11-17T22:10:43.44+00:00
Hello Guo, Jianning,

Here’s what you can do to troubleshoot and possibly resolve the issue:

Verify Policy Assignment: Make sure that the policy "Configure Microsoft Defender for Servers plan" is correctly assigned to the subscription in question. Double-check the policy's compliance state through the Azure Policy portal.

Check Permissions: Ensure that you have the right permissions to modify the security settings. You should be assigned to one of the following roles: Subscription Owner, Subscription Contributor, or Security Admin.

Re-register the Microsoft.Security Resource Provider: Sometimes, registration issues can create problems with policy compliance. Follow these steps:

Go to the Azure portal and navigate to your subscription settings.

Click on Resource providers in the settings menu.

Search for Microsoft.Security, then unregister and register it again.

Manual Setup: If the policy is still showing as non-compliant, you might want to try enabling the pricing manually via PowerShell:

Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"

Replace "Standard" as necessary to enable the MDE if that’s not what you're currently using.

Execution of Remediation Task: Since you mentioned you already created and executed a remediation task, ensure that it completed successfully. You can check this in the Azure portal under the Security Policy section.

Wait for Propagation: After making changes, there can be a delay in how quickly the settings propagate across Azure. If everything checks out but the setting still shows as "False," it might just need a little more time.

Hope this helps! If you have any more questions or need further assistance, feel free to ask!

Follow-Up Questions:

Have you checked the Azure Policy compliance state for the relevant policy?

What roles do you have assigned to your Azure account?

Have you accessed the Azure Activity Log to see if there’s any information on when the pricing setting was last modified?

Can you confirm if the remediation task showed any errors during execution?

How long have you waited after making the changes to see if they reflect?
Guo, Jianning 85 Reputation points

2025-11-18T16:12:44.78+00:00

@Siva shunmugam Nadessin

Thank you for the detailed steps. I have the Subscription Owner role and was able to remediate the other parameters in the 'Configure Microsoft Defender for Servers plan' policy, except for 'MdeDesignatedSubscription.' The remediation task shows as completed without errors, but the parameter still isn’t updated. The pricingTier is set to 'Standard. The parameter remains unchanged even after a couple of days of the remediation.

2 answers

Your answer

Guo, Jianning 85 Reputation points

2025-11-18T16:12:44.78+00:00

@Siva shunmugam Nadessin

Thank you for the detailed steps. I have the Subscription Owner role and was able to remediate the other parameters in the 'Configure Microsoft Defender for Servers plan' policy, except for 'MdeDesignatedSubscription.' The remediation task shows as completed without errors, but the parameter still isn’t updated. The pricingTier is set to 'Standard. The parameter remains unchanged even after a couple of days of the remediation.

Answer 1

It seems you are experiencing an issue where the Azure policy for enabling the "MDE Designated Subscription Enabled" setting is not reflecting correctly in the Azure Security pricing. Here are a few potential reasons and troubleshooting steps you might consider:

Policy Assignment Status: Ensure that the policy assignment is in a compliant state. You can check the compliance status in the Azure Policy portal to confirm if the policy is being evaluated correctly.
Remediation Task: Since you have already created and executed a remediation task, verify that the task completed successfully. Sometimes, remediation tasks may fail or may not apply changes as expected due to permissions or other issues.
Propagation Delay: Changes in Azure policies and settings may take some time to propagate. If you have just executed the remediation task, wait a few minutes and then recheck the status using your PowerShell command.
Permissions: Ensure that the account you are using to run the PowerShell command has the necessary permissions to view and modify security settings in Azure.
Azure Support: If the issue persists, consider reaching out to Azure support for further assistance. They can provide insights specific to your subscription and the policies applied.

These steps should help you diagnose the issue further. If you find any specific error messages or behaviors during your troubleshooting, those details could also be useful for further investigation.

References:

Remediate non-compliant resources with Azure Policy

Guo, Jianning 85 Reputation points

2025-11-17T20:51:44.21+00:00

We have tried the suggest steps here, it does not help resolve nor troubleshoot the issue.

Answer 2

Suchitra Suregaunkar 3,545 Microsoft External Staff Moderator

Hello Guo, Jianning, MdeDesignatedSubscription is an extension of the VirtualMachines Defender plan. It enables the “Direct onboarding” integration between Microsoft Defender for Endpoint (MDE) and Defender for Cloud, onboarded resources are presented under a designated subscription. This extension is explicitly listed in the Microsoft.Security/pricings resource schema.

Changing plan extensions (including MdeDesignatedSubscription) is governed by directory‑level permissions. If the caller lacks the required Microsoft Entra admin role like Security Administrator, the PUT succeeds but the extension’s operationStatus.code = Failed and the value doesn’t change.

Reference: https://learn.microsoft.com/en-us/azure/templates/microsoft.security/pricings?pivots=deployment-language-bicep

For plan operations and agent/extension configuration, Defender for Cloud requires appropriate roles.

Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

Have a tenant admin assign you Microsoft Entra Security Administrator or equivalent before changing extensions for the VirtualMachines plan.

Re‑register the provider and make sure latest schema availability for Microsoft.Security/pricings:

Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'

Enable the extension using Azure CLI:

az security pricing create \
  -n VirtualMachines \
  --tier standard \
  --subplan P2 \

The CLI supports --extensions for pricing updates (example in official reference). Use P1 or P2 as applicable

PowerShell can update pricing and pass an -Extension JSON, but the CLI exposes the extensions parameter more directly.

Reference: https://learn.microsoft.com/en-us/powershell/module/az.security/set-azsecuritypricing?view=azps-14.6.0

Re‑run policy remediation if you used Policy The built‑in policy for Defender for Servers uses DeployIfNotExists against Microsoft.Security/pricings. If the remediation identity didn’t have the required Entra role, it will appear “successful” but won’t change the extension. Assign the role and re‑run remediation.

Kindly let us know if the solution provided worked for you.

If you need any further assistance, please feel free to reach out.

Thanks,

Suchitra.

Guo, Jianning 85 Reputation points

2025-11-19T20:53:14.55+00:00

@Suchitra Suregaunkar

Thanks for your response. We have the correct setting as you suggested here. It does not make any difference to the "MdeDesignatedSubscription" setting.
Suchitra Suregaunkar 3,545 Reputation points Microsoft External Staff Moderator

2025-11-20T10:06:45.04+00:00
Hello Guo, Jianning,

If you used Azure Policy remediation, verify which Managed Identity is attached to the assignment and grant that identity the directory role.

Read the pricing with REST:

Run this GET and inspect the extensions array and operationStatus:

GET https://management.azure.com/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2024-01-01

You should see something like: If operationStatus.code is Failed, the change was rejected (most commonly due to insufficient directory role).

If the array doesn’t include MdeDesignatedSubscription, your CLI/PowerShell call didn’t send the extension parameter correctly.

{ "properties": { "pricingTier": "Standard", "subPlan": "P1", "extensions": [ { "name": "MdeDesignatedSubscription", "isEnabled": "False", "operationStatus": { "code": "Failed", "message": "..." } } ] } }

Re‑apply using CLI (explicit extension parameter): Replace P2 with P1 if that’s your plan. The critical piece is --extensions name=MdeDesignatedSubscription isEnabled=True.

az security pricing create \ -n VirtualMachines \ --tier standard \ --subplan P2 \ --extensions name=MdeDesignatedSubscription isEnabled=True

Verify again (REST):
Re‑run the REST GET. A successful update shows:

"extensions": [ { "name": "MdeDesignatedSubscription", "isEnabled": "True" } ]

and no operationStatus.code = "Failed".

If using Azure Policy: After granting the directory role to the assignment’s managed identity, re‑run remediation.

Built‑in Defender for Servers policy (DeployIfNotExists) targets Microsoft.Security/pricings and its properties.extensions[*]. If the identity lacks directory rights, remediation will show “succeeded” but the extension remains False.

Double‑check tenant MDE integration path: In Defender for Cloud > Environment settings > (your subscription) > Defender plans, ensure Microsoft Defender for Endpoint integration is On and the “designated subscription” path is allowed by your MDE onboarding settings. If tenant‑level MDE configuration blocks designated subscription routing, the extension flip can be refused.

If you get any error messages, then please share us the screenshots.

Thanks,

Suchitra.
Guo, Jianning 85 Reputation points

2025-11-21T16:47:24.8+00:00
Here is what I got when ran the API command that you provided:

"properties": {

"enablementTime": "2025-11-12T21:55:21.3386797Z", "extensions": [ { "isEnabled": "False", "name": "MdeDesignatedSubscription" },

I do not see an operationStatus.code in the output.

Share via

Issue with "MDE Designated Subscription Enabled" Setting Not Reflecting in Azure Security Pricing

2 answers

Your answer