Enable Defender CSPM (Advanced) and CWPP via Azure Policy.

MagoMerlino 101 Reputation points
2025-12-02T14:11:51.36+00:00

I would like to use Azure Policy at the management group level to deploy policy related to Microsoft Defender for Cloud. (I have the Owner role for all mgmt groups.)

I found some built-in policy definitions (here below), but they don't apply to my case as I would like to have more granular options.

  • Microsoft Defender CSPM should be enabled
  • Configure Microsoft Defender CSPM to be enabled
  • Configure Microsoft Defender CSPM plan

I would like to tweak a custom policy with the following, so that I can assign this to the main management group. The other mgmt groups will then inherit the properties.

Defender CSPM Advanced with selected extensions:

✅ Kubernetes API Access

✅ Registry Access

✅ Sensitive Data Discovery

✅ Permissions Management (CIEM)

❌ API Security Posture Management

❌ Serverless Protection

CWPP plans for:

✅ Virtual Machines (Servers)

✅ App Services

✅ SQL Servers

✅ Storage Accounts

✅ Key Vaults

❌ Containers, AI Services, APIs


3 answers

  1. Adam Zachary 2,025 Reputation points
    2025-12-02T14:31:58.8766667+00:00

    From my experience you can get close to what you want with Azure Policy, but you cannot reproduce that exact CSPM Advanced checkbox matrix one to one.

    1. CSPM is controlled by a single pricing object called CloudPosture on Microsoft.Security/pricings with pricingTier set to Standard. Some of the “advanced” options you see in the portal are just extensions on that same object such as AgentlessDiscoveryForKubernetes, ContainerRegistriesVulnerabilityAssessments and SensitiveDataDiscovery, and those can be driven by policy at subscription or management group scope. Microsoft Learn There is no supported way today to say “CSPM Standard but serverless protection off” in policy. Once you enable the paid CSPM plan you get the full bundle, serverless included, and there is no separate extension flag to turn only that part off. Microsoft Learn
    2. The Permissions Management or CIEM switch is tied to Entra Permissions Management which Microsoft is in the process of retiring in 2025, so I would not hard code that as a long-term dependency in a custom policy. Even if you see it in the portal now, the product is being phased out and support ends around October or November 2025. Microsoft Tech Community
    3. CWPP plans are the easy part. Each plan you listed is just another Microsoft.Security/pricings entry, for example VirtualMachines, AppServices, SqlServers, StorageAccounts, KeyVaults. You can absolutely enable only those by policy and simply never create pricing entries for Containers, KubernetesService, Api or Ai, so those stay on the Free tier. Microsoft Learn

    In practice what I do for customers is assign one custom initiative at the root management group that deploys CloudPosture with the extensions we actually want and then separate pricing objects for the CWPP plans we care about, and I accept that some CSPM toggles like serverless are not granularly controllable via policy today.


  2. Siva shunmugam Nadessin 3,025 Reputation points Microsoft External Staff Moderator
    2025-12-03T09:48:32.4433333+00:00

    Hello MagoMerlino,

    It looks like you're trying to use Azure Policy at the management group level to deploy a customized policy for Microsoft Defender for Cloud, specifically for enabling Defender CSPM Advanced and CWPP with selected extensions. Here's how you can approach it:

    Creating a Custom Policy: If the built-in policy definitions don’t meet your granular requirements, you can create a custom policy definition with the specific settings you want to enforce. The Azure Policy feature allows you to define policies based on your organizational needs.

    Policy Structure: Your custom policy should include the conditions that specify when the policy applies and the effect that details what action to take (e.g., "Enforce", "Audit", etc.). You will likely want to include conditions that pertain to enabling Defender CSPM with the extensions you mentioned and the CWPP plans for your designated resources.

    Deployment Steps:

    • Go to the Azure portal and navigate to Azure Policy.
    • Create a new policy definition by selecting 'Definitions' and then clicking ' + Policy definition'.
    • In the policy definition, define the specific parameters for each of the Defender services and extensions you want to control.
    • Assign the policy to your management group.
    • Inheritance: Once assigned to the management group, all sub-groups or subscriptions under that management group will inherit the policy if you've set it up correctly.
    • Verification: After enabling, allow up to 24 hours to see initial compliance results in the Defender for Cloud dashboard. You should also check the Security Recommendations to see any vulnerabilities or compliance violations.

    Considerations:

    • Make sure you have the necessary permissions to create and assign policies (it seems like you have owner access, which is good).
    • Check for any existing policies that may conflict with your new policy.
    • Be aware that enabling certain features might require specific Azure role permissions, especially with agentless capabilities.

    Questions:

    1. Have you started creating the custom policy yet, or are you looking for guidance on where to begin?
    2. Are there any specific errors or issues you've encountered while trying to set this up?
    3. Are there additional resources you want to include in your settings that weren't mentioned in your initial request?

    References:

    Hope this helps you set up your policies the way you want! Let me know if you have other questions.


  3. MagoMerlino 101 Reputation points
    2025-12-03T11:43:56.0733333+00:00

    Hi @Siva shunmugam, thank you for answering.

    I am looking at how to write the policy. I often get the error that the JSON file is not correct, or that the request content was invalid and could not be deserialized: could not find $schema...

    I think I was able to include the CSPM part with:

    {
      "type": "Microsoft.Security/settings",
      "apiVersion": "2023-01-01",
      "name": "DefenderCSPMSettings",
      "properties": {
        "agentlessVmScanning": "Enabled",
        "kubernetesApiAccess": "Enabled",
        "registryAccess": "Enabled",
        "sensitiveDataDiscovery": "Enabled",
        "permissionsManagement": "Enabled",
        "apiSecurity": "Enabled",
        "serverlessProtection": "Disabled"
      }
    }

    But not how to activate the CWPP part.

    And I also get the error: The role definitions required by the policy definition are not used by the role assignments on the assignment identity. Please make sure you have role assignments based on the role definitions specified in the policy definition.

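As an added example, not code from the question or either answer, here is one parameterised DeployIfNotExists policy definition that realises what the first answer describes and what the second answer's steps leave abstract: each assignment deploys one Microsoft.Security/pricings object (the CloudPosture object or a CWPP plan, rather than a Microsoft.Security/settings resource), the ARM resource sits inside the nested template under details.deployment (which needs its own $schema), and roleDefinitionIds names the role the assignment's managed identity must be granted, which is what the role-assignment error quoted above refers to. Assumptions: the Security Admin built-in role suffices for the deployment, westeurope is a placeholder deployment region, and plans that take a subPlan (Defender for Servers P1/P2) need a property this example does not set.

```json
{
  "properties": {
    "displayName": "Deploy a Defender for Cloud plan with selected extensions",
    "mode": "All",
    "parameters": {
      "pricingName": { "type": "String", "metadata": { "description": "Pricing object, e.g. CloudPosture or VirtualMachines" } },
      "extensions": { "type": "Array", "defaultValue": [], "metadata": { "description": "Extension objects for that plan" } }
    },
    "policyRule": {
      "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Security/pricings",
          "name": "[parameters('pricingName')]",
          "deploymentScope": "subscription",
          "existenceScope": "subscription",
          "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" ],
          "existenceCondition": { "field": "Microsoft.Security/pricings/pricingTier", "equals": "Standard" },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "pricingName": { "value": "[parameters('pricingName')]" },
                "extensions": { "value": "[parameters('extensions')]" }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": { "pricingName": { "type": "string" }, "extensions": { "type": "array" } },
                "resources": [
                  {
                    "type": "Microsoft.Security/pricings",
                    "apiVersion": "2023-01-01",
                    "name": "[parameters('pricingName')]",
                    "properties": {
                      "pricingTier": "Standard",
                      "extensions": "[parameters('extensions')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```

Assign it once per plan (CloudPosture with an extensions array such as [{"name": "SensitiveDataDiscovery", "isEnabled": "True"}], then VirtualMachines, AppServices, SqlServers, StorageAccounts and KeyVaults with an empty array), leaving Containers, Api and Ai unassigned so they stay on the Free tier as the first answer notes. Because the existence condition checks only pricingTier, a plan that is already Standard but carries a different extension set is reported compliant and is not remediated.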
