Scale a Defender for Servers deployment

This article helps you scale your Microsoft Defender for Servers deployment.

Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud.

Before you begin

This article is the sixth and final article in the Defender for Servers planning guide series. Before you begin, review the earlier articles: Before you begin, review the earlier articles:

1. Start planning your deployment.
2. Review Defender for Servers access roles.
3. Select a Defender for Servers plan
4. Understand how Defender for Servers collects data for assessment and when you need a workspace.
5. Understand where Defender for Servers stores data.

Enable overview

When you enable a Defender for Cloud subscription, this process occurs:

1. The microsoft.security resource provider is automatically registered on the subscription.
2. At the same time, the Cloud Security Benchmark initiative that's responsible for creating security recommendations and calculating the secure score is assigned to the subscription.
3. After you enable Defender for Cloud on the subscription, you turn on Defender for Servers Plan 1 or Defender for Servers Plan 2.

In the next sections, review considerations for specific steps as you scale your deployment:

• Scale a Microsoft Cloud Security Benchmark deployment
• Scale a Defender for Servers plan

Scale a MCSB deployment

Defender for Cloud assesses and enforces best-practice security configurations using built-in Azure policy initiatives. The Microsoft Cloud Security Benchmark (MCSB) is Defender for Cloud's default initiative.

In a scaled deployment, you might want the MCSB to be automatically assigned.

The assignment is inherited for every existing and future subscription in the management group. To set up your deployment to automatically apply the benchmark, assign the policy initiative to your management group (root) instead of to each subscription.

You can get the Microsoft Cloud Security Benchmark policy definition on GitHub.

Learn more about using a built-in policy definition to register a resource provider.

Scale a Defender for Servers plan

You can use a policy definition to enable Defender for Servers at scale:

• To get the built-in Configure Azure Defender for Servers to be enabled policy definition, in the Azure portal for your deployment, go to Azure Policy > Policy Definitions.

  

• Alternatively, you can use a custom policy to enable Defender for Servers and select the plan at the same time.

• You can enable only one Defender for Servers plan on each subscription. You can't enable both Defender for Servers Plan 1 and Plan 2 at the same subscription.

• If you want to use both plans in your environment, divide your subscriptions into two management groups. On each management group, assign a policy to enable the respective plan on each underlying subscription.

Next steps

Begin a deployment for your scenario:

• Enable a Defender for Servers plan
• Connect an on-premises machine to Azure
• Connect an AWS account to Defender for Cloud
• Connect a GCP project to Defender for Cloud