Ensure Microsoft Defender for Containers is set to 'On'

Overview

Turning on Microsoft Defender for Containers enables threat detection for Container Registries, including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. The following services will be enabled for container instances:

Defender agent in Azure
Azure Policy for Kubernetes
Agentless discovery for Kubernetes
Agentless container vulnerability assessment

Rationale

Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Containers incurs an additional cost per resource.

Default Value

By default, Microsoft Defender for Containers is off.

Remediation guidance

Remediate from Azure Portal

Open Microsoft Defender for Cloud | Environment settings
Select a subscription
Select Defender plans.
Set Status to On for Containers.
Click Save.

Remediate from Azure CLI

(Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers')

Use the command below to enable the standard pricing tier for containers.

az security pricing create -n 'Containers' --tier 'standard'

Remediate from PowerShell

(Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers')

Use the command below to enable the standard pricing tier for containers.

Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure subscriptions without Microsoft Defender for Containers

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { pricing_SOME: { name: "Containers", pricingTier: "Free" } }
  ) {
    ...AssetFragment
  }
}