Enable Microsoft Defender for Cloud Only for Production Resources – Other Plans Should Remain Off

Hello Christopher Cheetham,

I understand you're trying to enable Defender for Servers Plan 2 at the resource level. Please note that Defender for Servers Plan 2 cannot be enabled at the resource level—it can only be enabled at the subscription level. However, you can disable the plan at the resource level if needed.

More details: Decide on deployment scope – Microsoft Learn

To proceed, please try enabling the plan at the subscription level:

1. Go to Microsoft Defender for Cloud → Environment settings
2. Select your subscription
3. Enable Defender for Servers (Plan 2)

If the options are still greyed out, this may be due to insufficient permissions. To enable or modify Microsoft Defender plans, you must have at least one of the following roles at the subscription level:

• Security Admin
• Contributor
• Owner

More info on required roles: Permissions for Defender for Cloud – Microsoft Learn

Please check your permissions and let me know if you're still seeing the greyed-out options.

Hi Raja,

Thanks for your response.

I've followed the instructions and enabled Defender for Servers (Plan 2) at the subscription level, as required. I also verified that I have Owner permissions on the subscription.

However, Defender for Cloud is still listing resources from non-production environments (dev, qa, staging, etc.), even though my intention is to only apply coverage to the yell-production-resources resource group.

To be clear:

I want Defender coverage ONLY for production resources.

I do not want dev/qa/staging resources to be assessed, scanned, or included in the Defender plans.

Right now, all resources from the subscription are showing up in Defender for Cloud, not just the production RG.

What’s the correct approach to scope the monitoring and billing only to the production resource group while excluding everything else?

Thanks, Christopher

Hi Christopher Cheetham,

I understand you're trying to exclude the dev, QA, and staging resource groups from Microsoft Defender for Cloud coverage and apply it only to your production resources — specifically the yell-production-resources resource group.

If you attempt to disable Defender coverage for the dev, QA, or staging resource groups within the same subscription, you may encounter an EnforcementConflict error.

This error occurs because enforcement is currently enabled at the subscription level, which forces all child scopes — including resource groups and individual VMs — to inherit the subscription’s pricing plan. As a result, overrides at the resource group level are blocked.

To support exclusions at the resource level, you’ll need to disable this enforcement flag using the Azure REST API, as this option is not currently exposed in the Azure Portal or CLI.

Here’s the REST API request you can send:

PUT https://management.azure.com/subscriptions/<your-subscription-id>/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2024-01-01

{
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "P2",
    "enforce": "False"
  }
}

Once enforcement is disabled, you’ll be able to assign a different pricing tier — such as Free — at the VM level using tags and Azure Policy.

Please note:

• Microsoft Defender for Servers Plan 2 (subPlan: P2) is only supported at the subscription level.

If you assign a pricing plan at the resource level (e.g., individual VMs), only Plan 1 (subPlan: P1) or Free is supported.

For complete reference, please see Microsoft’s official documentation: Pricings - Update - REST API (Azure Defender for Cloud) | Microsoft Learn

You may also find this GitHub documentation helpful: Enable Defender for Servers at the resource level using PowerShell

By default, Defender for Servers is enabled at the subscription level and covers all Azure VMs, Azure Arc-enabled servers, and VMSS nodes. However, if you want to downgrade specific machines from Plan 2 to Plan 1 or enable only Plan 1 for a subset of machines, you can use the PowerShell script referenced above.