Defender for API not enabled in latest MDFC Initiative #1885
Comments
|
@robsissons-contino thanks for raising this issue. This has been a gap since early 2024 when the product group changed the APIs for Defender for API as it transitioned from free public preview to a paid service. As part of this transition, the API commands were updated to require sub-plans appropriately sized for the service, and there is no free plan. Accordingly the originally provided policy was deprecated (it doesn't work anymore): https://www.azadvertizer.net/azpolicyadvertizer/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6.html We are working with product group to provide a new policy, however, due to internal priorities this has been delayed. We are actively tracking this in our backlog, and will add the policy as soon as it becomes available. We DO enable Defender for API on all subscriptions using sub-plan 1 (the smallest) are part of the initial landing zone deployment (we do this through ARM), however, new subscriptions that would normally be remediated using the |
Describe the bug
Latest version of Deploy-MDFC Initiative does not include DefenderForApis
We use the downstream CAF Enterprise Scale Terraform module (https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) and our subscriptions are not registering Defender for API with the policies which are assigned as part of the module.
I raised an issue (Azure/terraform-azurerm-caf-enterprise-scale#1167) with the team who advise that all policies are taken from this repo.
Upon investigation I see that the previous version of the 'Deploy-MDFC-Config' initiative here, which is superseded by this policy did contain a policy definition to enable Defender for Apis.
Is this intentional?
Is there a plan to add defender for Api back in to the initiative?
Steps to reproduce
The text was updated successfully, but these errors were encountered: