Mission Landing Zone - Deployment Guide using Command Line Tools

February 12, 2026 ยท View on GitHub

Home | Design | Add-Ons | Resources | Costs

Table of Contents

This guide describes how to deploy Mission Landing Zone (MLZ) using the ARM template at src/mlz.json using either Azure CLI or Azure PowerShell. The supported clouds for this guide include the Azure Commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret.

MLZ has only one required parameter, identifier, and provides sensible defaults for the rest. This allows for simple deployments that specify only the parameters that need to differ from the defaults. Information on all the parameters will be provided later in this guide. First, the prerequisites must be completed before any deployments are initiated.

Prerequisites

The following prerequisites are required on the target Azure subscription(s):

Planning

Determine the values for the parameters in your deployment. Consider using a parameters file to capture those details.

Warning

Secrets should never be stored in a parameters files. Be sure to exclude those parameters and you will be prompted for their values during deployment time.

Naming Convention

Resource group and resource names are derived from the following parameters:

Parameter NameDefault ValueDescription
environmentAbbreviationdevThe abbreviation for the target environment.
resourcePrefixA prefix, 1-6 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources within your subscription. Ideally, the value should represent a department or project within your organization.

Deployment Scope

MLZ can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.

The optional parameters related to subscriptions are below. They default to the subscription used for deployment.

Parameter NameDefault ValueDescription
deployIdentityfalseChoose to deploy the identity resources. The identity resoures are not required if you plan to use cloud identities.
hubSubscriptionIdDeployment subscriptionSubscription containing the firewall and network hub
identitySubscriptionIdDeployment subscriptionTier 0 for identity solutions
locationdeployment().locationThe region to deploy resources into.
operationsSubscriptionIdDeployment subscriptionTier 1 for network operations and security tools
sharedServicesSubscriptionIdDeployment subscriptionTier 2 for shared services

Networking

The following parameters affect the networking resources. For the address prefixes, each virtual network and subnet has been given a default value to ensure they fall within the default super network. Refer to the Networking page for all the default address prefixes.

Parameter NameDefault ValueDescription
deployNetworkWatcherTrafficAnalyticsfalseWhen set to true, deploys Network Watcher Traffic Analytics.
dnsServers['168.63.129.16']The Azure Firewall DNS Proxy will forward all DNS traffic. When this value is set to true, you must provide a value for "servers". This should be a comma separated list of IP addresses to forward DNS traffic.
existingHubNetworkWatcherResourceId''The resource ID for an existing network watcher in the Hub tier for the desired deployment location. Only one network watcher per location can exist in a subscription and must be specified if it already exists. If the value is left empty, a new network watcher resource will be created.
existingIdentityNetworkWatcherResourceId''The resource ID for an existing network watcher in the Identity tier for the desired deployment location. Only one network watcher per location can exist in a subscription and must be specified if it already exists. If the value is left empty, a new network watcher resource will be created.
existingOperationsNetworkWatcherResourceId''The resource ID for an existing network watcher in the Operations tier for the desired deployment location. Only one network watcher per location can exist in a subscription and must be specified if it already exists. If the value is left empty, a new network watcher resource will be created.
existingSharedServicesNetworkWatcherResourceId''The resource ID for an existing network watcher in the Shared Services tier for the desired deployment location. Only one network watcher per location can exist in a subscription and must be specified if it already exists. If the value is left empty, a new network watcher resource will be created.
hubNetworkSecurityGroupRules[]An array of Network Security Group Rules to apply to the Hub Virtual Network. Reference
hubSubnetAddressPrefix10.0.128.128/26The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
hubVirtualNetworkAddressPrefix10.0.128.0/23The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
identityNetworkSecurityGroupRules[]An array of Network Security Group Rules to apply to the Identity Virtual Network. Reference
identitySubnetAddressPrefix10.0.130.0/24The CIDR Subnet Address Prefix for the default Identity subnet. It must be in the Identity Virtual Network space.
identityVirtualNetworkAddressPrefix10.0.130.0/24The CIDR Virtual Network Address Prefix for the Identity Virtual Network.
operationsNetworkSecurityGroupRules[]An array of Network Security Group rules to apply to the Operations Virtual Network. Reference
operationsSubnetAddressPrefix10.0.131.0/24The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
operationsVirtualNetworkAddressPrefix10.0.131.0/24The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
sharedServicesNetworkSecurityGroupRules[]An array of Network Security Group rules to apply to the SharedServices Virtual Network. Reference
sharedServicesSubnetAddressPrefix10.0.132.0/24The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
sharedServicesVirtualNetworkAddressPrefix10.0.132.0/24The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.

Azure Firewall

By default, MLZ deploys Azure Firewall Premium. Not all regions support Azure Firewall Premium. Check here to see if the region you're deploying to supports Azure Firewall Premium. If necessary you can set a different firewall SKU or location.

You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the firewallSkuTier parameter. This parameter only accepts the values of Premium or Standard.

Additionally, you can specify customFirewallRuleCollectionGroups parameter with a set of firewall rule collection groups that can define the firewall rules used.

Parameter NameDefault ValueDescription
enableProxytrueThe Azure Firewall DNS Proxy will forward all DNS traffic.
firewallClientPublicIPAddressAvailabilityZones[]An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. Reference
firewallClientSubnetAddressPrefix10.0.128.0/26The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
firewallIntrusionDetectionModeAlertThe Azure Firewall Intrusion Detection mode.
firewallManagementPublicIPAddressAvailabilityZones[]An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. Reference
firewallManagementSubnetAddressPrefix10.0.128.64/26The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
firewallSkuTierPremiumThe SKU for Azure Firewall. Selecting a value other than Premium is not recommended for environments that are required to be SCCA compliant.
firewallSupernetIPAddress10.0.128.0/18Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses.
firewallThreatIntelModeAlert[Alert/Deny/Off] The Azure Firewall Threat Intelligence Rule triggered logging behavior.
customFirewallRuleCollectionGroupsFirewall collection group definitionFirewall rules associated with the MLZ deployment.

Azure Firewall: Multiple Public IPs

To deploy the MLZ with multiple static public IP addresses for the Azure Firewall, use the additionalFwPipCount parameter. For example:

az deployment sub create \
  --location <location> \
  --template-file src/mlz.bicep \
  --parameters additionalFwPipCount=2

This will create two additional static public IPs for the firewall.

Azure Firewall Public IP Addresses

You can control the number of static public IP addresses (PIPs) assigned to Azure Firewall by setting the additionalFwPipCount parameter. This is useful for advanced NAT rule scenarios.

Example CLI usage:

az deployment sub create \
  --location <location> \
  --template-file src/mlz.bicep \
  --parameters additionalFwPipCount=2

This will provision two additional static PIPs for the Azure Firewall, in addition to the default one.

Monitoring

Set the following settings to enable the capture of resource logs and metrics:

Parameter NameDefault ValueDescription
firewallDiagnosticsLogsAzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy, AZFWNetworkRule, AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWIdpsSignature, AZFWDnsQuery, AZFWFqdnResolveFailure, AZFWFatFlow, AZFWFlowTrace, AZFWApplicationRuleAggregation, AZFWNetworkRuleAggregation, AZFWNatRuleAggregationAn array of Firewall Diagnostic Logs categories to collect.
firewallDiagnosticsMetricsAllMetricsAn array of Firewall Diagnostic Metrics categories to collect. Reference
hubNetworkSecurityGroupDiagnosticsLogsNetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounterAn array of Network Security Group diagnostic logs to apply to the Hub Virtual Network. Reference
hubVirtualNetworkDiagnosticsLogsVMProtectionAlertsAn array of Network Diagnostic Logs to enable for the Hub Virtual Network. Reference
hubVirtualNetworkDiagnosticsMetricsAllMetricsAn array of Network Diagnostic Metrics to enable for the Hub Virtual Network. Reference
identityNetworkSecurityGroupDiagnosticsLogsNetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounterAn array of Network Security Group diagnostic logs to apply to the Identity Virtual Network. Reference
identityVirtualNetworkDiagnosticsLogsVMProtectionAlertsAn array of Network Diagnostic Logs to enable for the Identity Virtual Network. Reference
identityVirtualNetworkDiagnosticsMetricsAllMetricsAn array of Network Diagnostic Metrics to enable for the Identity Virtual Network. Reference
keyVaultDiagnosticsLogsAuditEvent, AzurePolicyEvaluationDetailsAn array of Key Vault Diagnostic Logs categories to collect. Reference
keyVaultDiagnosticsMetricsAllMetricsThe Key Vault Diagnostic Metrics to collect. Reference
logAnalyticsWorkspaceCappingDailyQuotaGb-1The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to "-1" for no quota.
logAnalyticsWorkspaceRetentionInDays30The number of days to retain Log Analytics Workspace logs without Sentinel.
logAnalyticsWorkspaceSkuNamePerGB2018The SKU for the Log Analytics Workspace. It defaults to "PerGB2018". Reference
logStorageSkuNameStandard_GRSThe Storage Account SKU to use for log storage. It defaults to "Standard_GRS". Reference
networkInterfaceDiagnosticsMetricsAllMetricsAn array of metrics to enable on the diagnostic setting for network interfaces.
networkWatcherFlowLogsRetentionDays30The number of days to retain Network Watcher Flow Logs.
networkWatcherFlowLogsTypeVirtualNetworkThe type of network watcher flow logs to enable. It defaults to "VirtualNetwork" since they provide more data and NSG flow logs will be deprecated in June 2025.
operationsNetworkSecurityGroupDiagnosticsLogsNetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounterAn array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. Reference
operationsVirtualNetworkDiagnosticsLogsVMProtectionAlertsAn array of Network Diagnostic Logs to enable for the Operations Virtual Network. Reference
operationsVirtualNetworkDiagnosticsMetricsAllMetricsAn array of Network Diagnostic Metrics to enable for the Operations Virtual Network. Reference
publicIPAddressDiagnosticsLogsDDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReportsAn array of Public IP Address Diagnostic Logs for the Azure Firewall. Reference
publicIPAddressDiagnosticsMetricsAllMetricsAn array of Public IP Address Diagnostic Metrics for the Azure Firewall. Reference
sharedServicesNetworkSecurityGroupDiagnosticsLogsNetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounterAn array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. Reference
sharedServicesVirtualNetworkDiagnosticsLogsVMProtectionAlertsAn array of Network Diagnostic Logs to enable for the SharedServices Virtual Network. Reference
sharedServicesVirtualNetworkDiagnosticsMetricsAllMetricsAn array of Network Diagnostic Metrics to enable for the SharedServices Virtual Network. Reference

Azure Policy Initiatives: NISTRev4, NISTRev5, DoD IL5, & CMMC

To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the deployPolicy=true parameter with policy assigned to one of the following: NISTRev4, NISTRev5, IL5, or CMMC.

The result will be a policy assignment created for each resource group deployed by MLZ that can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.

Parameter NameDefault ValueDescription
deployPolicy'false'When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".
policyNISTRev4[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.

Under the src/bicep/modules/policies directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value <LAWORKSPACE> that we substitute at deployment time -- any other parameter can be modified as needed).

Microsoft Defender for Cloud

By default Microsoft Defender for Cloud offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.

Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in MLZ by setting the parameter deployDefender during deployment. In addition you can include the emailSecurityContact parameter to set a contact email for alerts.

Parameter NameDefault ValueDescription
deployDefenderfalseWhen set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
deployDefenderPlans['VirtualMachines']Paid Workload Protection plans for Defender for Cloud. It defaults to "VirtualMachines".
defenderSkuTierFreeThe SKU for Defender for Cloud
emailSecurityContact''Email address of the contact, in the form of john@doe.com

The Defender plan for Microsoft Defender for Cloud is enabled by default in the following Azure Environments: AzureCloud. To enable this for other Azure Cloud environments, this will need to executed manually. Documentation on how to do this can be found here.

Azure Sentinel

Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled using the following setting:

Parameter NameDefault ValueDescription
deploySentinelfalseWhen set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment.

Remote Access

Azure Gateway Subnet

Create a gateway subnet for the Hub virtual network. Deploying this subnet simplifies the deployment of a virtual network gateway to support a site-to-site VPN or express route connection. Set the following settings to deploy the Gateway Subnet:

Parameter NameDefault ValueDescription
azureGatewaySubnetAddressPrefix10.0.129.192/26The CIDR Subnet Address Prefix for the Azure Gateway Subnet. It must be in the Hub Virtual Network space. It must be /26.
deployAzureGatewaySubnetfalseWhen set to "true", provisions Azure Gateway Subnet only.

Azure Bastion

Remotely access the network and resources without exposing them via public endpoints using Azure Bastion. Set the following parameters to configure the Azure Bastion service:

Parameter NameDefault ValueDescription
bastionDiagnosticsLogsBastionAuditLogsThe logs enabled in the diagnostic setting for Bastion.
bastionDiagnosticsMetricsAllMetricsThe metrics enabled in the diagnostic setting for Bastion.
bastionHostPublicIPAddressAvailabilityZonesnullThe availability zones for the public IP address for Bastion.
bastionHostSubnetAddressPrefix10.0.128.192/26The address prefix for the subnet for Bastion.
deployBastionfalseWhen set to 'true', provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".

Windows Jumpbox

Deploy a Windows virtual machine as a jumpbox into the Hub network. The VM must be accessed using Azure Bastion. Set the following values to configure the Windows jumpbox:

Parameter NameDefault ValueDescription
deployWindowsVirtualMachinefalseWhen set to 'true', a Windows virtual machine is deployed.
hybridUseBenefitfalseThe hybrid use benefit provides a discount on virtual machines when a customer has an on-premises Windows Server license with Software Assurance.
windowsVmAdminPasswordnew guidThe administrator password the Windows virtual machine to Azure Bastion remote into. It must be > 12 characters in length. See password requirements for creating a Windows VM.
windowsVmAdminUsernamexadminThe administrator username for the Windows virtual machine for remote access.
windowsVmCreateOptionFromImageThe create option for the disk on the Windows virtual machine.
windowsVmImageOfferWindowsServerThe marketplace image offer for the Windows virtual machine.
windowsVmImagePublisherMicrosoftWindowsServerThe marketplace image publisher for the Windows virtual machine.
windowsVmImageSku2019-datacenter-gensecondThe marketplace image SKU for the Windows virtual machine.
windowsVmNetworkInterfacePrivateIPAddressAllocationMethodDynamicThe public IP Address allocation method for the Windows virtual machine.
windowsVmSizeStandard_D2s_v3The size for the Windows virtual machine.
windowsVmStorageAccountTypeStandardSSD_LRSThe disk SKU for the Windows virtual machine.
windowsVmVersionlatestThe marketplace image version for the Windows virtual machine.

Linux Jumpbox

Deploy a Linux virtual machine as a jumpbox into the Hub network. The VM must be accessed using Azure Bastion. Set the following values to configure the Linux jumpbox:

Parameter NameDefault ValueDescription
deployLinuxVirtualMachinefalseWhen set to 'true', a Linux virtual machine is deployed.
linuxNetworkInterfacePrivateIPAddressAllocationMethodDynamicThe allocation method for the private IP address on the Linux virtual machine.
linuxVmAdminPasswordOrKeynew guidThe administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See password requirements for creating a Linux VM.
linuxVmAdminUsernamexadminThe administrator username for the Linux Virtual Machine to Azure Bastion remote into.
linuxVmAuthenticationType'password'[sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "password".
linuxVmImageOffer0001-com-ubuntu-server-focalThe marketplace image offer for Linux images.
linuxVmImagePublisherCanonicalThe marketplace image publisher for Linux images.
linuxVmImageSku20_04-lts-gen2The marketplace image SKU for Linux images.
linuxVmOsDiskCreateOptionFromImageThe disk creation option of the Linux Virtual Machine for remote access.
linuxVmOsDiskTypeStandard_LRSThe disk SKU of the Linux Virtual Machine.
linuxVmSizeStandard_D2s_v3The size for the Linux virtual machine.

Other Settings

Parameter NameDefault ValueDescription
supportedCloudsAzureCloud, AzureUSGovernmentThe Azure clouds that support specific service features.
tags{}A string dictionary of tags to add to deployed resources. Reference

Modifying the Naming Conventions

MLZ resources are named according to the naming conventions defined in the following bicep file: src/bicep/modules/naming-convention.bicep

There are two conventions used, depending on the type of resource. One convention is used to signify the relationship between itself and parent resources so the name contains a service token. The other convention is the same except it lacks the service token. Global resources, like storage accounts, use the unique string function to create names that will prevent collisions with other Azure customers.

When modifying the naming conventions, be sure to only reorder the components or remove components for the namingConvention and namingConvention_Service variables.

Warning

When changing any bicep files, be sure to compile the changes to JSON.

Deploy MLZ

Use the New-AzSubscriptionDeployment PowerShell cmdlet or the az deployment sub AZ CLI command to deploy MLZ across one or many subscriptions. CI/CD pipelines can be wrapped around these deployment methods to support DevOps enivronments. Details on this topic are not covered by the MLZ documentation.

Connect to Azure

Before executing an deployment, first ensure you are connected to Azure. Use the following examples to connect to any of the supported Azure clouds:

# PowerShell
Connect-AzAccount -Environment '<Azure Cloud Name>' -UseDeviceAuthentication
# AZ CLI
az cloud set -n '<Azure Cloud Name>'
az login

Deployment

To deploy MLZ, specify the values for the location, parameters file, and template file.

# PowerShell
New-AzSubscriptionDeployment `
  -Location 'eastus' `
  -TemplateFile 'mlz.json' `
  -TemplateParametersFile 'mlz.parameters.json'
# AZ CLI
az deployment sub create \
  --location 'eastus' \
  --template-file './mlz.json' \
  --parameters @mlz.parameters.json

Tip

MLZ can be deployed into one or more subscriptions. To deploy into a single subscription, ensure the same subscription ID is used for the following parameters: hubSubscriptionId, identitySubscriptionId, operationsSubscriptionId, and sharedServicesSubscriptionId. Use unique values for each parameter to spread the deployment to multiple subscriptions.

Deployment Output

After you've deployed Mission Landing Zone you can integrate add-ons with the output of MLZ. PowerShell, Azure CLI, and JMESpath queries allow you to retrieve outputs from a deployment and pass them as parameters into another deployment.

  • PowerShell: use the Get-AzSubscriptionDeployment cmdlet.
  • Azure CLI: use the az deployment sub show command with a --query argument to retrieve information about the resources you deployed.

In this example, MLZ was deployed using a deployment name of myMissionLandingZone. The deployment name is the name parameter you set on az deployment sub create or New-AzSubscriptionDeployment.

When an MLZ deployment is complete, you can see all the resources provisioned in that deployment by querying the outputs property:

# PowerShell
(Get-AzSubscriptionDeployment -Name myMissionLandingZone).outputs | ConvertTo-Json
# AZ CLI
az deployment sub show \
  --name "myMissionLandingZone" \
  --query "properties.outputs"

If you need a single property value you can retrieve it like this:

# AZ CLI
az deployment sub show \
  --name "myMissionLandingZone" \
  --query "properties.outputs.firewallPrivateIPAddress.value"
# PowerShell
(Get-AzSubscriptionDeployment -Name myMissionLandingZone).outputs.firewallPrivateIPAddress

If you want to export the data for use in other ARM template deployments, like the shared variable file pattern, you can export the outputs to a json file.

# PowerShell
(Get-AzSubscriptionDeployment -Name myMissionLandingZone).outputs `
  | ConvertTo-Json `
  | Out-File -FilePath .\deploymentVariables.json
# AZ CLI
az deployment sub show \
  --name "myMissionLandingZone" \
  --query "properties.outputs" > ./deploymentVariables.json

Remove MLZ

The Bicep/ARM deployment of Mission Landing Zone can be deleted with these steps:

  1. Delete all resource groups.
  2. Delete the diagnostic settings deployed at the subscription level.
  3. If Microsoft Defender for Cloud was deployed (parameter deployDefender=true was used) then remove subscription-level policy assignments and downgrade the Microsoft Defender for Cloud pricing tiers.

Warning

If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: "The limit of 5 diagnostic settings was reached."

To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.

To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:

# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query value[] --output table

# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>

To delete the subscription-level policy assignments in the Azure portal:

  1. Navigate to the Policy page and select the Assignments tab in the left navigation bar.
  2. At the top, in the Scope box, choose the subscription(s) that contain the policy assignments you want to remove.
  3. In the table click the ellipsis menu ("...") and choose "Delete assignment".

To delete the subscription-level policy assignments using the AZ CLI:

# View the policy assignments for the current subscription
az policy assignment list -o table --query "[].{Name:name, DisplayName:displayName, Scope:scope}"

# Remove a policy assignment in the current subscription scope.
az policy assignment delete --name "<name of policy assignment>"

To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:

  1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
  2. In the tree/grid select the subscription you want to manage.
  3. Click the large box near the top of the page that says "Enhanced security off".
  4. Click the save button.

To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:

# List the pricing tiers
az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"

# Change a pricing tier to the default free tier
az security pricing create --name "<name of tier>" --tier Free

Note

The Azure portal allows changing all pricing tiers with a single setting, but the AZ CLI requires each setting to be managed individually.

References