Configure Azure Defender for Cloud Pricing

The azure-native:security:Pricing resource, part of the Pulumi Azure Native provider, controls the Microsoft Defender for Cloud pricing tier and feature enablement at the subscription or resource level. This guide focuses on four capabilities: subscription-level plan enablement, resource-level selective protection, extension configuration for container security, and sub-plan selection with enforcement.

Pricing configurations reference existing Azure subscriptions and optionally specific resources like VMs, AKS clusters, or container registries. The examples are intentionally small. Combine them with your own subscription structure and resource topology.

Enable CloudPosture plan at subscription level

Organizations starting with Defender for Cloud often enable CloudPosture first to gain visibility into security posture across their entire subscription.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Subscription-wide scope: every resource inside the subscription is covered
// by the plan declared below.
const subscriptionScope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23";

// Enable the CloudPosture plan at the Standard tier. Standard is the paid tier
// that unlocks the plan's advanced features; Free provides only the basics.
const pricing = new azure_native.security.Pricing("pricing", {
    scopeId: subscriptionScope,
    pricingName: "CloudPosture",
    pricingTier: azure_native.security.PricingTier.Standard,
});
import pulumi
import pulumi_azure_native as azure_native

# Subscription-wide scope: every resource inside the subscription is covered
# by the plan declared below.
subscription_scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"

# Enable the CloudPosture plan at the Standard tier (the paid tier that unlocks
# the plan's advanced features; Free provides only the basics).
pricing = azure_native.security.Pricing(
    "pricing",
    scope_id=subscription_scope,
    pricing_name="CloudPosture",
    pricing_tier=azure_native.security.PricingTier.STANDARD,
)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main enables the CloudPosture plan (Standard tier) for a single subscription.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Subscription-wide scope: every resource inside it is covered by the plan.
		subscriptionScope := "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"

		// Standard is the paid tier that unlocks the plan's advanced features.
		_, err := security.NewPricing(ctx, "pricing", &security.PricingArgs{
			ScopeId:     pulumi.String(subscriptionScope),
			PricingName: pulumi.String("CloudPosture"),
			PricingTier: pulumi.String(security.PricingTierStandard),
		})
		// A nil err is returned as-is, so no separate success branch is needed.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Subscription-wide scope: every resource inside the subscription is
    // covered by the plan declared below.
    const string subscriptionScope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23";

    // Enable the CloudPosture plan at the Standard tier (the paid tier that
    // unlocks the plan's advanced features; Free provides only the basics).
    var pricing = new AzureNative.Security.Pricing("pricing", new AzureNative.Security.PricingArgs
    {
        ScopeId = subscriptionScope,
        PricingName = "CloudPosture",
        PricingTier = AzureNative.Security.PricingTier.Standard,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Pricing;
import com.pulumi.azurenative.security.PricingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Enables the CloudPosture plan (Standard tier) for a single subscription. */
public class App {
    /** Subscription-wide scope: every resource inside the subscription is covered. */
    private static final String SUBSCRIPTION_SCOPE =
        "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the Pricing resource. Standard is the paid tier that unlocks the
     * plan's advanced features; Free provides only the basics.
     */
    public static void stack(Context ctx) {
        var args = PricingArgs.builder()
            .scopeId(SUBSCRIPTION_SCOPE)
            .pricingName("CloudPosture")
            .pricingTier("Standard")
            .build();
        var pricing = new Pricing("pricing", args);
    }
}
# Enables the CloudPosture plan at the Standard (paid) tier for a whole
# subscription; every resource inside that subscription is covered.
resources:
  pricing:
    type: azure-native:security:Pricing
    properties:
      pricingName: CloudPosture
      pricingTier: Standard
      # Subscription-wide scope (format: subscriptions/{subscriptionId}).
      scopeId: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23

The scopeId property targets a subscription using the format subscriptions/{subscriptionId}. The pricingName identifies which Defender plan to enable (CloudPosture, VirtualMachines, Containers, etc.). Setting pricingTier to Standard activates advanced security features; Free provides basic capabilities only.

Enable VirtualMachines plan with enforcement and sub-plan

VM protection requires choosing between P1 (basic) and P2 (advanced) sub-plans, and optionally enforcing the configuration across all child resources.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Subscription-wide scope: every VM in the subscription falls under this plan.
const subscriptionScope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23";

// VirtualMachines plan, Standard tier, P2 (advanced) sub-plan. enforce=True
// stops child scopes from overriding this configuration, so a resource-level
// Pricing cannot downgrade protection below what is set here.
const pricing = new azure_native.security.Pricing("pricing", {
    scopeId: subscriptionScope,
    pricingName: "VirtualMachines",
    pricingTier: azure_native.security.PricingTier.Standard,
    subPlan: "P2",
    enforce: azure_native.security.Enforce.True,
});
import pulumi
import pulumi_azure_native as azure_native

# Subscription-wide scope: every VM in the subscription falls under this plan.
subscription_scope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"

# VirtualMachines plan, Standard tier, P2 (advanced) sub-plan. enforce=TRUE
# stops child scopes from overriding this configuration, so a resource-level
# Pricing cannot downgrade protection below what is set here.
pricing = azure_native.security.Pricing(
    "pricing",
    scope_id=subscription_scope,
    pricing_name="VirtualMachines",
    pricing_tier=azure_native.security.PricingTier.STANDARD,
    sub_plan="P2",
    enforce=azure_native.security.Enforce.TRUE,
)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main enables the VirtualMachines plan (Standard tier, P2 sub-plan) for a
// single subscription and enforces it on all child scopes.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Subscription-wide scope: every VM in the subscription falls under this plan.
		subscriptionScope := "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"

		// Enforce=True stops child scopes from overriding this configuration, so
		// a resource-level Pricing cannot downgrade protection below this level.
		_, err := security.NewPricing(ctx, "pricing", &security.PricingArgs{
			ScopeId:     pulumi.String(subscriptionScope),
			PricingName: pulumi.String("VirtualMachines"),
			PricingTier: pulumi.String(security.PricingTierStandard),
			SubPlan:     pulumi.String("P2"),
			Enforce:     pulumi.String(security.EnforceTrue),
		})
		// A nil err is returned as-is, so no separate success branch is needed.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Subscription-wide scope: every VM in the subscription falls under this plan.
    const string subscriptionScope = "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23";

    // VirtualMachines plan, Standard tier, P2 (advanced) sub-plan. Enforce=True
    // stops child scopes from overriding this configuration, so a resource-level
    // Pricing cannot downgrade protection below what is set here.
    var pricing = new AzureNative.Security.Pricing("pricing", new AzureNative.Security.PricingArgs
    {
        ScopeId = subscriptionScope,
        PricingName = "VirtualMachines",
        PricingTier = AzureNative.Security.PricingTier.Standard,
        SubPlan = "P2",
        Enforce = AzureNative.Security.Enforce.True,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Pricing;
import com.pulumi.azurenative.security.PricingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Enables the VirtualMachines plan (Standard tier, P2 sub-plan) for a single
 * subscription and enforces it on all child scopes.
 */
public class App {
    /** Subscription-wide scope: every VM in the subscription falls under this plan. */
    private static final String SUBSCRIPTION_SCOPE =
        "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the Pricing resource. enforce("True") stops child scopes from
     * overriding this configuration, so a resource-level Pricing cannot
     * downgrade protection below what is set here.
     */
    public static void stack(Context ctx) {
        var args = PricingArgs.builder()
            .scopeId(SUBSCRIPTION_SCOPE)
            .pricingName("VirtualMachines")
            .pricingTier("Standard")
            .subPlan("P2")
            .enforce("True")
            .build();
        var pricing = new Pricing("pricing", args);
    }
}
# Enables the VirtualMachines plan (Standard tier, P2 sub-plan) for a whole
# subscription and enforces it on every child scope.
resources:
  pricing:
    type: azure-native:security:Pricing
    properties:
      # True: child scopes cannot override this configuration, so a
      # resource-level Pricing cannot downgrade protection below this level.
      enforce: True
      pricingName: VirtualMachines
      pricingTier: Standard
      # Subscription-wide scope (format: subscriptions/{subscriptionId}).
      scopeId: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23
      # P2 is the advanced sub-plan; it is only selectable at subscription scope.
      subPlan: P2

The subPlan property selects the P1 or P2 feature set for the VirtualMachines plan. The enforce property controls inheritance: when set to True, it prevents child resources from overriding this configuration, so protection cannot be weakened at the resource level. This ensures consistent protection across all VMs in the subscription.

Enable VirtualMachines plan on a specific VM

Resource-level pricing allows you to enable Defender plans for individual VMs rather than entire subscriptions, useful for selective protection or testing.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Resource-level scope: only this one VM is covered. Other VMs in the
// subscription get nothing from this resource.
const vmScope =
    "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/DEMO/providers/Microsoft.Compute/virtualMachines/VM-1";

// Resource-level VirtualMachines pricing supports only the P1 sub-plan.
// NOTE(review): pricingName is lower-camel here but "VirtualMachines" in the
// subscription-level example — confirm which spelling your API version expects.
const pricing = new azure_native.security.Pricing("pricing", {
    scopeId: vmScope,
    pricingName: "virtualMachines",
    pricingTier: azure_native.security.PricingTier.Standard,
    subPlan: "P1",
});
import pulumi
import pulumi_azure_native as azure_native

# Resource-level scope: only this one VM is covered. Other VMs in the
# subscription get nothing from this resource.
vm_scope = (
    "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"
    "/resourceGroups/DEMO/providers/Microsoft.Compute/virtualMachines/VM-1"
)

# Resource-level VirtualMachines pricing supports only the P1 sub-plan.
# NOTE(review): pricing_name is lower-camel here but "VirtualMachines" in the
# subscription-level example — confirm which spelling your API version expects.
pricing = azure_native.security.Pricing(
    "pricing",
    scope_id=vm_scope,
    pricing_name="virtualMachines",
    pricing_tier=azure_native.security.PricingTier.STANDARD,
    sub_plan="P1",
)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main enables the VirtualMachines plan (Standard tier, P1 sub-plan) for one
// specific VM rather than the whole subscription.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource-level scope: only this VM is covered; other VMs in the
		// subscription get nothing from this resource.
		vmScope := "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/DEMO/providers/Microsoft.Compute/virtualMachines/VM-1"

		// Resource-level VirtualMachines pricing supports only the P1 sub-plan.
		// NOTE(review): PricingName is lower-camel here but "VirtualMachines" in the
		// subscription-level example — confirm which spelling your API version expects.
		_, err := security.NewPricing(ctx, "pricing", &security.PricingArgs{
			ScopeId:     pulumi.String(vmScope),
			PricingName: pulumi.String("virtualMachines"),
			PricingTier: pulumi.String(security.PricingTierStandard),
			SubPlan:     pulumi.String("P1"),
		})
		// A nil err is returned as-is, so no separate success branch is needed.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Resource-level scope: only this one VM is covered. Other VMs in the
    // subscription get nothing from this resource.
    const string vmScope =
        "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/DEMO/providers/Microsoft.Compute/virtualMachines/VM-1";

    // Resource-level VirtualMachines pricing supports only the P1 sub-plan.
    // NOTE(review): PricingName is lower-camel here but "VirtualMachines" in the
    // subscription-level example — confirm which spelling your API version expects.
    var pricing = new AzureNative.Security.Pricing("pricing", new AzureNative.Security.PricingArgs
    {
        ScopeId = vmScope,
        PricingName = "virtualMachines",
        PricingTier = AzureNative.Security.PricingTier.Standard,
        SubPlan = "P1",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Pricing;
import com.pulumi.azurenative.security.PricingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Enables the VirtualMachines plan (Standard tier, P1 sub-plan) for one
 * specific VM rather than the whole subscription.
 */
public class App {
    /**
     * Resource-level scope: only this VM is covered; other VMs in the
     * subscription get nothing from this resource.
     */
    private static final String VM_SCOPE =
        "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/DEMO/providers/Microsoft.Compute/virtualMachines/VM-1";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the Pricing resource. Resource-level VirtualMachines pricing
     * supports only the P1 sub-plan.
     * NOTE(review): pricingName is lower-camel here but "VirtualMachines" in
     * the subscription-level example — confirm which spelling your API
     * version expects.
     */
    public static void stack(Context ctx) {
        var args = PricingArgs.builder()
            .scopeId(VM_SCOPE)
            .pricingName("virtualMachines")
            .pricingTier("Standard")
            .subPlan("P1")
            .build();
        var pricing = new Pricing("pricing", args);
    }
}
# Enables the VirtualMachines plan (Standard tier, P1 sub-plan) for one
# specific VM; other VMs in the subscription get nothing from this resource.
resources:
  pricing:
    type: azure-native:security:Pricing
    properties:
      # NOTE(review): lower-camel here but "VirtualMachines" in the
      # subscription-level example — confirm which spelling your API version expects.
      pricingName: virtualMachines
      pricingTier: Standard
      # Resource-level scope (format: subscriptions/{id}/resourceGroups/{rg}/providers/{type}/{name}).
      scopeId: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/DEMO/providers/Microsoft.Compute/virtualMachines/VM-1
      # Resource-level VirtualMachines pricing supports only P1.
      subPlan: P1

When scopeId targets a specific resource (format: subscriptions/{id}/resourceGroups/{rg}/providers/{type}/{name}), the pricing applies only to that resource. Resource-level VirtualMachines plans support only the P1 sub-plan. A resource-level configuration is independent of its parent scopes: it never propagates up to the subscription, and it is not overridden by the subscription unless inheritance is explicitly configured.

Enable Containers plan with multiple extensions on AKS

Container security requires enabling multiple extensions that work together to provide vulnerability scanning, runtime protection, and agentless discovery.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Resource-level scope: the plan and its extensions apply to this one AKS cluster.
const clusterScope =
    "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/demo-containers-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks-cluster";

// Builds one enabled extension entry. `extras`, when given, is passed through
// as additionalExtensionProperties; the API takes those values as strings.
const enabled = (name: string, extras?: { [key: string]: string }) => ({
    name,
    isEnabled: azure_native.security.IsEnabled.True,
    ...(extras ? { additionalExtensionProperties: extras } : {}),
});

// Containers plan at the Standard tier with every listed extension switched on.
// ExclusionTags is a JSON-encoded list; "[]" excludes nothing, so every VM in
// scope is scanned. A non-empty list creates scanning blind spots — review it.
const pricing = new azure_native.security.Pricing("pricing", {
    scopeId: clusterScope,
    pricingName: "Containers",
    pricingTier: azure_native.security.PricingTier.Standard,
    extensions: [
        enabled("ContainerRegistriesVulnerabilityAssessments"),
        enabled("ContainerSensor"),
        enabled("AgentlessDiscoveryForKubernetes"),
        enabled("AgentlessVmScanning", { ExclusionTags: "[]" }),
        enabled("ContainerIntegrityContribution"),
    ],
});
import pulumi
import pulumi_azure_native as azure_native

# Resource-level scope: the plan and its extensions apply to this one AKS cluster.
cluster_scope = (
    "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23"
    "/resourceGroups/demo-containers-rg/providers/Microsoft.ContainerService"
    "/managedClusters/demo-aks-cluster"
)


def _enabled(name, **extras):
    """Build one enabled extension entry.

    Any keyword arguments are passed through as additional_extension_properties;
    the API takes those values as strings.
    """
    ext = {"name": name, "is_enabled": azure_native.security.IsEnabled.TRUE}
    if extras:
        ext["additional_extension_properties"] = extras
    return ext


# Containers plan at the Standard tier with every listed extension switched on.
# ExclusionTags is a JSON-encoded list; "[]" excludes nothing, so every VM in
# scope is scanned. A non-empty list creates scanning blind spots — review it.
pricing = azure_native.security.Pricing(
    "pricing",
    scope_id=cluster_scope,
    pricing_name="Containers",
    pricing_tier=azure_native.security.PricingTier.STANDARD,
    extensions=[
        _enabled("ContainerRegistriesVulnerabilityAssessments"),
        _enabled("ContainerSensor"),
        _enabled("AgentlessDiscoveryForKubernetes"),
        _enabled("AgentlessVmScanning", ExclusionTags="[]"),
        _enabled("ContainerIntegrityContribution"),
    ],
)
package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main enables the Containers plan (Standard tier) on one AKS cluster with a
// set of extensions switched on.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource-level scope: the plan and its extensions apply to this cluster only.
		clusterScope := "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/demo-containers-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks-cluster"

		// enabled builds one switched-on extension entry; extras, when non-nil,
		// become AdditionalExtensionProperties (the API takes their values as strings).
		enabled := func(name string, extras map[string]interface{}) *security.ExtensionArgs {
			ext := &security.ExtensionArgs{
				Name:      pulumi.String(name),
				IsEnabled: pulumi.String(security.IsEnabledTrue),
			}
			if extras != nil {
				ext.AdditionalExtensionProperties = pulumi.Any(extras)
			}
			return ext
		}

		// ExclusionTags is a JSON-encoded list; "[]" excludes nothing, so every VM
		// in scope is scanned. A non-empty list creates scanning blind spots.
		_, err := security.NewPricing(ctx, "pricing", &security.PricingArgs{
			ScopeId:     pulumi.String(clusterScope),
			PricingName: pulumi.String("Containers"),
			PricingTier: pulumi.String(security.PricingTierStandard),
			Extensions: security.ExtensionArray{
				enabled("ContainerRegistriesVulnerabilityAssessments", nil),
				enabled("ContainerSensor", nil),
				enabled("AgentlessDiscoveryForKubernetes", nil),
				enabled("AgentlessVmScanning", map[string]interface{}{"ExclusionTags": "[]"}),
				enabled("ContainerIntegrityContribution", nil),
			},
		})
		// A nil err is returned as-is, so no separate success branch is needed.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Resource-level scope: the plan and its extensions apply to this one AKS cluster.
    const string clusterScope =
        "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/demo-containers-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks-cluster";

    // Builds one enabled extension entry. extras, when given, is passed through
    // as AdditionalExtensionProperties; the API takes those values as strings.
    AzureNative.Security.Inputs.ExtensionArgs Enabled(string name, Dictionary<string, object?>? extras = null)
    {
        var ext = new AzureNative.Security.Inputs.ExtensionArgs
        {
            Name = name,
            IsEnabled = AzureNative.Security.IsEnabled.True,
        };
        if (extras is not null)
        {
            ext.AdditionalExtensionProperties = extras;
        }
        return ext;
    }

    // Containers plan at the Standard tier with every listed extension switched on.
    // ExclusionTags is a JSON-encoded list; "[]" excludes nothing, so every VM in
    // scope is scanned. A non-empty list creates scanning blind spots — review it.
    var pricing = new AzureNative.Security.Pricing("pricing", new AzureNative.Security.PricingArgs
    {
        ScopeId = clusterScope,
        PricingName = "Containers",
        PricingTier = AzureNative.Security.PricingTier.Standard,
        Extensions = new[]
        {
            Enabled("ContainerRegistriesVulnerabilityAssessments"),
            Enabled("ContainerSensor"),
            Enabled("AgentlessDiscoveryForKubernetes"),
            Enabled("AgentlessVmScanning", new Dictionary<string, object?> { ["ExclusionTags"] = "[]" }),
            Enabled("ContainerIntegrityContribution"),
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Pricing;
import com.pulumi.azurenative.security.PricingArgs;
import com.pulumi.azurenative.security.inputs.ExtensionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Enables the Containers plan (Standard tier) on one AKS cluster with a set of
 * extensions switched on.
 */
public class App {
    /** Resource-level scope: the plan and its extensions apply to this cluster only. */
    private static final String CLUSTER_SCOPE =
        "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/demo-containers-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks-cluster";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds one enabled extension entry.
     *
     * @param name   extension name as the Defender API knows it
     * @param extras passed through as additionalExtensionProperties when non-null;
     *               the API takes those values as strings
     */
    private static ExtensionArgs enabled(String name, Map<String, Object> extras) {
        var builder = ExtensionArgs.builder()
            .name(name)
            .isEnabled("True");
        if (extras != null) {
            builder.additionalExtensionProperties(extras);
        }
        return builder.build();
    }

    /**
     * Declares the Pricing resource. ExclusionTags is a JSON-encoded list; "[]"
     * excludes nothing, so every VM in scope is scanned. A non-empty list
     * creates scanning blind spots — review it.
     */
    public static void stack(Context ctx) {
        var args = PricingArgs.builder()
            .scopeId(CLUSTER_SCOPE)
            .pricingName("Containers")
            .pricingTier("Standard")
            .extensions(
                enabled("ContainerRegistriesVulnerabilityAssessments", null),
                enabled("ContainerSensor", null),
                enabled("AgentlessDiscoveryForKubernetes", null),
                enabled("AgentlessVmScanning", Map.of("ExclusionTags", "[]")),
                enabled("ContainerIntegrityContribution", null))
            .build();
        var pricing = new Pricing("pricing", args);
    }
}
# Enables the Containers plan (Standard tier) on one AKS cluster with a set of
# extensions switched on.
# NOTE(review): the FAQ on this page states that only VirtualMachines supports
# resource-level pricing — confirm your API version accepts a cluster scopeId
# for the Containers plan before relying on this.
resources:
  pricing:
    type: azure-native:security:Pricing
    properties:
      extensions:
        - isEnabled: True
          name: ContainerRegistriesVulnerabilityAssessments
        - isEnabled: True
          name: ContainerSensor
        - isEnabled: True
          name: AgentlessDiscoveryForKubernetes
        - additionalExtensionProperties:
            # JSON-encoded list passed as a string. '[]' excludes nothing, so
            # every VM in scope is scanned; a non-empty list creates blind spots.
            ExclusionTags: '[]'
          isEnabled: True
          name: AgentlessVmScanning
        - isEnabled: True
          name: ContainerIntegrityContribution
      pricingName: Containers
      pricingTier: Standard
      # Resource-level scope: the plan and its extensions apply to this cluster only.
      scopeId: subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/demo-containers-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks-cluster

The extensions array enables specific security features within a plan. Each extension has a name (like ContainerRegistriesVulnerabilityAssessments or AgentlessDiscoveryForKubernetes) and an isEnabled flag. Some extensions accept additionalExtensionProperties for fine-grained control, such as ExclusionTags for filtering which resources to scan; an empty list ("[]") excludes nothing.

Beyond these examples

These snippets focus on specific pricing configuration features: subscription and resource-level pricing, plan-specific extensions and sub-plans, and enforcement and inheritance controls. They’re intentionally minimal rather than full security deployments.

The examples reference pre-existing infrastructure such as Azure subscriptions with appropriate permissions, and VMs, AKS clusters, or container registries for resource-level pricing. They focus on configuring Defender plans rather than provisioning the underlying resources.

To keep things focused, common pricing patterns are omitted, including:

  • Free tier configuration (examples show Standard tier only)
  • Extension-specific configuration beyond isEnabled
  • Deprecated plan handling and migration paths
  • Coverage status monitoring (resourcesCoverageStatus)

These omissions are intentional: the goal is to illustrate how each pricing feature is wired, not provide drop-in security modules. See the Pricing resource reference for all available configuration options.


Frequently Asked Questions

Pricing Tiers & Plans
What are the available pricing tiers for Microsoft Defender for Cloud?
Two tiers are available: Free and Standard. The Standard tier offers advanced security capabilities, while the Free tier provides basic security features.
What are the subPlan options for VirtualMachines?
VirtualMachines offers two subPlans: P1 and P2. However, resource-level pricing only supports P1; P2 is available exclusively at the subscription level.
What happens if my Defender plan is deprecated?
Deprecated plans have the deprecated property set to true. If replacement plans exist, they’re listed in the replacedBy array.
Scope & Inheritance
What's the difference between subscription-level and resource-level pricing?
Subscription-level pricing applies to all resources in a subscription using the scopeId format subscriptions/{subscriptionId}. Resource-level pricing targets a specific resource by giving its full resource path in scopeId. Currently, only VirtualMachines resources support resource-level pricing.
What does the enforce property do?
The enforce property controls inheritance behavior at the subscription level. When set to True, it prevents descendants from overriding the pricing configuration. When False, it allows descendants to set their own configuration (inherited=False). This property is only available for subscription-level pricing.
What does the inherited property indicate?
inherited=True means the current scope inherits its pricing configuration from a parent scope (identified in inheritedFrom). inherited=False means the scope has its own explicit configuration. This is a read-only property available only for resource-level pricing.
What does resourcesCoverageStatus tell me?
This subscription-level field indicates the coverage status of resources under the subscription. It helps identify misalignment when the subscription’s pricingTier differs from individual resource-level pricing configurations.
Extensions & Features
How do I enable extensions for a Defender plan?
Configure the extensions array with objects containing isEnabled and name properties. For example, the Containers plan can enable extensions like ContainerRegistriesVulnerabilityAssessments, ContainerSensor, and AgentlessDiscoveryForKubernetes. Some extensions support additionalExtensionProperties for further configuration.
Immutability & Constraints
What properties are immutable after creation?
Both pricingName and scopeId are immutable. Changing either property requires replacing the resource.
Can I use the P2 subPlan for resource-level VirtualMachines pricing?
No, resource-level VirtualMachines pricing only supports the P1 subPlan. P2 is available exclusively at the subscription level.
