A vulnerability assessment solution should be enabled on your virtual machines – Azure

  1. General introduction
  2. Step-by-step guide
  3. Sources

General introduction

This is one of the more common alerts that may come up when you activate Defender for Cloud. This message comes up when a vulnerability assessment solution is not found in at least one virtual machine in your environment.

What happens behind the curtains? Defender for Cloud constantly checks your Azure virtual machines for infrastructure security misconfigurations and offers advice on how to fix them. Through integrated vulnerability assessment solutions, or via agents and extensions, Defender for Cloud can also report on vulnerabilities found at the OS or application level. Since these "agents" must be deployed for the process to work, you should configure automatic provisioning of a vulnerability assessment solution on your virtual machines.

A valid VA solution is one of the following:

  • Microsoft threat and vulnerability management, included in both Defender for Servers plans (P1 and P2). This is now the suggested solution, especially if you already use Microsoft Defender for Endpoint. Do not confuse it with the Microsoft Defender Vulnerability Management Add-on, which has a very similar name but is a different feature, included only with Defender for Servers Plan 2.
  • The Qualys agent, also included in Defender for Servers, but only in Defender for Servers Plan 2. This used to be the default choice in the past.
  • A Bring Your Own License Qualys or Rapid7 agent configured to integrate with Defender for Cloud. If you are looking at ways to incorporate them, follow this article: Integrate security solutions in Microsoft Defender for Cloud | Microsoft Docs

As mentioned above, Microsoft threat and vulnerability management is the default solution to fix this recommendation. The only case where I would use something else is if you already have Qualys or Rapid7 in your environment and want to manage everything from a single pane. Defender for Endpoint is onboarded on the VM through the MDE.Windows extension.

Step-by-step guide

To automatically enable a vulnerability assessment solution and resolve the alert:

  • Search for Defender for Cloud in the Azure Portal (portal.azure.com).
  • From the Defender for Cloud menu, click on Environment settings in the left bar.
  • Click on the subscription the resource is in.
  • In the top bar, click on Settings & Monitoring.
  • Turn on (if it is not already enabled) the vulnerability assessment for machines and select the solution you wish to use. I'll enable Microsoft Defender vulnerability management.

Once you are done, wait for the check to be triggered again. The alert should go away automatically after 24 hours.
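Before waiting the 24 hours, you can check for yourself which VMs still lack a working vulnerability assessment extension. The script below is an added example, not part of the original post or of Microsoft's tooling: it walks over per-VM output shaped like `az vm extension list -o json` (a constructed sample is embedded so it runs offline) and flags VMs where no VA extension is present or where provisioning did not succeed. The extension names other than MDE.Windows (MDE.Linux and the integrated Qualys agents) are assumptions based on what Defender for Cloud deploys.

```python
import json

# VM extensions that satisfy the recommendation. MDE.Windows is named in the
# post above; the others are assumed names of the Linux MDE extension and of
# the integrated Qualys agent deployed by Defender for Cloud.
VA_EXTENSIONS = {
    "MDE.Windows",
    "MDE.Linux",
    "WindowsAgent.AzureSecurityCenter",
    "LinuxAgent.AzureSecurityCenter",
}

# Constructed sample: per-VM lists in the shape returned by
# `az vm extension list --vm-name <vm> -g <rg> -o json`.
SAMPLE_INVENTORY = {
    "web01": json.loads("""[
      {"name": "MDE.Windows", "provisioningState": "Succeeded",
       "publisher": "Microsoft.Azure.AzureDefenderForServers"},
      {"name": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded",
       "publisher": "Microsoft.Azure.Monitor"}
    ]"""),
    "db01": json.loads("""[
      {"name": "AzureMonitorLinuxAgent", "provisioningState": "Succeeded",
       "publisher": "Microsoft.Azure.Monitor"}
    ]"""),
    "app02": json.loads("""[
      {"name": "MDE.Windows", "provisioningState": "Failed",
       "publisher": "Microsoft.Azure.AzureDefenderForServers"}
    ]"""),
}


def va_status(extensions):
    """Classify one VM: 'ok' (VA extension provisioned), 'failed'
    (VA extension present but not in Succeeded state) or 'missing'."""
    va_exts = [e for e in extensions if e.get("name") in VA_EXTENSIONS]
    if any(e.get("provisioningState") == "Succeeded" for e in va_exts):
        return "ok"
    return "failed" if va_exts else "missing"


def audit(inventory):
    """Map each VM name to its VA status; anything but 'ok' needs attention."""
    return {vm: va_status(exts) for vm, exts in inventory.items()}


if __name__ == "__main__":
    for vm, status in audit(SAMPLE_INVENTORY).items():
        print(f"{vm}: {status}")
```

Replace SAMPLE_INVENTORY with real `az vm extension list` output per VM to run the check against your own subscription.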

Sources

https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-vulnerability-assessment

IdFix – Pre AdConnect assessment for your on-prem AD

IdFix is a tool to discover and remediate identity problems in your on-premises Active Directory before synchronizing it to Azure Active Directory.

To use IdFix you will need:

  • A domain joined computer / server
  • A user account with at least read access to the AD objects

The process is really straightforward.

Get IdFix from here:

Install and open IdFix, then click on “Query”.

After the query has completed, you will be shown all the problems found in your environment, if any.

[Screenshot of the tool running; image from https://microsoft.github.io/idfix/operation/]

If no errors are shown, or you are confident you can work around them, you can begin the synchronization.

Links:

Set up synchronization:

https://docs.microsoft.com/en-us/microsoft-365/enterprise/set-up-directory-synchronization?view=o365-worldwide

Microsoft guide on how to use IdFix:

https://microsoft.github.io/idfix/operation/

Microsoft Assessment and Planning (MAP) Toolkit – Minimum user requirements to run a scan

To scan servers and PCs using the MAP Toolkit, you will need an AD user with administrative privileges on all the components to scan.

This will be enough if you need a report of what's installed on a series of servers/clients, their roles, and all "local" related queries, or basic AD queries.

For Exchange related queries, you will need an Exchange Admin or Domain Admin.

Please refer to the following TechNet page for the full requirements:

https://social.technet.microsoft.com/wiki/contents/articles/17807.map-toolkit-credentials-required.aspx