This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 62%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
Hello community,
We are currently using Microsoft Defender for Servers – Plan 2 in Azure, which is active and enforced at the subscription level. We have a use case where we need to exclude or deactivate Defender for Endpoint (MDE) for a specific resource group—namely, rg-kitaplus.
Here are the key details:
Subscription ID: xxxxxxxxxxxxxxxxxxxxxx
Defender Plan: Plan 2 ($15/server/month)
Scope to exclude: Resource group rg-kitaplus
Current behavior:
When we try to apply a policy that disables Defender for Servers using the pricingTier: Free for tagged resources, the remediation deployment fails.
The error is:
json Kopieren Bearbeiten { "code": "EnforcementConflict", "message": "Update resource plan is not allowed because the parent subscription enforces its pricing plan configuration. To allow an update on resource level, change the pricing plan enforcement value of the parent subscription to False" } 🔍 What I've Tried Deployed a policy targeting Microsoft.Security/pricings with pricingTier = Free on tagged VMs.
Verified that Plan 2 is applied at the subscription level.
Found no direct option in the Azure Portal to disable "enforcement mode."
Reviewed the policy definition: Built-in Policy - Disable Defender for Servers based on tag
❓ Questions Is it possible to deactivate or exclude Microsoft Defender for Endpoint for specific resource groups or VMs when Plan 2 is enforced?
Where and how can we disable the enforcementMode at the subscription level to allow resource-level overrides?
If this enforcement setting is not available in the Portal, can it be safely changed using the Azure REST API or CLI?
If so, what’s the exact call to modify enforcementMode?
What are the implications (billing, security, compliance) of disabling enforcement and handling exclusions at the resource level?
🎯 Goal We want to retain Plan 2 for most workloads while excluding a small subset (e.g., non-production resource groups) for cost control and testing purposes.
Any guidance, best practices, or official documentation references would be greatly appreciated!
Best regards, Mustafa Hotak
I think when Plan 2 is enforced at the subscription level, exclusions at the resource group or VM level are not natively supported.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello Hotak, Mustafa ,
When Microsoft Defender for Servers Plan 2 is enforced at the subscription level, exclusions at the resource group or VM level are not natively supported. To exclude resources, you must first disable enforcement at the subscription level using the Azure CLI or REST API. Once enforcement is disabled, you can apply specific pricing tiers or exclusions via Azure Policy for targeted resources.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello Hotak, Mustafa ,
I understand you're trying to exclude the rg-kitaplus resource group from Microsoft Defender for Endpoint while continuing to use Defender for Servers Plan 2 across the rest of your subscription.
The reason you're encountering the EnforcementConflict error is because enforcement is currently enabled at the subscription level. This setting forces all descendant scopes, including resource groups and VMs, to inherit the subscription’s pricing plan and blocks any override.
To support exclusions at the resource level, you’ll need to disable this enforcement flag using the Azure REST API. This setting isn’t currently exposed in the Azure Portal or CLI.
Here’s the request you can send:
PUT https://management.azure.com/subscriptions/<your-subscription-id>/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2024-01-01
{
"properties": {
"pricingTier": "Standard",
"subPlan": "P2",
"enforce": "False"
}
}
Once enforcement is disabled, you’ll be able to assign a different pricing tier such as Free at the VM level using tags and policy.
Note that Microsoft Defender Plan 2 (subPlan: P2) is only supported at the subscription level. If you later assign a pricing plan at the resource level (such as individual VMs), only Plan 1 (subPlan: P1) or Free is allowed.
For complete reference, you can review Microsoft’s official documentation here: Pricings - Update - REST API (Azure Defender for Cloud) | Microsoft Learn
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.