This article explains how to disable Microsoft Defender for Containers and remove its components by environment.
Turning off the Defender for Containers plan or disabling automatic provisioning stops future deployments, but doesn't uninstall Defender components that are already deployed to clusters. Those components are removed separately.
What stops working after removal
After you remove Defender for Containers components from an AKS cluster:
Runtime threat detection based on Defender sensor telemetry stops.
Kubernetes security recommendations related to Azure Policy for Kubernetes stop updating.
Alerts based on AKS runtime signals and Kubernetes audit data stop being generated.
New container image vulnerability findings for images in Azure Container Registry (ACR) are no longer generated for this environment.
Disable Defender for Containers plan
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Select the subscription that contains your AKS clusters.
In the Defender plans page, toggle Containers to Off.
Select Save.
Remove Defender extensions from AKS clusters
Remove the Defender for Containers profile from the AKS cluster
az aks update \
--name <cluster-name> \
--resource-group <resource-group> \
--disable-defender
Disable Azure Policy add-on
az aks disable-addons \
--addons azure-policy \
--name <cluster-name> \
--resource-group <resource-group>
Verify removal
Check AKS cluster pods
kubectl get pods -A | grep defender
No resources should be returned.
Verify plan status
az security pricing show --name 'Containers'
The output should show pricingTier as Free.
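The AKS checks above can be scripted so one run verifies the cluster resource, the pods and the plan tier together. This is an added example, not code from the Microsoft docs page; it assumes the `az aks show` property paths `securityProfile.defender.securityMonitoring.enabled` and `addonProfiles.azurepolicy.enabled`, the page's placeholder cluster and resource-group names, and an already authenticated `az` and `kubectl` session.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs page): post-removal verification for an AKS cluster.
# The helpers take captured command output as arguments so they can be checked offline;
# run_live_checks wires them to az/kubectl and only runs when MDC_LIVE=1 is set.
set -eu

CLUSTER="${CLUSTER_NAME:-<cluster-name>}"      # same placeholders as the page
RG="${RESOURCE_GROUP:-<resource-group>}"

# 0 when no line of `kubectl get pods -A` output mentions "defender"
# (the AKS sensor pods are typically named microsoft-defender-* in kube-system).
no_defender_pods() {
    ! printf '%s\n' "$1" | grep -qi 'defender'
}

# 0 when `az security pricing show --name Containers` JSON reports the Free tier.
pricing_is_free() {
    printf '%s\n' "$1" | grep -Eq '"pricingTier"[[:space:]]*:[[:space:]]*"Free"'
}

# 0 unless a tsv boolean from `az ... --query <path> -o tsv` is literally true;
# an empty value (property absent after removal) counts as off.
flag_is_off() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true) return 1 ;;
        *)    return 0 ;;
    esac
}

run_live_checks() {
    rc=0
    # assumed property paths on the AKS resource; confirm against your `az aks show` output
    defender=$(az aks show -n "$CLUSTER" -g "$RG" \
        --query 'securityProfile.defender.securityMonitoring.enabled' -o tsv)
    policy=$(az aks show -n "$CLUSTER" -g "$RG" \
        --query 'addonProfiles.azurepolicy.enabled' -o tsv)
    pods=$(kubectl get pods -A)
    pricing=$(az security pricing show --name Containers -o json)
    flag_is_off "$defender"    && echo "PASS: Defender profile off"     || { echo "FAIL: Defender profile still enabled"; rc=1; }
    flag_is_off "$policy"      && echo "PASS: azure-policy add-on off"  || { echo "FAIL: azure-policy add-on still enabled"; rc=1; }
    no_defender_pods "$pods"   && echo "PASS: no defender pods"         || { echo "FAIL: defender pods still running"; rc=1; }
    pricing_is_free "$pricing" && echo "PASS: Containers plan is Free"  || { echo "FAIL: Containers plan is not Free"; rc=1; }
    return "$rc"
}

if [ "${MDC_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as `MDC_LIVE=1 CLUSTER_NAME=myaks RESOURCE_GROUP=myrg sh verify-aks.sh`; a non-zero exit means at least one component is still present.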
What stops working after removal
After you remove Defender for Containers components from an EKS cluster:
Runtime threat detection from the Defender sensor deployed through Azure Arc stops.
Kubernetes security recommendations for that cluster stop updating.
Alerts based on Kubernetes runtime and audit signals stop being generated.
Container image vulnerability findings for images in Amazon ECR stop updating for this environment.
Agentless discovery and control plane–based detections stop if related AWS-side permissions and integrations are removed.
Remove Defender extensions from EKS clusters
Defender for Containers deploys components to EKS clusters by using Azure Arc-enabled Kubernetes. The following steps remove those Arc extensions.
Remove the Defender extension
az k8s-extension delete \
--name microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Remove the Azure Policy extension (if installed)
az k8s-extension delete \
--name azurepolicy \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Disconnect clusters from Azure Arc
Note
Disconnecting a cluster from Azure Arc removes access to all Arc extensions, not only Defender for Containers.
az connectedk8s delete \
--name <cluster-name> \
--resource-group <resource-group> \
--yes
Disable Defender for Containers plan on the AWS connector
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Select the relevant AWS connector.
Select Settings.
Toggle Containers to Off.
Select Save.
Delete the AWS connector (optional)
If you no longer want Defender for Cloud to monitor your AWS account:
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Find your AWS connector.
Select the ellipsis (...).
Select Delete.
Confirm deletion.
Remove AWS resources created for runtime protection (optional)
Remove these resources only if runtime threat protection for EKS was enabled and you no longer use Defender for Containers for that cluster.
Note
These resources are created per cluster. If you remove them while runtime protection is still enabled, data collection can stop.
Remove AWS IAM roles and identity providers (optional)
If you are completely offboarding your AWS account from Microsoft Defender for Cloud, you can manually delete the IAM roles and identity providers that were created during onboarding.
Use the AWS console or CLI to delete the following roles if they exist:
MDCContainersImageAssessmentRole
MDCContainersK8sRole
MDCContainersK8sDataCollectionRole
MDCContainersK8sCloudWatchToKinesisRole
MDCContainersK8sKinesisToS3RoleName
MDCContainersAgentlessDiscoveryK8sRole
Warning
Only delete the ASCDefendersOIDCIdentityProvider OpenID Connect provider if you are removing all Defender for Cloud components from this AWS account. Deleting this shared component will affect other Defender for Cloud plans.
Verify removal
Check Azure Arc extensions
az k8s-extension list \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Confirm that microsoft.azuredefender.kubernetes is not listed.
Check EKS cluster pods
kubectl get pods -n mdc
No resources should be returned.
What stops working after removal
After you remove Defender for Containers components from a GKE cluster:
Runtime threat detection from the Defender sensor deployed through Azure Arc stops.
Kubernetes security recommendations for that cluster stop updating.
Alerts based on Kubernetes runtime and audit signals stop being generated.
Container image vulnerability findings for images in Google Container Registry or Artifact Registry stop updating for this environment.
Remove Defender extensions from GKE clusters
Remove the Defender extension
az k8s-extension delete \
--name microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Remove the Azure Policy extension (if installed)
az k8s-extension delete \
--name azurepolicy \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Disconnect GKE clusters from Azure Arc
Note
Disconnecting a cluster from Azure Arc removes access to all Arc extensions, not only Defender for Containers.
az connectedk8s delete \
--name <cluster-name> \
--resource-group <resource-group> \
--yes
Disable Defender for Containers plan on the GCP connector
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Select the relevant GCP connector.
Select Settings.
Toggle Containers to Off.
Select Save.
Delete the GCP connector (optional)
Go to Microsoft Defender for Cloud > Environment settings.
Find your GCP connector.
Select the ... (more options) menu.
Select Delete.
Confirm deletion.
Remove GCP resources created for runtime protection (optional)
Remove these resources only if runtime threat protection for GKE was enabled and you no longer use Defender for Containers for that project.
Remove GCP service accounts and roles (optional)
If you are completely offboarding your GCP project from Microsoft Defender for Cloud, you can manually delete the service accounts and roles created during onboarding.
Use the Google Cloud console or gcloud CLI to delete the following service accounts:
ms-defender-containers
ms-defender-containers-stream
mdc-containers-k8s-operator
mdc-containers-artifact-assess
Delete the following custom roles:
MicrosoftDefenderContainersDataCollectionRole
MicrosoftDefenderContainersRole
MDCGkeClusterWriteRole
Warning
Only delete the containers and containers-streams OIDC workload identity pool providers if you are removing all Defender for Cloud components. These are shared components. Additionally, ensure no other non-Defender services are using the logging.googleapis.com API before disabling it.
Verify removal
Check Azure Arc extensions
az k8s-extension list \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Confirm that microsoft.azuredefender.kubernetes is not listed.
Check GKE cluster pods
kubectl get pods -n mdc
No resources should be returned.
Check Azure portal
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Verify the GCP connector is removed or shows Containers as disabled.
Check that no GKE-related recommendations appear.
What stops working after removal
After you remove Defender for Containers components from an Arc-enabled Kubernetes cluster:
Runtime threat detection from the Defender sensor stops.
Kubernetes security recommendations for that cluster stop updating.
Alerts based on Kubernetes runtime and audit signals stop being generated.
Azure Policy–based configuration assessments for Kubernetes workloads stop if the Azure Policy extension is removed.
Disable Defender for Containers plan
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Environment settings.
Select the subscription that contains your Arc-enabled Kubernetes clusters.
In the Defender plans page, toggle Containers to Off.
Select Save.
Remove Defender extensions from Arc-enabled clusters
Remove the Defender extension
az k8s-extension delete \
--name microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Remove the Azure Policy extension (if installed)
az k8s-extension delete \
--name azurepolicy \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Disconnect the cluster from Azure Arc (optional)
Note
Disconnecting a cluster from Azure Arc removes access to all Arc extensions, not only Defender for Containers.
az connectedk8s delete \
--name <cluster-name> \
--resource-group <resource-group> \
--yes
Verify removal
Check Azure Arc extensions
az k8s-extension list \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Confirm that microsoft.azuredefender.kubernetes is not listed.
Check Arc-enabled cluster pods
kubectl get pods -n mdc
No resources should be returned.
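The Arc-side verification steps are the same for EKS, GKE and Arc-enabled clusters (the extension list plus the mdc namespace), so one script covers all three. This is an added example, not code from the Microsoft docs page; it assumes the page's placeholder names and an authenticated `az` and `kubectl` session, and it also checks for the `azurepolicy` extension, which the page removes but does not verify.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs page): post-removal verification for a cluster
# connected through Azure Arc (EKS, GKE or any Arc-enabled cluster). The helpers take captured
# command output so they can be checked offline; run_live_checks calls az/kubectl only when MDC_LIVE=1.
set -eu

CLUSTER="${CLUSTER_NAME:-<cluster-name>}"      # same placeholders as the page
RG="${RESOURCE_GROUP:-<resource-group>}"

# 0 when extension $2 does not appear as a whole line in $1, the newline-separated
# extension names from `az k8s-extension list --query '[].name' -o tsv`.
extension_absent() {
    ! printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# 0 when the captured `kubectl get pods -n mdc 2>&1` output shows no pod rows:
# empty output, "No resources found ...", or a missing mdc namespace all count as clean.
mdc_namespace_empty() {
    out="$1"
    if [ -z "$out" ] || printf '%s\n' "$out" | grep -Eq 'No resources found|not found'; then
        return 0
    fi
    # any non-blank line other than the column header is a surviving pod
    ! printf '%s\n' "$out" | grep -v '^NAME' | grep -q '[^[:space:]]'
}

run_live_checks() {
    rc=0
    exts=$(az k8s-extension list --cluster-type connectedClusters \
        --cluster-name "$CLUSTER" --resource-group "$RG" --query '[].name' -o tsv)
    pods=$(kubectl get pods -n mdc 2>&1 || true)   # kubectl exits 1 when the namespace is gone
    for name in microsoft.azuredefender.kubernetes azurepolicy; do
        if extension_absent "$exts" "$name"; then
            echo "PASS: extension $name not installed"
        else
            echo "FAIL: extension $name still installed"; rc=1
        fi
    done
    if mdc_namespace_empty "$pods"; then
        echo "PASS: no pods in the mdc namespace"
    else
        echo "FAIL: pods remain in the mdc namespace"; rc=1
    fi
    return "$rc"
}

if [ "${MDC_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as `MDC_LIVE=1 CLUSTER_NAME=my-eks RESOURCE_GROUP=myrg sh verify-arc.sh`; if the cluster was already disconnected with `az connectedk8s delete`, the extension list call fails by design and only the pod check is meaningful.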