Why not separate the Defender for Cloud roles from Azure resources RBAC roles
I am wondering why MS can’t separate the Defender for Cloud roles from the Azure resources RBAC roles, similar to the separation implemented for Reservations and Cost Management + Billing?
Our Azure landing zone operates as a self-service solution, where subscription owners also serve as resource administrators within their specific subscriptions.
Consequently, I have encountered difficulties enforcing certain security features provided through Defender for Cloud. Each time these features are enabled, some subscription administrators proceed to disable them.