Estimate costs with the Microsoft Defender for Cloud cost calculator

The Microsoft Defender for Cloud cost calculator is a helpful tool for estimating the potential costs associated with your cloud security needs. It allows you to configure different plans and environments, providing a detailed cost breakdown, including applicable discounts.

Access the cost calculator

To begin using the Defender for Cloud Cost Calculator, please vist this link.

Configure Defender for Cloud plans and environments

On the first page of the calculator, select the Add Assets button to start adding assets to your cost calculation. You have three methods to add assets:

• Add assets from onboarded environments: Recommended - Add assets from environments already onboarded to Defender for Cloud. This method covers all plans for Azure and works faster than the script option.
• Add assets with a script: Download and execute a script to automatically add existing assets.
• Add custom assets: Add assets manually without using automation.

Add assets from onboarded environments

1. Select from the list of Azure environments already onboarded to Defender for Cloud to include in the cost calculation.

   Note

   The calculator discovers resources for which you have permissions.

2. Choose the plans. The calculator estimates the cost based on your selections and any existing discounts.

Add assets with a script

1. Choose the environment type (Azure) and copy the script to a new *.ps1 file.

   Note

   The script only collects information that the user running it has access to.

2. Run the script in your PowerShell 7.X environment by using a privileged user account. The script collects information about your billable assets and creates a CSV file. It gathers information in two steps. First, it collects the current number of billable assets that usually stay constant. Second, it collects information about billable assets that can change a lot during the month. For these assets, it checks usage over the last 30 days to evaluate the cost. You can stop the script after the first step, which takes a few seconds. Or you can continue to collect the last 30 days of usage for dynamic assets, which might take longer for large accounts.

3. Upload this CSV file into the wizard where you downloaded the script.

4. Select the desired Defender for Cloud plans. The calculator estimates costs based on your selection and any existing discounts.

Required permissions for scripts

This section provides an overview of the permissions required to run the scripts for each cloud provider.

Azure

To run this script successfully for each subscription, the account you use needs permissions that allow it to:

• Discover and list resources (including virtual machines, storage accounts, APIM services, Cosmos DB accounts, and other resources).

• Query Resource Graph (via Search-AzGraph).

• Read Metrics (via Get-AzMetric and the Azure Monitor/Insights APIs).

Recommended built-in role:

In most cases, the Reader role at the subscription scope is sufficient. The Reader role provides the following key capabilities needed by this script:

• Read all resource types (so you can list and parse things like Storage Accounts, VMs, Cosmos DB, and APIM, etc.).
• Read metrics (Microsoft.Insights/metrics/read) so that calls to Get-AzMetric or direct Azure Monitor REST queries succeed.
• Resource Graph queries works as long as you have at least read access to those resources in the subscription.

If you already have Contributor or Owner roles:

• Contributor or Owner on the subscription is more than enough (these roles are higher-privileged than Reader).
• The script doesn't perform resource creation or deletion. Therefore, granting high-level roles (like Contributor/Owner) for the sole purpose of data collection might be overkill from a least-privilege perspective.

Summary:

Granting your user or service principal the Reader role (or any higher-privileged role) on each subscription you want to query ensures the script can:

• Retrieve the list of subscriptions.
• Enumerate and read all relevant resource information (via REST or Az PowerShell).
• Fetch the necessary metrics (Requests for APIM, RU consumption for Cosmos DB, Storage Accounts ingress, etc.).
• Run Resource Graph queries without issue.

Assign onboarded assets

1. Select from the list of Azure environments already onboarded to Defender for Cloud to include in the cost calculation.

   Note

   The calculator discovers resources for which you have permissions.

2. Choose the plans. The calculator estimates the cost based on your selections and any existing discounts.

Assign custom assets

1. Choose a name for the custom environment.
2. Specify the plans and the number of billable assets for each plan.
3. Select the types of assets you want to include in the cost calculation.
4. The calculator estimates costs based on your inputs and any existing discounts.

Adjust your report

After generating the report, you can adjust the plans and the number of billable assets:

1. Select the environment you want to modify by selecting the edit (pencil) icon.
2. A configuration page appears, where you can adjust plans, the number of billable assets, and the average monthly hours.
3. Select Recalculate to update the cost estimate.

Export the report

When you're satisfied with the report, you can export it as a CSV file:

1. Select Export to CSV at the bottom of the Summary panel on the right.
2. The cost information is downloaded as a CSV file.

Frequently asked questions

What is the cost calculator?

The cost calculator is a tool that simplifies estimating costs for your security protection needs. When you define the scope of your desired plans and environments, the calculator provides a detailed breakdown of potential expenses, including any applicable discounts.

How does the cost calculator work?

You select the environments and plans you want to enable. The calculator then performs a discovery process to automatically populate the number of billable units for each plan per environment. You can also manually adjust the unit quantities and discount levels.

What is the discovery process?

The discovery process generates a report of the selected environment, including the inventory of billable assets by the various Defender for Cloud plans. This process relies on user permissions and the environment state at the time of discovery. For large environments, this process might take approximately 30 to 60 minutes as it also samples dynamic assets.

Do I need to grant any special permission for the cost calculator to perform the discovery process?

The cost calculator uses your existing permissions to run the script and perform discovery automatically. It gathers the necessary data without requiring further access rights. To see what permissions you need to run the script, refer to the Required permissions for scripts section.

Do the estimations accurately predict my cost?

The calculator provides an estimate based on the information available when the script runs. Various factors might influence the final cost, so you should consider it an approximate calculation.

What are the billable units?

The cost of plans is based on the units they protect. Each plan charges for a different unit type, which you can find on the Microsoft Defender for Cloud Environment settings page.

Can I adjust the estimates manually?

Yes, the cost calculator supports both automatic data collection and manual adjustments. You can modify the unit quantity and discount levels to better reflect your specific needs and see how these changes affect your overall cost.

How can I share my cost estimate?

After you generate your cost estimate, you can easily export and share it for budget planning and approvals. This feature ensures that all stakeholders have access to the necessary information.

Where can I get help if I have questions?

Our support team is ready to assist you with any questions or concerns you might have. Feel free to reach out to us for assistance.

Related content

• Microsoft Defender for Cloud pricing