The Microsoft Defender for Cloud cost calculator is a helpful tool for estimating the potential costs associated with your cloud security needs. It allows you to configure different plans and environments, providing a detailed cost breakdown, including applicable discounts.
Access the cost calculator
To begin using the Defender for Cloud cost calculator, visit this link.
Configure Defender for Cloud plans and environments
On the first page of the calculator, select the Add Assets button to start adding assets to your cost calculation. You have three methods to add assets:
- Add assets with a script: Download and execute a script to automatically add existing assets.
- Add assets from onboarded environments: Add assets from environments already onboarded to Defender for Cloud.
- Add custom assets: Add assets manually without using automation.
Note
Reservation plans (P3) for Defender for Cloud aren't considered.
Add assets with a script
Choose the environment type (Azure) and copy the script to a new *.ps1 file.
Note
The script only collects information that the user running it has access to.
Run the script in your PowerShell 7.X environment using a privileged user account. The script collects information on your billable assets and creates a CSV file. It gathers information in two steps. First, it collects the current number of billable assets that usually stay constant. Second, it collects information on billable assets that can change a lot during the month. For these assets, it checks usage over the last 30 days to evaluate the cost. You can stop the script after the first step, which takes a few seconds. Or you can continue to collect the last 30 days of usage for dynamic assets, which might take longer for large accounts.
Upload this CSV file into the wizard where you downloaded the script.
Select the desired Defender for Cloud plans. The calculator estimates costs based on your selection and any existing discounts.
Note
- Reservation plans for Defender for Cloud aren't considered.
- For Defender for APIs: When calculating the cost based on the number of API calls in the last 30 days, we automatically select the best Defender for APIs plan for you. If there are no API calls in the last 30 days, we automatically disable the plan for calculation purposes.
Required permissions for scripts
This section provides an overview of the permissions required to run the scripts for each cloud provider.
Azure
To run this script successfully for each subscription, the account you use needs permissions that allow it to:
- Discover and list resources (including virtual machines, storage accounts, APIM services, Cosmos DB accounts, etc.).
- Query Resource Graph (via Search-AzGraph).
- Read Metrics (via Get-AzMetric and the Azure Monitor/Insights APIs).
Recommended built-in role:
In most cases, the Reader role at the subscription scope is sufficient. The Reader role provides the following key capabilities needed by this script:
- Read all resource types (so you can list and parse things like Storage Accounts, VMs, Cosmos DB, and APIM).
- Read metrics (Microsoft.Insights/metrics/read) so that calls to Get-AzMetric or direct Azure Monitor REST queries succeed.
- Resource Graph queries work as long as you have at least read access to those resources in the subscription.
Note
If you want to be certain you have the necessary metric permissions, you can also use the Monitoring Reader role; however, the standard Reader role already includes read access to metrics and is usually all you need.
If you already have Contributor or Owner roles:
- Contributor or Owner on the subscription is more than enough (these roles are higher-privileged than Reader).
- The script doesn't perform resource creation or deletion. Therefore, granting high-level roles (like Contributor/Owner) for the sole purpose of data collection might be overkill from a least-privilege perspective.
Summary:
Granting your user or service principal the Reader role (or any higher-privileged role) on each subscription you want to query ensures the script can:
- Retrieve the list of subscriptions.
- Enumerate and read all relevant resource information (via REST or Az PowerShell).
- Fetch the necessary metrics (Requests for APIM, RU consumption for Cosmos DB, Storage Accounts ingress, etc.).
- Run Resource Graph queries without issue.
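The role guidance above can be turned into a pre-flight check on the account that will run the collection script. The following PowerShell is an added example, not part of the Defender for Cloud script or this documentation; the function name Get-CollectorRoleVerdict, the verdict labels, and the sample subscription IDs and assignments are constructed for illustration.

```powershell
# Added example. Function name, verdict labels and sample data are constructed.
function Get-CollectorRoleVerdict {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assignments
    )
    $subScope = "/subscriptions/$SubscriptionId"

    # Count only assignments that cover the whole subscription: made on the
    # subscription itself or inherited from above (management group, root).
    # A role held on one resource group leaves the rest of the inventory unread.
    $covering = @($Assignments | Where-Object {
        $_.Scope -eq $subScope -or $_.Scope -notlike '/subscriptions/*'
    })
    $roles = @($covering | ForEach-Object { $_.RoleDefinitionName } | Sort-Object -Unique)

    $verdict = if ($roles -contains 'Owner' -or $roles -contains 'Contributor') {
        'HigherThanNeeded'   # works, but exceeds what read-only collection needs
    } elseif ($roles -contains 'Reader') {
        'Reader'             # the recommended built-in role
    } else {
        'Missing'            # discovery for this subscription would be incomplete
    }
    [pscustomobject]@{
        SubscriptionId = $SubscriptionId
        Verdict        = $verdict
        Roles          = $roles -join ', '
    }
}

# Constructed sample input, shaped like Get-AzRoleAssignment output.
# Live data for one subscription could come from, for example:
#   Get-AzRoleAssignment -SignInName <upn> -Scope "/subscriptions/<id>"
$a = '00000000-0000-0000-0000-00000000000a'
$b = '00000000-0000-0000-0000-00000000000b'
$c = '00000000-0000-0000-0000-00000000000c'
$sample = [ordered]@{
    $a = @([pscustomobject]@{ Scope = "/subscriptions/$a"; RoleDefinitionName = 'Reader' })
    $b = @([pscustomobject]@{ Scope = '/providers/Microsoft.Management/managementGroups/example-mg'
                              RoleDefinitionName = 'Owner' })
    $c = @([pscustomobject]@{ Scope = "/subscriptions/$c/resourceGroups/example-rg"
                              RoleDefinitionName = 'Reader' })
}
foreach ($id in $sample.Keys) {
    Get-CollectorRoleVerdict -SubscriptionId $id -Assignments $sample[$id]
}
```

The third sample subscription is reported as Missing because its only Reader assignment is scoped to a single resource group, so the collected inventory for that subscription would be partial.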
Assign onboarded assets
Select from the list of Azure environments already onboarded to Defender for Cloud to include in the cost calculation.
Note
We only include the resources we received permission for during onboarding.
Choose the plans. The calculator estimates the cost based on your selections and any existing discounts.
Assign custom assets
- Choose a name for the custom environment.
- Specify the plans and the number of billable assets for each plan.
- Select the types of assets you want to include in the cost calculation.
- The calculator estimates costs based on your inputs and any existing discounts.
Note
Reservation plans for Defender for Cloud aren't considered.
Adjust your report
After generating the report, you can adjust the plans and the number of billable assets:
- Choose the environment you want to modify by selecting the edit (pencil) icon.
- A configuration page appears, enabling you to adjust plans, the number of billable assets, and the average monthly hours.
- Select the Recalculate button to update the cost estimate.
Export the report
Once you're satisfied with the report, you can export it as a CSV file:
- Select the Export to CSV button located at the bottom of the Summary panel on the right.
- The cost information is downloaded as a CSV file.
Frequently asked questions
What is the cost calculator?
The cost calculator is a tool designed to simplify the process of estimating costs for your security protection needs. When you define the scope of your desired plans and environments, the calculator provides a detailed breakdown of potential expenses, including any applicable discounts.
How does the cost calculator work?
The calculator allows you to select the environments and plans you want to enable. It then performs a discovery process to automatically populate the number of billable units for each plan per environment. You can also manually adjust the unit quantities and discount levels.
What is the discovery process?
The discovery process generates a report of the selected environment, including the inventory of billable assets by the various Defender for Cloud plans. This process is based on the user permissions and the environment state at the time of discovery. For large environments, this process might take approximately 30-60 minutes as dynamic assets are also sampled.
Do I need to grant any special permission for the cost calculator to perform the discovery process?
The Cost Calculator uses the user's existing permissions to run the script and perform discovery automatically, ensuring it gathers the necessary data without requiring further access rights. To see what permissions the user needs to run the script, refer to the Required permissions for scripts section.
Do the estimations accurately predict my cost?
The calculator provides an estimate based on the information available when the script is executed. Various factors might influence the final cost, so it should be considered an approximate calculation.
What are the billable units?
The cost of plans is based on the units they protect. Each plan charges for a different unit type, which can be found on the Microsoft Defender for Cloud Settings page.
Can I adjust the estimates manually?
Yes, the cost calculator allows for both automatic data collection and manual adjustments. You can modify the unit quantity and discount levels to better reflect your specific needs and see how these changes affect your overall cost.
How can I share my cost estimate?
Once you've generated your cost estimate, you can easily export and share it for budget planning and approvals. This feature ensures that all stakeholders have access to the necessary information.
Where can I get help if I have questions?
Our support team is ready to assist you with any questions or concerns you might have. Feel free to reach out to us for assistance.