Microsoft.Security/autoProvisioningSettings/write
Azure
Microsoft.Security/autoProvisioningSettings/write
Event
Modifies auto-provisioning settings, potentially disabling automatic deployment of security monitoring agents.
Security Context
- Auto-provisioning automatically installs security monitoring agents on new and existing resources; disabling it creates a blind spot where new workloads deploy without security monitoring.
- Adversaries disable auto-provisioning to ensure that newly created resources used in their attack are not instrumented with monitoring agents that would detect malicious activity.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud flips the subscription’s auto-provisioning setting to Off, ensuring that any new VMs (including ones he intends to spin up to host C2) will NOT auto-deploy the Log Analytics agent / AMA — so they won’t appear in Defender for Cloud or send security telemetry to the workspace.
{ "authorization": { "action": "Microsoft.Security/autoProvisioningSettings/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "autoProv214ExampleUti", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100100111", "description": "", "eventDataId": "90000000-0000-4000-8000-000100101000", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T17:35:42.0218107Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default/events/90000000-0000-4000-8000-000100101000/ticks/638798200200218107", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100101001", "operationName": { "value": "Microsoft.Security/autoProvisioningSettings/write", "localizedValue": "Create or Update Auto Provisioning Settings" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Security", "localizedValue": "Microsoft.Security" }, "resourceType": { "value": "Microsoft.Security/autoProvisioningSettings", "localizedValue": "Microsoft.Security/autoProvisioningSettings" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T17:35:42.5781055Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default", "message": "Microsoft.Security/autoProvisioningSettings/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"properties\":{\"autoProvision\":\"Off\"}}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...