
Catching Silent MDE Gaps — Automate Defender Compliance Checks Across Azure VMs

MSPs who manage Azure-hosted client infrastructure know the pre-audit scramble. Someone asks which VMs have Defender for Endpoint coverage and whether every onboarded machine is actually reporting telemetry. The answer usually involves an intern, a CSV export, and a quiet prayer.

A new Microsoft Tech Community guide from Sayan Roy, published June 15, replaces that scramble with a Logic App. It runs daily, cross-references every running Azure VM against the MDE device inventory, and emails VM owners when something is off. No stored secrets, no connector sprawl — just a system-assigned Managed Identity doing the work.

The gap most audits miss

The guide covers three compliance states: Not Onboarded (P2, high: the VM has no MDE sensor and therefore no telemetry), Onboarded but Not Reporting (P3, medium: the device was enrolled but its sensor has gone silent), and Compliant. The second category is where things go undetected. A VM that was onboarded but stopped reporting does not raise an alert the way a missing agent does. Its device record stays in the inventory looking enrolled; the only sign is a last-seen timestamp that stops advancing. A daily cross-reference catches this within a day of the device crossing your silence threshold, instead of letting it fester until the next manual audit.

This matters because most compliance checklists stop at “is Defender installed?” Few ask “did it report this week?” The difference is the gap between checking a box and actually having telemetry when an incident lands.

How the workflow handles scale

The Logic App (Standard, Stateful) paginates Azure Resource Graph queries with $skipToken, covering up to 50,000 VMs across subscriptions. On the Defender for Endpoint API side it pages through the device inventory with $skip offsets, 10,000 devices per page, topping out at 500,000. Device matching uses the Azure VM ID first, which survives hostname changes, and falls back to hostname plus private IP only where the ID is unavailable. VMs that match nothing in the inventory are flagged as Not Onboarded.

VM owners are resolved from the ServerOwner tag on the Azure resource. If you are not already tagging VMs with ownership metadata, this automation gives you a concrete reason to start. Untagged VMs land in a separate summary email to the IT team rather than falling through the cracks.
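The matching, classification and owner-routing logic described in the last two sections, as an added example in Python that is not code from the original guide or from the Logic App it describes. Field names are modelled on the public Azure Resource Graph and Defender for Endpoint machines schemas as I know them (vmId, tags; computerDnsName, lastIpAddress, vmMetadata.vmId, lastSeen) but are an assumption here, the seven-day silence threshold is hypothetical, and all VM and device records are constructed sample data.

```python
"""Added example: classify Azure VMs against an MDE device inventory.

Assumptions (not from the original guide): record field names follow the
Azure Resource Graph and MDE machines schemas as I know them, the reporting
threshold is a hypothetical 7 days, and all inputs are constructed samples.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 20, 8, 0, tzinfo=timezone.utc)   # constructed run time
SILENCE_THRESHOLD = timedelta(days=7)                     # assumed, not from the guide

# Constructed Azure VM records (shape modelled on Resource Graph output).
AZURE_VMS = [
    {"name": "web-01", "vmId": "1111-aaaa", "privateIp": "10.0.1.4", "tags": {"ServerOwner": "alice@contoso.com"}},
    {"name": "db-01",  "vmId": "2222-bbbb", "privateIp": "10.0.2.4", "tags": {"ServerOwner": "bob@contoso.com"}},
    {"name": "app-01", "vmId": None,        "privateIp": "10.0.3.4", "tags": {"ServerOwner": "alice@contoso.com"}},  # ID unavailable
    {"name": "tmp-01", "vmId": "4444-dddd", "privateIp": "10.0.4.4", "tags": {}},                                    # untagged
]

# Constructed MDE device records (shape modelled on the machines API).
MDE_DEVICES = [
    {"computerDnsName": "WEB-01.contoso.local", "lastIpAddress": "10.0.1.4",
     "vmMetadata": {"vmId": "1111-aaaa"}, "lastSeen": "2025-06-20T07:30:00Z"},
    {"computerDnsName": "db-01", "lastIpAddress": "10.0.2.4",
     "vmMetadata": {"vmId": "2222-bbbb"}, "lastSeen": "2025-05-30T11:00:00Z"},   # enrolled, silent for weeks
    {"computerDnsName": "app-01.contoso.local", "lastIpAddress": "10.0.3.4",
     "vmMetadata": None, "lastSeen": "2025-06-19T23:00:00Z"},                    # only matchable by host + IP
]


def parse_seen(stamp):
    """MDE lastSeen is an ISO-8601 UTC string with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host_label(dns_name):
    """Compare only the first DNS label, case-insensitively; MDE often stores the FQDN."""
    return dns_name.split(".")[0].lower()


def index_devices(devices):
    """Build the primary (VM ID) and fallback (hostname + IP) lookup tables."""
    by_vmid, by_host_ip = {}, {}
    for dev in devices:
        meta = dev.get("vmMetadata") or {}
        if meta.get("vmId"):
            by_vmid[meta["vmId"].lower()] = dev
        key = (host_label(dev["computerDnsName"]), dev.get("lastIpAddress"))
        # A decommissioned VM whose name and IP were reused can leave a stale record;
        # keep the most recently seen device for a given host + IP pair.
        if key not in by_host_ip or parse_seen(dev["lastSeen"]) > parse_seen(by_host_ip[key]["lastSeen"]):
            by_host_ip[key] = dev
    return by_vmid, by_host_ip


def match_device(vm, by_vmid, by_host_ip):
    """Azure VM ID first (immune to renames), then hostname + private IP as the fallback."""
    if vm.get("vmId"):
        hit = by_vmid.get(vm["vmId"].lower())
        if hit:
            return hit
    return by_host_ip.get((host_label(vm["name"]), vm.get("privateIp")))


def classify(vm, device, now=NOW, threshold=SILENCE_THRESHOLD):
    """Return (state, priority) using the three states the guide defines."""
    if device is None:
        return ("Not Onboarded", "P2")
    if now - parse_seen(device["lastSeen"]) > threshold:
        return ("Onboarded but Not Reporting", "P3")
    return ("Compliant", None)


def run_check(vms, devices, now=NOW):
    by_vmid, by_host_ip = index_devices(devices)
    findings = []
    for vm in vms:
        state, priority = classify(vm, match_device(vm, by_vmid, by_host_ip), now)
        findings.append({"vm": vm["name"], "state": state, "priority": priority,
                         "owner": (vm.get("tags") or {}).get("ServerOwner")})
    return findings


def route_notifications(findings):
    """Group non-compliant findings per ServerOwner; untagged VMs go to the IT summary."""
    per_owner, it_summary = {}, []
    for f in findings:
        if f["state"] == "Compliant":
            continue
        if f["owner"]:
            per_owner.setdefault(f["owner"], []).append(f)
        else:
            it_summary.append(f)
    return per_owner, it_summary


if __name__ == "__main__":
    results = run_check(AZURE_VMS, MDE_DEVICES)
    owners, it_queue = route_notifications(results)
    for f in results:
        print(f"{f['vm']:8} {f['state']:28} {f['priority'] or '-':3} owner={f['owner']}")
    print("per-owner mails:", {o: [f["vm"] for f in fs] for o, fs in owners.items()})
    print("IT summary:", [f["vm"] for f in it_queue])
```

Two design points worth carrying into a real deployment. The hostname + IP fallback is only as trustworthy as the inventory it searches: a stale MDE record for a decommissioned VM whose name and address were reused would produce a false Compliant, which is why the index keeps the most recently seen device per pair and why the VM ID path should be the normal case. And the silence threshold decides how much of the "Onboarded but Not Reporting" class you see; set it shorter than whatever period your audit treats as "reported this week".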

What it takes to deploy

The prerequisites are straightforward: a Logic App Standard plan with system-assigned Managed Identity enabled, a licensed Microsoft 365 account for the sender mailbox (emails go through the Graph API), and ServerOwner tags on the VMs you want owner-specific alerts for. Expect to grant that identity read access to the subscriptions it queries and application permission to read the MDE device inventory. Sending mail from an application identity through Graph requires the Mail.Send application permission, which by default lets the identity send as any mailbox in the tenant; scope it to the single sender mailbox with an Exchange Online application access policy. The workflow triggers daily at 08:00 IST; adjust the recurrence to your time zone.

A few constraints worth knowing. This covers Azure VMs only. Azure Arc-enabled servers are explicitly out of scope, with a companion article promised later. The Stateful workflow type is required for pagination and run history, since each page of results has to be carried into the next iteration; Consumption plan workflows will not handle the volume.

A compliance service hiding in plain sight

For the MSP operator, this is one of those finds where the automation maps cleanly to a recurring service deliverable. “We monitor your Defender for Endpoint coverage daily across your Azure estate and catch silences before they become gaps” is a concrete offering. The alternative — manual spot checks between quarterly audits — leaves room for exactly the kind of silent decay this workflow is built to detect.

The full guide includes step-by-step deployment instructions and code snippets. It is on the Microsoft Tech Community Core Infrastructure and Security blog.