Auto provisioning setting fails when enabling Defender for Containers

Hello Assaf L,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I got that you are getting error message 'Log Analytics auto provisioning is deprecated and can no longer be enabled', the error is a direct consequence of Microsoft's plan to retire the Log Analytics Agent (MMA). This auto-provisioning setting was designed to install the legacy MMA agent, primarily used by the Defender for Servers plan for collecting VM security events. Since the MMA is retired, Microsoft has disabled this auto-provisioning feature.

Now, the modern Defender for Containers plan uses two primary, non-deprecated components:

• The Defender Sensor (deployed as a Kubernetes DaemonSet/Extension on the cluster).
• Agentless Discovery (API-based assessment of Kubernetes posture and container image scanning).

Crucially, the success of the Defender Sensor deployment and agentless scanning is not dependent on the deprecated MMA auto-provisioning setting.

I will try to clarify your all doubts regarding this issue but before that Can you verify that the Defender Sensor is successfully deployed and running on your Kubernetes cluster(s), and that you are seeing security recommendations (e.g., image vulnerability findings) in the Microsoft Defender for Cloud dashboard?"
Because this will confirm that the correct, modern components are active and that the deprecated setting's failure did not cause any silent, secondary failure of the new sensor deployment.

You asked, 'Does this affect usage of the service?'
The answer is No; it does not affect the usage of the core Defender for Containers protection. The crucial components for container security (the Defender sensor and agentless capabilities) are provisioned through different mechanisms (like Kubernetes extensions) that are not affected by the deprecated Log Analytics auto-provisioning.

'Do I need to perform any additional activity to have the service work correctly?'

No additional activity is required to resolve this specific Deprecated error for Defender for Containers. You can safely ignore this failed activity log entry.

The system may still attempt to provision the Azure Policy for Kubernetes component and the Defender Sensor through other, non-deprecated auto-provisioning methods that are part of the Containers plan setup. You should confirm the status of the Defender sensor on your clusters.

Please do refer below documents:

Prepare for retirement of the Log Analytics agent (MMA): https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent

This documentation confirms the retirement of the MMA agent and the deprecation of its associated auto-provisioning capability, which is the source of your error message.

Configure Microsoft Defender for Containers components: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks

This document shows that the key component for protection is the Defender Sensor, which is deployed via the Kubernetes extension, separate from the MMA provisioning.

 Defender for Containers architecture: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction

Hope this helps! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well.

If you need more info, feel free to ask in the comments. Happy to help!

Regards,

Monalisha