A company uses Microsoft Defender for Cloud with enhanced security features enabled. They recently deployed a new Azure Kubernetes Service (AKS) cluster and want to ensure it is protected by Defender for Containers. What must they do to enable protection?
This enables the workload protection plan for containers, which automatically covers AKS clusters in the subscription.
Why this answer
Defender for Containers is a plan-level feature in Microsoft Defender for Cloud that must be enabled at the subscription level. Once enabled, it automatically discovers and protects AKS clusters without requiring any manual agent installation on nodes, as it uses the Defender sensor deployed by AKS itself. This is the only action needed to enable protection for the new AKS cluster.
Exam trap
The trap here is that candidates often assume agent installation or Log Analytics workspace configuration is necessary for container protection, but Defender for Containers is a subscription-level plan that automatically provisions the required sensor without manual node-level setup.
How to eliminate wrong answers
Option B is wrong because Defender for Containers does not require installing the Microsoft Defender for Cloud agent on AKS nodes; it uses a dedicated Defender sensor that is automatically deployed by the AKS integration.
Option C is wrong because a Log Analytics workspace is not a prerequisite for Defender for Containers; while logs can be collected, the plan works independently of Log Analytics.
Option D is wrong because enabling Azure Policy for AKS is not required to enable Defender for Containers; Azure Policy can be used for compliance and governance but is separate from the Defender plan activation.