Verify that 'All users with the following roles' is set to 'Owner'
Last updated: April 9, 2026
Framework Reference: A.5.24 Integration: Azure – Microsoft Defender for Cloud
Why this matters
Enabling alert notifications for users with the “Owner” role ensures that subscription owners receive security alerts directly from Microsoft Defender for Cloud, so that those with the highest level of access become aware of security issues promptly and can mitigate them.
What this check does
This Auto Check verifies whether email notifications are configured to be sent to all users with the “Owner” role.
Check passes if:
notificationsByRole is set to "Owner"
Check fails if:
The value is unset or set to any role other than "Owner"
Applies to:
Azure Subscriptions with Microsoft Defender for Cloud enabled
How to fix it
Azure Portal
Go to Microsoft Defender for Cloud
Click Environment Settings
Select the relevant Management Group, Subscription, or Workspace
Click Email notifications
In the All users with the following roles dropdown, select Owner
Click Save
Azure CLI
Prepare an input.json file with the following content (replace <validEmailAddress> and <Your_Subscription_Id>):
```json
{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<validEmailAddress>",
    "alertNotifications": "On",
    "alertsToAdmins": "On",
    "notificationsByRole": "Owner"
  }
}
```
Then run:
```bash
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | \
xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
  "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" \
  -d @input.json'
```
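The check's pass/fail rule applied to the securityContacts resource body, as an added example that is not part of this page or of Defender for Cloud itself; the subscription ids, e-mail addresses and response bodies below are constructed, and accepting a list of roles is an assumption beyond the single-string shape shown above.

```python
import json

# Constructed sample responses for the securityContacts/default1 resource, shaped like
# the input.json above (api-version 2017-08-01-preview). These are not real subscriptions.
SAMPLE_RESPONSES = {
    "sub-pass": '{"name": "default1", "properties": {"email": "secops@example.com", '
                '"alertNotifications": "On", "alertsToAdmins": "On", "notificationsByRole": "Owner"}}',
    "sub-wrong-role": '{"name": "default1", "properties": {"email": "secops@example.com", '
                      '"alertNotifications": "On", "notificationsByRole": "Contributor"}}',
    "sub-unset": '{"name": "default1", "properties": {"email": "secops@example.com", '
                 '"alertNotifications": "On"}}',
    "sub-garbled": '{"name": "default1", "properties": ',
}


def check_owner_notifications(body: str) -> tuple[bool, str]:
    """Apply the check's rule to one securityContacts resource body.

    Passes only when notificationsByRole names the Owner role; an unset value,
    any other role, or an unparsable body fails closed.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"FAIL: response is not valid JSON ({exc.msg})"
    props = doc.get("properties") or {}
    role = props.get("notificationsByRole")
    if role in (None, ""):
        return False, "FAIL: notificationsByRole is unset"
    # The API version used on this page stores a single role string. Accepting a list
    # here is an assumption, so that a response carrying several roles is still evaluated.
    roles = role if isinstance(role, list) else [role]
    if "Owner" in roles:
        return True, "PASS: Owner role receives Defender for Cloud alerts"
    return False, f"FAIL: notificationsByRole is {roles}, expected Owner"


def evaluate_subscriptions(responses: dict[str, str]) -> dict[str, bool]:
    """Run the check across subscriptions and return subscription -> pass/fail."""
    results = {}
    for sub_id, body in responses.items():
        passed, reason = check_owner_notifications(body)
        results[sub_id] = passed
        print(f"{sub_id}: {reason}")
    return results


if __name__ == "__main__":
    evaluate_subscriptions(SAMPLE_RESPONSES)
```

Feed it the body returned by a GET on the same securityContacts URL for each subscription to evaluate the fleet in one pass.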
Exceptions
None. This setting should be enabled by default and enforced across all subscriptions.
Further resources