| title | zone resource type |
|---|---|
| description | Represents an aggregate of cloud-native environments (also referred to as cloud scope) used to manage access and security at scale within Microsoft Defender for Cloud. |
| author | Yarinle4 |
| ms.date | 11/26/2025 |
| ms.localizationpriority | medium |
| ms.subservice | security |
| doc_type | resourcePageType |

Namespace: microsoft.graph.security

[!INCLUDE beta-disclaimer]

Represents an aggregate of cloud-native environments (also referred to as a cloud scope) used to manage access and security at scale within Microsoft Defender for Cloud. Zones enable the segmentation of multi-cloud environments, such as Azure, AWS, GCP, and connected DevOps or registry sources, into meaningful groupings, allowing for the consistent application of least‑privilege access controls.
When you set up a new zone, you can assign roles to it. For more information about role‑based access control permission assignments, see rbacApplicationMultiple.
For more information, see Manage cloud scopes and unified role-based access control.
Note: A tenant has no default zone. Environments aren't automatically attached to any zone; they must be explicitly assigned to zones by administrators. An environment can be attached to multiple zones simultaneously, which allows for flexible grouping and overlapping access‑control scenarios.
Inherits from entity.

| Method | Return type | Description |
|---|---|---|
| List | microsoft.graph.security.zone collection | Get a list of the zone objects and their properties. |
| Create | microsoft.graph.security.zone | Create a new zone object. |
| Get | microsoft.graph.security.zone | Get a zone object by a specific zoneId. |
| Update | microsoft.graph.security.zone | Update the properties of a zone object. |
| Delete | None | Delete a zone object by providing the zoneId. |

| Property | Type | Description |
|---|---|---|
| created | microsoft.graph.security.auditInfo | Creation metadata, including user and timestamp. Supports $orderby (dateTime property only). Supports $filter (ge, le, gt, lt) on the dateTime property. For example, $filter=created/dateTime ge 2023-01-01T00:00:00Z. |
| description | String | Optional description of the zone. Up to 255 characters. Supports $filter (eq, contains). For example, $filter=contains(description, 'production'). |
| displayName | String | Human-readable name of the zone. Up to 1,024 characters. Supports $filter (eq, contains), and $orderby. For example, $filter=displayName eq 'Production Zone' or $orderby=displayName asc. |
| id | String | Unique identifier for the zone. Inherited from entity. Supports $filter (eq). |
| modified | microsoft.graph.security.auditInfo | Last modification metadata, including user and timestamp. Supports $orderby (dateTime property only). Supports $filter (ge, le, gt, lt) on the dateTime property. For example, $orderby=modified/dateTime desc. |

| Relationship | Type | Description |
|---|---|---|
| aggregations | microsoft.graph.security.aggregatedEnvironment collection | Environment count summaries by type. Read-only. Supports $filter (eq) on the kind property. For example, $filter=aggregations/any(a: a/kind eq 'azureSubscription'). |
| environments | microsoft.graph.security.environment collection | Collection of attached environments. Supports $expand. |

The following JSON representation shows the resource type.

```json
{
  "@odata.type": "#microsoft.graph.security.zone",
  "created": {"@odata.type": "microsoft.graph.security.auditInfo"},
  "description": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "modified": {"@odata.type": "microsoft.graph.security.auditInfo"}
}
```
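
Because a tenant has no default zone and an environment can sit in several zones at once, a periodic coverage check is useful. The following is an added example, not part of the Microsoft Graph documentation: it audits an already-parsed zone collection (as returned with `$expand=environments`) against an inventory of environment IDs. The `id` field on each environment object, the inventory set, the sample IDs, and the function name `audit_zone_coverage` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: a zone collection as returned with $expand=environments.
# Zone fields follow the JSON representation above; the "id" field on each
# environment object is an assumption (the environment type is not shown here).
ZONES = [
    {"id": "z-prod", "displayName": "Production Zone", "description": "production workloads",
     "environments": [{"id": "env-azure-1"}, {"id": "env-aws-1"}]},
    {"id": "z-pci", "displayName": "PCI Scope", "description": None,
     "environments": [{"id": "env-aws-1"}]},
    {"id": "z-empty", "displayName": "Staging", "description": "x" * 300,
     "environments": []},
]
# Constructed inventory of every onboarded environment ID (hypothetical source).
INVENTORY = {"env-azure-1", "env-aws-1", "env-gcp-1", "env-devops-1"}

MAX_DISPLAY_NAME = 1024  # character limits from the property table
MAX_DESCRIPTION = 255


def audit_zone_coverage(zones, inventory):
    """Return coverage findings for a zone collection against an inventory."""
    membership = defaultdict(set)  # environment id -> ids of zones containing it
    empty, invalid = [], []
    for zone in zones:
        envs = zone.get("environments") or []
        if not envs:
            empty.append(zone["id"])
        for env in envs:
            membership[env["id"]].add(zone["id"])
        name = zone.get("displayName") or ""
        desc = zone.get("description") or ""
        if len(name) > MAX_DISPLAY_NAME or len(desc) > MAX_DESCRIPTION:
            invalid.append(zone["id"])
    assigned = set(membership)
    return {
        # No default zone exists, so these environments are covered by no zone.
        "unassigned": sorted(inventory - assigned),
        # Overlap is allowed; list it so the combined access can be reviewed.
        "multi_zone": {e: sorted(z) for e, z in sorted(membership.items()) if len(z) > 1},
        "unknown": sorted(assigned - inventory),
        "empty_zones": empty,
        "invalid_fields": invalid,
    }


if __name__ == "__main__":
    for key, value in audit_zone_coverage(ZONES, INVENTORY).items():
        print(f"{key}: {value}")
```
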