diff --git a/src/bicep/README.md b/src/bicep/README.md
index ccbaba049..feb4e4ca2 100644
--- a/src/bicep/README.md
+++ b/src/bicep/README.md
@@ -129,3 +129,5 @@ spokes.value[0..2].subnetResourceId
 spokes.value[0..2].subscriptionId
 spokes.value[0..2].virtualNetworkName
 spokes.value[0..2].virtualNetworkResourceId
+deployDefender.value
+emailSecurityContact.value
diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
index 36cf14e32..79b2a9a79 100644
--- a/src/bicep/add-ons/tier3/tier3.bicep
+++ b/src/bicep/add-ons/tier3/tier3.bicep
@@ -43,6 +43,12 @@ param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyti
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
+@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
+param deployDefender bool = mlzDeploymentVariables.deployDefender.Value
+@description('Email address of the contact, in the form of john@doe.com')
+param emailSecurityContact string = mlzDeploymentVariables.emailSecurityContact.Value
+
+
 @description('The address prefix for the network spoke vnet.')
 param virtualNetworkAddressPrefix string = '10.0.125.0/26'
@@ -193,6 +199,15 @@ module workloadSubscriptionActivityLogging '../../modules/central-logging.bicep'
 ]
 }
+module spokeDefender '../../modules/defender.bicep' = if (deployDefender) {
+name: 'set-${workloadName}-sub-defender'
+scope: subscription(workloadSubscriptionId)
+params: {
+logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
+emailSecurityContact: emailSecurityContact
+}
+}
+
 output resourceGroupName string = resourceGroup.outputs.name
 output location string = resourceGroup.outputs.location
 output tags object = resourceGroup.outputs.tags
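Review bot: The `@description` on the new `deployDefender` parameter in tier3.bicep says it "defaults to false", but the declared default is `mlzDeploymentVariables.deployDefender.Value`, i.e. whatever the hub MLZ deployment recorded, so the documentation contradicts the code; suggest `@description('When set to "true", enables Microsoft Defender for Cloud on the workload subscription. Defaults to the deployDefender value recorded by the MLZ deployment.')`. In the second hunk, `module spokeDefender` runs at `subscription(workloadSubscriptionId)` scope, so the deploying identity presumably needs subscription-level rights on the workload subscription (not just the resource group); that prerequisite is worth a comment above the module, e.g. `// Requires subscription-scope permissions on workloadSubscriptionId; only deployed when deployDefender is true`. `emailSecurityContact` is forwarded to the defender module with no `@minLength` or format check, so an empty or malformed hub value is passed through silently; if an empty contact is valid when Defender is disabled, a guard in the description or the module is preferable to a hard `@minLength(1)`. The two consecutive added blank lines after `param emailSecurityContact` are a style nit; one is enough.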
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 959f19e1e..e08253a80 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -1097,6 +1097,10 @@ output hub object = {
 networkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId
 }
+output deployDefender bool = deployDefender
+
+output emailSecurityContact string = emailSecurityContact
+
 output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.name
 output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id
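Review bot: The two new outputs carry no `@description`, unlike the documented parameters they echo, and their names are now a contract consumed by the tier3 add-on through `mlzDeploymentVariables.<name>.Value`, so renaming either silently breaks that add-on; suggest `@description('Whether Microsoft Defender for Cloud was enabled; consumed by add-ons such as tier3.')` above `output deployDefender` and `@description('Security contact email forwarded to Defender for Cloud; consumed by add-ons such as tier3.')` above `output emailSecurityContact`. Note that deployment outputs are persisted in the deployment history and readable by anyone with read access to the deployment scope; an email address is contact data rather than a secret, so this is acceptable, but the description could say that it is intentionally exposed. The `output hub object` above the hunk begins outside it.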