Microsoft Defender for Cloud
Your unified security dashboard for cloud workloads — how CSPM scores your posture, and how Defender plans protect servers, databases, containers, and more.
What is Defender for Cloud?
Imagine a health check-up for your entire cloud environment.
Defender for Cloud is like having a doctor who does two things: (1) gives you a health score and tells you what to fix before you get sick (that’s CSPM — posture management), and (2) actively fights off infections when they happen (that’s cloud workload protection).
The health score is your Secure Score — a number from 0 to 100% showing how healthy your security posture is. The doctor’s prescriptions are recommendations — specific actions like “turn on encryption for this database” or “enable MFA for these admin accounts.”
You get the check-up for free. The active protection (Defender plans) costs extra.
Cloud Security Posture Management (CSPM)
CSPM is the “health check” side of Defender for Cloud. It continuously assesses your resources, identifies misconfigurations, and tells you exactly what to fix.
Secure Score
The Secure Score is a percentage (0-100%) that represents the overall security health of your environment. A higher score means fewer misconfigurations and better alignment with security best practices.
How it works:
- Defender for Cloud assesses every resource against a set of security controls, each of which groups related recommendations
- Each control is worth a maximum number of points ("Enable MFA", for instance, is worth 10), and a resource only counts as healthy for a control once it satisfies all of that control's recommendations
- Your score = points earned / total possible points, where each control contributes its maximum multiplied by the share of its resources that are healthy; controls with no applicable resources are left out of both sums
- As you fix recommendations, more resources become healthy and your score increases
Example: SecureBank starts at 45%. Alex follows the recommendations — enables encryption on storage accounts, configures NSGs on all subnets, and turns on MFA for admins. The score jumps to 72%.
Security policies and standards
Defender for Cloud evaluates resources against security standards — collections of rules that define what “secure” looks like:
| Standard | What it covers |
|---|---|
| Microsoft Cloud Security Benchmark (MCSB) | Microsoft’s default standard — best practices across identity, network, data, logging, and more |
| Regulatory compliance standards | CIS Benchmarks, NIST 800-53, PCI DSS, ISO 27001, SOC 2 — frameworks mapped to Azure controls |
| Custom standards | Organisations can create their own standards to match internal policies |
The MCSB is enabled automatically for every Azure subscription. Regulatory compliance standards can be added in the compliance dashboard.
Recommendations
Recommendations are the actionable output of CSPM. Each recommendation tells you:
- What is misconfigured (for example, “Storage account allows public blob access”)
- Why it matters (risk description)
- How to fix it (step-by-step remediation, often with a “Fix” button for one-click remediation)
- Which resources are affected
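The arithmetic behind the Secure Score and the "what to fix first" ordering of recommendations, as an added worked example (not Defender for Cloud's own code). The control names, point values and resource counts below are constructed; the formula is the one Defender for Cloud documents, where each control's current score is its maximum multiplied by healthy / (healthy + unhealthy) resources, and the overall score is the sum of current scores over the sum of maximums. The `prioritise` ordering by potential score increase is my reconstruction of what the portal's recommendation list sorts by, not an exact copy of it.

```python
"""Secure Score arithmetic over a constructed set of security controls.

Added illustration, not Defender for Cloud code. Names and numbers are
made up; the formula is the documented one:

    control current score = max score * healthy / (healthy + unhealthy)
    secure score (%)      = sum(current scores) / sum(max scores) * 100

Controls with no applicable resources are excluded from both sums.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    name: str
    max_score: int   # points the control is worth when every resource is healthy
    healthy: int     # resources satisfying every recommendation in the control
    unhealthy: int   # resources with at least one open recommendation

    @property
    def applicable(self) -> bool:
        return self.healthy + self.unhealthy > 0

    @property
    def current_score(self) -> float:
        if not self.applicable:
            return 0.0
        return self.max_score * self.healthy / (self.healthy + self.unhealthy)

    @property
    def potential_gain(self) -> float:
        """Points still on the table if every unhealthy resource is fixed."""
        return self.max_score - self.current_score


def secure_score(controls) -> float:
    """Overall Secure Score as a percentage, rounded to one decimal."""
    scored = [c for c in controls if c.applicable]
    maximum = sum(c.max_score for c in scored)
    if maximum == 0:
        return 0.0
    current = sum(c.current_score for c in scored)
    return round(100 * current / maximum, 1)


def prioritise(controls):
    """Open controls ordered by potential score increase, largest first;
    ties go to the control with fewer resources left to fix."""
    return sorted(
        (c for c in controls if c.unhealthy),
        key=lambda c: (-c.potential_gain, c.unhealthy),
    )


def remediate(control: Control, fixed: int) -> Control:
    """The control after `fixed` unhealthy resources have been made healthy."""
    fixed = min(fixed, control.unhealthy)
    return replace(control, healthy=control.healthy + fixed,
                   unhealthy=control.unhealthy - fixed)


def remediate_top(controls, fixed: int):
    """Fix `fixed` resources in the control that currently offers the biggest gain."""
    top = prioritise(controls)[0]
    return [remediate(c, fixed) if c is top else c for c in controls]


# Constructed sample: one SecureBank subscription before any remediation.
CONTROLS = [
    Control("Enable MFA", max_score=10, healthy=2, unhealthy=2),
    Control("Secure management ports", max_score=8, healthy=0, unhealthy=4),
    Control("Apply system updates", max_score=6, healthy=3, unhealthy=3),
    Control("Encrypt data in transit", max_score=4, healthy=4, unhealthy=0),
    # No VNets in this subscription, so the control is not applicable.
    Control("Protect applications with DDoS", max_score=2, healthy=0, unhealthy=0),
]


if __name__ == "__main__":
    print(f"Secure Score before: {secure_score(CONTROLS)}%")
    for c in prioritise(CONTROLS):
        print(f"  +{c.potential_gain:.1f} pts  {c.name} ({c.unhealthy} resources to fix)")
    after = remediate_top(CONTROLS, fixed=4)
    print(f"Secure Score after closing management ports: {secure_score(after)}%")
```

Two things the example makes visible that the summary above does not: credit is proportional per resource, so fixing one of four unhealthy VMs in a control earns a quarter of that control's points, and a control with many cheap-looking recommendations can still be worth less than one control with a single expensive fix, which is why the portal ranks by potential score increase rather than by recommendation count.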
Scenario: Alex reviews SecureBank's Secure Score
Director Reyes asks Alex for a security posture report. Alex opens Defender for Cloud and sees:
- Secure Score: 58%
- Top recommendation: “Enable Azure DDoS Protection on virtual networks” — affects 3 VNets, worth 8 points
- Second recommendation: “Storage accounts should restrict network access” — affects 5 storage accounts, worth 6 points
- Third recommendation: “SQL databases should have transparent data encryption enabled” — affects 2 databases, worth 4 points
Alex fixes the top three recommendations, and the score rises to 73%. The compliance dashboard now shows 89% alignment with the MCSB standard.
Alex reports: “We were at 58% last month. After addressing the top recommendations, we’re at 73% — and we’ve closed the five most critical misconfigurations.”
Cloud Workload Protection (CWP)
While CSPM is about preventing problems (posture), Cloud Workload Protection is about detecting and responding to active threats. It is delivered through Defender plans — each plan protects a specific resource type.
Defender plans overview
| Defender Plan | What it protects | Example detection |
|---|---|---|
| Defender for Servers | Windows and Linux machines in Azure, on-premises (via Azure Arc) and other clouds | Suspicious process execution, brute-force RDP attempts |
| Defender for SQL | Azure SQL Database, SQL Managed Instance, and SQL Server on machines (open-source relational databases and Cosmos DB have their own plans in the Databases group) | SQL injection attempts, anomalous database access |
| Defender for Storage | Azure Storage accounts | Malware upload to blob storage, access from suspicious IPs |
| Defender for Containers | AKS clusters and container registries | Vulnerable container images, runtime threats in clusters |
| Defender for App Service | Azure App Service web apps | Command injection, suspicious outbound communication |
| Defender for Key Vault | Azure Key Vault | Unusual secret access patterns, access from anonymous IPs |
Each plan is enabled per subscription, independently of the others, and covers every resource of that type in the subscription; you pay only for the plans you turn on.
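To make the "example detection" column concrete, here is a simplified version of the kind of analytic behind a Defender for Servers alert such as brute-force RDP attempts, written as an added example (not Defender's own detection logic, which also uses baselines and threat intelligence). It runs over constructed Windows Security event records using the standard event IDs (4625 failed logon, 4624 successful logon) and logon type 10 for RDP; the threshold and window values are assumptions.

```python
"""Brute-force-then-success detection over constructed Windows logon events.

Added illustration of a Defender-for-Servers-style analytic; not Defender's
own logic. Event IDs are the standard Windows Security ones (4625 = failed
logon, 4624 = successful logon); logon type 10 = RemoteInteractive (RDP).
The event records, threshold and window below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # RDP failures from one source IP ...
WINDOW = timedelta(minutes=10)   # ... within this sliding window

# Constructed events: (timestamp, event_id, logon_type, account, source_ip)
EVENTS = [
    ("2024-05-01T09:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-05-01T09:00:14", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-05-01T09:00:27", 4625, 10, "admin",         "203.0.113.7"),
    ("2024-05-01T09:00:41", 4625, 10, "svc_backup",    "203.0.113.7"),
    ("2024-05-01T09:00:55", 4625, 10, "svc_backup",    "203.0.113.7"),
    ("2024-05-01T09:01:09", 4625, 10, "svc_backup",    "203.0.113.7"),
    ("2024-05-01T09:04:30", 4624, 10, "svc_backup",    "203.0.113.7"),   # guessed it
    ("2024-05-01T09:02:00", 4625, 10, "alex",          "198.51.100.20"),
    ("2024-05-01T09:02:20", 4625, 10, "alex",          "198.51.100.20"),
    ("2024-05-01T09:02:45", 4624, 10, "alex",          "198.51.100.20"),  # two typos
    ("2024-05-01T09:00:00", 4625, 10, "administrator", "192.0.2.9"),      # slow guesser
    ("2024-05-01T09:12:00", 4625, 10, "administrator", "192.0.2.9"),
    ("2024-05-01T09:24:00", 4625, 10, "administrator", "192.0.2.9"),
    ("2024-05-01T09:36:00", 4625, 10, "administrator", "192.0.2.9"),
    ("2024-05-01T09:48:00", 4625, 10, "administrator", "192.0.2.9"),
    ("2024-05-01T09:05:00", 4625, 3,  "administrator", "203.0.113.50"),   # SMB, not RDP
    ("2024-05-01T09:05:01", 4625, 3,  "administrator", "203.0.113.50"),
    ("2024-05-01T09:05:02", 4625, 3,  "administrator", "203.0.113.50"),
    ("2024-05-01T09:05:03", 4625, 3,  "administrator", "203.0.113.50"),
    ("2024-05-01T09:05:04", 4625, 3,  "administrator", "203.0.113.50"),
]


def parse(events):
    return [(datetime.fromisoformat(ts), eid, lt, acct, ip)
            for ts, eid, lt, acct, ip in events]


def detect_rdp_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts keyed by source IP.

    'medium': at least `threshold` RDP failures from one IP inside `window`.
    'high'  : a successful RDP logon from that IP within `window` of the
              last failure in the burst (password guessed).
    """
    recent = defaultdict(list)   # ip -> [(ts, account)] failures inside the window
    alerts = {}
    for ts, event_id, logon_type, account, ip in sorted(parse(events)):
        if logon_type != 10:
            continue             # only RDP logons are in scope for this analytic
        if event_id == 4625:
            recent[ip] = [(t, a) for t, a in recent[ip] if ts - t <= window]
            recent[ip].append((ts, account))
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(ip, {
                    "severity": "medium",
                    "first_seen": recent[ip][0][0],
                    "accounts": set(),
                })
                alert["failures"] = len(recent[ip])
                alert["accounts"].update(a for _, a in recent[ip])
        elif event_id == 4624 and ip in alerts and recent[ip]:
            last_failure = recent[ip][-1][0]
            if ts - last_failure <= window:
                alerts[ip]["severity"] = "high"
                alerts[ip]["succeeded_as"] = account
                alerts[ip]["succeeded_at"] = ts
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_brute_force(EVENTS).items():
        print(ip, alert["severity"], alert["failures"], sorted(alert["accounts"]),
              alert.get("succeeded_as"))
```

Three cases in the sample data show why a fixed threshold is only a starting point: the fast attacker from 203.0.113.7 is caught and escalated to high once the success lands, Alex's two typos stay below the threshold, and the slow guesser from 192.0.2.9 never has five failures inside any ten-minute window, so it evades this rule entirely. Defender plans close that gap with tenant-wide baselines and threat intelligence on the source IP; the simple rule is what you would write in a SIEM as a first pass.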
Free vs enhanced security
| Feature | Free (Foundational CSPM) | Enhanced (Defender Plans Enabled) |
|---|---|---|
| Secure Score | Yes | Yes |
| Security recommendations | Yes, including "Fix" remediation and workflow automation | Yes, plus governance rules that assign owners and due dates to open recommendations |
| MCSB compliance | Yes | Yes — plus regulatory compliance standards |
| Threat detection | No | Yes — per-plan threat alerts |
| Vulnerability assessment | No | Yes — built into Defender for Servers and Containers |
| Just-in-time VM access | No | Yes: time-limited opening of management ports (Defender for Servers Plan 2) |
| Cost | Free for all Azure subscriptions | Per-resource pricing based on plans enabled |
Exam tip: CSPM vs CWP
The exam often tests whether you know the difference:
- CSPM = posture, prevention, Secure Score, recommendations, compliance. Think: “How healthy am I?”
- CWP = threat detection, alerts, active protection. Think: “Something is attacking me — detect and respond.”
If a question asks about “identifying misconfigurations” or “improving security posture” — the answer is CSPM. If a question asks about “detecting threats” or “alerting on suspicious activity” — the answer is CWP (Defender plans).
Multi-cloud coverage
Defender for Cloud is not limited to Azure. It can protect workloads in:
- Azure — native integration, no agents needed for CSPM
- Amazon Web Services (AWS) — an AWS connector (set up with a CloudFormation template that creates the IAM role Defender for Cloud assumes) assesses EC2 instances, S3 buckets, RDS databases
- Google Cloud Platform (GCP) — a GCP connector (set up with a script run in Cloud Shell that creates the service accounts Defender for Cloud uses) assesses Compute Engine, Cloud Storage, Cloud SQL
- On-premises — via Azure Arc, whose agent projects each on-prem server into Azure as a resource so it can be assessed and, with Defender for Servers, protected
This means Alex can see SecureBank’s entire security posture — Azure, any AWS accounts, and on-prem servers — in a single dashboard.
🎬 Video walkthrough
🎬 Video coming soon
Microsoft Defender for Cloud — CSPM and Workload Protection (SC-900)
Knowledge check
Director Reyes asks Alex: 'I need a single number that tells me how secure our cloud environment is, and a prioritized list of what to fix.' Which Defender for Cloud capability provides this?
SecureBank's Defender for Cloud generates an alert: 'Suspicious login to SQL database from an unfamiliar IP address.' Which capability triggered this alert?
SecureBank has just started using Defender for Cloud on the free tier. Which of the following capabilities is available WITHOUT enabling any paid Defender plans?