Skip to main content

Security GuideDefender for CloudCSPMCWPP2026

How to Secure Azure Resources Using
Microsoft Defender for Cloud

Most Azure engineers know Microsoft Defender for Cloud as the Secure Score dashboard that flags open ports and missing encryption. That is just the surface. Underneath is a complete Cloud Native Application Protection Platform — covering posture management, active workload protection, regulatory compliance, attack path analysis, and automated remediation across Azure, AWS, and GCP. This guide shows you how to use all of it.

Free
The foundational CSPM tier — Secure Score, recommendations, asset inventory, and MCSB assessment — is enabled by default on every Azure subscription at no cost
CNAPP
Cloud Native Application Protection Platform — the category Defender for Cloud belongs to. It unifies CSPM (posture) + CWPP (runtime protection) + DevSecOps in a single pane
>85%
The Secure Score target Microsoft recommends for production environments. Below 70% indicates critical misconfigurations that represent material security risk
3 clouds
Defender for Cloud protects Azure, AWS, and GCP workloads from a single dashboard — including unified Secure Score across all three environments

CSPM vs CWPP: The Two Engines Inside Defender for Cloud

Microsoft Defender for Cloud is two fundamentally different security functions operating inside the same interface. Understanding which function does what — and which is free vs paid — is the prerequisite for using the product effectively. Engineers who treat it as a single unified "security tool" consistently underuse it because they enable one function and assume the other is covered.

The first function is Cloud Security Posture Management (CSPM) — the preventive engine. CSPM continuously assesses every resource in your Azure subscription against a set of security best practices defined by the Microsoft Cloud Security Benchmark (MCSB). It produces the Secure Score, generates actionable recommendations, and maps your environment against regulatory frameworks. CSPM is proactive: it finds misconfigurations before an attacker does. The foundational CSPM tier is free by default on every Azure subscription.

The second function is Cloud Workload Protection Platform (CWPP) — the active defense engine. CWPP is a family of paid plans, each tuned to a specific resource type, that watch for active threats in real time. Where CSPM asks "is your configuration correct?", CWPP asks "is something attacking you right now?" These are separate questions requiring separate answers.

Figure 1 — Defender for Cloud architecture: CSPM (prevention) vs CWPP (active defense) in a single platform
Microsoft Defender for Cloud — Cloud Native Application Protection Platform (CNAPP)CSPM — PREVENTIONFree foundational tier · Paid Defender CSPM for advanced features✓ Secure Score (0–100%)Single metric for your overall security posture✓ Security RecommendationsActionable misconfigurations with Quick Fix buttons✓ MCSB Compliance AssessmentMicrosoft Cloud Security Benchmark mapping✓ Asset InventoryFull visibility into all resources across subscriptions★ Paid CSPM Adds:Attack Path Analysis · Cloud Security Explorer · Agentless scanningCWPP — ACTIVE DEFENSEPaid plans · Enable per workload type · Real-time threat detection🔵 Defender for ServersJIT VM Access · Microsoft Defender for Endpoint · FIM🔵 Defender for StorageMalware scan on blob uploads · anomalous access alerts🔵 Defender for SQLSQL injection detection · anomalous queries · brute force🔵 Defender for ContainersImage vulnerability scanning · AKS runtime protection🔵 Defender for Key Vault / App Service / APIsUnusual access patterns · secret exfiltration · web attacks
CSPM asks "is your configuration correct?" — it is the home inspection. CWPP asks "is something attacking you right now?" — it is the burglar alarm. Both engines are needed. The free CSPM tier provides immediate value at zero cost. CWPP plans should be enabled at minimum for Servers, SQL, Storage, and Containers in production.
Step 1Enable Defender for Cloud on Your Subscription
Start HereFree Tier Available

Defender for Cloud's foundational CSPM is enabled automatically on all Azure subscriptions. However, to access enhanced features, manage settings across multiple subscriptions, and enable CWPP plans, you must explicitly configure it. The recommended approach for organisations with multiple subscriptions is to enable and configure Defender for Cloud at the Management Group level — this ensures consistent coverage and a single policy baseline across all subscriptions.

1

Navigate to Defender for Cloud in the Azure Portal

In the Azure Portal, search for "Microsoft Defender for Cloud" and open it. The Overview page shows your current Secure Score, active recommendations count, and security alerts. If the subscription shows "Not covered" for any resource type, foundational CSPM is active but CWPP plans are not enabled for that resource type.

2

Open Environment Settings and select your subscription

In the left menu, select Environment settings. Expand the Azure tenant to see all Management Groups and subscriptions. Select the subscription you want to configure. You will see the Defender plans page — this is where you enable and disable individual CWPP plans.

3

Enable Defender plans per workload type

Each plan is toggled independently: Defender for Servers, Defender for Storage, Defender for Databases (SQL, OSS DBs, Cosmos DB), Defender for Containers, Defender for Key Vault, Defender for App Service, Defender for APIs, Defender for Resource Manager. For a production environment, enable at minimum: Servers, Storage, SQL, and Containers. Enable All Plans is available but review pricing first — billing is per-resource and varies by plan.

4

Enable via Azure CLI for automation and consistency

Use the Azure CLI to enable plans programmatically — essential for onboarding new subscriptions through IaC pipelines. See the CLI commands below. Set this in your landing zone Terraform or Bicep templates to ensure Defender for Cloud is always enabled when a new subscription is provisioned.

5

Configure email notifications for security alerts

In Defender for Cloud → Environment Settings → Select subscription → Email notifications. Add security contact email addresses and configure which alert severities trigger notifications. Set "Send email notification for alerts of the following severity" to High and Medium at minimum. Without this, security alerts exist in the portal but no one is alerted.

Azure CLI — Enable Defender plans on a subscription# Enable foundational CSPM (free)
az security pricing create \
  --name CloudPosture \
  --tier free \
  --subscription $SUBID

# Enable Defender for Servers Plan 2 (recommended for VMs)
az security pricing create \
  --name VirtualMachines \
  --tier standard \
  --subscription $SUBID

# Enable Defender for Storage
az security pricing create \
  --name StorageAccounts \
  --tier standard \
  --subscription $SUBID

# Enable Defender for SQL (Azure SQL Database)
az security pricing create \
  --name SqlServers \
  --tier standard \
  --subscription $SUBID

# Enable Defender for Containers (AKS, ACR)
az security pricing create \
  --name Containers \
  --tier standard \
  --subscription $SUBID

# Enable Defender for Key Vault
az security pricing create \
  --name KeyVaults \
  --tier standard \
  --subscription $SUBID

# List current Defender plan status
az security pricing list --subscription $SUBID -o table
Step 2Understanding and Improving Your Secure Score
Key MetricTarget >85%

The Secure Score is a percentage from 0 to 100 that represents the security health of your Azure environment. It is calculated as the ratio of healthy resources to total assessed resources, weighted by the potential security impact of each recommendation. A score of 52% (a common starting point for unconfigured subscriptions) means nearly half your assessed resources have remediable security gaps.

How Secure Score is calculated: Each recommendation belongs to a security control (a group of related checks). The control's maximum score is divided by the number of unhealthy resources. Fixing one recommendation in a control with many unhealthy resources improves the score less than fixing the only recommendation in a different control. Prioritise controls where fixing all recommendations gives the highest score increase, not just the highest-severity individual recommendations.

Figure 2 — Secure Score calculation: how controls, recommendations, and healthy resources combine into your score
Example: A subscription with 3 security controlsControl: Enable MFAMax score: 10 pts5/10 resources healthyScore contribution:5.0 ptsFix 5 more users = +5 ptsBIGGEST gain available→ Prioritise this controlControl: Encrypt Data at RestMax score: 8 pts7/8 resources healthyScore contribution:7.0 ptsFix 1 more resource = +1 ptLow effort, small gain→ Secondary priorityControl: Restrict Management PortsMax score: 6 pts2/10 resources healthyScore contribution:1.2 ptsFix 8 more VMs = +4.8 ptsHigh effort, medium gain→ Use JIT Access as fix
Prioritise controls by potential score gain, not individual recommendation severity. Control 1 (Enable MFA) offers the highest gain (+5 pts) for effort. Control 3 (Restrict Management Ports) has the most unhealthy resources but offers less absolute gain — fix it using JIT VM Access to address all VMs simultaneously.
1

Read your current score and identify the highest-gain controls

In Defender for Cloud → Secure Score, expand each security control. The "Potential score increase" column shows how many points you gain by fixing all recommendations in that control. Sort by this column, not by severity. Fix the highest-gain controls first.

2

Use Quick Fix for bulk remediation

Many recommendations have a "Fix" button that applies the remediation to all unhealthy resources in a single click. For example, "Enable MFA for accounts with owner permissions on your subscription" shows all affected accounts and applies the MFA requirement automatically. Always review the list of affected resources before clicking Fix.

3

Set a Secure Score cadence and target

Target ≥85% for production environments. Track weekly: add the Secure Score to your team's security dashboard in Azure Workbooks. Assign governance rules (paid CSPM feature) to automatically notify resource owners when their resources contribute to score decline — with a mandatory remediation deadline of 14 days for High severity findings.

Defender Plans: Which Workload Protections to Enable

Each Defender plan adds real-time threat detection for a specific resource type. The following table shows which plans to prioritise, what threats they detect, and the approximate pricing model.

PlanProtectsKey DetectionsPriority for Production
Defender for Servers P2Azure VMs, AWS EC2, on-premises serversJIT VM Access, File Integrity Monitoring, Microsoft Defender for Endpoint integration, behavioural threat detection, vulnerability assessment (Qualys or MDVM)Mandatory. Every VM with a public IP or management port is a target. P2 includes MDE integration for endpoint detection.
Defender for StorageAzure Blob Storage, Azure Files, ADLS Gen2Malware scan on uploaded blobs, anomalous access pattern alerts, sensitive data exfiltration, ransomware upload detectionMandatory. Storage accounts are prime exfiltration targets. Malware scanning on upload catches threats before they spread.
Defender for SQLAzure SQL Database, SQL on VMs, Azure SQL MISQL injection detection, anomalous query patterns, brute force authentication, data exfiltration via excessive row readsMandatory. SQL databases hold crown-jewel data. Attack detection pays for itself after one prevented breach.
Defender for ContainersAKS clusters, Azure Container Registry, container imagesImage vulnerability scanning (registry + runtime), anomalous container behaviour, cryptomining detection, Kubernetes audit log analysisHigh priority for AKS environments. Image scanning catches CVEs before they reach production.
Defender for Key VaultAzure Key Vault instancesUnusual access from unexpected IPs, high-volume secret retrieval, access from suspended principal, secret exfiltration patternsHigh priority. Key Vault is the credential store — anomalous access may indicate a compromised identity.
Defender for App ServiceAzure App Service web apps and APIsCommand injection, web shell detection, malicious user-agent, dangling DNS, suspicious file downloads via the applicationRecommended for customer-facing apps and APIs.
Defender for APIsAPIs published via Azure API ManagementAnomalous API call patterns, data exfiltration via API responses, authentication bypass attempts, suspicious response sizesRecommended for organisations with APIM-fronted APIs.
Defender CSPM (paid)All Azure, AWS, GCP resourcesAttack path analysis, Cloud Security Explorer, agentless vulnerability scanning, data-aware security posture, governance rules with deadlinesHigh value for organisations that need Attack Path Analysis and governance enforcement. Not a workload plan — it is a posture enhancement.
Step 3Just-in-Time VM Access: Closing the RDP/SSH Attack Surface
Requires Defender for ServersHighest Impact Single Fix

Why this matters: Management ports — RDP (3389), SSH (22), and PowerShell Remoting (5986) — permanently open to the internet are the single most exploited attack vector in Azure. Automated scanners find open 3389 and SSH ports within minutes of a VM being created. Just-in-Time VM Access solves this permanently: it keeps management ports closed at the NSG level by default and grants time-limited, IP-specific access only when explicitly requested by an authorised engineer.

JIT access works by modifying the VM's Network Security Group rules on demand: when an engineer requests access, Defender for Cloud adds a temporary NSG rule opening the specified port from their IP address for a configurable window (1–24 hours). When the time expires, the rule is automatically removed and the port is closed again. Every access request is logged in the Azure Activity Log for audit purposes.

Figure 3 — JIT VM Access flow: from engineer request to time-limited port opening and automatic closure
Default StateRDP 3389 — CLOSEDSSH 22 — CLOSEDNSG blocks all mgmt portsEngineerrequestsJIT Access RequestPort: 22 (SSH)Source IP: 203.x.x.xDuration: 3 hoursDefendervalidatesNSG Rule AddedSSH 22 OPEN from 203.x.x.xExpiry: 3 hoursLogged to Activity Log3h laterautoPort Auto-ClosedNSG rule removedSSH 22 — CLOSED againPort never left openResult: Zero permanently open management ports — the port is closed unless an engineer actively requested access in the last N hoursAutomated scanners find port 22 or 3389 permanently closed. Brute force attacks cannot reach the authentication layer.Every JIT access request is logged: who requested, from what IP, for how long — full audit trail in Azure Activity Log.
JIT access eliminates the permanently-open management port vulnerability — the most exploited attack vector in Azure IaaS. The port is opened only for a specific IP, for a specific duration, logged to Activity Log, and automatically closed when the time expires.
1

Enable JIT VM Access on individual VMs

In Defender for Cloud → Workload Protections → Just-in-time VM access → Not Configured tab → select the VMs → Enable JIT on selected VMs. Configure the default maximum allowed access duration (recommend: 3 hours) and which ports JIT manages (RDP 3389, SSH 22, WinRM 5985/5986).

2

Request JIT access when you need to connect

In Defender for Cloud → Just-in-time VM access → Configured tab → select the VM → Request access. Specify the port, your source IP (auto-detected), and the requested duration. Access is granted within 30 seconds. Then connect as normal via RDP or SSH — the connection will work for the duration you specified.

3

Enable JIT at scale via Azure CLI

For fleets of VMs, use the REST API or Azure Policy to enforce JIT across all VMs in a subscription. Pair with Azure Policy in "Deny" mode to prevent VM NSGs from having permanently open RDP/SSH rules — any non-JIT port opening will be blocked by policy.

Azure CLI — Enable JIT VM access and request access# Enable JIT on a VM (requires Defender for Servers to be enabled)
az security jit-policy create \
  --resource-group rg-prod \
  --name JIT-Policy-vm-web01 \
  --virtual-machines '[{
    "id": "/subscriptions/SUB/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01",
    "ports": [
      {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
      {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT1H"}
    ]
  }]'

# Request JIT access from your current IP
MY_IP=$(curl -s ifconfig.me)
az security jit-policy initiate \
  --name JIT-Policy-vm-web01 \
  --resource-group rg-prod \
  --virtual-machines '[{
    "id": "/subscriptions/.../virtualMachines/vm-web01",
    "ports": [{"number": 22, "endTimeUtc": "2026-07-10T15:00:00.000Z", "allowedSourceAddressPrefix": "'$MY_IP'"}]
  }]'
Step 4Working Through Security Recommendations Systematically
Highest ROI ActivityWeekly Cadence

Security recommendations are the actionable outputs of CSPM — each one describes a specific misconfiguration, the risk it creates, and how to fix it. The Recommendations page in Defender for Cloud lists hundreds of findings, which can feel overwhelming. The key is to treat them as a sprint backlog, not a todo list — prioritise by potential Secure Score increase, assign owners, set deadlines, and track completion.

1

Sort by "Potential score increase" — not severity

In Defender for Cloud → Recommendations, change the grouping to "Security controls" and sort by "Potential score increase". This shows you exactly which recommendations to fix first to maximise Secure Score improvement. A High severity recommendation on a single resource may increase the score less than a Medium severity recommendation that affects 50 resources.

2

Use Quick Fix for bulk automatic remediation

Open a recommendation, click "View affected resources", select all unhealthy resources, and click the "Fix" button. Defender for Cloud applies the recommended configuration across all selected resources simultaneously. This is particularly effective for recommendations like "Storage accounts should prevent public access" — fix all storage accounts in one click rather than one-by-one in the portal.

3

Assign governance rules for team accountability

In Defender for Cloud → Environment Settings → Governance rules (requires paid CSPM): create rules that automatically assign recommendation owners (by email or Azure AD group) with a mandatory remediation deadline. Example rule: "All High severity recommendations on production subscriptions must be assigned to the security team with a 14-day remediation SLA." Track completion in the Governance Reports dashboard.

4

Exempt findings that are intentional (not misconfigurations)

Test environments may legitimately have open management ports. A specific storage account may require public access for a static website. In Defender for Cloud, you can exempt individual resources or entire scopes from a specific recommendation — with a required justification, expiry date, and audit trail. Exempted resources no longer contribute to Secure Score penalties for that recommendation.

Step 5Regulatory Compliance: PCI-DSS, ISO 27001, NIST, and CMMC
Audit-ReadyContinuous Assessment

Defender for Cloud automatically maps your Azure controls to regulatory frameworks — PCI-DSS, ISO 27001, NIST SP 800-53, NIST SP 800-171, CIS Benchmarks, SOC 2, HIPAA, CMMC 2.0, and more. The Regulatory Compliance dashboard shows your current compliance percentage per framework, which controls are failing, and which specific resources are causing the failures. This replaces weeks of manual auditing with a continuously updated dashboard that reflects your real-time configuration state.

1

Open the Regulatory Compliance dashboard

In Defender for Cloud → Regulatory compliance. The default view shows your compliance percentage against the Microsoft Cloud Security Benchmark. Scroll down to see each control and its assessment status (passed/failed). The dashboard is updated as resources are modified — no manual re-scan required.

2

Add frameworks relevant to your organisation

Click "Manage compliance policies" → select your subscription → Security policies. Enable additional regulatory standards from the list. Once enabled, the framework appears in the Regulatory Compliance dashboard with a compliance percentage calculated from your existing resource configurations. No additional configuration is required — Defender for Cloud maps existing controls to the new framework automatically.

3

Download compliance reports for auditors

In the Regulatory Compliance dashboard, click "Download report" → select the framework and scope. The report is generated as a PDF showing your compliance percentage, passing controls, failing controls, and the specific resources causing failures. This report is suitable for external auditor submissions and reduces the manual documentation burden during compliance assessments.

Step 6Attack Path Analysis and Cloud Security Explorer
Paid CSPM FeatureRisk Prioritisation

Attack Path Analysis is the feature that converts Defender for Cloud from a misconfiguration finder into an attacker's perspective tool. It maps the relationships between resources — public IP → VM → Service Principal → Storage Account → Sensitive Data — and identifies the multi-hop paths an attacker could take from an internet-exposed resource to your most sensitive data. This allows security teams to prioritise remediation based on actual risk exposure, not theoretical severity.

Example attack path: A public-facing VM with an open SSH port (step 1) is running an application that uses a Service Principal (step 2) with Contributor access to a Storage Account (step 3) containing customer PII that has been classified as sensitive (step 4). Each individual misconfiguration may appear as a Medium severity recommendation. The combination creates a critical attack path — an attacker who compromises the VM through SSH can directly exfiltrate the customer data.

1

Enable Defender CSPM (paid) to unlock Attack Path Analysis

In Environment Settings → Defender plans → toggle Defender CSPM to On. This is a subscription-level plan charged per billable resource. The paid CSPM plan includes Attack Path Analysis, Cloud Security Explorer, agentless vulnerability scanning, and governance rules.

2

Review Attack Paths sorted by risk score

In Defender for Cloud → Attack path analysis. Each path shows the entry point (internet-exposed resource), intermediate hops (VMs, service principals, managed identities), and the target (sensitive data or high-value resource). Sort by Risk score to see the highest-priority paths first. A path that reaches a database with customer data outranks one that reaches an empty development storage account.

3

Use Cloud Security Explorer for custom queries

Cloud Security Explorer is a graph-based query interface over your entire cloud resource inventory. Run queries like "Show me all internet-exposed VMs with High severity vulnerabilities that have write permissions to storage accounts containing sensitive data." This proactive querying finds attack surface that standard recommendations do not surface because they evaluate resources in isolation.

Step 7Automated Remediation with Workflow Automation and Azure Policy
Scalable SecurityPrevention over Detection

Manual review of security recommendations works at small scale. At enterprise scale — hundreds of resources across dozens of subscriptions — automated remediation is the only viable approach. Defender for Cloud provides two complementary automation mechanisms: Workflow Automation (reactive — triggered by alerts or recommendations) and Azure Policy (preventive — blocks non-compliant resources before they are created).

1

Create a Workflow Automation for High-severity alerts

In Defender for Cloud → Workflow automation → Add workflow automation. Trigger: "A security alert is generated" with severity = High. Action: Logic App that sends a Teams notification with the alert details, resource name, and a link to the recommendation. This ensures High severity alerts reach the security team within minutes, not days.

2

Assign Azure Policies in Deny mode for critical controls

Many Defender for Cloud recommendations map directly to Azure Policy definitions. Assigning these policies in "Deny" mode prevents the misconfiguration from being created rather than detecting it after the fact. For example: "Storage accounts should restrict network access" as a Deny policy prevents any engineer from creating a storage account with public blob access — the most common data exposure vector in Azure.

3

Use Logic Apps for automated remediation of specific alerts

For specific alert types with safe automatic responses, create Logic Apps that remediate the issue without human intervention. Example: when Defender for Storage generates a "Malware uploaded" alert, the Logic App automatically quarantines the blob by moving it to a quarantine container and sending an alert to the security team. The human reviews after the threat is contained, not before.

Azure CLI + PowerShell — Assign Deny policy for storage public access prevention# Get the built-in policy definition ID for "Storage accounts should restrict public access"
POLICY_DEF=$(az policy definition list \
  --query "[?displayName=='Storage accounts should restrict public network access'].id" \
  -o tsv)

# Assign the policy in Audit mode first — to see what would be blocked
az policy assignment create \
  --name no-public-storage \
  --scope /subscriptions/$SUBID \
  --policy $POLICY_DEF \
  --enforcement-mode Default # Audit mode

# After reviewing compliance report, switch to DoNotEnforce (Deny)
az policy assignment update \
  --name no-public-storage \
  --scope /subscriptions/$SUBID \
  --enforcement-mode Default
  # Change effect in policy definition to "Deny" to block creation

# View Defender for Cloud alerts via CLI
az security alert list --subscription $SUBID \
  --query "[?properties.severity=='High'].{Name:name,Alert:properties.alertDisplayName,Time:properties.timeGeneratedUtc}" \
  -o table
Step 8Microsoft Sentinel Integration: From Detection to Response
SIEM + SOAREnterprise Security

Defender for Cloud handles detection — it generates security alerts when threats are identified. Microsoft Sentinel handles response — it correlates alerts from Defender for Cloud with signals from other sources (Entra ID, Office 365, network logs, endpoint telemetry) to surface incidents, run automated playbooks, and provide SOC analysts with a unified investigation workspace.

The integration is bidirectional: Defender for Cloud alerts flow into Sentinel as incidents, and Sentinel analytics rules can query Defender for Cloud recommendations to find resource configurations correlated with active attacks. Together, they form a complete detect-investigate-respond cycle.

1

Connect Defender for Cloud to Microsoft Sentinel

In Microsoft Sentinel → Data connectors → search for "Microsoft Defender for Cloud" → Open connector page → Connect. Select the subscriptions to stream alerts from. All future Defender for Cloud alerts will appear as Sentinel incidents within 5 minutes of generation. Historical alerts can also be imported retroactively.

2

Configure incident creation rules

In Sentinel → Analytics → Rule templates → filter by "Microsoft Defender for Cloud". Enable rules like "Create incidents based on Microsoft Defender for Cloud alerts" — this creates a Sentinel incident automatically for every Defender for Cloud alert above a specified severity. Incidents aggregate related alerts into a single investigation thread.

3

Deploy automated response playbooks for common threats

In Sentinel → Automation → Create automation rule → trigger: "Incident created" → action: run a Logic App playbook. For Defender for Cloud storage malware alerts, the playbook: (1) quarantines the malicious blob, (2) revokes the uploader's SAS token, (3) notifies the security team via Teams, (4) creates a ServiceNow ticket. The entire response is automated — the SOC analyst investigates an already-contained incident.

Defender for Cloud + Sentinel: Complementary Roles

Defender for Cloud: Detects threats at the Azure resource level (VM malware, storage anomaly, SQL injection, Key Vault exfiltration) and provides CSPM posture management.

Microsoft Sentinel: Correlates Defender for Cloud alerts with identity signals, network logs, and endpoint telemetry to surface incidents that span multiple attack vectors — and runs automated response playbooks. Neither product replaces the other.

Implementation Priority Summary

Start with free CSPM — today. Foundational CSPM is already enabled on your Azure subscription. Go to Microsoft Defender for Cloud → Secure Score right now and read the top 5 recommendations by potential score increase. These are your first sprint of security improvements at zero cost.
Enable JIT VM Access before any other paid feature. Permanently open RDP and SSH ports are the single highest-risk misconfiguration in Azure IaaS. JIT Access closes this in 10 minutes and requires only Defender for Servers — the cost is justified by preventing one single VM compromise.
In production, Defender for Servers, Storage, SQL, and Containers are non-optional. These four plans cover the most exploited resource types. The additional cost is a fraction of the cost of responding to one breach in any of these resource categories.
The Regulatory Compliance dashboard replaces manual audit preparation. Enable the frameworks your organization is subject to (PCI-DSS, ISO 27001, NIST, CMMC) and the compliance percentage updates continuously. Download the report for auditors — no manual evidence collection required.
Attack Path Analysis changes how you prioritize security work. Individual recommendations evaluated in isolation miss the compounding risk of multiple medium-severity misconfigurations that together create a critical attack path. Attack Path Analysis shows you which misconfigurations matter most in the context of your actual environment.
Use Azure Policy in Deny mode to prevent misconfigurations, not just detect them. The highest-return security investment is blocking non-compliant resources from being created. A Deny policy on storage public access is more effective than detecting public storage after it is deployed and in use.
Aim for Secure Score ≥85% within 90 days of enabling Defender for Cloud. Track it weekly. Assign governance rules with deadlines. A visible, numeric security metric creates accountability that abstract security policies cannot.

Frequently Asked Questions

What is the difference between Microsoft Defender for Cloud and Microsoft Sentinel?
They solve different parts of the security problem and are designed to be used together. Defender for Cloud is a CNAPP — it continuously assesses your cloud resource configurations (CSPM) and detects active threats against specific Azure workloads like VMs, storage, SQL, and containers (CWPP). It tells you "this VM has a vulnerability" or "a malicious file was uploaded to this storage account." Microsoft Sentinel is a SIEM and SOAR — it collects logs and alerts from hundreds of sources (including Defender for Cloud), correlates them into incidents using machine learning and analytics rules, and runs automated response playbooks. Defender for Cloud generates the detection; Sentinel orchestrates the response. Neither replaces the other.
How much does Microsoft Defender for Cloud cost in 2026?
Foundational CSPM is free — Secure Score, recommendations, asset inventory, and MCSB assessment cost nothing. Paid CWPP plans are charged per-resource: Defender for Servers is approximately $15/server/month (Plan 1) or $19/server/month (Plan 2). Defender for Storage is approximately $10/storage account/month. Defender for SQL is approximately $15/SQL instance/month. Defender for Containers is approximately $7/CPU core/month. Defender CSPM (paid) is approximately $8/resource/month for billable resource types. Pricing changes — always confirm current pricing at the Azure Pricing Calculator before budgeting. The per-resource model means you can enable plans selectively on your highest-risk resources rather than everything at once.
My Secure Score is 45%. Where do I start?
Sort the Recommendations page by "Potential score increase" (not severity) and focus on the top 5 controls. At 45%, the highest-gain controls are almost always: Enable MFA for accounts with privileged roles (often +8–12 points), Enable disk encryption on VMs (+5–8 points), Enable Microsoft Defender plans on unprotected resource types (+4–6 points), Restrict public access to storage accounts (+4–6 points), and Enable network security groups on subnets (+3–5 points). Use Quick Fix where available to fix multiple resources simultaneously. A realistic target is 70% within 30 days and 85% within 90 days for a previously unmanaged subscription.
Can I use Defender for Cloud to protect AWS or GCP resources?
Yes. Defender for Cloud supports multicloud protection through cloud connectors. For AWS, go to Defender for Cloud → Environment settings → Add environment → Amazon Web Services. Connect AWS accounts using a CloudFormation template that creates an IAM role for Defender for Cloud. Once connected, AWS EC2 instances appear in the Secure Score alongside Azure VMs, and Defender for Servers can be extended to cover EC2. For GCP, connect GCP projects using a similar connector that creates a GCP Service Account. The unified multicloud dashboard shows a single Secure Score across Azure, AWS, and GCP, enabling centralised security posture management for the entire estate.

Related FAVRITE Articles

Popular posts from this blog

The Cloud Incumbent: AWS Bedrock Hosts Every Frontier Model and Amazon Is Betting on Neutrality AWS at $37.6 billion quarterly revenue, growing 28%. $13 billion invested in Anthropic. A $100 billion Anthropic-to-AWS commitment. Trainium with $225 billion in customer revenue commitments. The most quietly powerful AI strategy in the race. By Francis Avorgbedor | Azure Engineer  ·  July 4, 2026  ·  14 min read  ·  Amazon · AWS · Cloud AI 74 SEVENAI Momentum Score — Rank #5 $37.6B AWS Q1 2026 revenue — 28% YoY growth ▲ Fastest in 15 quarters $13B Total Amazon investment in Anthropic to date ▲ Strategic anchor 100K+ Customers running Claude on AWS Bedrock ▲ Distribution moat Amazon's AI strategy is built on a thesis that every other Magnificent Seven company is testing against — and that Amazon is uniquely positioned to win regardless of the outcome. The thesis is neutrality. In a race where Microsoft has bet on OpenAI, Google has bet on Gemini, and Meta has bet...
Performance Fix Foundry Local 1.2 Linux ARM64 Embeddings Offline ASR The Edge Latency Drop: Fixing Latency Spikes by Offloading Embeddings to Foundry Local 1.2 You are paying a full cloud round trip — network, TLS, queue, throttle risk — to turn a twelve-word search query into a vector. That is the most expensive way possible to do one of the cheapest computations in your stack. Foundry Local 1.2 now runs on Linux ARM64, which means embeddings and speech recognition can happen on a Raspberry Pi, a Jetson, or a Graviton instance — offline, unmetered, and in single-digit milliseconds. The failure signature this guide resolves # Application Insights — the embedding call, not the LLM, is your tail latency: name p50 p95 p99 calls/day POST /embeddings (cloud) 89 ms 412 ms 3,847 ms 1,240,000 POST /chat/completions (cloud) 940 ms 1,720 ms 2,910 ms 38,000 ^^^^^^^^ ...
  The 500GB System File That Eats Your Hard Drive Something on your Windows 10 drive is consuming hundreds of gigabytes and the normal tools cannot find it. This guide identifies every known culprit — from hibernation files and shadow copies to runaway backups and the Windows component store — and tells you exactly what is safe to delete, what to leave alone, and what the commands actually do.
How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk Azure does not have a single "factory reset" button. What it does have is something better: the OS Disk Swap — a method that swaps out the corrupted or misconfigured OS disk for a clean Windows Server managed disk without deleting the VM, its NICs, its IP addresses, or any attached data disks. Here is how it works, when to use it, and the exact steps to execute it safely. FA Francis Avorgbedor Azure Engineer July 16, 2026 15 min read Azure VMs · Windows Server · Real-World Fix 3 Methods to achieve a clean Windows Server installation on an existing Azure VM ~15min Typical OS Disk Swap duration — VM retains its NICs, IPs, and data disks throughout 0 Data disks affected by an OS Disk Swap — data disks remain attached and untouched 1 Snapshot of the original OS disk you must take before starting — no exceptions Introduction Why Azure Does Not Have a Simple Factory Reset — and What to Do Instead On a ph...

AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use

Incident Playbook AKS Kubernetes kubectl 2026 AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use Every AKS engineer eventually faces the same nightmare: CrashLoopBackOff at 2am, pods stuck Pending for no clear reason, or nodes flipping to NotReady mid-deployment. The difference between panic and control is knowing the exact diagnostic sequence — and the real fixes that work in production. This guide gives you both. 3 commands get pods, describe pod, and logs diagnose roughly 90% of AKS incidents before you touch anything else Exit 137 The code that means OOMKilled — the container hit its memory limit and was killed by the kernel (128 + SIGKILL 9) Events The bottom of kubectl describe is where the real cause lives — Pending, FailedScheduling, and image errors all surface there CoreDNS The single component behind most "intermittent" production failures — service discovery breaks quietly and looks like an app bug Table of Contents 01 The 3 Comm...
Can I Update My Old Computer to Windows 11 — and How Much Will It Cost? Your i7, 16GB RAM, 512GB SSD machine is powerful enough to run Windows 11 comfortably. The TPM 2.0 and Secure Boot wall is a security checkbox, not a performance ceiling. Here are two proven ways to get past it, what each one costs, and what you are trading away by doing so. $0 Cost of the Windows 11 licence if your existing Windows 10 is genuine — the upgrade remains free in 2026 2 Proven methods to bypass TPM 2.0 and Secure Boot — Rufus (easy) and Registry edit (manual) 25H2 Current Windows 11 version — all known bypass methods tested and confirmed working as of July 2026 Oct 2025 Windows 10 end of life — no more security updates. Staying on Windows 10 now carries real risk. First — Check Your BIOS Before Anything Else You Might Not Actually Need a Bypass Before running any bypass, open your BIOS and look at two settings. Many computers that fail the Windows 11 compatibility check have TPM 2.0 present in the hard...
2026 Edition 100 Tools Software Engineering DevOps AIOps Top 100 Best AI Tools for Azure  Engineers and DevOps Professionals in 2026 85% of developers now regularly use AI tools. Fully AI-generated code accounts for nearly 28% of all pull requests. The question is no longer whether to use AI tools — it is which ones, in which combination, for which part of the lifecycle. This guide cuts through the noise: 100 tools, 10 categories, honest pricing, real use cases, and a selection framework for building your stack without redundancy. 85% Percentage of developers who now regularly use AI tools, per JetBrains' 2025 State of Developer Ecosystem report — up from near zero three years ago 28% Share of all pull requests containing primarily AI-generated code in 2026 — the metric that signals AI coding assistants have moved from experiment to workflow $50B Cursor's reported valuation in April 2026 Series D talks — the number that signals investor confidence in the AI developer tools mark...

Azure Files vs Azure NetApp Files: Which One Should You Choose?

Azure Files vs Azure NetApp Files: Which One Should You Choose? Performance tiers, protocol support, dual-protocol capability, pricing models, SAP/Oracle/HPC suitability, data management features, and the decision framework that maps each workload type to the right service — with step-by-step setup procedures for both. FA Francis Avorgbedor Azure Engineer July 15, 2026 20 min read Azure Storage · Architecture 4 Azure Files tiers: Premium SSD, Standard Hot, Cool, Tx Optimized 3 ANF performance tiers: Standard, Premium, Ultra — all SSD-backed 4TiB ANF minimum provisioning — significant cost floor for small workloads Dual ANF serves the same data via SMB and NFS simultaneously — AF cannot Introduction Two Services, One Surface Area — Completely Different Purposes Microsoft offers two fully managed, enterprise-grade file storage services in Azure. They share a surface area — both serve file shares over standard protocols, both run on managed infrastructure, and both integrate with Microsof...
Troubleshooting Guide AKS Kubernetes Real Solutions kubectl Azure Kubernetes Service (AKS) Troubleshooting Guide: Real Solutions to Common Problems CrashLoopBackOff at 2am. Pods stuck Pending with no obvious cause. Nodes going NotReady mid-deployment. DNS resolution silently failing in production. Every AKS engineer encounters these — the difference between engineers who panic and engineers who stay calm is knowing the exact sequence of diagnostic commands to run. This guide gives you that sequence, the root cause analysis for each failure mode, and the fix. 3 commands 90% of AKS problems are diagnosed with the same three kubectl commands: describe pod, logs --previous, and get events — in that order, every time Exit 137 The exit code that tells you everything: container killed by SIGKILL — either the Linux OOM killer (memory limit exceeded) or kubelet after grace period expired 5 min The CrashLoopBackOff ceiling: Kubernetes applies exponential backoff (10s → 20s → 40s → 80s → 160s → 3...

How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service

Step-by-Step Guide Azure OpenAI App Service Production Python How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service From zero to a production-grade AI chatbot: provision Azure OpenAI, write a streaming Flask API backend, deploy it on Azure App Service with Managed Identity, wire in conversation history and content safety, and instrument it with Application Insights — all with complete code and Terraform IaC. No API keys in environment variables. No hardcoded secrets. No half-finished PoC patterns. 7 phases This guide covers the full deployment lifecycle: architecture design → resource provisioning → backend code → App Service deployment → streaming → security → monitoring Zero keys The chatbot authenticates to Azure OpenAI using Managed Identity and DefaultAzureCredential — no API keys stored in environment variables, Key Vault, or code SSE Server-Sent Events stream GPT tokens to the browser as they generate — the same token-by-token typing effect users expect from pr...