How to Secure Azure Resources Using
Microsoft Defender for Cloud
Most Azure engineers know Microsoft Defender for Cloud as the Secure Score dashboard that flags open ports and missing encryption. That is just the surface. Underneath is a complete Cloud Native Application Protection Platform — covering posture management, active workload protection, regulatory compliance, attack path analysis, and automated remediation across Azure, AWS, and GCP. This guide shows you how to use all of it.
FreeThe foundational CSPM tier — Secure Score, recommendations, asset inventory, and MCSB assessment — is enabled by default on every Azure subscription at no costCNAPPCloud Native Application Protection Platform — the category Defender for Cloud belongs to. It unifies CSPM (posture) + CWPP (runtime protection) + DevSecOps in a single pane>85%The Secure Score target Microsoft recommends for production environments. Below 70% indicates critical misconfigurations that represent material security risk3 cloudsDefender for Cloud protects Azure, AWS, and GCP workloads from a single dashboard — including unified Secure Score across all three environments
Most Azure engineers know Microsoft Defender for Cloud as the Secure Score dashboard that flags open ports and missing encryption. That is just the surface. Underneath is a complete Cloud Native Application Protection Platform — covering posture management, active workload protection, regulatory compliance, attack path analysis, and automated remediation across Azure, AWS, and GCP. This guide shows you how to use all of it.
CSPM vs CWPP: The Two Engines Inside Defender for Cloud
Microsoft Defender for Cloud is two fundamentally different security functions operating inside the same interface. Understanding which function does what — and which is free vs paid — is the prerequisite for using the product effectively. Engineers who treat it as a single unified "security tool" consistently underuse it because they enable one function and assume the other is covered.
The first function is Cloud Security Posture Management (CSPM) — the preventive engine. CSPM continuously assesses every resource in your Azure subscription against a set of security best practices defined by the Microsoft Cloud Security Benchmark (MCSB). It produces the Secure Score, generates actionable recommendations, and maps your environment against regulatory frameworks. CSPM is proactive: it finds misconfigurations before an attacker does. The foundational CSPM tier is free by default on every Azure subscription.
The second function is Cloud Workload Protection Platform (CWPP) — the active defense engine. CWPP is a family of paid plans, each tuned to a specific resource type, that watch for active threats in real time. Where CSPM asks "is your configuration correct?", CWPP asks "is something attacking you right now?" These are separate questions requiring separate answers.
Figure 1 — Defender for Cloud architecture: CSPM (prevention) vs CWPP (active defense) in a single platformCSPM asks "is your configuration correct?" — it is the home inspection. CWPP asks "is something attacking you right now?" — it is the burglar alarm. Both engines are needed. The free CSPM tier provides immediate value at zero cost. CWPP plans should be enabled at minimum for Servers, SQL, Storage, and Containers in production.Step 1Enable Defender for Cloud on Your SubscriptionStart HereFree Tier AvailableDefender for Cloud's foundational CSPM is enabled automatically on all Azure subscriptions. However, to access enhanced features, manage settings across multiple subscriptions, and enable CWPP plans, you must explicitly configure it. The recommended approach for organisations with multiple subscriptions is to enable and configure Defender for Cloud at the Management Group level — this ensures consistent coverage and a single policy baseline across all subscriptions.
1
Microsoft Defender for Cloud is two fundamentally different security functions operating inside the same interface. Understanding which function does what — and which is free vs paid — is the prerequisite for using the product effectively. Engineers who treat it as a single unified "security tool" consistently underuse it because they enable one function and assume the other is covered.
The first function is Cloud Security Posture Management (CSPM) — the preventive engine. CSPM continuously assesses every resource in your Azure subscription against a set of security best practices defined by the Microsoft Cloud Security Benchmark (MCSB). It produces the Secure Score, generates actionable recommendations, and maps your environment against regulatory frameworks. CSPM is proactive: it finds misconfigurations before an attacker does. The foundational CSPM tier is free by default on every Azure subscription.
The second function is Cloud Workload Protection Platform (CWPP) — the active defense engine. CWPP is a family of paid plans, each tuned to a specific resource type, that watch for active threats in real time. Where CSPM asks "is your configuration correct?", CWPP asks "is something attacking you right now?" These are separate questions requiring separate answers.
Defender for Cloud's foundational CSPM is enabled automatically on all Azure subscriptions. However, to access enhanced features, manage settings across multiple subscriptions, and enable CWPP plans, you must explicitly configure it. The recommended approach for organisations with multiple subscriptions is to enable and configure Defender for Cloud at the Management Group level — this ensures consistent coverage and a single policy baseline across all subscriptions.
Navigate to Defender for Cloud in the Azure Portal
Open Environment Settings and select your subscription
Enable Defender plans per workload type
Enable via Azure CLI for automation and consistency
Configure email notifications for security alerts
Step 2Understanding and Improving Your Secure ScoreKey MetricTarget >85%The Secure Score is a percentage from 0 to 100 that represents the security health of your Azure environment. It is calculated as the ratio of healthy resources to total assessed resources, weighted by the potential security impact of each recommendation. A score of 52% (a common starting point for unconfigured subscriptions) means nearly half your assessed resources have remediable security gaps.
How Secure Score is calculated: Each recommendation belongs to a security control (a group of related checks). The control's maximum score is divided by the number of unhealthy resources. Fixing one recommendation in a control with many unhealthy resources improves the score less than fixing the only recommendation in a different control. Prioritise controls where fixing all recommendations gives the highest score increase, not just the highest-severity individual recommendations.
Figure 2 — Secure Score calculation: how controls, recommendations, and healthy resources combine into your scorePrioritise controls by potential score gain, not individual recommendation severity. Control 1 (Enable MFA) offers the highest gain (+5 pts) for effort. Control 3 (Restrict Management Ports) has the most unhealthy resources but offers less absolute gain — fix it using JIT VM Access to address all VMs simultaneously.1
The Secure Score is a percentage from 0 to 100 that represents the security health of your Azure environment. It is calculated as the ratio of healthy resources to total assessed resources, weighted by the potential security impact of each recommendation. A score of 52% (a common starting point for unconfigured subscriptions) means nearly half your assessed resources have remediable security gaps.
How Secure Score is calculated: Each recommendation belongs to a security control (a group of related checks). The control's maximum score is divided by the number of unhealthy resources. Fixing one recommendation in a control with many unhealthy resources improves the score less than fixing the only recommendation in a different control. Prioritise controls where fixing all recommendations gives the highest score increase, not just the highest-severity individual recommendations.
Read your current score and identify the highest-gain controls
Use Quick Fix for bulk remediation
Set a Secure Score cadence and target
Defender Plans: Which Workload Protections to Enable
Each Defender plan adds real-time threat detection for a specific resource type. The following table shows which plans to prioritise, what threats they detect, and the approximate pricing model.
Plan Protects Key Detections Priority for Production Defender for Servers P2 Azure VMs, AWS EC2, on-premises servers JIT VM Access, File Integrity Monitoring, Microsoft Defender for Endpoint integration, behavioural threat detection, vulnerability assessment (Qualys or MDVM) Mandatory. Every VM with a public IP or management port is a target. P2 includes MDE integration for endpoint detection. Defender for Storage Azure Blob Storage, Azure Files, ADLS Gen2 Malware scan on uploaded blobs, anomalous access pattern alerts, sensitive data exfiltration, ransomware upload detection Mandatory. Storage accounts are prime exfiltration targets. Malware scanning on upload catches threats before they spread. Defender for SQL Azure SQL Database, SQL on VMs, Azure SQL MI SQL injection detection, anomalous query patterns, brute force authentication, data exfiltration via excessive row reads Mandatory. SQL databases hold crown-jewel data. Attack detection pays for itself after one prevented breach. Defender for Containers AKS clusters, Azure Container Registry, container images Image vulnerability scanning (registry + runtime), anomalous container behaviour, cryptomining detection, Kubernetes audit log analysis High priority for AKS environments. Image scanning catches CVEs before they reach production. Defender for Key Vault Azure Key Vault instances Unusual access from unexpected IPs, high-volume secret retrieval, access from suspended principal, secret exfiltration patterns High priority. Key Vault is the credential store — anomalous access may indicate a compromised identity. Defender for App Service Azure App Service web apps and APIs Command injection, web shell detection, malicious user-agent, dangling DNS, suspicious file downloads via the application Recommended for customer-facing apps and APIs. Defender for APIs APIs published via Azure API Management Anomalous API call patterns, data exfiltration via API responses, authentication bypass attempts, suspicious response sizes Recommended for organisations with APIM-fronted APIs. Defender CSPM (paid) All Azure, AWS, GCP resources Attack path analysis, Cloud Security Explorer, agentless vulnerability scanning, data-aware security posture, governance rules with deadlines High value for organisations that need Attack Path Analysis and governance enforcement. Not a workload plan — it is a posture enhancement.
Step 3Just-in-Time VM Access: Closing the RDP/SSH Attack SurfaceRequires Defender for ServersHighest Impact Single FixWhy this matters: Management ports — RDP (3389), SSH (22), and PowerShell Remoting (5986) — permanently open to the internet are the single most exploited attack vector in Azure. Automated scanners find open 3389 and SSH ports within minutes of a VM being created. Just-in-Time VM Access solves this permanently: it keeps management ports closed at the NSG level by default and grants time-limited, IP-specific access only when explicitly requested by an authorised engineer.
JIT access works by modifying the VM's Network Security Group rules on demand: when an engineer requests access, Defender for Cloud adds a temporary NSG rule opening the specified port from their IP address for a configurable window (1–24 hours). When the time expires, the rule is automatically removed and the port is closed again. Every access request is logged in the Azure Activity Log for audit purposes.
Figure 3 — JIT VM Access flow: from engineer request to time-limited port opening and automatic closureJIT access eliminates the permanently-open management port vulnerability — the most exploited attack vector in Azure IaaS. The port is opened only for a specific IP, for a specific duration, logged to Activity Log, and automatically closed when the time expires.1
Each Defender plan adds real-time threat detection for a specific resource type. The following table shows which plans to prioritise, what threats they detect, and the approximate pricing model.
| Plan | Protects | Key Detections | Priority for Production |
|---|---|---|---|
| Defender for Servers P2 | Azure VMs, AWS EC2, on-premises servers | JIT VM Access, File Integrity Monitoring, Microsoft Defender for Endpoint integration, behavioural threat detection, vulnerability assessment (Qualys or MDVM) | Mandatory. Every VM with a public IP or management port is a target. P2 includes MDE integration for endpoint detection. |
| Defender for Storage | Azure Blob Storage, Azure Files, ADLS Gen2 | Malware scan on uploaded blobs, anomalous access pattern alerts, sensitive data exfiltration, ransomware upload detection | Mandatory. Storage accounts are prime exfiltration targets. Malware scanning on upload catches threats before they spread. |
| Defender for SQL | Azure SQL Database, SQL on VMs, Azure SQL MI | SQL injection detection, anomalous query patterns, brute force authentication, data exfiltration via excessive row reads | Mandatory. SQL databases hold crown-jewel data. Attack detection pays for itself after one prevented breach. |
| Defender for Containers | AKS clusters, Azure Container Registry, container images | Image vulnerability scanning (registry + runtime), anomalous container behaviour, cryptomining detection, Kubernetes audit log analysis | High priority for AKS environments. Image scanning catches CVEs before they reach production. |
| Defender for Key Vault | Azure Key Vault instances | Unusual access from unexpected IPs, high-volume secret retrieval, access from suspended principal, secret exfiltration patterns | High priority. Key Vault is the credential store — anomalous access may indicate a compromised identity. |
| Defender for App Service | Azure App Service web apps and APIs | Command injection, web shell detection, malicious user-agent, dangling DNS, suspicious file downloads via the application | Recommended for customer-facing apps and APIs. |
| Defender for APIs | APIs published via Azure API Management | Anomalous API call patterns, data exfiltration via API responses, authentication bypass attempts, suspicious response sizes | Recommended for organisations with APIM-fronted APIs. |
| Defender CSPM (paid) | All Azure, AWS, GCP resources | Attack path analysis, Cloud Security Explorer, agentless vulnerability scanning, data-aware security posture, governance rules with deadlines | High value for organisations that need Attack Path Analysis and governance enforcement. Not a workload plan — it is a posture enhancement. |
Why this matters: Management ports — RDP (3389), SSH (22), and PowerShell Remoting (5986) — permanently open to the internet are the single most exploited attack vector in Azure. Automated scanners find open 3389 and SSH ports within minutes of a VM being created. Just-in-Time VM Access solves this permanently: it keeps management ports closed at the NSG level by default and grants time-limited, IP-specific access only when explicitly requested by an authorised engineer.
JIT access works by modifying the VM's Network Security Group rules on demand: when an engineer requests access, Defender for Cloud adds a temporary NSG rule opening the specified port from their IP address for a configurable window (1–24 hours). When the time expires, the rule is automatically removed and the port is closed again. Every access request is logged in the Azure Activity Log for audit purposes.
Enable JIT VM Access on individual VMs
Request JIT access when you need to connect
Enable JIT at scale via Azure CLI
Step 4Working Through Security Recommendations SystematicallyHighest ROI ActivityWeekly CadenceSecurity recommendations are the actionable outputs of CSPM — each one describes a specific misconfiguration, the risk it creates, and how to fix it. The Recommendations page in Defender for Cloud lists hundreds of findings, which can feel overwhelming. The key is to treat them as a sprint backlog, not a todo list — prioritise by potential Secure Score increase, assign owners, set deadlines, and track completion.
1
Security recommendations are the actionable outputs of CSPM — each one describes a specific misconfiguration, the risk it creates, and how to fix it. The Recommendations page in Defender for Cloud lists hundreds of findings, which can feel overwhelming. The key is to treat them as a sprint backlog, not a todo list — prioritise by potential Secure Score increase, assign owners, set deadlines, and track completion.
Sort by "Potential score increase" — not severity
Use Quick Fix for bulk automatic remediation
Assign governance rules for team accountability
Exempt findings that are intentional (not misconfigurations)
Step 5Regulatory Compliance: PCI-DSS, ISO 27001, NIST, and CMMCAudit-ReadyContinuous AssessmentDefender for Cloud automatically maps your Azure controls to regulatory frameworks — PCI-DSS, ISO 27001, NIST SP 800-53, NIST SP 800-171, CIS Benchmarks, SOC 2, HIPAA, CMMC 2.0, and more. The Regulatory Compliance dashboard shows your current compliance percentage per framework, which controls are failing, and which specific resources are causing the failures. This replaces weeks of manual auditing with a continuously updated dashboard that reflects your real-time configuration state.
1
Defender for Cloud automatically maps your Azure controls to regulatory frameworks — PCI-DSS, ISO 27001, NIST SP 800-53, NIST SP 800-171, CIS Benchmarks, SOC 2, HIPAA, CMMC 2.0, and more. The Regulatory Compliance dashboard shows your current compliance percentage per framework, which controls are failing, and which specific resources are causing the failures. This replaces weeks of manual auditing with a continuously updated dashboard that reflects your real-time configuration state.
Open the Regulatory Compliance dashboard
Add frameworks relevant to your organisation
Download compliance reports for auditors
Step 6Attack Path Analysis and Cloud Security ExplorerPaid CSPM FeatureRisk PrioritisationAttack Path Analysis is the feature that converts Defender for Cloud from a misconfiguration finder into an attacker's perspective tool. It maps the relationships between resources — public IP → VM → Service Principal → Storage Account → Sensitive Data — and identifies the multi-hop paths an attacker could take from an internet-exposed resource to your most sensitive data. This allows security teams to prioritise remediation based on actual risk exposure, not theoretical severity.
Example attack path: A public-facing VM with an open SSH port (step 1) is running an application that uses a Service Principal (step 2) with Contributor access to a Storage Account (step 3) containing customer PII that has been classified as sensitive (step 4). Each individual misconfiguration may appear as a Medium severity recommendation. The combination creates a critical attack path — an attacker who compromises the VM through SSH can directly exfiltrate the customer data.
1
Attack Path Analysis is the feature that converts Defender for Cloud from a misconfiguration finder into an attacker's perspective tool. It maps the relationships between resources — public IP → VM → Service Principal → Storage Account → Sensitive Data — and identifies the multi-hop paths an attacker could take from an internet-exposed resource to your most sensitive data. This allows security teams to prioritise remediation based on actual risk exposure, not theoretical severity.
Example attack path: A public-facing VM with an open SSH port (step 1) is running an application that uses a Service Principal (step 2) with Contributor access to a Storage Account (step 3) containing customer PII that has been classified as sensitive (step 4). Each individual misconfiguration may appear as a Medium severity recommendation. The combination creates a critical attack path — an attacker who compromises the VM through SSH can directly exfiltrate the customer data.
Enable Defender CSPM (paid) to unlock Attack Path Analysis
Review Attack Paths sorted by risk score
Use Cloud Security Explorer for custom queries
Step 7Automated Remediation with Workflow Automation and Azure PolicyScalable SecurityPrevention over DetectionManual review of security recommendations works at small scale. At enterprise scale — hundreds of resources across dozens of subscriptions — automated remediation is the only viable approach. Defender for Cloud provides two complementary automation mechanisms: Workflow Automation (reactive — triggered by alerts or recommendations) and Azure Policy (preventive — blocks non-compliant resources before they are created).
1
Manual review of security recommendations works at small scale. At enterprise scale — hundreds of resources across dozens of subscriptions — automated remediation is the only viable approach. Defender for Cloud provides two complementary automation mechanisms: Workflow Automation (reactive — triggered by alerts or recommendations) and Azure Policy (preventive — blocks non-compliant resources before they are created).
Create a Workflow Automation for High-severity alerts
Assign Azure Policies in Deny mode for critical controls
Use Logic Apps for automated remediation of specific alerts
Step 8Microsoft Sentinel Integration: From Detection to ResponseSIEM + SOAREnterprise SecurityDefender for Cloud handles detection — it generates security alerts when threats are identified. Microsoft Sentinel handles response — it correlates alerts from Defender for Cloud with signals from other sources (Entra ID, Office 365, network logs, endpoint telemetry) to surface incidents, run automated playbooks, and provide SOC analysts with a unified investigation workspace.
The integration is bidirectional: Defender for Cloud alerts flow into Sentinel as incidents, and Sentinel analytics rules can query Defender for Cloud recommendations to find resource configurations correlated with active attacks. Together, they form a complete detect-investigate-respond cycle.
1
Defender for Cloud handles detection — it generates security alerts when threats are identified. Microsoft Sentinel handles response — it correlates alerts from Defender for Cloud with signals from other sources (Entra ID, Office 365, network logs, endpoint telemetry) to surface incidents, run automated playbooks, and provide SOC analysts with a unified investigation workspace.
The integration is bidirectional: Defender for Cloud alerts flow into Sentinel as incidents, and Sentinel analytics rules can query Defender for Cloud recommendations to find resource configurations correlated with active attacks. Together, they form a complete detect-investigate-respond cycle.
Connect Defender for Cloud to Microsoft Sentinel
Configure incident creation rules
Deploy automated response playbooks for common threats
Implementation Priority Summary
Start with free CSPM — today. Foundational CSPM is already enabled on your Azure subscription. Go to Microsoft Defender for Cloud → Secure Score right now and read the top 5 recommendations by potential score increase. These are your first sprint of security improvements at zero cost.Enable JIT VM Access before any other paid feature. Permanently open RDP and SSH ports are the single highest-risk misconfiguration in Azure IaaS. JIT Access closes this in 10 minutes and requires only Defender for Servers — the cost is justified by preventing one single VM compromise.In production, Defender for Servers, Storage, SQL, and Containers are non-optional. These four plans cover the most exploited resource types. The additional cost is a fraction of the cost of responding to one breach in any of these resource categories.The Regulatory Compliance dashboard replaces manual audit preparation. Enable the frameworks your organization is subject to (PCI-DSS, ISO 27001, NIST, CMMC) and the compliance percentage updates continuously. Download the report for auditors — no manual evidence collection required.Attack Path Analysis changes how you prioritize security work. Individual recommendations evaluated in isolation miss the compounding risk of multiple medium-severity misconfigurations that together create a critical attack path. Attack Path Analysis shows you which misconfigurations matter most in the context of your actual environment.Use Azure Policy in Deny mode to prevent misconfigurations, not just detect them. The highest-return security investment is blocking non-compliant resources from being created. A Deny policy on storage public access is more effective than detecting public storage after it is deployed and in use.Aim for Secure Score ≥85% within 90 days of enabling Defender for Cloud. Track it weekly. Assign governance rules with deadlines. A visible, numeric security metric creates accountability that abstract security policies cannot.
Frequently Asked Questions
What is the difference between Microsoft Defender for Cloud and Microsoft Sentinel?They solve different parts of the security problem and are designed to be used together. Defender for Cloud is a CNAPP — it continuously assesses your cloud resource configurations (CSPM) and detects active threats against specific Azure workloads like VMs, storage, SQL, and containers (CWPP). It tells you "this VM has a vulnerability" or "a malicious file was uploaded to this storage account." Microsoft Sentinel is a SIEM and SOAR — it collects logs and alerts from hundreds of sources (including Defender for Cloud), correlates them into incidents using machine learning and analytics rules, and runs automated response playbooks. Defender for Cloud generates the detection; Sentinel orchestrates the response. Neither replaces the other.How much does Microsoft Defender for Cloud cost in 2026?Foundational CSPM is free — Secure Score, recommendations, asset inventory, and MCSB assessment cost nothing. Paid CWPP plans are charged per-resource: Defender for Servers is approximately $15/server/month (Plan 1) or $19/server/month (Plan 2). Defender for Storage is approximately $10/storage account/month. Defender for SQL is approximately $15/SQL instance/month. Defender for Containers is approximately $7/CPU core/month. Defender CSPM (paid) is approximately $8/resource/month for billable resource types. Pricing changes — always confirm current pricing at the Azure Pricing Calculator before budgeting. The per-resource model means you can enable plans selectively on your highest-risk resources rather than everything at once.My Secure Score is 45%. Where do I start?Sort the Recommendations page by "Potential score increase" (not severity) and focus on the top 5 controls. At 45%, the highest-gain controls are almost always: Enable MFA for accounts with privileged roles (often +8–12 points), Enable disk encryption on VMs (+5–8 points), Enable Microsoft Defender plans on unprotected resource types (+4–6 points), Restrict public access to storage accounts (+4–6 points), and Enable network security groups on subnets (+3–5 points). Use Quick Fix where available to fix multiple resources simultaneously. A realistic target is 70% within 30 days and 85% within 90 days for a previously unmanaged subscription.Can I use Defender for Cloud to protect AWS or GCP resources?Yes. Defender for Cloud supports multicloud protection through cloud connectors. For AWS, go to Defender for Cloud → Environment settings → Add environment → Amazon Web Services. Connect AWS accounts using a CloudFormation template that creates an IAM role for Defender for Cloud. Once connected, AWS EC2 instances appear in the Secure Score alongside Azure VMs, and Defender for Servers can be extended to cover EC2. For GCP, connect GCP projects using a similar connector that creates a GCP Service Account. The unified multicloud dashboard shows a single Secure Score across Azure, AWS, and GCP, enabling centralised security posture management for the entire estate.
Related FAVRITE Articles
- Stop Using Connection Strings: A Step-by-Step Guide to Azure Managed Identities in 2026
- Top 100 Azure CLI Commands Every Cloud Engineer Should Know
- Azure Conditional Access for Approved Client Apps: A Complete Guide
- The Hidden Cloud Drain: How to Find and Kill Orphaned Azure Resources Automatically
- Stop Using Connection Strings: A Step-by-Step Guide to Azure Managed Identities in 2026
- Top 100 Azure CLI Commands Every Cloud Engineer Should Know
- Azure Conditional Access for Approved Client Apps: A Complete Guide
- The Hidden Cloud Drain: How to Find and Kill Orphaned Azure Resources Automatically