
Microsoft Defender for Cloud — Secure Your Azure Workloads

Goel Academy · DevOps & Cloud Learning Hub · 8 min read

You have deployed your workloads, configured your network, and set up policies. But how do you know if your environment is actually secure? Are your VMs patched? Is your storage account leaking data? Are there brute-force attacks hitting your SQL database right now? Microsoft Defender for Cloud answers all of these questions from a single dashboard — and it can fix most of the problems it finds.

Defender for Cloud Overview

Microsoft Defender for Cloud (formerly Azure Security Center) is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) built into Azure. It does two things:

  1. CSPM (Free): Continuously assesses your resources against security best practices and gives you a Secure Score with actionable recommendations.
  2. CWPP (Paid Plans): Adds threat detection, vulnerability assessment, and advanced protection for specific resource types.

The free tier is enabled on every Azure subscription by default. You opt into paid Defender plans per resource type.

# Check the current Defender for Cloud pricing tier for your subscription
az security pricing list \
--query "[].{Plan:name, Tier:pricingTier}" \
--output table

Secure Score

Secure Score is a number from 0 to 100 that represents how well your Azure environment follows security best practices. Every recommendation you implement increases your score. The portal groups recommendations by security control:

| Security Control           | Max Score Points | Example Recommendations                        |
|----------------------------|------------------|------------------------------------------------|
| Enable MFA                 | 10               | Enable MFA for accounts with owner permissions |
| Secure management ports    | 8                | Close RDP/SSH ports, enable JIT access         |
| Apply system updates       | 6                | Install missing security patches on VMs        |
| Remediate vulnerabilities  | 6                | Fix vulnerabilities found by Qualys/MDVM       |
| Encrypt data in transit    | 4                | Enforce HTTPS on storage accounts, web apps    |
| Restrict network access    | 4                | Add NSGs to subnets, restrict public access    |
| Enable endpoint protection | 4                | Install antimalware on VMs                     |

# Get your current Secure Score
az security secure-scores list \
--query "[].{Name:displayName, Current:score.current, Max:score.max, Percentage:score.percentage}" \
--output table

# List all security recommendations
az security assessment list \
--query "[?status.code=='Unhealthy'].{Name:displayName, Severity:metadata.severity, Resource:resourceDetails.id}" \
--output table

A production environment should target a Secure Score above 70. Most organizations start around 30-40 on their first assessment. Do not panic — the recommendations tell you exactly what to fix and how.

Security Recommendations

Recommendations are the heart of Defender for Cloud. Each one includes:

  • Severity (High, Medium, Low)
  • Affected resources (which specific VMs, storage accounts, etc.)
  • Remediation steps (often with a "Fix" button that does it for you)
  • Impact on Secure Score (how many points you gain)

The quick wins are usually:

  • Enable MFA for privileged accounts
  • Close management ports (RDP/SSH) from the internet
  • Enable encryption in transit for storage accounts
  • Install the Log Analytics agent on VMs
  • Enable Defender plans for your most critical resource types
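The Secure Score and recommendation queries above return JSON that is easy to turn into a prioritised work list. The following script is an added example, not part of the original post and not Microsoft tooling: it applies the same `status.code == 'Unhealthy'` filter as the CLI query, orders findings High to Medium to Low, and counts open findings per severity and per resource so the noisiest resources surface first. The assessment records are a constructed sample trimmed to the fields the script reads; field names follow the `az security assessment list` output used on this page.

```python
import json
from collections import Counter

# Constructed sample in the shape of `az security assessment list -o json`,
# trimmed to the fields used here (the real output carries many more).
SUB_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_ID = (SUB_ID + "/resourceGroups/rg-production/providers/"
         "Microsoft.Compute/virtualMachines/vm-app-01")
STORAGE_ID = (SUB_ID + "/resourceGroups/rg-production/providers/"
              "Microsoft.Storage/storageAccounts/stuploads01")

SAMPLE_ASSESSMENTS = [
    {"displayName": "MFA should be enabled on accounts with owner permissions",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"id": SUB_ID}},
    {"displayName": "Management ports should be closed on your virtual machines",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"id": VM_ID}},
    {"displayName": "System updates should be installed on your machines",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "Medium"},
     "resourceDetails": {"id": VM_ID}},
    {"displayName": "Secure transfer to storage accounts should be enabled",
     "status": {"code": "Unhealthy"}, "metadata": {"severity": "Low"},
     "resourceDetails": {"id": STORAGE_ID}},
    {"displayName": "Endpoint protection should be installed on machines",
     "status": {"code": "Healthy"}, "metadata": {"severity": "High"},
     "resourceDetails": {"id": VM_ID}},
]

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def unhealthy(assessments):
    """Same filter as the JMESPath `[?status.code=='Unhealthy']` in the CLI query."""
    return [a for a in assessments if a.get("status", {}).get("code") == "Unhealthy"]


def prioritize(assessments):
    """Open findings ordered High -> Medium -> Low, then by name, so the top of
    the list is the next thing to fix."""
    return sorted(
        unhealthy(assessments),
        key=lambda a: (SEVERITY_RANK.get(a["metadata"]["severity"], 99), a["displayName"]),
    )


def summarize(assessments):
    """Counts per severity and per affected resource for the open findings."""
    open_findings = unhealthy(assessments)
    by_severity = Counter(a["metadata"]["severity"] for a in open_findings)
    by_resource = Counter(a["resourceDetails"]["id"] for a in open_findings)
    return {"by_severity": dict(by_severity), "by_resource": dict(by_resource)}


def short_name(resource_id):
    """Last path segment of an ARM resource id, for compact printing."""
    return resource_id.rsplit("/", 1)[-1]


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSESSMENTS):
        print(f"[{a['metadata']['severity']:<6}] {a['displayName']} "
              f"({short_name(a['resourceDetails']['id'])})")
    print(json.dumps(summarize(SAMPLE_ASSESSMENTS)["by_severity"], indent=2))
```

To run it against a real subscription, replace `SAMPLE_ASSESSMENTS` with `json.load()` of the file written by `az security assessment list -o json > assessments.json`.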

Defender Plans

Each Defender plan protects a specific resource type with threat detection, vulnerability scanning, and advanced security features.

| Defender Plan    | Protects              | Key Features                                                        | Cost (approx.)           |
|------------------|-----------------------|---------------------------------------------------------------------|--------------------------|
| Servers (P2)     | VMs, Arc servers      | Vulnerability assessment, FIM, adaptive app controls, JIT access    | ~$15/server/month        |
| Storage          | Storage accounts      | Malware scanning, sensitive data threat detection                   | ~$10/account/month       |
| SQL              | Azure SQL, SQL on VMs | Vulnerability assessment, anomalous query detection                 | ~$15/instance/month      |
| Containers       | AKS, ACR, K8s         | Runtime threat detection, image vulnerability scanning              | ~$7/vCPU/month           |
| App Service      | Web apps, APIs        | Dangling DNS detection, anomalous access patterns                   | ~$15/instance/month      |
| Key Vault        | Key Vault             | Unusual access patterns, suspicious operations                      | ~$0.02/10K transactions  |
| Resource Manager | ARM operations        | Suspicious management operations, lateral movement                  | ~$4/subscription/month   |
| DNS              | DNS queries           | Communication with malicious domains                                | ~$0.70/million queries   |
| DevOps           | Azure DevOps, GitHub  | Code scanning, IaC misconfigurations, exposed secrets               | Free (preview features)  |

# Enable Defender for Servers P2
az security pricing create \
--name VirtualMachines \
--tier Standard \
--subplan P2

# Enable Defender for Storage
az security pricing create \
--name StorageAccounts \
--tier Standard

# Enable Defender for Containers
az security pricing create \
--name Containers \
--tier Standard

# Enable Defender for SQL
az security pricing create \
--name SqlServers \
--tier Standard

Start with Servers and SQL if you have VMs and databases. Add Containers if you run AKS. Storage is worth enabling if you handle sensitive data or accept file uploads.

Just-in-Time VM Access

JIT eliminates the need to keep management ports (SSH/RDP) permanently open. When an engineer needs access, they request it. Defender for Cloud opens the port for a limited time, from their specific IP, then automatically closes it.

# Request JIT access to a VM (opens SSH for 3 hours from your IP)
az security jit-policy initiate \
--resource-group rg-production \
--location eastus \
--name "default" \
--virtual-machines '[{
"id": "/subscriptions/<sub-id>/resourceGroups/rg-production/providers/Microsoft.Compute/virtualMachines/vm-app-01",
"ports": [{
"number": 22,
"duration": "PT3H",
"allowedSourceAddressPrefix": "203.0.113.50"
}]
}]'

Behind the scenes, JIT modifies the NSG rules to allow inbound traffic on the requested port from the specified source IP. When the time expires, the rule is automatically removed. Every request is logged for audit purposes.
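To make the mechanism concrete, here is an added example (my own code, not Defender's implementation) that models what a JIT request turns into: an inbound Allow rule scoped to one port and one source, stamped with an expiry, and a reconcile step that drops rules once the clock passes it. It also enforces the two checks a practitioner cares most about, that the requested duration stays within the policy's `maxRequestAccessDuration` and that the source prefix is a specific address rather than a wildcard. The policy fragment, the rule name and the "/24 or narrower" threshold are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed JIT policy fragment for the page's vm-app-01: SSH may be opened
# for at most 3 hours per request. Field names mirror the JIT policy schema;
# the structure is simplified for the example.
POLICY = {
    "vm_id": "/subscriptions/<sub-id>/resourceGroups/rg-production/providers/"
             "Microsoft.Compute/virtualMachines/vm-app-01",
    "ports": [{"number": 22, "protocol": "TCP", "maxRequestAccessDuration": "PT3H"}],
}

# Fixed "now" so the example is reproducible.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_iso_duration(text):
    """Parse the time-only subset of ISO 8601 durations that JIT uses (PT3H, PT30M)."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def validate_source_prefix(prefix):
    """A JIT rule is only as tight as its source. Reject wildcards and anything
    wider than a /24 (threshold assumed for this example); normalise a bare
    address to a /32."""
    if prefix in ("*", "Internet", "Any"):
        raise ValueError("source prefix must be a specific address, not a wildcard")
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen < 24:
        raise ValueError(f"source prefix {prefix} covers {net.num_addresses} addresses, too broad for JIT")
    return str(net)


def open_port(policy, port_number, duration_text, source_prefix, requested_at):
    """Turn an approved request into the temporary NSG rule that would be added."""
    port = next((p for p in policy["ports"] if p["number"] == port_number), None)
    if port is None:
        raise ValueError(f"port {port_number} is not in the JIT policy")
    duration = parse_iso_duration(duration_text)
    if duration > parse_iso_duration(port["maxRequestAccessDuration"]):
        raise ValueError("requested duration exceeds the policy maximum")
    return {
        "name": f"jit-allow-{port_number}",  # assumed name, not the real rule name
        "direction": "Inbound",
        "access": "Allow",
        "protocol": port["protocol"],
        "sourceAddressPrefix": validate_source_prefix(source_prefix),
        "destinationPortRange": str(port_number),
        "expiresAt": requested_at + duration,
    }


def is_expired(rule, now):
    return now >= rule["expiresAt"]


def reconcile(rules, now):
    """Drop expired rules; what remains is what the NSG should still contain."""
    return [r for r in rules if not is_expired(r, now)]


def demo():
    """Open SSH for 3 hours from the page's example address, then check the rule
    two hours and three hours later."""
    rule = open_port(POLICY, 22, "PT3H", "203.0.113.50", T0)
    still_open = reconcile([rule], T0 + timedelta(hours=2))
    closed = reconcile([rule], T0 + timedelta(hours=3))
    return rule, len(still_open), len(closed)


if __name__ == "__main__":
    rule, open_after_2h, open_after_3h = demo()
    print(rule)
    print(f"rules present after 2h: {open_after_2h}, after 3h: {open_after_3h}")
```

When auditing real JIT usage, the same two checks (duration against policy, source narrower than a wildcard) are the ones worth querying in the activity log, since a request for `*` or for the policy maximum every day defeats the point of JIT.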

Adaptive Application Controls

Adaptive Application Controls learn which applications normally run on your VMs and create allowlisting policies. If an unexpected executable runs — potentially malware or an attacker's tool — Defender generates an alert.

The workflow:

  1. Defender monitors running processes on your VMs for two weeks
  2. It builds a baseline of normal applications
  3. It recommends allowlist rules
  4. You review and approve the rules
  5. Violations generate security alerts

This is particularly powerful for production servers that should only run your application stack. A crypto miner or reverse shell popping up on a web server triggers an immediate alert.
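The five-step workflow above reduces to a small amount of logic: collect executables per VM during the learning window, emit one allowlist per VM, then alert on anything outside it. The following is an added example of that logic written for this page (not Defender's own engine); the process-start events are constructed, and the learning window is a parameter so you can see why its boundaries matter: an event on day 16 is not baselined, and neither would a miner be if it had not been running during learning.

```python
from datetime import datetime, timedelta, timezone

# Constructed process-start telemetry as (timestamp, vm, executable path),
# a simplified stand-in for what Defender collects from the VM.
LEARNING_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
LEARNING_PERIOD = timedelta(days=14)

OBSERVED = [
    (LEARNING_START + timedelta(days=d, hours=h), "vm-app-01", exe)
    for d in range(14)
    for h, exe in ((0, "/usr/sbin/nginx"), (1, "/usr/bin/python3"), (2, "/usr/sbin/cron"))
] + [
    # Outside the learning window: must not end up in the baseline.
    (LEARNING_START + timedelta(days=16), "vm-app-01", "/usr/bin/curl"),
]

# Constructed events after the rules were approved.
PRODUCTION_EVENTS = [
    (LEARNING_START + timedelta(days=20), "vm-app-01", "/usr/sbin/nginx"),
    (LEARNING_START + timedelta(days=20, hours=3), "vm-app-01", "/tmp/.cache/miner"),
]


def build_baseline(events, start, period):
    """Executables seen on each VM inside the learning window."""
    end = start + period
    baseline = {}
    for ts, vm, exe in events:
        if start <= ts < end:
            baseline.setdefault(vm, set()).add(exe)
    return baseline


def recommend_rules(baseline):
    """One allowlist per VM, keyed by full path, ready for review and approval."""
    return {vm: sorted(exes) for vm, exes in baseline.items()}


def evaluate(rules, events):
    """After approval: any executable not on its VM's allowlist becomes an alert.
    A VM with no approved rules is treated as unmonitored rather than alerting
    on everything."""
    alerts = []
    for ts, vm, exe in events:
        if vm not in rules:
            continue
        if exe not in rules[vm]:
            alerts.append({"time": ts.isoformat(), "vm": vm, "executable": exe,
                           "reason": "executable not in approved allowlist"})
    return alerts


def demo():
    rules = recommend_rules(build_baseline(OBSERVED, LEARNING_START, LEARNING_PERIOD))
    return rules, evaluate(rules, PRODUCTION_EVENTS)


if __name__ == "__main__":
    rules, alerts = demo()
    print("recommended rules:", rules)
    for alert in alerts:
        print("ALERT", alert)
```

The design choice to note is the learning-window check in `build_baseline`: if a machine is already compromised when learning starts, the attacker's tooling gets baselined as normal, which is why the recommended rules are reviewed by a human before approval rather than applied automatically.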

File Integrity Monitoring

File Integrity Monitoring (FIM) tracks changes to critical system files, Windows registry, and application configuration files. Unauthorized changes to /etc/passwd, web.config, or system binaries are strong indicators of compromise.

# Point Defender for Cloud at the Log Analytics workspace that receives agent data (FIM change records land here once FIM is enabled for the workspace)
az security workspace-setting create \
--name "default" \
--target-workspace "/subscriptions/<sub-id>/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-security"

FIM monitors these by default:

  • Linux: /etc/passwd, /etc/shadow, /etc/ssh/sshd_config, /usr/bin, /usr/sbin
  • Windows: C:\Windows\System32, C:\Windows\SysWOW64, registry keys for autorun, services
  • Custom paths you configure

Changes appear in Log Analytics and can trigger alerts through Azure Monitor alert rules.
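The core of any file integrity monitor is a baseline of hashes and metadata for the watched paths, and a diff that classifies each path as added, removed or modified. This added example (written for this page, not Defender's FIM implementation) does exactly that against a temporary directory: stand-ins for `/etc/passwd`, `sshd_config` and a new binary under a `sbin` directory are created, the baseline is taken, and then all three kinds of change are simulated and detected. The paths and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Hash, size and permission bits for each monitored file. A missing file is
    recorded as None so a deletion shows up as a change, not as silence."""
    state = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            state[str(p)] = {"sha256": file_digest(p), "size": st.st_size,
                             "mode": st.st_mode & 0o777}
        else:
            state[str(p)] = None
    return state


def diff(baseline, current):
    """Classify every monitored path as added, removed or modified."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None and after is not None:
            events.append((path, "added"))
        elif before is not None and after is None:
            events.append((path, "removed"))
        elif before != after:
            events.append((path, "modified"))
    return events


def demo():
    """Constructed scenario: a passwd stand-in gains a new UID-0 account, the
    sshd_config stand-in is deleted, and an unexpected binary appears in sbin."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        passwd = root / "passwd"
        sshd = root / "sshd_config"
        newbin = root / "sbin" / "unexpected"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        sshd.write_text("PermitRootLogin no\n")
        newbin.parent.mkdir()

        watched = [passwd, sshd, newbin]
        baseline = snapshot(watched)

        # Simulated tampering after the baseline was taken.
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/home/svc:/bin/bash\n")
        sshd.unlink()
        newbin.write_bytes(b"\x7fELF")

        return {Path(p).name: kind for p, kind in diff(baseline, snapshot(watched))}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{kind:<9} {name}")
```

In production the baseline would be persisted somewhere the monitored host cannot modify; a baseline that lives on the same disk as the files it protects can be rewritten by whoever tampered with them.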

Regulatory Compliance Dashboard

The compliance dashboard maps your security posture against industry frameworks. Built-in standards include:

  • Azure Security Benchmark (default)
  • NIST SP 800-53
  • ISO 27001
  • PCI DSS
  • SOC 2 Type 2
  • CIS Azure Foundations Benchmark
  • HIPAA/HITRUST

# List available regulatory compliance standards
az security regulatory-compliance-standards list \
--query "[].{Name:name, State:state}" \
--output table

# Check compliance for a specific standard
az security regulatory-compliance-controls list \
--standard-name "Azure-CIS-1.3.0" \
--query "[].{Control:name, State:state, Passed:passedAssessments, Failed:failedAssessments}" \
--output table

Each standard breaks down into controls, and each control maps to specific security assessments. You can export compliance reports as PDFs for auditors. The dashboard shows your compliance percentage over time so you can demonstrate improvement during audit cycles.

Defender for DevOps

Defender for DevOps extends security left into your CI/CD pipelines. Connect your Azure DevOps or GitHub repositories, and Defender will:

  • Scan Infrastructure as Code templates (Bicep, Terraform, ARM) for misconfigurations
  • Detect exposed secrets in code
  • Find vulnerabilities in container images
  • Surface findings as PR annotations

# Connect a GitHub organization to Defender for DevOps (via portal or API)
az security github-connector create \
--name "my-github-org" \
--resource-group rg-security

The IaC scanning catches problems before deployment — a storage account configured without encryption in a Bicep template gets flagged in the pull request, not after it hits production.
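To show what "flagged in the pull request" means at the template level, here is an added example of a minimal IaC scanner written for this page (it is not Defender for DevOps code). It walks an ARM template, which is what a Bicep file compiles to, checks each storage account for HTTPS-only transfer, public blob access and an explicit TLS 1.2 floor, and flags literal credential-looking strings while skipping ARM expressions (values starting with `[`, which resolve at deploy time). The template, rule names and the gate threshold are constructed for the example; the storage property names are the real ARM properties.

```python
import json
import re

# Constructed ARM template: one misconfigured storage account, one correct
# one, and a web app whose app setting embeds a literal storage key.
# The key value is a placeholder, not a real key.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "stuploads01",
         "properties": {"supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": True}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "stlogs01",
         "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                        "allowBlobPublicAccess": False}},
        {"type": "Microsoft.Web/sites", "apiVersion": "2022-09-01", "name": "app-api",
         "properties": {"siteConfig": {"appSettings": [
             {"name": "STORAGE_CONN",
              "value": "DefaultEndpointsProtocol=https;AccountName=stuploads01;"
                       "AccountKey=PLACEHOLDER_NOT_A_REAL_KEY;EndpointSuffix=core.windows.net"},
             {"name": "SAFE_CONN",
              "value": "[concat('AccountKey=', listKeys(resourceId('Microsoft.Storage/"
                       "storageAccounts', 'stlogs01'), '2023-01-01').keys[0].value)]"},
         ]}}},
    ],
}

# Literal values that look like credentials (patterns assumed for the example).
SECRET_PATTERNS = {
    "storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/=_-]{8,}"),
    "sas-token": re.compile(r"(?:^|[?&;])sig=[A-Za-z0-9%+/=]{8,}"),
}


def check_storage_account(resource):
    """Misconfiguration checks on a Microsoft.Storage/storageAccounts resource."""
    props = resource.get("properties", {})
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append(("storage-https-only", "High"))
    if props.get("allowBlobPublicAccess") is True:
        findings.append(("storage-public-blob-access", "Medium"))
    if props.get("minimumTlsVersion") != "TLS1_2":  # require an explicit floor
        findings.append(("storage-min-tls-1.2", "Medium"))
    return [{"resource": resource["name"], "rule": r, "severity": s} for r, s in findings]


def walk_strings(obj, path=""):
    """Yield (json_path, value) for every string nested anywhere in obj."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def check_secrets(resource):
    """Flag literal secrets; ARM expressions ('[...]') are resolved at deploy time."""
    findings = []
    for path, value in walk_strings(resource.get("properties", {}), "properties"):
        if value.startswith("["):
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                findings.append({"resource": resource["name"], "rule": rule,
                                 "severity": "High", "location": path})
    return findings


def scan(template):
    findings = []
    for resource in template.get("resources", []):
        if resource.get("type") == "Microsoft.Storage/storageAccounts":
            findings.extend(check_storage_account(resource))
        findings.extend(check_secrets(resource))
    return findings


def gate(findings, block_on=("High",)):
    """Pull request decision: True means the check passes."""
    return not any(f["severity"] in block_on for f in findings)


if __name__ == "__main__":
    results = scan(TEMPLATE)
    print(json.dumps(results, indent=2))
    print("PR check passed" if gate(results) else "PR check failed")
```

Running it as a PR check on `az bicep build` output gives the same outcome the post describes: the storage account without encryption in transit blocks the merge, and the hard-coded key is caught before it is ever committed to a deployed app setting.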

Alert Management

When Defender detects threats, it generates security alerts with severity levels (High, Medium, Low, Informational). Alerts include:

  • A description of the detected threat
  • MITRE ATT&CK tactics and techniques
  • Affected resources
  • Recommended investigation and response steps

# List active security alerts
az security alert list \
--query "[?status=='Active'].{Name:alertDisplayName, Severity:severity, Resource:associatedResource, Time:timeGeneratedUtc}" \
--output table

# Update alert status (dismiss false positive)
az security alert update \
--name "<alert-name>" \
--location "<location>" \
--status "Dismissed"

Connect alerts to Azure Sentinel (Microsoft's SIEM) for correlation across your entire estate. You can also route them to email, SMS, Logic Apps, or third-party SIEM tools through Action Groups.

Wrapping Up

Defender for Cloud is not optional — the free CSPM tier should be your security baseline from day one. Start by reviewing your Secure Score and fixing the high-severity recommendations. Enable JIT access to replace permanently open management ports. Then progressively enable paid Defender plans for your most critical workloads — servers, databases, and containers first. Use the regulatory compliance dashboard to satisfy auditors. The goal is to detect misconfigurations before attackers find them and catch threats in real time when they do get through.


Next up: We will learn Azure Bicep — writing Infrastructure as Code that is actually readable, modular, and deployable through your CI/CD pipelines.