What Is Defender for Cloud? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
Microsoft Defender for Cloud is a tool that helps you find and fix security weaknesses in your cloud resources and protects them from threats. It works across your Azure, AWS, and Google Cloud environments. The tool gives you a security score to show how well protected you are and offers recommendations to make your cloud setup safer.
Common Commands & Configuration
az security pricing show --name VirtualMachinesShows the current tier and pricing for the Defender for Servers plan (VirtualMachines) in a subscription.
Tests how to check if a Defender plan is enabled and the pricing tier. Often used in AZ-104 and SC-900 scenarios.
az security pricing create --name VirtualMachines --tier StandardEnables the paid Defender for Servers plan (Standard tier) for the current subscription.
Used to upgrade from free to paid tier. Exam questions may ask which command enables advanced threat protection for VMs.
az security alert list --query "[?status=='Active']"Lists all active security alerts in the subscription, filtering only those with 'Active' status.
Tests understanding of alert status filtering. Active alerts are unresolved. Useful for incident response scenarios.
az security assessment list --query "[?status.code=='Unhealthy']"Lists all security assessments with 'Unhealthy' status, which indicates failed recommendations affecting the Secure Score.
Assessments are recommendations. Shows how to find unsecure resources. Common in AZ-104 and SC-900 exam questions about Secure Score.
az security auto-provisioning-setting update --name default --auto-provision OnEnables auto-provisioning of the Log Analytics agent on all new and existing VMs for Defender for Cloud data collection.
Required to collect security telemetry. If auto-provisioning is off, VMs won't generate alerts. Frequently tested in exam scenarios.
az security regulatory-compliance-standard list --subscription <sub-id>Lists the regulatory compliance standards available for the subscription, such as SOC 2, PCI DSS, or ISO 27001.
Tests knowledge of regulatory compliance features and how to view available frameworks. Relevant for SC-900 and industry compliance questions.
az security security-solutions-reference-data listLists the bundled security solutions available, including vulnerability assessment tools and endpoint protection.
Used to show integrated partner solutions. Exam questions may ask which solutions are supported, like Qualys or Microsoft Defender for Endpoint.
Invoke-AzSecurityAssessment -AssessmentName "storage-encryption-at-rest" -Status Code "Healthy"PowerShell command to manually set an assessment status to 'Healthy' if remediation is completed outside Defender for Cloud.
Tests the ability to update assessment status programmatically. Useful for automated reporting and Secure Score management.
Defender for Cloud appears directly in 721exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on SC-900. Practise them →
Must Know for Exams
Microsoft Defender for Cloud appears in multiple Microsoft certification exams, especially those focused on security, Azure administration, and fundamentals. For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), Defender for Cloud is a core topic. You are expected to understand its capabilities, how it provides CSPM and CWPP, and its role in securing hybrid and multi-cloud environments. Questions may ask you to describe what a secure score is, how recommendations work, or which plans are available.
In the AZ-104 (Azure Administrator Associate) exam, Defender for Cloud is covered under the Manage identities and governance section. You may see questions about enabling Defender for Cloud plans, configuring just-in-time VM access, or interpreting security alerts. Knowing when to use Defender for Cloud versus Azure Policy versus Azure Sentinel is important.
The AZ-500 (Microsoft Azure Security Technologies) exam goes even deeper. You will need to know the configuration details of each Defender plan, understand how to set up security policies, manage secure scores, and integrate with Microsoft Sentinel. Expect scenario-based questions where you must choose the correct Defender plan for a given workload or troubleshoot an alert.
For non-Microsoft exams on the list, Defender for Cloud is light supporting or also useful. For example, in CompTIA Security+ (SY0-601) or CySA+, understanding cloud security posture management concepts is helpful, but they will not test Azure-specific product details. In AWS certifications like AWS Certified Solutions Architect Associate, knowing that Defender for Cloud can monitor AWS resources helps in multi-cloud scenarios, but it is not a core objective.
In exam questions, you might be asked to identify which tool a company should use to get a unified security score across Azure and AWS. The correct answer would be Defender for Cloud. Or you might need to determine why a secure score dropped after a new resource deployment. Understanding that each unsecured resource reduces the score is key.
Always pay attention to the specific wording. If a question mentions 'security posture management across multiple clouds,' Defender for Cloud is the likely answer. If it talks about 'SIEM and SOAR capabilities,' that is Microsoft Sentinel, not Defender for Cloud. Differentiating between CSPM (posture) and CWPP (threat detection) is critical.
For the Google Cloud certifications like ACE and Cloud Digital Leader, Defender for Cloud is not a focus, but the concept of CSPM tools is relevant. You may see questions about Google's Security Command Center, and understanding the parallel helps with comparative analysis.
Overall, for exam success, focus on the core features: secure score, recommendations, security alerts, compliance dashboard, just-in-time access, adaptive application controls, and the multi-cloud connectors. Practice scenarios where you enable a Defender plan and see how it affects the secure score.
Simple Meaning
Think of Microsoft Defender for Cloud as a security guard and an inspector combined for your digital property in the cloud. Imagine you own a large office building with many doors, windows, and valuable items inside. You need someone to walk around the building, check if all the doors are locked, verify that the alarm systems are working, and watch for any suspicious activity. That is exactly what Defender for Cloud does for your cloud resources like virtual machines, databases, storage accounts, and apps.
When you first start using Defender for Cloud, it gives you a security score, which is like a report card for how well protected your cloud is. A score of 100 percent means everything is as secure as possible according to best practices. If the score is lower, the tool tells you exactly what is wrong and how to fix it. For example, if one of your storage accounts does not have encryption enabled, Defender for Cloud will flag that as a weakness and suggest you turn it on.
Defender for Cloud also watches for threats in real time. This is like having security cameras and motion sensors that alert you if someone is trying to break in. If an attacker tries to log in to your system from an unusual location or tries to run malicious software, Defender for Cloud can detect that activity and alert you immediately. Some alerts even include steps to stop the attack.
Another useful feature is that Defender for Cloud works across different cloud providers, not just Microsoft Azure. If your company uses Amazon Web Services or Google Cloud Platform alongside Azure, Defender for Cloud can monitor all of them from one dashboard. This saves you from having to log into separate tools for each cloud provider.
Defender for Cloud also has a feature called just-in-time access, which is like giving a visitor a temporary badge that expires after a certain time. Instead of leaving your management ports open all the time, you can request temporary access when you need it, and Defender for Cloud automatically closes the port after the allowed time. This reduces the risk of attackers finding open ports to exploit.
Overall, Defender for Cloud helps you manage security in a proactive way. It does not wait for something bad to happen. Instead, it continuously checks your setup, recommends improvements, and watches for threats so you can respond quickly. For anyone studying cloud security, understanding Defender for Cloud is important because it brings together several security concepts like posture management, threat detection, and compliance monitoring into one service.
Full Technical Definition
Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of cloud resources and provides advanced threat protection across hybrid and multi-cloud workloads. It is natively integrated into the Azure portal and can be extended to cover AWS and Google Cloud environments through connector configurations.
At its core, Defender for Cloud operates on two major pillars: Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP). The CSPM aspect continuously assesses your cloud resources against security benchmarks such as the Microsoft cloud security benchmark (formerly Azure Security Benchmark), CIS controls, and regulatory compliance frameworks like PCI DSS and ISO 27001. It generates a secure score (0 to 100 percent) based on how many recommended security controls you have implemented. Each recommendation is tied to a specific control, such as enabling encryption at rest on storage accounts or enabling network security groups on subnets.
The CWPP side provides threat detection and response capabilities. This includes multiple plans that can be enabled individually: Defender for Servers, Defender for App Service, Defender for Storage, Defender for SQL, Defender for Kubernetes, Defender for Container Registries, Defender for Key Vault, Defender for Resource Manager, Defender for DNS, and Defender for Open-Source Relational Databases. Each plan uses a combination of behavioral analytics, machine learning models, anomaly detection, and threat intelligence feeds from Microsoft's global network to detect malicious activity.
Under the hood, Defender for Cloud collects telemetry from Azure resources through the Log Analytics agent or Azure Monitor Agent. It also integrates with Microsoft Sentinel for advanced security information and event management (SIEM). When a threat is detected, it generates a security alert with a severity level (Informational, Low, Medium, High). Each alert provides a detailed description, affected resources, remediation steps, and a link to investigate in Microsoft Sentinel. Alerts can be automated using Azure Logic Apps or via integration with incident response tools.
For multi-cloud support, Defender for Cloud uses AWS and GCP connectors. These connectors require you to grant read-only permissions for Defender for Cloud to access your cloud resources via APIs. Once connected, Defender for Cloud collects configuration data and threat signals from those environments, applying the same CSPM and CWPP logic where supported. For example, Defender for Cloud can assess AWS EC2 instances for missing security groups or outdated patches.
Defender for Cloud also includes features like just-in-time VM access, which locks down inbound traffic to management ports and opens them only when an authenticated user requests access via Azure RBAC. Adaptive application controls use machine learning to build whitelists of allowed applications running on your VMs and alert you when unknown processes start. File integrity monitoring tracks changes to critical system files, registry keys, and software installations.
From a compliance perspective, Defender for Cloud provides a compliance dashboard that maps your resources to specific regulatory frameworks. It shows which controls are passing and failing, and gives you the ability to export compliance reports. This is especially useful for audits.
On the network layer, Defender for Cloud integrates with Azure Network Security Group (NSG) flow logs and Azure Firewall logs to detect anomalous traffic patterns. It also uses adaptive network hardening to analyze traffic patterns and recommend rules that restrict overly permissive NSG rules.
Security policies in Defender for Cloud are defined at the management group, subscription, or resource group level. These policies are based on Azure Policy and include built-in initiative definitions. You can customize them to meet your organization's specific requirements.
Finally, Defender for Cloud provides a Secure Score API for programmatic access to security posture data, enabling integration with custom dashboards and reporting tools. It also supports continuous export of alerts and recommendations to Azure Event Hubs or Log Analytics workspaces for long-term analysis and automation.
Real-Life Example
Imagine you are the manager of a large apartment complex. The complex has dozens of buildings, each with multiple apartments, common areas, a parking garage, and a swimming pool. As the manager, you are responsible for keeping everyone safe. You cannot be everywhere at once, so you rely on a system of tools and procedures.
Now, think of Microsoft Defender for Cloud as a team of security experts that you hire to help you. They do not just stand at the front gate. They walk through every building, check every door lock, test every smoke detector, and inspect the fence around the pool. They give you a report card that shows how safe each building is. If a building scores 85 out of 100, they tell you exactly what needs fixing to get to 100. Maybe Building A is missing a lock on the back door, or Building B has a broken security camera.
That is the Cloud Security Posture Management part: it continuously checks your cloud resources (the buildings) against best practice rules. If a virtual machine does not have disk encryption (like a door without a lock), Defender for Cloud will flag it and tell you to turn on encryption.
the security team also monitors live video feeds and motion sensors. If someone tries to break into a building at 3 AM from a strange direction, the team sends you an alert immediately. They might even have a protocol to automatically call the police. That is the threat protection part: it watches for real-time attacks like a hacker trying to log in from a foreign country or malware trying to run on your server.
Defender for Cloud also works across multiple cities if your apartment empire spans different locations. Even if some buildings are managed by a different company (like using AWS or Google Cloud), your security team can still keep an eye on them from their central office. They just need permission to access those buildings' security systems.
There is also a cool feature for your maintenance workers. Instead of leaving the key under the mat (permanently open management ports like RDP or SSH), you can give them a temporary key that works only during the hours they need to do repairs. That is just-in-time access.
In real life, a company running cloud infrastructure uses Defender for Cloud to reduce the attack surface, stay compliant with regulations like HIPAA or PCI DSS, and get early warnings of potential breaches. It saves security teams from manually checking every setting and guessing what might be a threat.
Why This Term Matters
Defender for Cloud matters because cloud environments are complex and constantly changing. A traditional security perimeter does not exist in the cloud, so you need a tool that continuously monitors and adapts. Without Defender for Cloud, security teams would have to manually check each resource for misconfigurations, patch missing updates, and try to identify suspicious activity by sifting through logs. That is not scalable for modern multi-cloud deployments.
From a practical IT standpoint, Defender for Cloud provides a single pane of glass for security. Instead of logging into Azure Security Center, AWS Security Hub, and Google Security Command Center separately, you can see everything in one dashboard. This reduces the time needed to assess your overall security posture and helps prioritize remediation efforts based on the most critical risks.
Compliance is another big reason it matters. Many organizations must follow regulations like SOC 2, HIPAA, PCI DSS, or GDPR. Defender for Cloud maps your resources to these frameworks and shows you exactly which controls pass or fail. This simplifies audit preparation and helps you avoid fines.
Defender for Cloud helps prevent data breaches. By providing actionable recommendations and real-time threat detection, it reduces the window of exposure. A misconfigured storage account or an open SSH port can lead to a breach within minutes. Defender for Cloud identifies these issues quickly and can even automate remediation through policies and workflows.
Finally, it matters because cloud security is a shared responsibility. The cloud provider secures the infrastructure, but you secure what you put in it. Defender for Cloud gives you the tools to fulfill your part of that responsibility efficiently, without requiring a huge security team.
How It Appears in Exam Questions
Exam questions about Defender for Cloud typically fall into three categories: scenario-based questions, configuration questions, and troubleshooting questions.
Scenario-based questions present a company with a specific security concern and ask you to choose the best solution. For example: 'A company has virtual machines in Azure and on-premises that need to be monitored for missing security updates. What should they use?' The answer is Microsoft Defender for Cloud, because it covers both environments. Another scenario: 'A company uses AWS and Azure and wants a single dashboard to track security misconfigurations.' Again, Defender for Cloud is the solution.
Configuration questions might ask about enabling a specific Defender plan or understanding the default state. For instance: 'You need to protect Azure SQL databases from SQL injection attacks. Which Defender plan should you enable?' The answer is Defender for SQL. Or: 'Which role must you assign to a user to view Defender for Cloud recommendations?' The answer is Security Reader or Security Admin.
Troubleshooting questions focus on why something is not working. For example: 'You enabled Defender for Cloud but see no security alerts. What is the most likely reason?' The Log Analytics agent might not be installed on the VMs, or the Defender plan for the specific workload type is not enabled. Another: 'Your secure score is lower than expected, even though you implemented all recommendations.' This could be because new resources were deployed without applying security controls, or some recommendations are in a 'not applicable' state.
Questions may also test your ability to interpret a secure score graph and determine what action would increase the score. The key is knowing that implementing high-severity recommendations that affect many resources gives the largest score boost.
Know the difference between Defender for Cloud and Microsoft Sentinel. A question like: 'Which Azure service provides automated threat response with playbooks?' That is Microsoft Sentinel, not Defender for Cloud, unless they mention that Defender for Cloud integrates with Sentinel.
Also, be aware of exam tricks: 'Which tool provides continuous assessment of security best practices?' That is Defender for Cloud CSPM. 'Which tool analyzes network traffic to detect threats?' That could be Defender for Cloud CWPP or Azure Network Watcher. Read carefully.
Finally, some questions test knowledge of the compliance dashboard. 'Which framework can you monitor using Defender for Cloud compliance dashboard?' All of the commonly used ones: CIS, PCI DSS, ISO 27001, SOC 2, etc., depending on what you have enabled.
Practise Defender for Cloud Questions
Test your understanding with exam-style practice questions.
Example Scenario
A small business named 'Cloud Bakery' runs its online ordering system on Azure. They have a virtual machine that hosts their website, a SQL database for order data, and a storage account for customer photos. The IT manager, Maria, wants to improve security because they recently heard about data breaches in the news.
Maria logs into the Azure portal and goes to Defender for Cloud. She sees the secure score is only 30 percent out of 100. The dashboard shows 15 critical recommendations. One recommendation says 'Enable encryption at rest for storage accounts.' Another says 'Enable Azure Defender for SQL.' A third recommends 'Install the Log Analytics agent on the virtual machine.'
Maria decides to start with the storage account encryption. She clicks the recommendation, sees the 'Fix' option, and applies it. The encryption is enabled within minutes. Next, she enables the free trial of Defender for SQL. She also installs the Log Analytics agent on the VM by following the on-screen instructions.
After a week, Maria checks Defender for Cloud again. The secure score has increased to 65 percent. She also sees a security alert: 'Suspicious login from an unusual location' for the VM. The alert says someone tried to log in from a country where Cloud Bakery has no customers. Maria investigates by clicking the alert and sees the time, source IP, and affected resource. She confirms the IP is not legitimate and blocks it using a network security group rule.
Because of Defender for Cloud, Maria prevented a potential breach and improved her company's security posture. She now schedules weekly reviews of the recommendations and alerts.
Common Mistakes
Confusing Defender for Cloud with Microsoft Sentinel
Defender for Cloud is a CSPM and CWPP tool, not a full SIEM/SOAR. Sentinel provides advanced analytics, incident management, and playbook automation. They are complementary, not the same.
Think of Defender for Cloud as posture and threat detection for workloads, and Sentinel as the central hub for all security logs and incident response across the entire environment.
Thinking Defender for Cloud requires manual configuration for every resource
Defender for Cloud automatically gathers data from Azure resources once enabled. However, some features (like agent installation) need to be configured, but many assessments are automatic.
Enable Defender for Cloud at the subscription level and let it scan automatically. Install agents only where required for deeper monitoring (like on VMs).
Believing that a secure score of 100 means you are unhackable
A secure score of 100 means you have implemented all recommended security controls based on the current benchmarks. It does not guarantee you are immune from zero-day exploits or sophisticated attacks.
Treat the secure score as a baseline for good hygiene, not a guarantee of perfect security. Always layer additional defenses like threat detection, backup, and incident response.
Assuming Defender for Cloud only works with Azure
Defender for Cloud supports multi-cloud environments including AWS and Google Cloud. You can connect them via connectors and monitor them alongside Azure resources.
When studying multi-cloud, remember that Defender for Cloud can provide CSPM and limited CWPP for non-Azure clouds, but it is most powerful as an Azure-native tool.
Ignoring the free tier and thinking you must pay for everything
Defender for Cloud has a free foundational tier that provides secure score, recommendations, and security policies. The paid plans (Defender for Servers, etc.) enable advanced threat detection features.
Use the free tier for posture management. Enable paid plans only for workloads that need advanced threat protection, like critical production servers or sensitive databases.
Thinking that enabling a Defender plan automatically protects all resources
Enabling a plan at the subscription level only activates the feature for that subscription's resources. You may still need to configure specific settings such as auto-provisioning of agents or data collection rules.
After enabling a plan, check the policy settings and ensure data collection is properly configured. Also verify that all resources are being scanned by reviewing the inventory and coverage.
Exam Trap — Don't Get Fooled
{"trap":"The question describes a security alert about a VM and asks which service generated it. Options include 'Azure Monitor,' 'Microsoft Sentinel,' 'Defender for Cloud,' and 'Azure Policy.' The trap is that both Sentinel and Defender for Cloud can generate alerts.
However, if the alert specifically mentions a workload threat (e.g., suspicious PowerShell command on a VM), it is likely Defender for Cloud. Sentinel would have more contextual investigation data."
,"why_learners_choose_it":"Learners may choose 'Microsoft Sentinel' because they associate all security alerts with a SIEM. They forget that Defender for Cloud has its own alerting engine for workload threats.","how_to_avoid_it":"Focus on the source of the alert.
If it is a security recommendation or a threat detected directly on a workload (like a VM or SQL database), it is Defender for Cloud. Sentinel aggregates alerts from multiple sources including Defender for Cloud, but it does not generate the initial workload detection by itself."
Commonly Confused With
Defender for Cloud focuses on cloud security posture management and workload protection, while Microsoft Sentinel is a SIEM (Security Information and Event Management) solution that collects logs from across the entire IT environment, including on-premises, cloud, and third-party sources. Defender for Cloud provides alerts and recommendations; Sentinel uses those alerts to build incidents and drive automated response playbooks.
If you need to check if your storage account is encrypted, use Defender for Cloud. If you need to correlate that encryption event with a user login anomaly from a different system, use Sentinel.
Azure Policy enforces rules on resource configurations (e.g., 'all storage accounts must have encryption') and can automatically remediate non-compliant resources. Defender for Cloud uses Azure Policy behind the scenes to define security initiatives, but adds a security score, threat detection, and multi-cloud support. Azure Policy alone does not give you threat alerts.
Azure Policy can automatically tag resources; Defender for Cloud tells you if your network security group is too permissive and includes threat intelligence.
The Azure Security Benchmark is a set of security best-practice controls that Azure services should follow. Defender for Cloud uses that benchmark to calculate your secure score and generate recommendations. The benchmark is the standard, Defender for Cloud is the tool that measures against that standard.
The security benchmark says 'enable encryption.' Defender for Cloud checks whether you have done it and tells you if you haven't.
AWS Security Hub is Amazon's CSPM and compliance service for AWS environments. It provides a similar secure score and findings but only for AWS. Defender for Cloud can connect to AWS and ingest findings from Security Hub, allowing you to see both Azure and AWS posture in one place.
If your company uses AWS only, you would use Security Hub. If you use both Azure and AWS, Defender for Cloud can be your single pane of glass.
Google Cloud's Security Command Center offers similar CSPM and threat detection for Google Cloud resources. Defender for Cloud can also connect to Google Cloud to bring those findings into Azure.
You would use Security Command Center for GCP-native monitoring, but use Defender for Cloud if you want a multi-cloud overview.
Step-by-Step Breakdown
Enable Defender for Cloud
In the Azure portal, search for 'Microsoft Defender for Cloud' and open it. It is automatically enabled on your subscription with the free foundational tier. You can then enable paid plans for additional protection.
Review the Secure Score
The secure score is shown as a percentage. It reflects how well you are following security recommendations. Clicking on it shows the breakdown by control group. This tells you where you are weak and prioritizes improvements.
Examine Security Recommendations
Defender for Cloud lists every security recommendation that applies to your resources. Each recommendation includes a description, affected resources, severity, and steps to remediate. You can also see the 'fix' option to apply a remediation automatically.
Implement a Recommendation
Choose a high-severity recommendation like 'Enable encryption on storage accounts.' Click the recommendation, then click 'Fix' to apply the policy. The change is made immediately. You can verify that the resource is now compliant.
Enable a Paid Defender Plan
Under 'Environment settings,' select your subscription and choose a plan like 'Defender for Servers' or 'Defender for SQL.' Enable it to activate advanced threat detection. This may require monitoring agent installation and additional configuration.
Monitor Security Alerts
After enabling a plan, check the 'Security alerts' tab. Alerts are generated when suspicious activity is detected. Each alert includes severity, affected resources, detection time, and steps for investigation and response.
Use Just-in-Time VM Access
Enable just-in-time access from Defender for Cloud's menu. Select the VM, configure source IP ranges and ports (like RDP or SSH), and set a request duration. Users must then authenticate via Azure AD to request access, which opens the port temporarily.
Connect AWS or GCP Environments
From Defender for Cloud's 'Multi-cloud' section, add a connector. Provide AWS account ID or GCP project ID and grant read permissions. Defender for Cloud will begin collecting posture data and alerts from those clouds.
Generate Compliance Reports
Go to the 'Regulatory compliance' tab. Select a compliance standard like CIS or PCI DSS. The dashboard shows which controls are passing. You can export the report in PDF or CSV format for audit evidence.
Practical Mini-Lesson
To effectively use Microsoft Defender for Cloud in a real-world environment, start by understanding your organization's security requirements. Most companies first deploy Defender for Cloud with the free foundational tier to get a baseline of their security posture. The secure score will likely be low because many resources are not following best practices. The first step is to triage the recommendations by severity. Focus on critical and high-severity issues that affect your most sensitive workloads, such as databases, domain controllers, and internet-facing applications.
When you enable a paid Defender plan, be aware of the cost implications. Defender for Servers charges per vCPU per hour, while Defender for Storage costs per storage account per month. Budget accordingly and enable plans only for subscriptions that contain workloads needing that protection. A common practice is to enable Defender for Cloud on a management group level so that all child subscriptions inherit the settings.
Configuration of the Log Analytics agent (or Azure Monitor Agent) is crucial for threat detection on virtual machines. Without the agent, Defender for Cloud cannot collect security event logs, network data, or detect file integrity changes. Automate the installation using Azure Policy so that new VMs automatically get the agent.
Security professionals should also set up automated responses using Azure Logic Apps or integration with Microsoft Sentinel. For example, when a high-severity alert is generated, you can trigger a runbook to isolate the VM by attaching a network security group that blocks all traffic. This reduces response time from hours to seconds.
Another critical aspect is managing the secure score. Understand that the secure score is calculated based on the percentage of compliant resources within each control. If you have 100 VMs and 50 are encrypted, the encryption control is 50% compliant, which reduces your score. To maximize your score, you must apply the recommendation to all applicable resources, not just one.
What can go wrong? A common issue is 'recommendation drift.' Over time, new resources are deployed without security controls, or existing resources change configurations. Defender for Cloud continuously rescans, so the score will drop if you add unencrypted storage accounts. Another issue is alert fatigue if you enable too many Defender plans without proper tuning. Use suppression rules or whitelisting to filter out noise.
Finally, never rely solely on Defender for Cloud. It is part of a defense-in-depth strategy. Combine it with regular vulnerability scanning (via Defender for Servers includes Qualys), network security groups, Azure Firewall, identity protection (Azure AD Identity Protection), and backup solutions. Defender for Cloud provides visibility and recommendations, but it is your responsibility to act on them and implement a layered security architecture.
How Defender for Cloud Cost and Billing Works
Microsoft Defender for Cloud is a cloud-native application protection platform that provides unified security management and advanced threat protection across hybrid and multi-cloud environments. Understanding how Defender for Cloud incurs costs is critical for exam success and real-world deployment. Defender for Cloud offers two primary tiers: the free foundational CSPM (Cloud Security posture management) tier and the paid enhanced security tier. The free tier includes asset discovery, continuous assessment of security configurations via the Secure Score, and recommendations based on Azure Security Benchmarks and industry standards. The paid tier, known as Defender for Cloud plans, adds advanced protections such as just-in-time VM access, adaptive application controls, file integrity monitoring, and vulnerability scanning for virtual machines, containers, and databases.
Each Defender for Cloud plan is billed separately. For example, the Defender for Servers plan is charged per vCPU or per node, while Defender for SQL is charged per logical server or per database. Defender for Storage is billed per storage account, and Defender for App Service is billed per App Service plan. The total cost depends on the number and type of resources protected. There is also a multi-cloud connector that allows AWS and Google Cloud resources to be onboarded, with billing continuing per resource. The Secure Score is updated in real time as resources are assessed, and the recommendations help prioritize actions that improve security posture without necessarily increasing cost. However, the paid plans are required to get advanced threat detection and security alerts.
Exam questions often test the distinction between free and paid features, and how billing is calculated per resource type. For instance, a question might ask which Defender plan is needed to enable vulnerability scanning for VMs, or how to estimate cost for a mixed workload of servers, databases, and storage. Understanding that the free tier gives posture management only, while the paid plans add workload protection, is essential. Also note that some features like Alerts and Security Incidents are only available in the paid tier. Cost management is tracked in the Azure portal under Defender for Cloud Plans and Pricing, where you can enable or disable plans per subscription and see estimated costs. The exam also tests that enabling Defender for Cloud on a management group automatically applies to all child subscriptions, with billing aggregated. Finally, remember that the free tier is always enabled by default for Azure subscriptions, with no additional cost, so you always have basic security assessments running.
Defender for Cloud Resource States and Security Configurations
In Microsoft Defender for Cloud, every protected resource exists in one of several states that determine its security posture and available actions. The primary states are Healthy, Unhealthy, and Not Applicable. A resource is Healthy if all applicable security recommendations have been remediated for that resource. For example, a virtual machine that has all required security updates installed, has disk encryption enabled, and has just-in-time access configured would be marked Healthy. Conversely, an Unhealthy resource fails at least one security recommendation. The recommendations are generated by continuous assessment policies that compare resource configurations against built-in security benchmarks like the Azure Security Benchmark or CIS controls. The Not Applicable state occurs when a recommendation is not relevant to a specific resource type. For instance, a recommendation about SQL auditing would be Not Applicable for a virtual machine that doesn't run SQL Server.
The Secure Score is the aggregate measure of resource health across all recommendations. Each recommendation contributes a potential score increase if remediated. The score is calculated as a percentage of the total possible points. Resources in a Healthy state do not contribute to score improvement, while Unhealthy ones do. The Secure Score is used in exam questions to test understanding of how recommendations affect the score. For example, a question might ask what happens to the Secure Score when a recommendation is remediated for an unhealthy VM. The answer is that the score increases by the point value of that recommendation.
Another critical state is the compliance state for regulatory standards. Defender for Cloud can map recommendations to regulatory frameworks such as SOC 2, PCI DSS, ISO 27001, and FedRAMP. Each standard has its own compliance state: Compliant, Non-compliant, or Not applicable. A resource can be Healthy for Azure Security Benchmark but Non-compliant for PCI DSS if a specific PCI control is not met. This distinction is frequently tested in scenario-based questions. The adaptive application control feature creates a state of whitelisted vs. blocklisted applications, and the file integrity monitoring state shows baseline vs. current state changes. The just-in-time VM access state shows whether VM ports are open or locked. Understanding these states helps you answer exam questions about which resources are protected and how the Secure Score reflects remediation. Finally, the inventory blade in Defender for Cloud provides a real-time view of resource health states, and filters allow you to see only unhealthy resources or resources with high severity recommendations. This is a key tool for daily operations and exam scenarios about managing security posture.
Defender for Cloud Security Alerts and Incidents
Security alerts in Microsoft Defender for Cloud are generated when suspicious activities or known attack patterns are detected across your cloud workloads. These alerts are derived from telemetry collected by the various Defender plans and by Azure Monitor, Azure Sentinel, and third-party security tools. Alerts have severity levels: High, Medium, Low, and Informational. High severity alerts indicate a likely breach that requires immediate action, such as a detected malware execution, a suspicious logon from an unusual location, or a brute force attack that succeeded. Medium severity suggests potential compromise that should be investigated, like a failed logon attempt from a malicious IP. Low severity includes policy violations or misconfigurations that could be exploited. Informational alerts provide audit and anomaly data without immediate risk.
Defender for Cloud automatically correlates related alerts into Security Incidents. An incident is a collection of alerts that are part of the same attack chain. For example, if an attacker performs reconnaissance, then a brute force attempt, then a successful login, and then a data exfiltration, Defender for Cloud would combine these alerts into one incident with a timeline and kill chain diagram. The incident view gives security teams a single pane to investigate the full attack path. Incidents are only available in the paid tier. In the free tier, you see individual alerts but not the automated correlation.
Exam questions frequently test the difference between alerts and incidents. A question might ask: 'What is the primary difference between a security alert and a security incident in Defender for Cloud?' The correct answer is that an incident is a collection of related alerts that represent an attack chain. Another question could ask about severity levels: 'Which severity level indicates a confirmed compromise?' The answer is High. Alerts also include a 'compromised' or 'false positive' classification after investigation, which updates the alert state. The state of an alert can be New, Acknowledged, or Dismissed. New alerts need review, Acknowledged indicates you are working on it, and Dismissed means you resolved or deemed it unimportant.
Integration with Microsoft Sentinel (SIEM) allows forwarding alerts to Sentinel for advanced analysis and incident response. Defender for Cloud also supports automatic response using Azure Logic Apps and the 'Automated Response' feature, which can run a playbook when an alert fires. For example, you can automatically shut down a VM if a high severity alert occurs. This is a common exam scenario about automation. Also note that alerts are stored for 90 days in the Azure portal, but you can export them to Log Analytics for longer retention. Understanding alert lifecycle, severity, and incident correlation is essential for the SC-900, AZ-104, and industry certification exams that include Defender for Cloud.
Defender for Cloud Multi-Cloud and Hybrid Protection
Microsoft Defender for Cloud is not limited to Azure; it provides unified security management for Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises resources. This multi-cloud capability is a key differentiator and is heavily tested in exams like aws-cloud-practitioner, google-ace, and azure-fundamentals. To protect AWS resources, you deploy a multi-cloud connector in Defender for Cloud. This connector uses AWS CloudFormation or a similar template to create a role-based trust relationship between Azure and AWS. It then pulls AWS security findings from AWS Security Hub, AWS GuardDuty, and AWS Inspector, and presents them in the Defender for Cloud dashboard. Similarly, for GCP, you use a service account and the Security Command Center integration to bring in GCP findings.
The free CSPM tier covers posture management for AWS and GCP resources, such as checking S3 bucket permissions, VM instance configurations, and IAM policies. The paid Defender for Cloud plans also extend advanced threat protection to these environments. For example, Defender for Servers can protect EC2 instances by installing the Log Analytics agent and using Azure Arc to manage them. Security alerts generated on AWS or GCP resources appear alongside Azure alerts in the same portal. The multi-cloud dashboard shows coverage by cloud provider, Secure Score per cloud, and cross-cloud recommendations, such as enabling encryption at rest across all clouds.
For hybrid protection, on-premises servers can be onboarded using Azure Arc, which registers the server as a non-Azure machine in Defender for Cloud. Then you can enable Defender for Servers for that machine to get vulnerability assessments, just-in-time access, and file integrity monitoring. The Secure Score includes non-Azure servers if they are Arc-enabled and have the agent installed. This is critical for exam scenarios where a company has a mix of on-prem, Azure, AWS, and GCP resources. A question might ask: 'How can you protect an on-premises server with Defender for Cloud?' The answer is to install the Log Analytics agent and use Azure Arc.
Another exam-relevant concept is that multi-cloud features are available in the same Defender for Cloud plan pricing as Azure resources. That is, you pay per vCPU or per resource for the cloud provider. However, there are some limitations: some features like just-in-time access are only supported for Azure and Arc-enabled machines, not for native AWS or GCP VMs. Also, the regulatory compliance dashboard includes standards like CIS for AWS and GCP, so exam questions may ask which frameworks are available for non-Azure clouds. Overall, understanding that Defender for Cloud unifies security across multiple environments from one pane of glass is a foundational concept for the SC-900, AZ-104, and multi-cloud certification exams.
Troubleshooting Clues
Secure Score not increasing after remediation
Symptom: User remediates a recommendation but the Secure Score value does not change.
The Secure Score recalculates periodically (typically every 24 hours or when data is refreshed). Also, some recommendations have a grace period or require all linked resources to be healthy before the score changes.
Exam clue: Exam questions may ask why the Secure Score doesn't update immediately, testing understanding of periodic calculation and caching.
No security alerts appearing
Symptom: After enabling Defender for Cloud, no alerts are generated even when known malicious activity occurs.
Either the auto-provisioning of the Log Analytics agent is disabled (so no telemetry is collected), or the relevant Defender plan (e.g., Defender for Servers) is not enabled. Also, alerts are only generated for paid tiers.
Exam clue: Common exam scenario: a user enables Defender for Cloud but no alerts; the cause is missing auto-provisioning or the free tier.
Cannot onboard AWS resources
Symptom: Attempting to enable the multi-cloud connector for AWS gives an error about missing permissions or deployment failure.
The IAM role in AWS must have specific permissions (e.g., SecurityAudit, GuardDuty findings access). The CloudFormation template might fail if not deployed in the correct region or if the AWS account lacks sufficient privileges.
Exam clue: Exam questions about multi-cloud setup often test that the IAM role requires read access to AWS Security Hub and GuardDuty.
Recommendation shows 'Not Applicable' incorrectly
Symptom: A recommendation like 'Enable disk encryption' shows as 'Not Applicable' for a VM that actually has unencrypted disks.
Defender for Cloud might not have the correct resource type. For example, if the VM is using premium SSDs that are not compatible with certain encryption methods, or the VM is in a stopped state, some assessments are skipped.
Exam clue: Exam questions test that 'Not Applicable' can occur due to unsupported resource configurations or maintenance mode.
Regulatory compliance dashboard shows zero standards
Symptom: The regulatory compliance blade in Defender for Cloud shows no standards or all standards are empty.
Regulatory compliance standards must be explicitly added to the subscription. Also, if no assessments are mapped to a standard, it shows zero progress. The free tier only includes Azure Security Benchmark by default.
Exam clue: A question might ask why PCI DSS is not visible; answer: you need to add it via the regulatory compliance settings.
Just-in-time VM access not working
Symptom: User enables just-in-time VM access but cannot connect via RDP or SSH even after requesting access.
The just-in-time policy may not be properly configured to open the correct port (3389 for RDP, 22 for SSH). Also, the request must be approved, and network security groups (NSGs) or Azure Firewall might block the traffic.
Exam clue: Exam questions often test that just-in-time access requires the NSG to be managed by Defender for Cloud and that the user must be in the approver role.
Agent installation fails on Linux servers
Symptom: The Log Analytics agent fails to install on Linux servers via Azure Arc, showing 'dependency not satisfied' errors.
The Linux server must have certain dependencies like Python 2.x, curl, and openssl. Also, the agent may not support older kernel versions (e.g., RHEL 6).
Exam clue: Exam questions may ask about prerequisites for the Log Analytics agent on Linux, testing knowledge of required packages and supported OS versions.
Alerts not forwarding to Microsoft Sentinel
Symptom: After configuring data connector from Defender for Cloud to Sentinel, alerts do not appear in Sentinel.
The data connector must be enabled in Sentinel under 'Data connectors', and the correct subscription must be selected. Also, alerts are only forwarded if they are in 'Active' or 'New' state, not 'Dismissed'.
Exam clue: An exam question might ask why alerts are missing in Sentinel; answer: the connector needs to be configured per subscription and state filters apply.
Memory Tip
Think 'CSPM + CWPP = Defender for Cloud' – Cloud Security Posture Management tells you what's wrong, Cloud Workload Protection catches the attacks.
Learn This Topic Fully
This glossary page explains what Defender for Cloud means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CS0-003CompTIA CySA+ →ACEGoogle ACE →CDLGoogle CDL →AZ-104AZ-104 →SC-900SC-900 →AZ-900AZ-900 →CLF-C02CLF-C02 →SAA-C03SAA-C03 →DVA-C02DVA-C02 →220-1102CompTIA A+ Core 2 →MS-900MS-900 →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Quick Knowledge Check
1.Which Defender for Cloud tier provides advanced threat detection and security alerts for virtual machines?
2.A security administrator notices that the Secure Score has not changed after remediating several high-priority recommendations. What is the most likely cause?
3.When protecting a Linux on-premises server with Defender for Cloud, what must be installed first to enable vulnerability scanning and alerts?
4.A user sees a security alert with severity 'Medium' for a failed login attempt from an unusual IP address. Which classification best describes this alert?
5.In Defender for Cloud, what is the primary purpose of a security incident?
Frequently Asked Questions
Is Defender for Cloud free?
Defender for Cloud has a free foundational tier that provides secure score, recommendations, and Azure Policy integration. Paid plans for advanced threat detection (e.g., Defender for Servers) incur additional costs based on the number of resources.
Can Defender for Cloud protect my on-premises servers?
Yes. You can install the Log Analytics agent on on-premises servers and connect them to a Log Analytics workspace. Defender for Cloud will then monitor those servers as hybrid resources.
Does Defender for Cloud replace Azure Policy?
No. Defender for Cloud uses Azure Policy to define security initiatives and evaluate compliance, but Azure Policy is a broader tool that can enforce any kind of rule. They work together.
How often does Defender for Cloud update the secure score?
The secure score is updated almost in real time. When you apply a recommendation, the score typically reflects the change within minutes. However, some assessments may take hours to complete.
What is the difference between a security alert and a recommendation?
A recommendation is advice to improve your security posture (e.g., enable encryption). A security alert indicates an active or suspected threat that requires investigation (e.g., a suspicious login attempt).
Do I need Microsoft Sentinel if I have Defender for Cloud?
Not necessarily. Defender for Cloud handles posture and workload threat detection. Sentinel is for advanced SIEM, cross-environment log correlation, and automated incident response. Many organizations use both.
Can Defender for Cloud prevent zero-day exploits?
It can help detect unusual behavior that may indicate a zero-day exploit using behavioral analytics and machine learning. However, it is not a guarantee. Maintaining up-to-date patching and using defense-in-depth is essential.
Summary
Microsoft Defender for Cloud is an essential tool for anyone managing cloud security, especially in Microsoft Azure environments. It combines two critical functions: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWPP). The CSPM side gives you a continuous assessment of your security configuration through a secure score and actionable recommendations. The CWPP side provides real-time threat detection for workloads like VMs, databases, storage, and containers, covering Azure, on-premises, and even multi-cloud setups like AWS and Google Cloud.
Understanding Defender for Cloud is crucial for IT professionals pursuing certifications like SC-900, AZ-104, or AZ-500. Exam questions often test your ability to differentiate it from other security services like Microsoft Sentinel or Azure Policy. You should be comfortable with the concepts of secure score, security alerts, just-in-time VM access, adaptive application controls, and the compliance dashboard. Practical knowledge of enabling plans and interpreting recommendations matters more than memorizing product names.
In the real world, Defender for Cloud helps organizations reduce their attack surface, meet compliance requirements, and respond to threats faster. It is not a silver bullet, but it provides the visibility and automation needed to keep cloud workloads secure in a dynamic environment. As cloud adoption grows, expertise in tools like Defender for Cloud will become increasingly valuable for security administrators, cloud architects, and IT managers.