This chapter covers Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) as it relates to architecture decisions for the AZ-305 exam. You will learn how Defender for Cloud provides unified security management, threat protection, and compliance assessment across Azure, on-premises, and other clouds. Approximately 10-15% of AZ-305 questions touch on security monitoring and protection tools, with Defender for Cloud being a key component. Understanding its capabilities, pricing tiers, and integration points is critical for designing secure Azure solutions.
Imagine a large office building with multiple floors, each floor representing a different Azure resource (VMs, databases, storage accounts). The building has a central security office (Microsoft Defender for Cloud) that monitors every entrance, hallway, and room through cameras and sensors. The security team receives a live feed of all activities, analyzes patterns for suspicious behavior, and can automatically lock down areas if a breach is detected. They also conduct periodic walkthroughs to check for unlocked doors (vulnerability assessments) and ensure compliance with building codes (regulatory compliance). The team provides a prioritized list of issues to fix, and can even trigger automatic responses like closing a door or calling the police (automated remediation). This mirrors how Defender for Cloud continuously assesses, secures, and defends Azure resources by providing unified security management and threat protection across hybrid and multi-cloud workloads.
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that provides unified security management across Azure, on-premises, and multi-cloud environments (AWS and GCP). It assesses resources for vulnerabilities, enforces security policies, and provides threat detection and response. The service is natively integrated into Azure and can be enabled at the subscription or resource level.
Key Capabilities and Why They Exist
Defender for Cloud addresses two primary security needs:
- Security posture management: Continuously assess resources against built-in or custom security policies (e.g., CIS, NIST, Azure Security Benchmark). Provides a secure score that quantifies your security posture.
- Threat protection: Detect and respond to threats using advanced analytics, Microsoft Threat Intelligence, and integration with Microsoft Sentinel.
How It Works Internally
Defender for Cloud uses the following mechanisms:
- Data collection: The Log Analytics agent (or Azure Monitor Agent) collects security-relevant data from VMs (event logs, syslog, performance counters). For PaaS services (e.g., SQL, Storage), telemetry is collected via Azure resource logs.
- Assessment engine: The engine evaluates resources against enabled policies. For example, a policy might check that VMs have just-in-time (JIT) network access enabled. Each policy has built-in logic that produces a compliance state: Compliant, Non-compliant, or Unknown.
- Secure score: Each control (group of policies) contributes points to the secure score. The score is calculated as a percentage of achieved points out of total possible points. For example, enabling MFA on all accounts might give 10 points out of 10.
- Threat detection: Uses behavioral analytics, machine learning, and signature-based detection. For example, a VM communicating with a known malicious IP triggers an alert. The detection rules are updated via Microsoft Threat Intelligence.
Key Components, Values, and Defaults
- Defender for Cloud plans:
  - Defender CSPM (Free): Basic secure score, policy assessment, and regulatory compliance. No threat protection.
  - Defender for Cloud (Paid): Includes CSPM plus workload protection plans. Each plan covers specific resource types: Servers, App Service, Databases (SQL, Cosmos DB), Storage, Key Vault, Kubernetes, Container Registries, etc. Pricing is per resource per hour (e.g., ~$15/node/month for servers, ~$0.015/GB/month for storage).
- Secure score: Ranges from 0% to 100%. Default target is 100%, but you can set a custom target.
- Policy initiatives: By default, the Azure Security Benchmark is assigned. You can add custom initiatives.
- Data retention: Security alerts are retained for 90 days. Raw logs depend on Log Analytics retention (default 30 days).
- Integration with Microsoft Sentinel: Alerts can be streamed to Sentinel for SIEM capabilities.
Configuration and Verification
Enable Defender for Cloud at the subscription level. Set-AzSecurityPricing acts on the current subscription, and its -Name parameter takes a plan name rather than a subscription ID, so select the subscription first:
# Enable Defender for Cloud on a subscription: select the subscription, then set plan pricing tiers
Set-AzContext -Subscription "<subscriptionId>"
Enable specific plans (the Servers plan is named "VirtualMachines"):
# Move the Servers plan to the paid (Standard) tier on the current subscription
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"
Check current security posture:
az security secure-scores list
View alerts:
az security alert list
Interaction with Related Technologies
Azure Policy: Defender for Cloud uses Azure Policy to enforce security controls. When you enable a policy initiative in Defender for Cloud, it creates policy assignments.
Azure Monitor: Alerts from Defender for Cloud can be sent to Azure Monitor for further processing or integration with ITSM tools.
Microsoft Sentinel: For advanced SIEM and SOAR, stream Defender for Cloud alerts to Sentinel. This is a common architecture for large enterprises.
Azure Arc: Extends Defender for Cloud to on-premises and other clouds by enabling Azure Arc on those servers.
Key Defaults and Timers
Secure score refresh: The score is recalculated approximately every 15 minutes.
Policy evaluation: Non-compliance is reported within 30 minutes of resource change.
Alert generation: Most alerts are generated within 5 minutes of detection.
Data collection for VMs: The Log Analytics agent sends data every 5-10 minutes by default. You can configure collection frequency.
Exam-Relevant Details
The free tier (Defender CSPM) provides only security posture management and recommendations. Threat detection requires a paid plan.
Regulatory compliance dashboard is available in both tiers, but the paid tier adds continuous monitoring and additional standards.
Just-in-time (JIT) VM access is a feature of the paid plan that reduces attack surface by locking down inbound traffic to VMs.
Adaptive application controls use machine learning to allowlist known safe applications and block others.
File integrity monitoring (FIM) monitors changes to critical files and registry keys.
Vulnerability assessment for VMs uses the integrated Qualys scanner or Microsoft Defender for Cloud's built-in scanner.
Container security includes image scanning in Azure Container Registry and runtime protection for AKS clusters.
Common Misconfigurations
Enabling only the free tier when threat protection is required.
Not installing the Log Analytics agent on hybrid machines, leading to missing assessments.
Overlooking the need to enable specific plans per resource type (e.g., enabling only servers but not databases).
Not integrating with Sentinel for centralized incident response.
Enable Defender for Cloud on subscription
Navigate to Microsoft Defender for Cloud in the Azure portal and select 'Environment settings'. Choose your subscription and toggle the 'Defender for Cloud' plan to 'On'. This activates the free tier (Defender CSPM). To enable paid plans, you must select individual plans (e.g., Servers, SQL) and set their pricing tier to 'Standard'. At this point, the service begins assessing resources against built-in policies. The secure score will appear within 15 minutes.
Install Log Analytics agent on VMs
For VMs, the Log Analytics agent must be installed to collect security events, syslog, and performance data. In the portal, under 'Auto-provisioning', you can enable automatic installation for new VMs. For existing VMs, you can install via the 'Vulnerability assessment' blade. The agent sends data to a Log Analytics workspace (default created in the same region as the VM). Without the agent, many security recommendations (e.g., missing system updates) will not be generated.
Review and implement security recommendations
Defender for Cloud generates a list of recommendations based on policy evaluation. Each recommendation has a severity (High, Medium, Low) and a 'Fix' option for automated remediation. For example, 'MFA should be enabled on accounts with owner permissions on your subscription' can be fixed by enabling Azure AD Conditional Access. The secure score increases as you remediate. Prioritize high-severity recommendations first.
Enable workload protection plans
To get threat detection, go to 'Environment settings' > select subscription > 'Defender plans'. Toggle on specific plans such as 'Servers', 'SQL servers on machines', 'Storage', 'Key Vault', etc. Each plan has a cost. For example, enabling 'Servers' costs approximately $15/node/month. Without these plans, you only get posture management. After enabling, threat detection rules become active within minutes.
Configure security alerts and automation
When a threat is detected, an alert appears in the 'Security alerts' blade. You can view details, classify (true positive/benign), and suppress. For automated response, use 'Workflow automation' to trigger a Logic App (e.g., send email, create ticket). Alerts can also be streamed to Microsoft Sentinel via continuous export. Ensure that alerts are integrated with your incident response process.
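Added example, not code from the page or from Microsoft: a small Python audit over the kind of JSON the commands in "Configuration and Verification" return. It flags required plans still on the Free tier (the misconfiguration called out under "Enable workload protection plans") and computes the secure score from per-control points as described under "How It Works Internally". The JSON shapes, the plan names other than VirtualMachines, and all sample values are constructed assumptions.

```python
import json

# Constructed sample shaped like `az security pricing list -o json` output (assumption):
# one entry per Defender plan with its pricing tier. Plan names follow Set-AzSecurityPricing;
# "VirtualMachines" is the page's example, the other names are assumed here.
PRICING_JSON = """[
  {"name": "VirtualMachines", "pricingTier": "Standard"},
  {"name": "SqlServers", "pricingTier": "Standard"},
  {"name": "SqlServerVirtualMachines", "pricingTier": "Free"},
  {"name": "StorageAccounts", "pricingTier": "Free"},
  {"name": "KeyVaults", "pricingTier": "Standard"}
]"""

# Constructed sample of secure-score controls: points achieved vs. maximum per control.
CONTROLS_JSON = """[
  {"displayName": "Enable MFA", "current": 10, "max": 10},
  {"displayName": "Apply system updates", "current": 2, "max": 6},
  {"displayName": "Secure management ports", "current": 4, "max": 8},
  {"displayName": "Remediate vulnerabilities", "current": 0, "max": 6}
]"""

# Plans the hybrid scenario needs on the paid tier to get threat detection.
REQUIRED_PLANS = frozenset({"VirtualMachines", "SqlServers", "SqlServerVirtualMachines",
                            "StorageAccounts", "KeyVaults"})


def plans_left_free(pricing_json, required=REQUIRED_PLANS):
    """Required plans that are not on the Standard (paid) tier. A plan missing from
    the output is treated as Free: no plan record means no workload protection."""
    tiers = {p["name"]: p["pricingTier"] for p in json.loads(pricing_json)}
    return sorted(name for name in required if tiers.get(name, "Free") != "Standard")


def secure_score(controls_json):
    """Secure score = achieved points / total possible points * 100, to one decimal."""
    controls = json.loads(controls_json)
    achieved = sum(c["current"] for c in controls)
    possible = sum(c["max"] for c in controls)
    return 0.0 if possible == 0 else round(achieved / possible * 100, 1)


def remediation_order(controls_json):
    """Controls ordered by points still unclaimed (largest gain first), ties by name."""
    controls = json.loads(controls_json)
    return [c["displayName"] for c in
            sorted(controls, key=lambda c: (c["current"] - c["max"], c["displayName"]))]


if __name__ == "__main__":
    print("Plans still on the Free tier:", plans_left_free(PRICING_JSON))
    print("Secure score:", secure_score(CONTROLS_JSON), "%")
    print("Remediate in this order:", remediation_order(CONTROLS_JSON))
```

To run it against a real subscription, feed the script the saved output of `az security pricing list -o json` in place of the constructed sample.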
Scenario 1: Enterprise Hybrid Cloud Security
A large financial services company runs 500 VMs in Azure and 200 on-premises servers. They need unified security posture management and threat detection. They enable Defender for Cloud on the Azure subscription and install the Log Analytics agent on all VMs (including on-prem via Azure Arc). They enable the 'Servers' plan for threat detection. They also enable 'SQL servers on machines' to protect their on-prem SQL databases. The secure score starts at 40%. They prioritize high-severity recommendations: enabling MFA, applying just-in-time VM access, and installing system updates. Within a month, the score reaches 75%. Alerts are streamed to Microsoft Sentinel for SOC analysts. One challenge: on-prem servers require Azure Arc to be enabled, which adds a small management overhead. Performance impact is minimal (agent uses ~1% CPU). Misconfiguration: initially they forgot to enable the 'SQL servers on machines' plan, leaving databases unprotected.
Scenario 2: Multi-Cloud Security Posture
A tech startup uses AWS and Azure. They want a single pane of glass for security. They enable Defender for Cloud on Azure and connect their AWS account using the connector feature (requires AWS IAM roles). Defender for Cloud assesses AWS resources (EC2, S3, IAM) against Azure Security Benchmark. They get a unified secure score across both clouds. They enable the paid plan for Azure VMs but only use free CSPM for AWS. They find that AWS recommendations are limited compared to Azure (e.g., no threat detection for AWS). For full protection, they consider using third-party tools for AWS. Common mistake: assuming Defender for Cloud provides equal protection for AWS as Azure; it only provides posture assessment, not threat detection.
Scenario 3: Compliance-Driven Architecture
A healthcare organization must comply with HIPAA. They enable Defender for Cloud and assign the HIPAA HITRUST initiative. The regulatory compliance dashboard shows compliance status for each control. They enable continuous monitoring (paid plan) to get real-time compliance assessments. They use the secure score to track progress. They integrate with Azure Policy to enforce encryption at rest and in transit. A common issue: the built-in HIPAA initiative may not cover all requirements, so they must add custom policies. They also enable workload protection for their Azure SQL databases to detect SQL injection attempts. Performance: no noticeable impact on database performance.
What AZ-305 Tests on This Topic
AZ-305 objective 1.2 focuses on designing identity governance solutions, which includes security monitoring and protection. Defender for Cloud is tested in the context of:
- Designing a security monitoring solution (objective 1.2.3)
- Designing for security posture management (objective 1.2.4)
- Designing for workload protection (objective 1.2.5)
Common Wrong Answers and Why
'Defender for Cloud free tier provides threat detection' – Wrong. The free tier only provides posture management and recommendations. Threat detection requires paid plans.
'Defender for Cloud can replace Microsoft Sentinel' – Wrong. Defender for Cloud is a CSPM/CWPP; Sentinel is a SIEM/SOAR. They complement each other. Sentinel ingests alerts from Defender for Cloud.
'Just-in-time VM access is available in the free tier' – Wrong. JIT is a paid feature.
'Defender for Cloud protects on-premises servers without additional setup' – Wrong. On-prem servers require Azure Arc and the Log Analytics agent.
Specific Numbers and Terms
Secure score range: 0% to 100%.
Default policy initiative: Azure Security Benchmark.
Pricing: ~$15/node/month for servers; ~$0.015/GB/month for storage.
Alert retention: 90 days.
Data collection interval: 5-10 minutes.
Supported clouds: Azure, AWS, GCP (via connectors).
Edge Cases and Exceptions
Multi-cloud: Only posture assessment for AWS/GCP; no threat detection.
Containers: Defender for Cloud can protect AKS clusters, but requires Azure Policy for Kubernetes add-on.
Serverless: Azure Functions can be protected via App Service plan.
Regulatory compliance: The free tier provides a snapshot; paid tier provides continuous monitoring.
How to Eliminate Wrong Answers
If a question asks about 'threat detection', the answer must involve a paid plan.
If a question mentions 'unified security management across hybrid and multi-cloud', the answer is likely Defender for Cloud.
If a question asks about 'SIEM', the answer is Sentinel, not Defender for Cloud.
Remember that secure score is a percentage; recommendations improve it.
Defender for Cloud free tier = posture management only; paid tier adds threat protection.
Secure score is calculated from achieved points out of total possible points (0-100%).
Default policy initiative is Azure Security Benchmark; custom initiatives can be added.
On-premises servers require Azure Arc and Log Analytics agent for protection.
AWS and GCP connectors only provide posture assessment, not threat detection.
JIT VM access is a paid feature that reduces attack surface by locking down inbound traffic.
Defender for Cloud alerts are retained for 90 days; integrate with Sentinel for SIEM.
Pricing: ~$15/node/month for servers; ~$0.015/GB/month for storage.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Cloud (Free - CSPM)
Provides secure score and security recommendations
Includes regulatory compliance dashboard (snapshot)
No threat detection or alerts
No just-in-time VM access or adaptive controls
No vulnerability assessment for VMs
Defender for Cloud (Paid - CWPP)
Includes all free features plus threat detection
Continuous regulatory compliance monitoring
Generates security alerts for detected threats
Includes just-in-time VM access, adaptive application controls, FIM
Provides built-in vulnerability assessment (Qualys or Microsoft)
Mistake
Defender for Cloud free tier includes threat detection for VMs.
Correct
The free tier (Defender CSPM) only provides security posture management, secure score, and policy compliance. Threat detection requires enabling paid plans (e.g., Defender for Servers).
Mistake
Defender for Cloud can replace Microsoft Sentinel.
Correct
Defender for Cloud is a CSPM/CWPP tool, while Sentinel is a SIEM/SOAR. Sentinel ingests alerts from Defender for Cloud and other sources for advanced correlation and incident response. They are complementary.
Mistake
Just-in-time (JIT) VM access is available in the free tier.
Correct
JIT VM access is a feature of the paid Defender for Servers plan. The free tier does not include JIT or any adaptive controls.
Mistake
Defender for Cloud automatically protects on-premises servers without any setup.
Correct
On-premises servers require Azure Arc to be enabled and the Log Analytics agent installed. Only then can Defender for Cloud assess and protect them.
Mistake
Defender for Cloud provides equal threat protection for AWS and GCP as it does for Azure.
Correct
For AWS and GCP, Defender for Cloud only provides security posture assessment (CSPM) using the free tier. Threat detection (CWPP) is not available for non-Azure workloads.
The free tier (Defender CSPM) provides security posture management: secure score, recommendations, and regulatory compliance snapshot. The paid tier adds workload protection plans (e.g., Servers, SQL, Storage) that include threat detection, vulnerability assessment, just-in-time VM access, and adaptive application controls. For the exam, remember that threat detection requires a paid plan.
Yes, but only if the servers are connected via Azure Arc and have the Log Analytics agent installed. Once connected, they appear in Defender for Cloud and can be assessed and protected like Azure VMs. Without Azure Arc, on-prem servers are not visible.
Defender for Cloud can stream security alerts to Microsoft Sentinel via the 'Continuous export' feature or by connecting the Defender for Cloud data connector. Sentinel then correlates these alerts with other data sources for advanced threat hunting and incident response. This integration is a common architectural pattern for enterprise security operations.
The secure score is a percentage that measures your security posture based on how many controls (groups of recommendations) you have satisfied. Each control has a maximum number of points. For example, enabling MFA might give 10 points. Your score is (achieved points / total possible points) * 100. The score refreshes every 15 minutes.
Yes, Defender for Cloud can connect to AWS and GCP accounts using connectors. However, it only provides security posture assessment (CSPM) for these clouds, not threat detection. For AWS, you need to configure IAM roles; for GCP, you need a service account. This is a common exam scenario.
JIT VM access is a feature of the paid Defender for Servers plan that locks down inbound traffic to VMs by default. Users request access through the portal or API, and rules are temporarily created in the NSG to allow traffic for a specified duration (default 3 hours). This reduces the attack surface.
In the paid tier, you can enable the built-in vulnerability assessment (powered by Qualys) or use Microsoft Defender for Cloud's own scanner. This is done via the 'Vulnerability assessment' blade. The scanner runs weekly and provides a list of vulnerabilities with remediation steps.