AZ-500 | Chapter 26 of 103 | Objective 4.1

Microsoft Defender for Servers

This chapter covers Microsoft Defender for Servers, a critical component of Microsoft Defender for Cloud that provides advanced threat protection for your Azure, on-premises, and other cloud virtual machines. For the AZ-500 exam, this topic appears in approximately 10-15% of questions under Security Operations (Objective 4.1), focusing on deployment, configuration, and integration with other security services. Mastering Defender for Servers is essential for understanding how Microsoft's unified security platform protects hybrid workloads and how to leverage its capabilities for threat detection, vulnerability management, and compliance.

25 min read
Intermediate
Updated May 31, 2026

Defender for Servers as a Building Security System

Imagine a corporate office building with multiple floors and rooms (servers). A traditional security guard at the entrance checks IDs (antivirus) but cannot see inside rooms or detect unusual activity. Microsoft Defender for Servers is like installing a comprehensive security system: motion sensors in every room (file integrity monitoring), cameras that record all movements (audit logging), a central monitoring station that correlates alarms (Microsoft Sentinel integration), and a security team that can remotely lock doors or shut down HVAC (adaptive application controls and just-in-time VM access). The system learns normal patterns—like which employees enter which rooms at what times—and raises alerts when something deviates, such as an unknown person entering a server room at 3 AM (anomaly detection). It also automatically applies patches to weak locks (vulnerability assessment) and provides a dashboard for the security director to see the entire building's status at a glance (Microsoft Defender for Cloud dashboard). Just as a building security system integrates alarms, cameras, and access control, Defender for Servers unifies multiple security layers into a single, cloud-delivered solution.

How It Actually Works

What is Microsoft Defender for Servers?

Microsoft Defender for Servers is a cloud-delivered, integrated security solution that extends Microsoft Defender for Cloud's capabilities to protect Windows and Linux servers. It provides advanced threat detection, vulnerability management, and security hardening for servers running in Azure, on-premises, or in other clouds (AWS, GCP). Defender for Servers is not a standalone product; it is enabled as a plan within Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender).

Why It Exists

Traditional endpoint protection (antivirus) is insufficient against modern, sophisticated attacks that exploit misconfigurations, unpatched vulnerabilities, and weak credentials. Defender for Servers addresses this by layering multiple detection and prevention capabilities:

File Integrity Monitoring (FIM): Tracks changes to critical files, registries, and system settings.

Adaptive Application Controls (AAC): Whitelists allowed applications and blocks unknown executables.

Just-In-Time (JIT) VM Access: Reduces attack surface by locking down inbound traffic to VMs.

Vulnerability Assessment (VA): Scans for missing patches and misconfigurations using Qualys or Microsoft's built-in scanner.

Network Security: Integrates with Azure Firewall and NSGs for traffic inspection.

Threat Detection: Uses behavioral analytics, machine learning, and threat intelligence to detect attacks in real time.

How It Works Internally

Defender for Servers operates through the Log Analytics Agent (or Azure Monitor Agent) installed on each VM. The agent collects security-related events, such as process creation, network connections, file changes, and registry modifications. These events are sent to the Log Analytics workspace associated with the Defender for Cloud subscription. The security engine analyzes the data using:

Behavioral analytics: Establishes baselines of normal activity and flags deviations.

Machine learning models: Trained on millions of signals to identify malicious patterns.

Threat intelligence feeds: Microsoft's global threat intelligence network provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).

When suspicious activity is detected, Defender for Cloud generates a security alert. Alerts are categorized by severity (Low, Medium, High, Critical) and include details such as the affected resource, the attack vector, and recommended remediation steps. Alerts can be viewed in the Defender for Cloud dashboard, exported to Microsoft Sentinel for SIEM integration, or used to trigger automated responses via Azure Logic Apps.

Key Components and Defaults

- Log Analytics Agent (MMA): Default port 443 for communication with Azure. Heartbeat every 5 minutes. Required for most Defender for Servers features except vulnerability assessment (which can use the Qualys cloud agent).
- Defender for Cloud Pricing Tiers:
  - Free tier (Defender for Cloud without enhanced security): Provides only security recommendations and a secure score.
  - Enhanced security (Defender for Servers Plan 1 or Plan 2): Enables all threat detection capabilities. Plan 1 includes foundational features like JIT, FIM, and adaptive application controls. Plan 2 adds advanced features such as fileless attack detection, brute-force protection, and host-based firewall rules.
- Vulnerability Assessment: By default, uses the integrated Qualys scanner. No additional license required. Scans run automatically on a schedule (default: every 12 hours) or on demand. Results appear in the Defender for Cloud recommendations.
- File Integrity Monitoring: Monitors critical system files and registry keys (e.g., Windows Registry hives, Linux /etc/passwd). Default monitoring includes changes to file attributes, content, and permissions.
- Adaptive Application Controls: Requires at least 14 days of telemetry to establish a baseline. After learning, it generates a whitelist of known-safe executables. Administrators can fine-tune the rules.
- Just-In-Time VM Access: Opens ports (default: 3389 for RDP, 22 for SSH) only when requested by an authorized user. Requests are logged and approved via Azure RBAC. The port is opened for a configurable duration (default: 3 hours).

Configuration and Verification

Enable Defender for Servers on a subscription via Azure portal:

Navigate to Microsoft Defender for Cloud > Environment settings > Select subscription > Defender plans > Servers > Select Plan 1 or Plan 2 > Save.

To enable on a single VM, use the Defender for Cloud recommendations page. For automated deployment, use Azure Policy:

Deploy 'Configure Microsoft Defender for Servers to be enabled' policy initiative.

Verify agent installation:

# On Linux VM
sudo /opt/microsoft/omsagent/bin/omsadmin.sh -l

# On Windows VM
# Check service: 'HealthService' (Log Analytics agent) or 'AzureMonitorAgent' (AMA)

Check security events in Log Analytics:

SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by EventID
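As an added example (not from the original page), the same enable-and-verify procedure done from Az PowerShell instead of the portal. It assumes the Az.Security and Az.OperationalInsights modules and a signed-in session (Connect-AzAccount); <WORKSPACE-ID> is a placeholder for the workspace's customer ID. The heartbeat check goes one step beyond the page's query: it lists machines that have missed three consecutive 5-minute heartbeats, i.e. the VMs that currently have no working agent.

```powershell
# Added example: enable Defender for Servers on the current subscription and
# verify agent coverage. Requires Az.Security and Az.OperationalInsights.

# 1. Enable the Servers plan. 'VirtualMachines' is the pricing name for
#    Defender for Servers and 'Standard' is the enhanced-security tier;
#    SubPlan picks P1 (foundational) or P2 (adds Defender for Endpoint).
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan 'P2'

# 2. Verify. 'Free' would mean recommendations and secure score only,
#    with none of the threat detection features the chapter describes.
$plan = Get-AzSecurityPricing -Name 'VirtualMachines'
if ($plan.PricingTier -ne 'Standard') {
    throw 'Defender for Servers is still on the Free tier'
}
"Servers plan: $($plan.PricingTier) $($plan.SubPlan)"

# 3. Auto-provisioning, so new VMs receive the monitoring agent without
#    anyone having to act on the 'Install monitoring agent' recommendation.
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision

# 4. Agent coverage. The agent heartbeats every 5 minutes, so a machine that
#    has been silent for 15 minutes has missed three heartbeats in a row and
#    is not being monitored, whatever the plan says.
$workspaceId = '<WORKSPACE-ID>'   # placeholder: Log Analytics workspace customer ID (GUID)
$kql = @'
Heartbeat
| summarize LastBeat = max(TimeGenerated) by Computer
| where LastBeat < ago(15m)
| project Computer, LastBeat, MinutesSilent = datetime_diff('minute', now(), LastBeat)
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$stale = @($result.Results)
if ($stale.Count -eq 0) {
    'All monitored machines reported a heartbeat in the last 15 minutes'
} else {
    "Machines with a stale agent heartbeat: $($stale.Count)"
    $stale | Format-Table Computer, LastBeat, MinutesSilent
}
```

Machines listed by the last step need the agent repaired before any of FIM, AAC or JIT can be trusted on them.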

Integration with Related Technologies

Defender for Servers integrates tightly with:

Microsoft Sentinel: Security alerts can be streamed to Sentinel for advanced correlation and incident response.

Azure Policy: Enforce Defender for Servers deployment across subscriptions using built-in policies.

Azure Automation: Use runbooks to respond to alerts automatically (e.g., isolate a VM).

Microsoft Defender for Endpoint: Plan 2 of Defender for Servers includes Microsoft Defender for Endpoint for servers (formerly ATP), providing endpoint detection and response (EDR) capabilities.

Azure Firewall and NSGs: JIT VM access automatically modifies NSG rules to allow traffic; Azure Firewall can inspect traffic to VMs.

Trap Patterns for the Exam

Common wrong answers on AZ-500:

1. Confusing Defender for Servers with Microsoft Defender for Cloud: The exam may ask which plan enables a specific feature. Remember: Defender for Servers is a plan within Defender for Cloud, not a separate product.

2. Assuming all features require the Log Analytics agent: Vulnerability assessment using Qualys does not require the agent; it uses a cloud-based scanner. However, FIM, AAC, and JIT require the agent.

3. Mixing up Plan 1 and Plan 2 features: Plan 1 includes JIT, FIM, and adaptive application controls. Plan 2 adds Microsoft Defender for Endpoint integration, fileless attack detection, and brute-force protection.

4. Forgetting that JIT modifies NSGs: JIT works by creating allow rules in the NSG for the requested port and source IP. It does not modify the VM's guest firewall.

5. Believing that vulnerability assessment requires a separate license: The integrated Qualys scanner is included with Defender for Servers (both plans). No additional Qualys license is needed.

Specific Numbers and Values to Memorize

Default scan interval for vulnerability assessment: every 12 hours.

Default JIT request duration: 3 hours.

Log Analytics agent heartbeat interval: 5 minutes.

Minimum telemetry period for adaptive application controls to generate baseline: 14 days.

Defender for Servers Plan 2 includes Microsoft Defender for Endpoint for servers.

File Integrity Monitoring tracks changes to critical files and registry keys; default monitored paths include Windows system32 and Linux /etc.

Walk-Through

1. Enable Defender for Servers Plan

Navigate to Microsoft Defender for Cloud in the Azure portal. Under 'Environment settings', select the target subscription or management group. Click on 'Defender plans' and toggle the 'Servers' plan to On. Choose either Plan 1 (foundational) or Plan 2 (advanced). Plan 2 includes endpoint detection and response (EDR) via Microsoft Defender for Endpoint. After saving, the plan is active for all current and future VMs in that scope. This step enables the underlying security monitoring infrastructure.

2. Install Log Analytics Agent on VMs

The Log Analytics agent (or Azure Monitor Agent) is required for most Defender for Servers features. For new VMs, you can enable auto-provisioning in Defender for Cloud settings. For existing VMs, use the 'Install monitoring agent on your machines' recommendation. The agent connects to the Log Analytics workspace associated with the subscription. It sends security events, performance data, and change tracking information every few minutes. Without the agent, features like FIM, AAC, and JIT will not function.

3. Configure Vulnerability Assessment

By default, Defender for Servers uses the integrated Qualys vulnerability scanner. No additional configuration is needed; it starts scanning automatically within 24 hours of enabling the plan. Scans run every 12 hours. Results appear as recommendations in Defender for Cloud (e.g., 'Vulnerabilities in your virtual machines should be remediated'). You can also trigger on-demand scans via the API or PowerShell. For Linux VMs, the scanner requires Python and the OMS agent.

4. Enable File Integrity Monitoring (FIM)

FIM tracks changes to critical system files, registries, and configuration files. Enable it per VM or via policy. In the Azure portal, go to Defender for Cloud > Workload protections > File Integrity Monitoring. Select a VM and enable monitoring. You can customize which files and registry keys to monitor. The agent collects baseline snapshots and then reports changes. Alerts are generated for suspicious modifications (e.g., changes to /etc/passwd). FIM uses the Log Analytics agent and writes to the ChangeTracking table.

5. Configure Adaptive Application Controls (AAC)

AAC creates whitelisting rules to allow only known-safe applications to run. After enabling, the system requires at least 14 days of telemetry to establish a baseline. During this period, it logs all executables run on the VM. After the learning period, it generates a recommendation with a list of allowed applications. Administrators can review and approve the rules. Once enforced, any unknown executable is blocked and an alert is generated. AAC is particularly effective against ransomware and malware that use unknown executables.

What This Looks Like on the Job

Enterprise Scenario 1: Hybrid Cloud Migration

A financial services company is migrating 500 on-premises Windows and Linux servers to Azure. The security team needs to maintain visibility and protection during and after migration. They enable Defender for Servers Plan 2 on the target subscription. The Log Analytics agent is deployed via Group Policy to on-premises servers before migration, ensuring continuous monitoring. During migration, JIT VM access is configured to lock down RDP/SSH ports except for authorized jump boxes. Vulnerability assessment scans run automatically, identifying missing patches and misconfigurations. The security team uses the Defender for Cloud dashboard to track the secure score and remediate critical vulnerabilities before go-live. Post-migration, they integrate alerts with Microsoft Sentinel for advanced threat hunting and automated incident response.

Enterprise Scenario 2: Compliance-Driven Deployment

A healthcare organization must comply with HIPAA and PCI DSS. They use Defender for Servers to meet regulatory requirements for continuous monitoring, vulnerability management, and change detection. File Integrity Monitoring is configured on all VMs to track changes to sensitive files (e.g., patient databases, configuration files). Adaptive Application Controls are enforced on production servers to prevent unauthorized software. The vulnerability assessment scanner runs every 12 hours, and results are exported to a SIEM for audit trails. JIT VM access is used for all administrative access, with requests logged and approved via Azure AD. The organization achieves a 95% secure score and passes external audits with evidence from Defender for Cloud reports.

Common Misconfigurations and Pitfalls

Not enabling auto-provisioning: If the Log Analytics agent is not automatically deployed on new VMs, they remain unprotected. Always enable auto-provisioning in Defender for Cloud settings.

Ignoring the 14-day learning period for AAC: Administrators sometimes enforce AAC rules prematurely, causing application failures. Always wait for the baseline recommendation.

Overlooking JIT request logging: JIT approvals are logged, but if not monitored, unauthorized requests can go unnoticed. Integrate JIT logs with Sentinel or a SIEM.

Assuming Plan 1 provides full EDR: Plan 1 does not include Microsoft Defender for Endpoint. For advanced endpoint detection, Plan 2 is required.

How AZ-500 Actually Tests This

What AZ-500 Tests on Defender for Servers

The AZ-500 exam covers Defender for Servers primarily under objective 4.1 (Configure security policies and manage security alerts). Specific topics include:

Plan selection: Know the difference between Plan 1 and Plan 2, and which features belong to each.

Agent requirements: Understand that the Log Analytics agent (or Azure Monitor Agent) is required for most features, but vulnerability assessment using Qualys does not require an agent.

JIT VM access: How it works (modifies NSGs), default timeout (3 hours), and that it is part of Plan 1.

File Integrity Monitoring: Default monitored paths, what triggers alerts, and that it requires the agent.

Adaptive Application Controls: Learning period (14 days), how rules are created, and that it blocks unknown executables.

Vulnerability assessment: Default scan interval (12 hours), integrated scanner (Qualys), and no additional license needed.

Integration with Microsoft Sentinel: Alerts can be streamed to Sentinel for SIEM.

Common Wrong Answers and Why Candidates Choose Them

1. 'Defender for Servers requires a Microsoft Defender for Endpoint license.' Actually, Plan 2 includes Defender for Endpoint for servers at no extra cost. Plan 1 does not include it. Candidates see 'Defender for Endpoint' in the documentation and assume it is a separate purchase.

2. 'File Integrity Monitoring does not require an agent.' FIM relies on the Log Analytics agent to collect file changes. Candidates confuse FIM with Azure Policy's guest configuration, which does not require an agent for some settings.

3. 'Just-In-Time VM access modifies the guest firewall.' JIT works at the network level by creating NSG rules. It does not touch the VM's internal firewall. Candidates familiar with on-premises solutions may assume a host-based change.

4. 'Adaptive Application Controls can be enforced immediately.' AAC requires a 14-day learning period. Candidates may think it works like a traditional application whitelist that can be configured manually from day one.

Verbatim Exam Terms

'Plan 1' vs 'Plan 2'

'Log Analytics agent' (or 'Azure Monitor Agent')

'Qualys' (integrated vulnerability scanner)

'12-hour scan interval'

'3-hour default JIT request duration'

'14-day learning period' for AAC

'File Integrity Monitoring' (FIM)

'Adaptive Application Controls' (AAC)

'Just-In-Time VM Access' (JIT)

Edge Cases and Exceptions

Linux VMs: Vulnerability assessment on Linux requires Python and the OMS agent. If Python is missing, scans fail.

Azure Arc-enabled servers: Defender for Servers can protect on-premises and multi-cloud servers via Azure Arc. The same features apply, but the agent must be deployed on the Arc-connected machine.

Multiple subscriptions: Defender for Servers must be enabled per subscription. If a VM is moved to a subscription without the plan, it loses protection.

Custom Log Analytics workspace: If you use a custom workspace, ensure it is in the same region as the VMs to avoid data egress charges.

How to Eliminate Wrong Answers

If a question mentions a feature that requires host-level monitoring (e.g., file changes, process creation), the answer likely requires the Log Analytics agent.

If a question asks about reducing the attack surface for management ports, think JIT VM access.

If a question describes blocking unknown executables, think Adaptive Application Controls.

For vulnerability management, the default scanner is Qualys (included).

Key Takeaways

Defender for Servers is a plan within Microsoft Defender for Cloud, not a standalone product.

Plan 1 includes JIT, FIM, and AAC; Plan 2 adds Microsoft Defender for Endpoint and advanced detections.

The Log Analytics agent is required for most features except vulnerability assessment (Qualys).

Vulnerability assessment scans run every 12 hours by default using the integrated Qualys scanner.

JIT VM access modifies NSGs to allow inbound traffic for a default duration of 3 hours.

Adaptive Application Controls require a 14-day learning period before enforcement.

File Integrity Monitoring tracks changes to critical system files and registry keys.

Defender for Servers can protect Azure, on-premises (via Azure Arc), and other cloud VMs.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Defender for Servers Plan 1

Includes Just-In-Time VM Access (JIT).

Includes File Integrity Monitoring (FIM).

Includes Adaptive Application Controls (AAC).

Does NOT include Microsoft Defender for Endpoint for servers.

Suitable for basic threat protection and compliance.

Defender for Servers Plan 2

Includes all Plan 1 features.

Includes Microsoft Defender for Endpoint for servers (EDR).

Includes fileless attack detection and brute-force protection.

Includes host-based firewall rules.

Suitable for advanced threat detection and response.

Watch Out for These

Mistake: Defender for Servers is a standalone product separate from Microsoft Defender for Cloud.

Correct: Defender for Servers is a plan within Microsoft Defender for Cloud. It is enabled as an enhanced security feature of Defender for Cloud, not a separate service.

Mistake: All Defender for Servers features require the Log Analytics agent.

Correct: Vulnerability assessment using the integrated Qualys scanner does not require the Log Analytics agent. However, features like FIM, AAC, and JIT do require the agent.

Mistake: Just-In-Time VM access modifies the guest operating system firewall.

Correct: JIT works by creating Azure Network Security Group (NSG) rules to allow inbound traffic. It does not modify the VM's internal firewall (e.g., Windows Firewall or iptables).

Mistake: Adaptive Application Controls can be configured immediately after enabling Defender for Servers.

Correct: AAC requires a 14-day learning period to establish a baseline of allowed applications. Only after this period can rules be enforced.

Mistake: Defender for Servers Plan 1 includes Microsoft Defender for Endpoint for servers.

Correct: Microsoft Defender for Endpoint for servers is included only in Plan 2. Plan 1 provides foundational features like JIT, FIM, and AAC.


Frequently Asked Questions

What is the difference between Defender for Servers Plan 1 and Plan 2?

Plan 1 includes foundational features like Just-In-Time VM Access, File Integrity Monitoring, and Adaptive Application Controls. Plan 2 includes all Plan 1 features plus Microsoft Defender for Endpoint for servers, fileless attack detection, brute-force protection, and host-based firewall rules. Plan 2 provides endpoint detection and response (EDR) capabilities.

Does Defender for Servers require an agent on the VM?

Most features require the Log Analytics agent (or Azure Monitor Agent) to be installed on the VM. However, the integrated vulnerability assessment (Qualys) does not require an agent; it uses a cloud-based scanner. Features like FIM, AAC, and JIT require the agent.

How does Just-In-Time VM Access work?

JIT VM Access reduces the attack surface by locking down inbound traffic to VMs. When an authorized user requests access to a port (e.g., RDP 3389), Defender for Cloud creates an NSG rule allowing traffic from the user's IP address for a configurable duration (default 3 hours). After the time expires, the rule is removed.
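An added example (not from the original page) of the JIT flow just described, using the Az.Security cmdlets: the policy fixes which ports may be requested, from which source range and for how long at most (PT3H, the 3-hour default quoted above), and a request then opens one port from one address until endTimeUtc, after which Defender for Cloud removes the NSG rule. Subscription, resource group, VM name, region and the jump-box addresses are placeholders; the source prefix is narrowed to a jump-box subnet rather than the catch-all '*'.

```powershell
# Added example: define a Just-In-Time policy for one VM, request access
# through it, and list outstanding requests. Requires Az.Security.
$sub  = '<SUBSCRIPTION-ID>'     # placeholder
$rg   = '<RESOURCE-GROUP>'      # placeholder
$vm   = '<VM-NAME>'             # placeholder
$loc  = 'westeurope'            # placeholder; must be the VM's region
$vmId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vm"
$jumpBoxPrefix = '10.10.0.0/24' # placeholder: the only range allowed to request access

# 1. Policy: RDP and SSH may be opened, only from the jump-box subnet, for at
#    most 3 hours per request. Nothing is open until someone asks.
$ports = @(
    @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @($jumpBoxPrefix); maxRequestAccessDuration = 'PT3H' },
    @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @($jumpBoxPrefix); maxRequestAccessDuration = 'PT3H' }
)
$policyVm = @{ id = $vmId; ports = $ports }
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $loc -Name 'default' -ResourceGroupName $rg -VirtualMachine @($policyVm)

# 2. Request: an operator on one jump box asks for RDP for 1 hour (inside the
#    PT3H ceiling). Defender for Cloud writes a matching NSG allow rule for that
#    source and removes it at endTimeUtc; the guest firewall is never modified.
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$loc/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vmId
    ports = @(@{
        number                     = 3389
        endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
        allowedSourceAddressPrefix = @('10.10.0.5')   # placeholder: the requesting jump box
    })
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Audit: requests are logged on the policy; review them so approvals do not
#    go unnoticed (the chapter's 'Overlooking JIT request logging' pitfall).
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $loc -Name 'default').Requests |
    ConvertTo-Json -Depth 6
```

A request for a port, duration or source outside what step 1 allows is rejected, which is why the policy, not the individual request, is where the attack surface is actually decided.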

What is the default scan interval for vulnerability assessment?

The integrated Qualys vulnerability scanner runs automatically every 12 hours. You can also trigger on-demand scans via the API or PowerShell. The scanner checks for missing patches, misconfigurations, and vulnerabilities.

Can Defender for Servers protect on-premises servers?

Yes, via Azure Arc. By connecting on-premises servers to Azure Arc and enabling Defender for Servers, you can extend the same protection (JIT, FIM, vulnerability assessment, etc.) to on-premises and multi-cloud environments.

What is the learning period for Adaptive Application Controls?

Adaptive Application Controls require at least 14 days of telemetry to establish a baseline of allowed applications. During this period, the system logs all executables run on the VM. After the learning period, it generates a recommendation with a whitelist that administrators can approve.

How do I enable Defender for Servers for multiple subscriptions?

You can enable Defender for Servers at the management group level, which applies the plan to all subscriptions under that management group. Alternatively, enable it per subscription in the Defender for Cloud environment settings. Use Azure Policy to enforce deployment.
