AZ-900 | Chapter 30 of 127 | Objective 2.5

Microsoft Defender for Cloud

This chapter covers Microsoft Defender for Cloud, a unified infrastructure security management service that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid cloud workloads. For AZ-900, this is part of Objective 2.5 (Azure Architecture Services), which typically accounts for about 5-10% of the exam. You will learn what Defender for Cloud is, how it works, its key features (including secure score, security alerts, and regulatory compliance), and how to enable it. We'll also cover common exam traps and misconceptions so you can confidently answer any question on this topic.

25 min read
Intermediate
Updated May 31, 2026

Defender for Cloud: Your 24/7 Security Guard Team

Imagine you own a large office building with multiple floors, each floor having different types of rooms—some are server rooms, some are executive offices, and some are general workspaces. You hire a security guard team that does three things: First, they constantly patrol the building, checking every door, window, and alarm system to see if anything is left unlocked or vulnerable (this is the 'vulnerability assessment' and 'secure score' feature). Second, they monitor all security camera feeds in real-time to spot any intruders or suspicious behavior (this is 'threat detection' and 'security alerts'). Third, if they see a break-in in progress, they immediately lock down the affected area, call the police, and send you a detailed report (this is 'just-in-time VM access' and 'adaptive application controls'). The key mechanism: the guards don't just watch—they also give you a daily 'security score' (like a credit score) that tells you how secure your building is overall, and they prioritize which doors to fix first. In Azure, Defender for Cloud does exactly this for your cloud resources: continuously assesses configurations, detects threats, and provides actionable recommendations to improve your security posture. Just as you wouldn't rely on a single guard who only checks once a day, Defender for Cloud works 24/7 across all your subscriptions, automatically adapting to new threats and resources.

How It Actually Works

What is Microsoft Defender for Cloud and What Business Problem Does It Solve?

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that provides unified security management across your Azure, on-premises, and other cloud environments (like AWS and GCP). The core business problem it solves is the complexity and fragmentation of securing modern IT environments. Without it, security teams must manually check configurations, monitor logs from multiple sources, and respond to threats reactively. Defender for Cloud automates this by continuously assessing your resources, identifying misconfigurations, detecting threats, and providing prioritized recommendations.

For AZ-900, you need to understand that Defender for Cloud is not a single product but a suite of capabilities. It includes two main components: (1) Cloud Security Posture Management (CSPM) – free features that give you a secure score and recommendations based on security best practices (like Azure Security Benchmark). (2) Cloud Workload Protection (CWP) – paid features (Microsoft Defender for Cloud plans) that provide advanced threat protection for specific workloads like servers, databases, storage, and containers.

How It Works – Step by Step Mechanism

1. Enablement: Defender for Cloud is automatically enabled for all Azure subscriptions at no extra cost (the free CSPM tier). To use advanced protections, you enable specific Defender plans (e.g., Defender for Servers, Defender for SQL), which incur per-resource costs.

2. Data Collection: Defender for Cloud collects data from your Azure resources via the Log Analytics agent (or Azure Monitor Agent) installed on VMs, and from Azure resource providers (e.g., Azure SQL, Storage). It also integrates with other security tools like Microsoft Sentinel.

3. Assessment and Scoring: It continuously assesses your resources against built-in security policies (based on the Azure Security Benchmark and other standards). Each resource gets a compliance score, and an aggregate Secure Score is calculated (0-100%). The higher the score, the lower the risk.

4. Recommendations: Based on assessments, it generates security recommendations (e.g., 'Enable encryption on storage account', 'Apply just-in-time VM access'). Each recommendation includes a description, remediation steps, and the impact on your secure score if fixed.

5. Threat Detection: For enabled Defender plans, it uses behavioral analytics, machine learning, and threat intelligence to detect suspicious activities (e.g., unusual logins, malware, data exfiltration). Alerts are generated with severity levels (Low, Medium, High, Critical).

6. Response and Remediation: You can respond directly from the portal (e.g., trigger a runbook, block an IP, or apply a fix). Defender for Cloud also supports 'Just-In-Time (JIT) VM Access' and 'Adaptive Application Controls' to block unauthorized apps and reduce the attack surface.

Key Components, Tiers, and Pricing Models

Free Tier (CSPM): Includes secure score, assessments, recommendations, and the regulatory compliance dashboard (up to 10 standards per subscription). No cost.

Defender for Cloud Plans (Paid): Each plan has a per-resource hourly or monthly cost. Examples:

- Defender for Servers: ~$15/server/month
- Defender for SQL: ~$15/SQL server/month
- Defender for Storage: ~$10/storage account/month (per GB of data processed)
- Defender for App Service: ~$30/App Service plan/month
- Defender for Containers: ~$30/core/month (AKS clusters)
- Defender for Key Vault: ~$0.01/10k transactions
- Regulatory Compliance Dashboard: Available in both free and paid tiers, but the number of standards you can monitor is limited in free (up to 10). Paid plans allow unlimited standards (e.g., SOC 2, ISO 27001, NIST, PCI DSS).
- Security Alerts: Only generated when a Defender plan is enabled. Alerts include details like affected resources, attack type, and recommended steps.
- Workload Protections Dashboard: Shows the security status of each workload type (VMs, SQL, Storage, etc.).

How It Compares to On-Premises Equivalent

In an on-premises environment, security posture management typically requires multiple tools: vulnerability scanners (e.g., Nessus), configuration management (e.g., SCCM), SIEM (e.g., Splunk), and manual audits. Defender for Cloud replaces all of these with a single, cloud-native service. It also provides continuous monitoring (not periodic scans) and integrates with Azure policies and automation. For hybrid environments, you can extend Defender for Cloud to on-premises servers by installing the Azure Arc agent and enabling Defender for Servers. This gives you the same CSPM and threat detection capabilities for your on-premises VMs.

Azure Portal and CLI Touchpoints

- Azure Portal: Navigate to 'Microsoft Defender for Cloud' (or search for it). The main dashboard shows Secure Score, regulatory compliance, inventory, and alerts. You can drill down into recommendations, enable plans, and configure policies.
- Azure CLI: Use the az security command group. For example:
  - az security secure-scores list – get secure scores
  - az security alert list – list alerts
  - az security auto-provisioning-setting update --name default --auto-provision on – enable Log Analytics agent auto-provisioning
- Azure PowerShell: Use the Get-AzSecurity* cmdlets, e.g., Get-AzSecuritySecureScore.
- ARM/Bicep: You can enable Defender plans programmatically using the 'Microsoft.Security' resource provider. Note that the pricings resource is subscription-scoped, so the template must target the subscription rather than a resource group. Example Bicep snippet:

// Defender plans are set per subscription, so the template deploys at subscription scope.
targetScope = 'subscription'

// Enables Defender for Servers. 'Standard' is the paid plan; 'Free' returns the
// subscription to the CSPM-only tier.
resource defenderPlan 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
  }
}

Concrete Business Scenarios

Scenario 1: A retail company with 500 VMs wants to ensure all VMs have endpoint protection (antimalware) installed. Defender for Cloud can assess all VMs and recommend enabling Microsoft Antimalware. It also alerts if any VM is missing the agent.

Scenario 2: A financial services firm needs to comply with PCI DSS. Defender for Cloud's regulatory compliance dashboard tracks compliance against PCI DSS controls and shows which resources are non-compliant.

Scenario 3: A startup uses Azure SQL Database and wants to detect SQL injection attacks. Enabling Defender for SQL provides alerts for suspicious queries and potential brute-force attempts.

Walk-Through

1. Enable Defender for Cloud

In the Azure portal, search for 'Microsoft Defender for Cloud' and open the service. If it's your first time, you'll see a welcome screen. Select 'Upgrade' to enable the free CSPM tier—this happens automatically for all subscriptions. For advanced protection, click on 'Environment settings' > select your subscription > toggle on specific Defender plans (e.g., Servers, SQL). Each plan incurs costs, so only enable what you need. Behind the scenes, Azure registers the Microsoft.Security resource provider and begins collecting configuration data.

2. Review Secure Score

Once enabled, the 'Secure Score' dashboard shows your overall score (0-100%) and a breakdown by control groups (e.g., 'Enable MFA', 'Apply disk encryption'). Each control has a 'Max score' and 'Current score'. Click on a control to see specific recommendations and the resources that are non-compliant. The score is calculated as a percentage of completed recommendations weighted by severity. For example, fixing a critical recommendation might increase your score by 2%, while a low-severity one might add 0.5%. The goal is to reach 100% by remediating all recommendations.

3. Implement Recommendations

Navigate to 'Recommendations' to see a list of all security issues. Each recommendation includes a description, affected resources, and remediation steps. You can either manually fix the issue (e.g., enable encryption) or use the 'Fix' button to apply a built-in script. For example, for 'Disk encryption should be applied on virtual machines', you can select the VM and click 'Fix' to enable Azure Disk Encryption. Behind the scenes, Defender for Cloud uses Azure Policy to enforce the change. After remediation, the recommendation status updates within a few hours.

4. Monitor Security Alerts

If you have enabled any Defender plan (e.g., Defender for Servers), you will see 'Security alerts' in the Defender for Cloud menu. Alerts are generated in real-time when suspicious activity is detected. For example, if a VM is communicating with a known malicious IP address, an alert with severity 'High' appears. Click on the alert to see details: affected resource, time, attack vector, and recommended actions (e.g., isolate the VM, run a malware scan). You can also integrate with Microsoft Sentinel for automated response (SOAR).
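
Added example, not code from this chapter or from Microsoft: a short Python triage pass over a constructed batch of alerts that orders them by the severity levels described above and keeps only the latest repeat of the same detection per resource. The record fields (alertDisplayName, severity, status, compromisedEntity, timeGeneratedUtc, remediationSteps) are an assumption modelled on the JSON that az security alert list returns.

```python
# Added example (not Microsoft's code): triage Defender for Cloud security alerts by
# severity before working through the portal's recommended actions. The field names are
# an assumption modelled on 'az security alert list' output; the alerts are constructed.
from datetime import datetime

# Severity levels the chapter lists, highest first.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample batch, not real detections.
SAMPLE_ALERTS = [
    {"alertDisplayName": "Communication with a known malicious IP", "severity": "High",
     "status": "Active", "compromisedEntity": "web-vm-01",
     "timeGeneratedUtc": "2024-01-10T08:15:00Z",
     "remediationSteps": ["Isolate the VM", "Run a malware scan"]},
    {"alertDisplayName": "Potential SQL injection", "severity": "Medium",
     "status": "Active", "compromisedEntity": "orders-sql",
     "timeGeneratedUtc": "2024-01-10T08:20:00Z",
     "remediationSteps": ["Review the flagged query", "Use parameterised queries"]},
    {"alertDisplayName": "Suspicious authentication activity", "severity": "Medium",
     "status": "Dismissed", "compromisedEntity": "web-vm-01",
     "timeGeneratedUtc": "2024-01-10T08:30:00Z",
     "remediationSteps": ["Verify the sign-in with the account owner"]},
    {"alertDisplayName": "Communication with a known malicious IP", "severity": "High",
     "status": "Active", "compromisedEntity": "web-vm-01",
     "timeGeneratedUtc": "2024-01-10T09:05:00Z",
     "remediationSteps": ["Isolate the VM", "Run a malware scan"]},  # repeat detection
    {"alertDisplayName": "Access from an unusual location to a storage account",
     "severity": "Low", "status": "Active", "compromisedEntity": "logs-storage",
     "timeGeneratedUtc": "2024-01-10T07:50:00Z",
     "remediationSteps": ["Confirm the access with the application owner"]},
]


def _when(alert):
    return datetime.strptime(alert["timeGeneratedUtc"], "%Y-%m-%dT%H:%M:%SZ")


def triage_queue(alerts):
    """Active alerts, one per (resource, alert name) keeping the latest detection,
    ordered by severity (Critical first) and oldest first within a severity."""
    latest = {}
    for a in alerts:
        if a["status"] != "Active":
            continue  # dismissed or resolved alerts need no work
        key = (a["compromisedEntity"], a["alertDisplayName"])
        if key not in latest or _when(a) > _when(latest[key]):
            latest[key] = a
    return sorted(latest.values(),
                  key=lambda a: (-SEVERITY_RANK.get(a["severity"], 0), _when(a)))


def highest_severity_per_entity(alerts):
    """Map each affected resource to the most severe open alert against it."""
    worst = {}
    for a in triage_queue(alerts):
        ent = a["compromisedEntity"]
        if ent not in worst or SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[worst[ent]]:
            worst[ent] = a["severity"]
    return worst


if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        print(f'[{a["severity"]:8}] {a["compromisedEntity"]:12} {a["alertDisplayName"]}')
        for step in a["remediationSteps"]:
            print(f"            - {step}")
```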

5. Configure Regulatory Compliance

Go to 'Regulatory compliance' to track compliance against standards like Azure CIS, PCI DSS, ISO 27001, and SOC 2. By default, Azure CIS is enabled. To add more standards, click 'Manage compliance policies' and select the standards you need (free tier supports up to 10; paid plans support unlimited). The dashboard shows a compliance score per standard and a list of controls with pass/fail status. For example, under PCI DSS control 7.2.1, you might see that 'MFA should be enabled on accounts with owner permissions on your subscription' is not compliant. You can then remediate the recommendation to improve compliance.

What This Looks Like on the Job

Scenario 1: E-Commerce Company Securing Hybrid Workloads

Problem: An e-commerce company runs its web application on Azure VMs and also has legacy on-premises servers for database processing. They need unified security visibility and threat detection across both environments.

Solution: They enable Defender for Cloud for their Azure subscription and install Azure Arc on their on-premises servers. Then they enable the Defender for Servers plan (paid) for all VMs (both Azure and on-premises). Defender for Cloud now provides a single dashboard showing secure score, recommendations, and alerts for all servers. They configure JIT VM access to reduce exposure of management ports. The security team receives alerts for suspicious logins and potential malware. Over time, they remediate recommendations and improve their secure score from 40% to 85%.

Cost: Approximately $15/server/month for Defender for Servers. For 50 servers, that's $750/month.

What goes wrong: If they forget to enable the Defender plan for on-premises servers, those servers won't generate alerts. Also, if they don't install the Log Analytics agent properly, data won't be collected. Incorrect configuration of JIT can block legitimate admin access if the admin sources are not allow-listed correctly.

Scenario 2: Financial Services Firm Achieving Compliance

Problem: A bank must comply with PCI DSS and SOC 2 for its Azure-hosted payment processing system. Manual compliance audits are time-consuming and error-prone.

Solution: They enable Defender for Cloud and configure the regulatory compliance dashboard with the PCI DSS and SOC 2 standards. They assign a dedicated security team to review the dashboard weekly. They remediate all critical and high-severity recommendations that affect compliance. For example, they enable encryption on all storage accounts and SQL databases. They also enable Defender for SQL to detect SQL injection attempts. The compliance dashboard shows a 95% compliance score for PCI DSS, which satisfies auditors.

Cost: The free CSPM tier covers up to 10 compliance standards; they use paid plans only for SQL and storage protection (approx. $200/month).

What goes wrong: If they don't regularly update the compliance dashboard, new resources might be non-compliant. Also, if they rely solely on the dashboard without remediating recommendations, the score will drop.

Scenario 3: Startup Using Containerized Applications

Problem: A startup deploys microservices on Azure Kubernetes Service (AKS) and wants to secure container workloads without a dedicated security team.

Solution: They enable the Defender for Containers plan (paid) on their AKS cluster. Defender for Cloud scans container images for vulnerabilities, monitors runtime behavior for threats, and provides recommendations like 'Container should not run as root' or 'Limit container capabilities'. They also enable the free CSPM to get a secure score for their subscription. The security alerts help them detect cryptominers or unauthorized container access.

Cost: Defender for Containers is priced per core per hour. For a small cluster with 10 cores, it might be ~$300/month.

What goes wrong: If they don't enable the plan for all AKS clusters, some clusters remain unprotected. Also, if they don't regularly update container images, vulnerability scans might miss new CVEs.

How AZ-900 Actually Tests This

What AZ-900 Tests on This Objective (Objective 2.5 – Azure Architecture Services)

AZ-900 expects you to understand the high-level capabilities of Defender for Cloud, not deep configuration. Key areas:

- Secure Score: What it is (a percentage representing your security posture based on recommendations).
- Recommendations: How they are generated and what they lead to (improving secure score).
- Security Alerts: When they occur (only with paid plans) and what they indicate.
- Regulatory Compliance Dashboard: Tracks compliance against standards.
- Pricing: Free tier (CSPM) vs. paid plans (per resource).
- Integration: Works with Azure Policy and Microsoft Sentinel (formerly Azure Sentinel).

Common Wrong Answers and Why Candidates Choose Them

1. 'Defender for Cloud can prevent all security incidents.' – Wrong. It detects and alerts but does not automatically block everything. Some responses (like JIT) can block, but it's not a full prevention tool. Candidates choose this because they think 'security' equals 'prevention'.

2. 'Secure Score is based on the number of alerts.' – Wrong. It's based on compliance with security recommendations. Candidates confuse alerts (threats) with posture.

3. 'Defender for Cloud is only for Azure.' – Wrong. It supports hybrid and multi-cloud (AWS, GCP) via connectors. Candidates think it's Azure-only because of the name.

4. 'The free tier includes threat detection.' – Wrong. Threat detection (alerts) requires a paid plan. Candidates assume free includes everything.

Specific Terms and Values That Appear on the Exam

Secure Score: Range 0-100%, higher is better.

CSPM: Cloud Security Posture Management (free).

CWPP: Cloud Workload Protection Platform (paid).

Defender for Servers, SQL, Storage, App Service, Containers, Key Vault – know these plan names.

Azure Security Benchmark: The default assessment standard.

Just-In-Time (JIT) VM Access: A feature to reduce exposure of management ports.

Adaptive Application Controls: Allow-listing (whitelisting) of permitted applications.

Edge Cases and Tricky Distinctions

Free vs. Paid: Only paid plans generate security alerts. Free tier only gives recommendations and secure score.

Multi-cloud: Defender for Cloud can protect AWS and GCP resources via connectors (with Azure Arc extending coverage to servers in those clouds), but this is an advanced topic – for AZ-900, know it's possible.

Regulatory Compliance: Free tier supports up to 10 standards; paid has unlimited. The exam may test this limit.

Memory Trick: 'SCORE' Acronym

Secure Score – the central metric.

Compliance dashboard – regulatory tracking.

Only paid plans give alerts.

Recommendations – fix these to improve score.

Everywhere – works across Azure, on-prem, and other clouds.

Use this to eliminate wrong answers: if a question mentions alerts, ensure a paid plan is involved.

Key Takeaways

Defender for Cloud provides a unified security management platform for Azure, hybrid, and multi-cloud environments.

The free tier (CSPM) includes secure score, recommendations, and regulatory compliance dashboard (up to 10 standards).

Paid Defender plans (e.g., Defender for Servers, SQL, Storage) enable threat detection and security alerts.

Secure Score ranges from 0% to 100% and improves by fixing security recommendations.

Defender for Cloud integrates with Azure Policy to enforce compliance and with Microsoft Sentinel for SIEM/SOAR.

Just-In-Time (JIT) VM Access reduces attack surface by locking down management ports until requested.

Defender for Cloud supports on-premises servers via Azure Arc and AWS/GCP via connector settings.

The default assessment standard is the Azure Security Benchmark.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Defender for Cloud

Unified CSPM and CWPP for Azure, on-prem, and other clouds

Integrated with Microsoft Defender for Cloud plans (servers, SQL, etc.)

Secure Score is a percentage (0-100%)

Regulatory compliance dashboard with unlimited standards in paid tier

Supports multi-cloud via connectors (AWS, GCP)

Azure Security Center (Legacy Name)

Original name for the same service (renamed in 2020)

Did not include multi-cloud support initially

Same secure score concept

Same compliance dashboard (but fewer integrations early on)

Now deprecated; all documentation uses 'Defender for Cloud'

Watch Out for These

Mistake: Defender for Cloud is the same as Microsoft Sentinel.

Correct: Defender for Cloud is a CSPM and CWPP tool that provides posture management and threat detection. Microsoft Sentinel is a SIEM (Security Information and Event Management) that ingests logs from multiple sources (including Defender for Cloud) for advanced correlation and incident response. They are complementary, not the same.

Mistake: The free tier of Defender for Cloud includes threat detection and alerts.

Correct: The free tier (CSPM) only provides secure score, recommendations, and the regulatory compliance dashboard. Security alerts are only generated when you enable a paid Defender plan (e.g., Defender for Servers).

Mistake: Defender for Cloud only works for Azure resources.

Correct: Defender for Cloud also supports hybrid environments (on-premises via Azure Arc) and multi-cloud (AWS and GCP via connectors). You can protect workloads across different environments from a single dashboard.

Mistake: Secure Score is calculated based on the number of security alerts.

Correct: Secure Score is based on how many security recommendations you have implemented. It reflects your compliance with security best practices (e.g., enabling encryption, MFA). Alerts are separate and indicate active threats.

Mistake: Enabling Defender for Cloud automatically remediates all security issues.

Correct: Defender for Cloud provides recommendations and some automated remediation options (e.g., the 'Fix' button), but it does not automatically fix everything. You must review and approve changes.

Frequently Asked Questions

Is Microsoft Defender for Cloud free?

The basic Cloud Security Posture Management (CSPM) features are free for all Azure subscriptions. This includes secure score, recommendations, and a regulatory compliance dashboard (up to 10 standards). However, advanced threat detection and security alerts require enabling paid Defender plans (e.g., Defender for Servers at ~$15/server/month). So yes, there is a free tier, but it's limited to posture management only.

What is the difference between Defender for Cloud and Azure Security Center?

Azure Security Center was the original name for the service. In 2020, Microsoft rebranded it to Microsoft Defender for Cloud to reflect its expanded capabilities (including multi-cloud support and integration with Microsoft Defender plans). Functionally, they are the same service. The exam uses the new name (Defender for Cloud), but you may still see 'Security Center' in older questions. Always choose 'Defender for Cloud' for the latest.

Does Defender for Cloud protect on-premises servers?

Yes, it can. You need to install Azure Arc on your on-premises servers to connect them to Azure. Then, you can enable Defender for Servers plan for those machines. Defender for Cloud will then assess their configurations, provide recommendations, and generate security alerts just like for Azure VMs. This extends the same security management to your on-premises environment.

How do I improve my Secure Score in Defender for Cloud?

Go to the 'Recommendations' blade and review the list of security issues. Each recommendation has an 'Impact' value (e.g., +2.00%) indicating how much your score will increase if fixed. Prioritize high-impact recommendations. You can manually fix them or use the 'Fix' button to apply automated remediation. After fixing, the score updates within a few hours. The goal is to reach 100% by remediating all recommendations.
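
This calculation, as an added example (not Microsoft's code) for both the Secure Score walk-through step and this question: a small Python model of per-control scores, the overall percentage, and the 'Impact' of remediating each control, run over a constructed set of controls. The control names, max scores and resource counts are assumptions chosen to resemble the controls the chapter mentions; the formula follows the documented behaviour that a control's current score scales with the share of its resources that are healthy.

```python
# Added example (not Microsoft's code): a model of how Secure Score and the per-control
# 'Impact' value relate. Each control has a max score; its current score is
# max score x (healthy resources / total resources); the overall score is the sum of
# current scores over the sum of max scores, shown as a percentage.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    max_score: float  # points the control is worth when every resource is healthy
    healthy: int      # resources that satisfy all recommendations in the control
    unhealthy: int    # resources with at least one open recommendation

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    def current_score(self) -> float:
        # A control with no applicable resources counts as fully met.
        if self.total == 0:
            return self.max_score
        return self.max_score * self.healthy / self.total


def _raw_score(controls) -> float:
    max_total = sum(c.max_score for c in controls)
    if max_total == 0:
        return 0.0
    return 100.0 * sum(c.current_score() for c in controls) / max_total


def secure_score(controls) -> float:
    """Overall Secure Score as a percentage, rounded the way the portal displays it."""
    return round(_raw_score(controls), 2)


def impact_of_fixing(controls, control_name: str) -> float:
    """Percentage points gained if every unhealthy resource in one control is remediated
    (the 'Impact' figure shown next to a recommendation)."""
    fixed = [
        Control(c.name, c.max_score, c.total, 0) if c.name == control_name else c
        for c in controls
    ]
    return round(_raw_score(fixed) - _raw_score(controls), 2)


def prioritised(controls):
    """Controls with open recommendations, highest impact first."""
    ranked = [(impact_of_fixing(controls, c.name), c.name) for c in controls if c.unhealthy]
    return sorted(ranked, reverse=True)


# Constructed sample, not a real subscription. Names and max scores are assumptions
# modelled on the kinds of controls the chapter lists.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, healthy=2, unhealthy=2),
    Control("Secure management ports", 8, healthy=6, unhealthy=4),
    Control("Enable encryption at rest", 4, healthy=1, unhealthy=3),
    Control("Enable endpoint protection", 2, healthy=10, unhealthy=0),
]

if __name__ == "__main__":
    print(f"Secure Score: {secure_score(SAMPLE_CONTROLS)}%")  # 53.33
    for impact, name in prioritised(SAMPLE_CONTROLS):
        print(f"  +{impact:.2f}%  {name}")
```

Note that the gain from a single control depends on its max score and on how many of its resources are unhealthy, which is why two recommendations of the same severity can show very different Impact values.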

What is the difference between a recommendation and a security alert?

A recommendation is a suggestion to improve your security posture (e.g., 'Enable encryption on storage account'). It is based on configuration assessments and does not indicate an active threat. A security alert is a notification of a detected threat (e.g., 'Malware was detected on VM'). Alerts are only generated if you have a paid Defender plan enabled. Both appear in Defender for Cloud but serve different purposes.

Can Defender for Cloud integrate with other Azure services?

Yes, it integrates deeply with many Azure services. For example, it uses Azure Policy to enforce security recommendations, can send alerts to Azure Monitor, and can forward high-severity alerts to Microsoft Sentinel for incident response. It also integrates with Azure Arc for hybrid environments and with Azure DevOps for security of CI/CD pipelines.

What is the Azure Security Benchmark?

The Azure Security Benchmark is a set of security best practices and recommendations created by Microsoft. It is the default standard against which Defender for Cloud assesses your resources. It includes controls for identity, network, storage, etc. The benchmark is regularly updated to reflect current threats. Defender for Cloud uses it to generate recommendations and calculate your secure score.
