SC-200 | Chapter 12 of 101 | Objective 3.2

Cloud Security Posture Management

This chapter covers Cloud Security Posture Management (CSPM) as implemented by Microsoft Defender for Cloud, a core component of the SC-200 exam. You will learn how CSPM continuously assesses your cloud environments against security benchmarks, generates a secure score, and provides actionable recommendations. Expect 10-15% of exam questions to touch on CSPM concepts, including secure score calculation, regulatory compliance, and workload protection.

25 min read
Intermediate
Updated May 31, 2026

The Building Inspector for Cloud Security

Imagine you own a large office building with hundreds of rooms, each with doors, windows, locks, and fire safety equipment. You hire a building inspector who walks the entire building daily, checking every door lock, window latch, fire extinguisher, and emergency exit. The inspector carries a checklist of building codes: every lock must be a deadbolt, every fire extinguisher must be within 50 feet of any point, every exit must be unobstructed. When the inspector finds a violation, they note it, assign a severity ('critical' if a fire exit is blocked, 'low' if a light bulb is out), and send a report to the property manager. The manager can then fix the issue or formally waive the finding for a room that is a known exception. The inspector never stops inspecting: the whole building is re-checked on a schedule, and when someone changes a room, that room is re-checked right away.

In the cloud, Microsoft Defender for Cloud plays the role of that inspector. It continuously evaluates your Azure subscriptions, AWS accounts, and GCP projects against security benchmarks, chiefly the Microsoft cloud security benchmark (MCSB, formerly the Azure Security Benchmark), which itself maps to CIS and NIST controls. It checks configurations such as whether a network security group allows unrestricted inbound RDP (a high-severity finding), whether storage accounts block public blob access, or whether MFA is required for accounts with owner permissions. Each finding is a 'recommendation' with a severity and remediation steps. The 'secure score' is the overall safety grade, calculated from points earned per security control. Just as the inspector can waive a known exception, Defender for Cloud supports exemptions and custom policy initiatives to match your organization's specific requirements, and its recommendations help security teams focus on the most impactful issues first.

How It Actually Works

What is Cloud Security Posture Management (CSPM)?

Cloud Security Posture Management (CSPM) is a class of security tools that continuously monitor cloud environments for misconfigurations, compliance violations, and security weaknesses. CSPM solutions automatically assess resources against industry standards (e.g., CIS, NIST, the Microsoft cloud security benchmark) and provide a unified view of security posture. Microsoft Defender for Cloud is the native CSPM solution for Azure, and it also covers multicloud environments (AWS and GCP). On the SC-200 exam, CSPM is tested under objective 3.2: "Manage cloud security posture management." You must understand how Defender for Cloud discovers resources, evaluates policies, calculates secure scores, and generates recommendations.

How Defender for Cloud CSPM Works Internally

Defender for Cloud operates through a combination of Azure Resource Manager data, Azure Policy, multicloud connectors, and (for workload protection only) agents. The core mechanism is as follows:

1. Resource Discovery: Defender for Cloud uses Azure Resource Graph and Azure Resource Manager to discover all resources in a subscription. For AWS and GCP, it uses environment connectors that authenticate with IAM roles created in the AWS account or with service accounts created in the GCP project. Discovery runs continuously: resources are re-inventoried on a schedule, and a change to a resource triggers a fresh assessment of that resource.

2. Policy Evaluation: Each resource is evaluated against built-in policy definitions (from Azure Policy, grouped in the Microsoft cloud security benchmark initiative) and any custom initiatives you assign. A policy definition describes a desired state; for example, one requires that storage accounts disallow public blob access. The evaluation engine compares the resource's actual configuration with the policy's conditions. If the configuration does not meet them, the resource is marked unhealthy for that recommendation.

3. Secure Score Calculation: The secure score is a percentage that represents how well your environment aligns with security best practices: (achieved points / total possible points) * 100. Recommendations are grouped into security controls, and each control has a maximum score (for example, 'Enable MFA' is worth 10 points). A control's current score is its maximum multiplied by the fraction of its resources that are healthy, where a resource counts as healthy only if it passes every recommendation in that control; with 100% of resources healthy you earn the full maximum. Points are then summed across controls. The exam expects you to know that the score is weighted by control, not a raw percentage of compliant resources: fixing the single subscription-level MFA recommendation can move the score more than fixing open ports on dozens of VMs. The secure score is available on every subscription where Defender for Cloud is enabled, including the free (foundational CSPM) tier.

4. Recommendations: Each unhealthy resource appears under a recommendation. Recommendations include a description, severity (High, Medium, Low), remediation steps and, for many Azure resources, a 'Fix' button (labelled 'Quick fix!' in older documentation) that applies the change for you. Recommendations also list the affected resources and show which regulatory standards they map to (e.g., SOC 2, PCI DSS).

5. Regulatory Compliance: Defender for Cloud maps recommendations to regulatory compliance frameworks. The Microsoft cloud security benchmark is assigned by default; other built-in standards and custom standards (Azure Policy initiatives) are added from the Regulatory compliance dashboard and require the paid Defender CSPM plan. The dashboard shows the percentage of passed controls for each standard. The exam tests the difference between 'built-in' standards (e.g., Azure CIS 1.1.0, PCI DSS 3.2.1) and 'custom' standards.
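To make the policy evaluation step concrete, here is an added example (not Microsoft's engine and not code from this page) of how an Azure Policy style `policyRule` is tested against a resource and how a match becomes an Unhealthy finding. The first definition is a simplified copy of the shape of the built-in 'Storage account public access should be disallowed' policy; the second is a hypothetical rule modelled on the 'management ports should be closed' finding. The `severity` field, the alias-to-value mapping and every resource record are constructed for the example, and only the `audit`/`deny` semantics of the `if`/`then` rule are modelled.

```python
"""Simplified evaluator for Azure Policy style 'policyRule' JSON (added example).
Supports a subset of the condition language (field, equals, notEquals, in, exists,
allOf, anyOf, not) and only audit/deny semantics; it is not the Azure Policy engine."""
from typing import Any, Dict, List

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers"  # placeholder
STG = "Microsoft.Storage/storageAccounts"
NSG_RULE = "Microsoft.Network/networkSecurityGroups/securityRules"

# Constructed definitions. Shapes follow Azure Policy; 'severity' is not a policy
# property and is added here so that the output resembles a recommendation.
DEFINITIONS = [
    {"displayName": "Storage account public access should be disallowed",   # simplified built-in shape
     "severity": "Medium",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": STG},
         {"not": {"field": f"{STG}/allowBlobPublicAccess", "equals": "false"}}]},
         "then": {"effect": "audit"}}},
    {"displayName": "Inbound RDP from the Internet should be blocked",        # hypothetical rule
     "severity": "High",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": NSG_RULE},
         {"field": f"{NSG_RULE}/access", "equals": "Allow"},
         {"field": f"{NSG_RULE}/direction", "equals": "Inbound"},
         {"field": f"{NSG_RULE}/destinationPortRange", "in": ["3389", "*"]},
         {"field": f"{NSG_RULE}/sourceAddressPrefix", "in": ["*", "Internet", "0.0.0.0/0"]}]},
         "then": {"effect": "audit"}}},
]

def resource(kind: str, path: str, **props: Any) -> Dict[str, Any]:
    """Constructed resource: ARM-style id, type, and aliases mapped straight to values."""
    return {"id": f"{SUB}/{path}", "type": kind,
            "aliases": {f"{kind}/{k}": v for k, v in props.items()}}

RESOURCES = [
    resource(STG, f"{STG}/stpublic", allowBlobPublicAccess=True),
    resource(STG, f"{STG}/stprivate", allowBlobPublicAccess=False),
    resource(NSG_RULE, "Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp",
             access="Allow", direction="Inbound", destinationPortRange="3389", sourceAddressPrefix="*"),
    resource(NSG_RULE, "Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-https",
             access="Allow", direction="Inbound", destinationPortRange="443", sourceAddressPrefix="Internet"),
]

def _norm(value: Any) -> str:
    return str(value).lower()   # Azure Policy compares strings case-insensitively; bools become 'true'/'false'

def get_field(res: Dict[str, Any], field: str) -> Any:
    """Resolve a 'field' reference: top-level ARM fields first, then an alias."""
    if field in ("id", "name", "type", "location", "kind"):
        return res.get(field)
    return res["aliases"].get(field)

def evaluate(cond: Dict[str, Any], res: Dict[str, Any]) -> bool:
    """True when the condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, res) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, res) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], res)
    value = get_field(res, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")

def applies_to(rule_if: Dict[str, Any], res: Dict[str, Any]) -> bool:
    """A definition applies only to the resource type named in its top-level
    type filter; other resources are 'not applicable' and get no finding."""
    for c in rule_if.get("allOf", [rule_if]):
        if c.get("field") == "type" and "equals" in c:
            return _norm(res["type"]) == _norm(c["equals"])
    return True

def assess(definitions: List[Dict[str, Any]], resources: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate each applicable resource against each definition. With audit/deny
    effects, a resource that matches the whole 'if' block is non-compliant (Unhealthy)."""
    findings = []
    for d in definitions:
        rule = d["policyRule"]
        if _norm(rule["then"]["effect"]) not in ("audit", "deny"):
            raise ValueError("only audit/deny semantics are modelled here")
        for res in resources:
            if applies_to(rule["if"], res):
                findings.append({"resourceId": res["id"], "recommendation": d["displayName"],
                                 "severity": d["severity"],
                                 "state": "Unhealthy" if evaluate(rule["if"], res) else "Healthy"})
    return findings

def unhealthy_by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count Unhealthy findings per severity, the filter the Recommendations blade offers."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["state"] == "Unhealthy":
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts
```

Running `assess(DEFINITIONS, RESOURCES)` yields four findings: `stpublic` and the `allow-rdp` rule are Unhealthy, `stprivate` and `allow-https` are Healthy, and the storage policy never produces a finding for the NSG rules because the type filter makes them not applicable. That last point matters for the score: a resource only enters a control's healthy/unhealthy counts when a recommendation in that control applies to it.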

Key Components, Values, and Defaults

Secure Score: Ranges from 0% to 100%. The free (foundational CSPM) tier provides secure score and recommendations. Paid Defender plans add workload protection and Defender CSPM features but do not change how the score is calculated.

Security Controls: Recommendations are grouped into a short list of security controls (well under twenty in the classic set, not dozens), each with a maximum score; 'Enable MFA' (10 points) and 'Secure management ports' (8 points) carry the most weight. The total possible score is the sum of the control maxima. Learn the principle rather than a total: Microsoft maintains the control set and weights, and they change over time.

Recommendation Severity: High (critical misconfiguration like open RDP), Medium (less critical but still important), Low (best practice but not urgent).

Regulatory Compliance Standards: Built-in standards include Azure CIS 1.1.0, Azure CIS 1.3.0, PCI DSS 3.2.1, SOC TSP, ISO 27001 and NIST SP 800-53 (newer revisions of several of these are also offered). Custom standards are Azure Policy initiatives (policy set definitions), which can be authored as JSON.

Defender Plans: Enhanced security features require enabling specific Defender plans (e.g., Defender for Servers, Defender for Storage, Defender CSPM). Each plan has a cost. The free tier includes foundational CSPM only.

Continuous Export: Recommendations, secure score and security alerts can be exported to a Log Analytics workspace or to Event Hubs. Log Analytics is the route into Microsoft Sentinel; Event Hubs is the route into third-party SIEMs.

Configuration and Verification Commands

While the SC-200 exam does not require scripting, knowing the Azure CLI and PowerShell surface helps. Key commands (names as they ship in the Azure CLI `az security` group and the Az.Security PowerShell module):

- Azure CLI:
  - az security secure-scores list – Lists secure scores for the subscription.
  - az security secure-score-controls list – Lists controls with their current and maximum scores.
  - az security assessment list – Lists assessments (recommendations) and their status.
  - az security regulatory-compliance-standards list – Lists compliance standards.
  - az policy assignment create – Assigns a custom initiative to a scope.

- PowerShell:
  - Get-AzSecuritySecureScore – Retrieves the secure score.
  - Get-AzSecuritySecureScoreControl – Retrieves per-control scores.
  - Get-AzSecurityAssessment – Retrieves assessments (recommendations).
  - Get-AzRegulatoryComplianceStandard – Lists compliance standards.

Azure Portal: Navigate to Microsoft Defender for Cloud > Recommendations or Secure Score.

Interaction with Related Technologies

CSPM in Defender for Cloud is tightly integrated with:

Azure Policy: Every recommendation is backed by an Azure Policy definition, and the default recommendations come from the Microsoft cloud security benchmark initiative that Defender for Cloud assigns to the subscription. When you remediate with 'Fix' (the older label was 'Quick fix!'), Defender for Cloud runs a remediation template against the affected resource; it does not create a new policy assignment. Understanding Azure Policy concepts (initiatives, assignments, exemptions) is critical for the exam.

Microsoft Sentinel: CSPM data can be ingested into Sentinel for advanced correlation and incident response. The 'Continuous Export' feature sends recommendations to Log Analytics, which Sentinel can query.

Microsoft Defender for Cloud Apps: Provides visibility into cloud app usage, but CSPM focuses on infrastructure misconfigurations.

Azure Arc: Extends CSPM to on-premises servers and other clouds by enabling them as Azure resources.

How CSPM Differs from Workload Protection

CSPM (free tier) provides posture assessment from the control plane, without agents. Workload protection (paid Defender plans) adds runtime and data-plane protections: threat detection, vulnerability assessment, file integrity monitoring, just-in-time VM access and adaptive application controls. Defender for Servers delivers these through the Microsoft Defender for Endpoint sensor and agentless disk scanning (the Log Analytics agent it once relied on is retired). The exam often asks: "Which feature requires the enhanced tier?" The answer is workload protection (e.g., just-in-time VM access, adaptive application controls). CSPM does not require agents.

Multicloud Capabilities

Defender for Cloud assesses AWS and GCP resources through environment connectors. For AWS, the connector deploys a CloudFormation template that creates the IAM roles Defender for Cloud assumes; for GCP, a generated script creates the service accounts and workload identity federation in the project. Once connected, Defender for Cloud discovers resources such as S3 buckets, EC2 instances and Cloud Storage buckets and evaluates them against the Microsoft cloud security benchmark; the secure score aggregates findings from all connected clouds. On the exam, know that the connector itself and foundational CSPM for AWS and GCP are free; workload protection for those resources (Defender for Servers, Containers, Databases) and Defender CSPM features require the corresponding plans.

Continuous Monitoring and Drift Detection

CSPM is not a one-time scan. Defender for Cloud continuously monitors resources. If a configuration drifts from the desired state (e.g., someone opens a management port), the resource turns unhealthy on the relevant recommendation and the secure score drops. Scheduled re-evaluation runs roughly every 24 hours for most recommendations, and a change to a resource triggers re-evaluation of that resource within minutes. The exam may test that 'continuous' means near-real-time for resource changes, not just periodic.
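Drift only becomes actionable when someone compares yesterday's state with today's. The following is an added example (not from this page or from Microsoft) that does exactly that over two snapshots of recommendation states. The rows are shaped like the SecurityRecommendation records that continuous export writes to a Log Analytics workspace; the field names are the ones assumed here, every row is constructed, and the subscription ID is a placeholder. The newest row per (resource, recommendation) wins, resource IDs are compared case-insensitively because ARM IDs are, and the report separates drift (Healthy to Unhealthy) from remediation and from newly exposed resources.

```python
"""Drift detection over two continuous-export snapshots (added example).
Rows are shaped like the SecurityRecommendation records that continuous export
writes to a Log Analytics workspace (field names as assumed here; every row is
constructed). The newest row per (resource, recommendation) wins, then the two
snapshots are compared to surface drift (Healthy -> Unhealthy), remediation,
and newly exposed resources."""
import json
from typing import Dict, Tuple

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers"  # placeholder
PORTS = "Management ports should be closed on your virtual machines"
PUBLIC = "Storage account public access should be disallowed"

def row(ts: str, rid: str, rec: str, state: str, sev: str) -> str:
    return json.dumps({"TimeGenerated": ts, "AssessedResourceId": rid, "RecommendationDisplayName": rec,
                       "RecommendationState": state, "RecommendationSeverity": sev})

VM = f"{SUB}/Microsoft.Compute/virtualMachines"
# Constructed export: yesterday's snapshot and today's, as JSON lines.
SNAPSHOT_T0 = "\n".join([
    row("2026-05-30T09:00:00Z", f"{VM}/vm-web", PORTS, "Healthy", "High"),
    row("2026-05-30T09:00:00Z", f"{VM}/vm-db", PORTS, "Unhealthy", "High"),
    row("2026-05-30T09:00:00Z", f"{SUB}/Microsoft.Storage/storageAccounts/stpublic", PUBLIC, "Unhealthy", "Medium"),
])
SNAPSHOT_T1 = "\n".join([
    # two rows for vm-web: the later one reflects an NSG change that opened RDP;
    # its ID is upper-cased to show that ARM IDs must be compared case-insensitively
    row("2026-05-31T08:00:00Z", f"{VM}/vm-web", PORTS, "Healthy", "High"),
    row("2026-05-31T09:30:00Z", f"{VM}/VM-WEB", PORTS, "Unhealthy", "High"),
    row("2026-05-31T09:00:00Z", f"{VM}/vm-db", PORTS, "Healthy", "High"),
    row("2026-05-31T09:00:00Z", f"{SUB}/Microsoft.Storage/storageAccounts/stpublic", PUBLIC, "Unhealthy", "Medium"),
    row("2026-05-31T09:00:00Z", f"{VM}/vm-new", PORTS, "Unhealthy", "High"),
])

Key = Tuple[str, str]      # (lower-cased resource ID, recommendation display name)
State = Tuple[str, str]    # (RecommendationState, RecommendationSeverity)

def latest_state(jsonl: str) -> Dict[Key, State]:
    """Collapse an export to the newest state per (resource, recommendation)."""
    newest: Dict[Key, Tuple[str, str, str]] = {}
    for line in jsonl.strip().splitlines():
        r = json.loads(line)
        key = (r["AssessedResourceId"].lower(), r["RecommendationDisplayName"])
        # ISO-8601 UTC timestamps in one format sort correctly as strings
        if key not in newest or r["TimeGenerated"] > newest[key][0]:
            newest[key] = (r["TimeGenerated"], r["RecommendationState"], r["RecommendationSeverity"])
    return {k: (v[1], v[2]) for k, v in newest.items()}

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

def detect_drift(before: Dict[Key, State], after: Dict[Key, State]) -> Dict[str, list]:
    """Classify each pair. 'drifted' is what a SOC pages on: a resource that passed a
    recommendation in the earlier snapshot and fails it now. Unchanged pairs are ignored."""
    report: Dict[str, list] = {"drifted": [], "remediated": [], "new_exposure": []}
    for key, (state, sev) in after.items():
        prev = before.get(key)
        if prev is None:
            if state == "Unhealthy":
                report["new_exposure"].append((key, sev))
        elif prev[0] == "Healthy" and state == "Unhealthy":
            report["drifted"].append((key, sev))
        elif prev[0] == "Unhealthy" and state == "Healthy":
            report["remediated"].append(key)
    for bucket in ("drifted", "new_exposure"):   # triage order: highest severity first
        report[bucket].sort(key=lambda item: (SEVERITY_RANK.get(item[1], 9), item[0]))
    return report

if __name__ == "__main__":
    result = detect_drift(latest_state(SNAPSHOT_T0), latest_state(SNAPSHOT_T1))
    for bucket in ("drifted", "new_exposure"):
        for (rid, rec), sev in result[bucket]:
            print(f"{bucket:<13}[{sev}] {rid.rsplit('/', 1)[-1]}: {rec}")
    for rid, rec in result["remediated"]:
        print(f"remediated   {rid.rsplit('/', 1)[-1]}: {rec}")
```

With the constructed data, `vm-web` is reported as drifted (RDP opened between snapshots), `vm-db` as remediated, `vm-new` as a new exposure, and the still-public storage account appears in neither list because its state did not change. In Sentinel the same comparison is usually expressed as a KQL query over the exported table with an analytics rule on the drifted rows; the logic is identical.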

Custom Initiatives and Regulatory Compliance

You can create custom policy initiatives (sets of policy definitions) to enforce organization-specific rules and add them as custom standards in the Regulatory Compliance dashboard. The exam tests that a custom standard is an Azure Policy set definition, authored in JSON or in the Azure Policy portal and assigned to a scope. You can also create 'exemptions' for a recommendation at the resource, resource group or subscription scope to exclude resources that are intentionally non-compliant (e.g., a test server deliberately left open). Exemptions can be time-bound, and they change the score without changing the resource.

Secure Score Impact of Recommendations

Not all recommendations affect the secure score. Only recommendations that belong to a security control contribute; some are informational and carry no points. The exam may ask: "Which action will increase the secure score?" Only remediating an unhealthy resource in a control that still has points outstanding, and only in proportion to the share of that control's resources it moves to healthy.
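The score arithmetic is easier to trust once you have run it. The following is an added example (not from this page or from Microsoft) that implements the published rule: each control yields its maximum score multiplied by healthy resources over total resources, a resource is healthy for a control only if it passes every recommendation in that control, exempted resources drop out of both counts, and the secure score is the sum of current scores over the sum of maxima. The four control names and weights follow the classic control set; the subscription ID is a placeholder and the VM names and recommendation states are constructed. It also shows why the page's exam tip holds: fixing one subscription-level MFA finding outweighs fixing a VM, and exempting a jump host raises the score exactly as much as fixing it does.

```python
"""Secure score arithmetic for Microsoft Defender for Cloud (added example).
Rule modelled: control current score = max_score * healthy / (healthy + unhealthy),
a resource is healthy for a control only if it passes every recommendation in that
control, exempted resources leave both counts, and score = sum(current)/sum(max)*100.
Control names and weights follow the classic control set; resources and states are
constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Control:
    name: str
    max_score: int

@dataclass(frozen=True)
class Recommendation:
    name: str
    control: str
    unhealthy: FrozenSet[str]   # resource IDs currently failing this recommendation
    healthy: FrozenSet[str]     # resource IDs currently passing it

CONTROLS = [Control("Enable MFA", 10), Control("Secure management ports", 8),
            Control("Remediate vulnerabilities", 6), Control("Enable encryption at rest", 4)]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription

def vm(name: str) -> str:
    return f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/{name}"

MFA_REC = "MFA should be enabled on accounts with owner permissions on your subscription"
PORTS_REC = "Management ports should be closed on your virtual machines"
JIT_REC = "Just-in-time network access control should be applied on virtual machines"
VULN_REC = "Machines should have vulnerability findings resolved"
ENC_REC = "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"

RECOMMENDATIONS = [
    Recommendation(MFA_REC, "Enable MFA", frozenset({SUB}), frozenset()),
    Recommendation(PORTS_REC, "Secure management ports",
                   frozenset({vm("vm-web"), vm("vm-jump")}), frozenset({vm("vm-db"), vm("vm-app")})),
    Recommendation(JIT_REC, "Secure management ports",
                   frozenset({vm("vm-web")}), frozenset({vm("vm-jump"), vm("vm-db"), vm("vm-app")})),
    Recommendation(VULN_REC, "Remediate vulnerabilities",
                   frozenset({vm("vm-db")}), frozenset({vm("vm-web"), vm("vm-jump"), vm("vm-app")})),
    Recommendation(ENC_REC, "Enable encryption at rest",
                   frozenset(), frozenset({vm(n) for n in ("vm-web", "vm-jump", "vm-db", "vm-app")})),
]

Exemption = Tuple[str, str]   # (recommendation name, resource ID)

def control_scores(controls: List[Control], recs: List[Recommendation],
                   exemptions: FrozenSet[Exemption] = frozenset()) -> Dict[str, dict]:
    """Per-control healthy/unhealthy counts and current score (None if nothing applicable)."""
    out: Dict[str, dict] = {}
    for c in controls:
        counted: Set[str] = set()
        bad: Set[str] = set()
        for r in recs:
            if r.control != c.name:
                continue
            for rid in r.unhealthy | r.healthy:
                if (r.name, rid) in exemptions:
                    continue            # exempt: not applicable, so it leaves both counts
                counted.add(rid)
                if rid in r.unhealthy:
                    bad.add(rid)        # failing any recommendation in the control = unhealthy
        total = len(counted)
        current: Optional[float] = c.max_score * (total - len(bad)) / total if total else None
        out[c.name] = {"max": c.max_score, "healthy": total - len(bad),
                       "unhealthy": len(bad), "current": current}
    return out

def secure_score(controls, recs, exemptions: FrozenSet[Exemption] = frozenset()) -> float:
    """Percentage over the controls that have at least one applicable resource."""
    rows = [s for s in control_scores(controls, recs, exemptions).values() if s["current"] is not None]
    return round(100 * sum(s["current"] for s in rows) / sum(s["max"] for s in rows), 1)

def remediate(recs: List[Recommendation], rec_name: str, resource_id: str) -> List[Recommendation]:
    """Copy of recs with one resource moved from unhealthy to healthy (what 'Fix' achieves)."""
    return [Recommendation(r.name, r.control, r.unhealthy - {resource_id}, r.healthy | {resource_id})
            if r.name == rec_name and resource_id in r.unhealthy else r for r in recs]

if __name__ == "__main__":
    print("baseline:", secure_score(CONTROLS, RECOMMENDATIONS))
    print("after MFA fix (1 resource):", secure_score(CONTROLS, remediate(RECOMMENDATIONS, MFA_REC, SUB)))
    print("after closing ports on vm-jump:", secure_score(CONTROLS, remediate(RECOMMENDATIONS, PORTS_REC, vm("vm-jump"))))
    print("after exempting vm-jump instead:", secure_score(CONTROLS, RECOMMENDATIONS, frozenset({(PORTS_REC, vm("vm-jump"))})))
```

Baseline is 12.5 of 28 points (44.6%): MFA earns 0 of 10, 'Secure management ports' earns 8 * 2/4 because vm-web fails both of its recommendations and vm-jump fails one, 'Remediate vulnerabilities' earns 6 * 3/4, and encryption earns its full 4. Fixing the single MFA finding jumps the score to 80.4%, while closing ports on vm-jump only reaches 51.8%; exempting vm-jump from the ports recommendation also gives 51.8%, which is why exemptions belong only on resources that are genuinely out of scope.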

Common Exam Scenarios

Scenario: You need to improve the secure score from 60% to 80%. Which tool do you use? Answer: Implement recommendations from Defender for Cloud.

Scenario: You want to ensure compliance with PCI DSS. What do you enable? Answer: Add the PCI DSS regulatory compliance standard in Defender for Cloud.

Scenario: You need to monitor on-premises servers. Answer: Use Azure Arc to onboard them to Defender for Cloud.

Summary of Key Exam Points

Foundational CSPM is free with Defender for Cloud (paid Defender plans add workload protection and Defender CSPM features).

Secure score is weighted per security control: each control earns its maximum points times its fraction of healthy resources. It is not a raw percentage of compliant resources.

Recommendations are backed by Azure Policy.

Regulatory compliance requires adding a standard (built-in or custom).

Multicloud support uses AWS and GCP environment connectors; foundational CSPM for those clouds is free, and workload protection for them needs the matching Defender plans.

Continuous monitoring means near-real-time for changes.

Walk-Through

1

Enable Defender for Cloud

Navigate to Microsoft Defender for Cloud in the Azure portal. On the 'Getting started' page, select 'Upgrade' to enable the enhanced security features if needed. For CSPM only, the free tier is sufficient. Ensure the subscription is registered with the Microsoft.Security resource provider. This step activates the CSPM engine, which begins discovering resources and evaluating policies. The exam expects you to know that CSPM is available by default on all Azure subscriptions (free tier).

2

Review Secure Score

Go to the 'Secure score' blade. The overview shows your current score, the maximum possible score, and the score trend. Click on a security control to see which recommendations affect that control. Each control shows the number of healthy and unhealthy resources and the points earned versus its maximum; a control earns its maximum times (healthy resources / total resources). The overall score is (earned points / total possible points) * 100. For example, if your controls total 28 possible points and you have earned 21, your score is 75%. The exam may ask you to calculate the new score after remediating a recommendation.

3

Implement Recommendations

Go to the 'Recommendations' blade. Filter by severity (High, Medium, Low) or by security control. Select a recommendation, e.g., 'MFA should be enabled on accounts with owner permissions on your subscription'. Review the affected resources. Where a 'Fix' button is offered (the older label was 'Quick fix!'), select the unhealthy resources and apply it; Defender for Cloud changes the resource configuration for you. Otherwise follow the 'Remediation steps' and fix the resource manually. After remediation, the resource moves to the healthy list on the next evaluation, the recommendation disappears once every resource is healthy, and the secure score increases.

4

Configure Regulatory Compliance

Go to the 'Regulatory compliance' blade. Click 'Manage compliance policies' to add a built-in standard (e.g., PCI DSS 3.2.1) or a custom standard built from an Azure Policy initiative. The Microsoft cloud security benchmark is present by default; adding any other standard requires Defender CSPM on the subscription. Once added, Defender for Cloud maps recommendations to the standard's controls, and the dashboard shows the percentage of controls that pass. The exam tests that you can add multiple standards and that a custom standard is a policy initiative.

5

Set Up Multicloud Connectors

If you have AWS or GCP environments, go to 'Environment settings' and select 'Add environment'. For AWS, Defender for Cloud generates a CloudFormation template that creates the IAM roles it assumes, and you run it in the AWS account (or across the organization); for GCP, it generates a script that creates the service accounts and workload identity federation in the project. Choose which Defender plans, if any, to enable for the connector: the foundational CSPM assessment is free, and plans such as Defender for Servers add workload protection for those resources. Once connected, Defender for Cloud discovers the resources and evaluates them against the same benchmark, and the secure score includes findings from all clouds. The exam expects you to know that connectors are the onboarding mechanism for non-Azure clouds and that posture assessment itself does not require a paid plan.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank uses Azure for its customer-facing applications. The compliance team must adhere to PCI DSS and SOC 2. They enable Defender CSPM and add the PCI DSS 3.2.1 built-in standard. The secure score is initially 45% due to many misconfigurations: storage accounts allowing public blob access, VMs with open management ports, and missing MFA on owner accounts. The security team prioritizes high-severity recommendations, using 'Fix' to disable public access and apply network security group rules. Within a month, the secure score rises to 78%. They also set up continuous export to a Log Analytics workspace for audit logging. The compliance dashboard shows 85% of PCI DSS controls passing, which satisfies the auditor. Common pitfalls: not enabling Defender plans where workload protection is actually required, and forgetting to exempt resources that are intentionally non-compliant, which holds the score down for no security gain.

Enterprise Scenario 2: Multicloud Security Posture

A technology company runs workloads across Azure, AWS, and GCP. They need a unified view of security posture. They configure AWS and GCP connectors in Defender for Cloud and enable Defender for Servers on both, so the EC2 fleet gets workload protection on top of the free posture assessment. The connectors discover 500 EC2 instances, 200 S3 buckets, and 100 Cloud Storage buckets, and the secure score now reflects all three clouds. They notice that many S3 buckets are publicly accessible (a high-severity finding) and follow the recommendation to turn on S3 Block Public Access for those buckets. They also create a custom initiative to enforce tagging standards across all clouds. The central security team can now view all recommendations in one dashboard. Performance consideration: connectors sync on a schedule, so a fix made in the AWS console does not show as healthy in the same minute. Common issue: if the IAM role's trust policy or the GCP service account that Defender for Cloud uses is deleted or altered, connector authentication fails and resource discovery stops.

Enterprise Scenario 3: On-Premises Servers via Azure Arc

A manufacturing company has on-premises servers running Windows Server 2012. They want to apply the same security policies as their Azure VMs. They install the Azure Connected Machine agent (Azure Arc) on the on-premises servers, which projects them into Azure as Microsoft.HybridCompute/machines resources. Defender for Cloud then assesses these machines against the Microsoft cloud security benchmark. Recommendations appear for missing security updates, weak password policies, and exposed administrator accounts. They set up a custom initiative to enforce disk encryption. The secure score now includes on-premises resources. The exam may test that Azure Arc is required to extend CSPM to non-Azure servers. Common misconfiguration: expecting the retired Log Analytics agent (MMA) to provide coverage. Defender for Servers on Arc-enabled machines now relies on the Microsoft Defender for Endpoint sensor and Azure Monitor Agent; without Defender for Servers enabled you get posture assessment only, not threat detection.

How SC-200 Actually Tests This

What the SC-200 Exam Tests on CSPM (Objective 3.2)

The exam focuses on your ability to manage cloud security posture using Microsoft Defender for Cloud. Key sub-objectives include:

Interpret secure scores and recommendations.

Implement regulatory compliance standards.

Configure continuous export.

Manage multicloud connectors.

Understand the difference between the free tier (foundational CSPM) and paid Defender plans (workload protection and Defender CSPM).

Common Wrong Answers and Why Candidates Choose Them

1. Wrong answer: 'Enabling Defender for Cloud automatically enables all workload protection features.' Reality: Only foundational CSPM is free; workload protection requires enabling specific Defender plans (e.g., Defender for Servers), which incur costs. Candidates often confuse the free tier with the paid plans.

2. Wrong answer: 'The secure score is a simple percentage of compliant resources.' Reality: Points are earned per security control. Each control has a maximum and yields max * (healthy resources / total resources), where a resource is healthy only when it passes every recommendation in the control; the secure score is the sum of these over the sum of the maxima. A one-resource control such as 'Enable MFA' (10 points) can outweigh dozens of VM findings.

3. Wrong answer: 'Regulatory compliance standards are automatically added when you enable Defender for Cloud.' Reality: Only the Microsoft cloud security benchmark is assigned by default. Every other standard (built-in or custom) must be added, and doing so requires Defender CSPM. Candidates assume they are pre-configured.

4. Wrong answer: 'Connecting AWS or GCP requires a paid plan.' Reality: Environment connectors and foundational CSPM for AWS and GCP are free; what the paid plans add for those clouds is workload protection (Defender for Servers, Containers, Databases) and Defender CSPM features. Candidates carry over the old Security Center rule that multicloud needed the standard tier.

Specific Numbers, Values, and Terms That Appear Verbatim

Secure score range: 0% to 100%.

Recommendation severity levels: High, Medium, Low.

Built-in compliance standards: Azure CIS 1.1.0, Azure CIS 1.3.0, PCI DSS 3.2.1, SOC TSP, ISO 27001, NIST SP 800-53 (newer revisions also available); the Microsoft cloud security benchmark is the default.

Continuous export destinations: Log Analytics workspace or Event Hubs.

Default re-evaluation interval: 24 hours for most resources, but changes trigger immediate re-evaluation.

Edge Cases and Exceptions

Exemptions: You can create exemptions for specific resources (e.g., a test VM intentionally unsecured). Exemptions can be time-bound (e.g., expire in 30 days). The exam may test that exemptions do not change the resource's actual configuration; they only suppress the recommendation.

Custom initiatives: Must be uploaded as a JSON policy set definition. You can assign them at management group, subscription, or resource group level.

Secure score for management groups: The secure score is calculated per subscription, but you can view an aggregated score at the management group level.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When you see a question about improving secure score, remember: only remediating unhealthy resources in a control that still has points outstanding will increase the score, and the gain is proportional to the share of that control's resources you fix. If a question asks how to reduce the attack surface, think of recommendations that close open ports or enable encryption. If a question asks about compliance, think of adding a regulatory standard (which needs Defender CSPM). If a question asks about multicloud, think of environment connectors: free for posture assessment, Defender plans for workload protection. Use the mechanism: CSPM is continuous, policy-driven, and score-based.

Key Takeaways

Foundational CSPM is available in the free tier of Defender for Cloud; no additional cost.

Secure score = (achieved points / total possible points) * 100; each security control contributes its maximum times (healthy resources / total resources).

Recommendations are backed by Azure Policy definitions.

Regulatory compliance standards must be manually added (built-in or custom).

Multicloud connectors (AWS, GCP) are free at the foundational CSPM level; workload protection for those clouds needs the matching Defender plans.

Continuous export can send recommendations, secure score and alerts to a Log Analytics workspace or Event Hubs.

Exemptions can suppress recommendations for specific resources (time-bound possible).

Custom initiatives are uploaded as JSON policy set definitions.

Default re-evaluation interval is 24 hours; changes trigger near-real-time re-evaluation.

Azure Arc extends CSPM to on-premises servers.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Defender for Cloud Free Tier (CSPM Only)

No additional cost; included with Azure subscription

Provides secure score, recommendations and compliance against the Microsoft cloud security benchmark (other regulatory standards need Defender CSPM)

Does not require agents on workloads

Covers Azure resources plus AWS and GCP resources connected through environment connectors

No workload protection (e.g., no just-in-time VM access)

Defender for Cloud Enhanced Tier (with Defender Plans)

Requires enabling specific Defender plans (e.g., Defender for Servers) at additional cost

Includes all CSPM features plus workload protection

Uses the Microsoft Defender for Endpoint sensor and agentless scanning for server protections (the Log Analytics agent is retired)

Extends workload protection (Defender for Servers, Containers, Databases) to AWS and GCP resources through the same connectors

Provides threat detection, vulnerability scanning, and adaptive controls

Watch Out for These

Mistake

CSPM requires the enhanced tier of Defender for Cloud.

Correct

CSPM is available in the free tier. The enhanced tier adds workload protection features such as just-in-time VM access and adaptive application controls.

Mistake

The secure score is a simple percentage of compliant resources.

Correct

The secure score is calculated as (achieved points / total possible points) * 100, where each security control contributes its maximum times (healthy resources / total resources) and a resource is healthy only when it passes every recommendation in that control. Points are weighted per control, not counted per resource.

Mistake

Regulatory compliance standards are automatically applied to all subscriptions.

Correct

Only the Microsoft cloud security benchmark is assigned by default. You must add every other compliance standard (built-in or custom) yourself in Defender for Cloud, which requires Defender CSPM.

Mistake

Multicloud connectors require a paid Defender plan.

Correct

Environment connectors and foundational CSPM for AWS and GCP are free. Paid plans add workload protection (Defender for Servers, Containers, Databases) and Defender CSPM features for those resources.

Mistake

Exempting a resource from a recommendation has the same effect as remediating it.

Correct

'Fix' (labelled 'Quick fix!' in older documentation) runs a remediation that actually changes the resource configuration, and that change stays until something else alters it. An exemption leaves the configuration untouched; it only removes the resource from the recommendation and from the score calculation.


Frequently Asked Questions

How does Defender for Cloud secure score work?

The secure score is a percentage representing your compliance with security best practices. It is calculated as (achieved points / total possible points) * 100. Each security control (a group of related recommendations) has a maximum point value, and its current score is that maximum times (healthy resources / total resources), where a resource is healthy only when it passes every recommendation in the control. For example, if the 'Enable MFA' control is worth 10 points and MFA is enforced on all owner accounts, you earn all 10 points; if half of your VMs have open management ports, 'Secure management ports' pays out half of its 8 points. Total possible points are the sum of the control maxima, a figure Microsoft adjusts as controls change, so learn the rule rather than a number. To improve your score, remediate recommendations in controls that still have points outstanding.

What is the difference between free tier and enhanced tier in Defender for Cloud?

The free tier (foundational CSPM) provides secure score, recommendations, asset inventory and compliance against the Microsoft cloud security benchmark, for Azure, AWS and GCP, at no additional cost. Paid plans (the successor to the Azure Security Center standard tier) come in two kinds: workload protection plans such as Defender for Servers add just-in-time VM access, adaptive application controls, file integrity monitoring, vulnerability assessment and threat detection, billed per resource; Defender CSPM adds posture features such as additional regulatory compliance standards, attack path analysis and agentless scanning. The exam often tests the free-versus-paid distinction.

How do I add a regulatory compliance standard in Defender for Cloud?

Go to Microsoft Defender for Cloud > Regulatory compliance. Click 'Manage compliance policies'. On the policy management page, you can add a built-in standard (e.g., PCI DSS 3.2.1, Azure CIS 1.3.0) by selecting it from the list; this requires Defender CSPM on the subscription, since only the Microsoft cloud security benchmark is present by default. To add a custom standard, create an Azure Policy initiative (a set of policy definitions, authored as JSON or in the Azure Policy portal) and assign it to the relevant scope (management group, subscription, resource group), then add it as a custom standard. Once added, Defender for Cloud maps its recommendations to the standard's controls and shows the percentage of passing controls.

Can Defender for Cloud monitor AWS and GCP resources?

Yes. You configure an environment connector: for AWS, Defender for Cloud generates a CloudFormation template that creates the IAM roles it assumes; for GCP, it generates a script that creates the service accounts and workload identity federation in the project. Once connected, Defender for Cloud discovers resources (e.g., EC2 instances, S3 buckets, Cloud Storage buckets) and evaluates them against the Microsoft cloud security benchmark; the secure score aggregates findings from all connected clouds. Foundational CSPM for AWS and GCP is free; plans such as Defender for Servers and Defender for Containers are selected per connector and billed per resource. Connectors sync on a periodic schedule rather than instantly. Some features, such as adaptive application controls, are available only for Azure VMs.

What is continuous export in Defender for Cloud?

Continuous export streams security recommendations, secure score, regulatory compliance results and security alerts to a Log Analytics workspace or to Event Hubs. Log Analytics is the path into Microsoft Sentinel; Event Hubs is the path into third-party SIEMs and long-term storage. To configure it, go to Environment settings, select the subscription, and open Continuous export; choose the data types and the destination. Export is near-real-time. On the exam, know that continuous export works on the free tier, but alerts only exist if a Defender plan is generating them.

How do exemptions work in Defender for Cloud?

Exemptions allow you to suppress a recommendation for specific resources without fixing the underlying issue. For example, a test VM intentionally left unsecured can be exempted. An exemption is created per recommendation and scoped to a resource, resource group or subscription; it carries a category (Waiver for an accepted risk, Mitigated for a risk addressed by other means) and can be permanent or time-bound (e.g., expire in 30 days). Exemptions do not change the resource's configuration; they make the resource not applicable for that recommendation, which removes it from the secure score calculation. The exam tests that an exemption is different from remediation: 'Fix' changes the resource and makes it healthy, whereas an exemption leaves it unchanged and simply stops counting it.

What is the default re-evaluation interval for Defender for Cloud recommendations?

Defender for Cloud re-evaluates resources against policies every 24 hours by default. However, when a resource changes (e.g., a VM is created or a network security group is modified), Defender for Cloud triggers a near-real-time evaluation. This ensures that the secure score and recommendations reflect the current state. The exam may ask about this interval. Note that some policies may have different evaluation frequencies, but 24 hours is the standard.
