This chapter covers Microsoft Defender for Cloud plans and coverage — a critical topic for the SC-200 exam and for any security operations analyst managing multicloud environments. You will learn how to enable, configure, and optimize Defender for Cloud plans across Azure, AWS, and GCP, and understand exactly which features are available at each tier. This topic area typically accounts for 15–20% of exam questions, focusing on plan selection, feature mapping, and cost implications.
Jump to a section
Imagine you own a large office building with multiple floors (your cloud subscriptions), each floor containing offices, labs, and server rooms (your virtual machines, storage accounts, databases, etc.). You hire a security guard company called "Defender for Cloud." The company offers different service tiers: Basic (free), Standard (paid), and Premium (with advanced threat hunting). With the Basic plan, the guards only walk the perimeter and check that doors are locked — they give you a daily report of who entered and left (security findings and recommendations). With the Standard plan, guards are stationed inside, monitor every door and window in real-time, and immediately alert you if someone tries to pick a lock or if a server room door is left open (real-time alerts and threat protection). With the Premium plan, you get a dedicated team that proactively hunts for suspicious patterns — they review footage from past weeks, correlate events across floors, and even simulate break-ins to test your defenses (advanced threat hunting, attack path analysis, and vulnerability assessments). The coverage scope defines which floors and rooms are protected: you can choose to protect only the lobby (cloud security posture management), all offices (workload protections), or even the basement servers (containers and databases). If you upgrade a floor's plan, all rooms on that floor benefit, but you can also selectively protect specific high-value rooms with add-ons (like Defender for Servers P2 for critical servers). Just like a security guard company, Defender for Cloud's effectiveness depends on the plan you choose and the coverage you configure — and the exam tests exactly which plan covers which assets and what features are unlocked at each tier.
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is a unified cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multicloud environments (AWS and GCP). It provides two main categories of protection:
Cloud Security Posture Management (CSPM) – Continuous assessment of your cloud resources against security baselines (e.g., Azure Security Benchmark, CIS, NIST). Generates security recommendations and a secure score.
Cloud Workload Protection Platform (CWPP) – Advanced threat protection for specific workload types: servers, databases, storage, containers, App Service, Key Vault, etc.
Why Plans and Coverage Matter
Defender for Cloud offers multiple plans that unlock different features. The exam tests your ability to recommend the correct plan for a given scenario, understand what each plan includes, and know how to enable them across subscriptions, management groups, and multicloud connectors. Coverage refers to which resources are protected under a plan. For example, enabling the "Defender for Servers" plan on a subscription covers all VMs in that subscription, but you can also selectively exclude specific VMs via policy exemptions.
Defender for Cloud Plans Overview
There are two primary plan families:
1. Foundational CSPM (Free) – Included by default when you enable Defender for Cloud. Provides:
- Continuous assessment and security recommendations - Secure score - Regulatory compliance dashboards (with Azure Policy) - Inventory of cloud resources - Network map - No time-limited data retention for alerts (alerts are stored for 90 days)
2. Defender for Cloud Plans (Paid) – Each plan is a separate SKU that you enable per subscription or per resource. The main plans are:
Defender for Servers – Two tiers: Plan 1 (P1) and Plan 2 (P2). P1 includes Microsoft Defender for Endpoint integration, file integrity monitoring, and adaptive application controls. P2 adds vulnerability assessments, just-in-time VM access, and adaptive network hardening.
Defender for SQL Servers on Machines – Protects SQL Server instances running on VMs (Azure, on-premises, multicloud). Includes vulnerability assessment and threat detection.
Defender for SQL Databases – For Azure SQL Database, Azure SQL Managed Instance, and Synapse. Provides advanced threat protection and vulnerability assessment.
Defender for Storage – Protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage Gen2. Detects unusual access patterns, malware uploads, and data exfiltration.
Defender for Containers – Protects AKS clusters, Azure Container Registry, and Azure Kubernetes Service (AKS). Includes runtime threat detection, vulnerability assessment, and compliance checks.
Defender for App Service – Protects Azure App Service plans. Detects attacks targeting web applications, such as SQL injection and cross-site scripting.
Defender for Key Vault – Protects Azure Key Vault. Detects suspicious access patterns and exfiltration attempts.
Defender for Resource Manager – Protects Azure Resource Manager operations. Detects suspicious activities like privilege escalation or lateral movement.
Defender for DNS – Protects Azure DNS. Detects malicious DNS queries and data exfiltration.
Defender for Open-Source Relational Databases – Protects Azure Database for PostgreSQL, MySQL, and MariaDB (single server).
Defender for Azure Cosmos DB – Protects Azure Cosmos DB accounts.
Defender for Cloud Security Posture Management (CSPM) – A separate plan that enhances the free CSPM with additional features like attack path analysis, cloud security explorer, and advanced governance rules.
Enabling Plans
Plans can be enabled at the subscription level, management group level (via Azure Policy), or for individual resources. The exam expects you to know the following:
Subscription-level enablement: In the Azure portal, under Defender for Cloud > Environment settings > Select subscription > Enable plans. You can toggle each plan on/off.
Management group enablement: You can use Azure Policy to enforce Defender for Cloud plans across all subscriptions in a management group. The built-in initiative "Configure Microsoft Defender for Cloud to be enabled" can be assigned.
Multicloud enablement: For AWS and GCP, you must first connect the cloud connector (via AWS CloudFormation or GCP project configuration), then enable the same Defender plans for those resources.
Coverage Details
Coverage determines which resources are protected by a plan. Key points:
Per-subscription: When you enable a plan on a subscription, all current and future resources of that type in that subscription are protected. For example, enabling Defender for Servers on a subscription protects all existing and new VMs.
Per-resource: Some plans can be enabled per resource (e.g., Defender for Storage on a specific storage account). However, the exam emphasizes subscription-level enablement as the standard.
Exclusions: You can exclude specific resources from a plan using Azure Policy exemptions or by configuring the plan's settings (e.g., for Defender for Servers, you can exclude specific VMs via tags or resource IDs).
Multicloud coverage: For AWS and GCP, coverage applies to resources discovered via the connector. For example, if you enable Defender for Servers on the AWS connector, it protects EC2 instances discovered in that account.
Feature Mapping by Plan
The exam frequently asks which plan provides a specific feature. Here is a concise mapping:
Foundational CSPM (Free): Secure score, recommendations, compliance dashboards, inventory, network map.
Defender for Servers P1: MDE integration, FIM, adaptive application controls.
Defender for Servers P2: All P1 features plus vulnerability assessments (integrated Qualys), JIT VM access, adaptive network hardening.
Defender for SQL Servers on Machines: Vulnerability assessment and threat detection for SQL on VMs.
Defender for SQL Databases: Advanced threat protection and vulnerability assessment for Azure SQL.
Defender for Storage: Threat detection for Blob, Files, and ADLS Gen2.
Defender for Containers: Runtime threat detection, vulnerability assessment for AKS and ACR, compliance.
Defender for App Service: Web application attack detection.
Defender for Key Vault: Anomalous access detection.
Defender for Resource Manager: Suspicious ARM operations detection.
Defender for DNS: DNS-based threat detection.
Defender for CSPM (paid): Attack path analysis, cloud security explorer, advanced governance.
Default Values and Timers
Alert retention: 90 days for free tier, 90 days for paid plans (extendable to 1 year with continuous export to Log Analytics).
Vulnerability assessment scan frequency: For Defender for Servers P2, the integrated Qualys agent scans weekly by default. Scans can be triggered on demand.
Just-in-Time (JIT) VM access: Default request duration is 3 hours, configurable up to 8 hours.
File Integrity Monitoring (FIM): Monitors changes to registry keys and files. Default monitoring interval is every 24 hours.
Configuration and Verification Commands
While the SC-200 exam is not command-heavy, you should know how to verify plan status using Azure CLI or PowerShell:
# Check if a plan is enabled on a subscription
az security pricing show --name VirtualMachines --subscription <subscription-id>
# Enable Defender for Servers P2 on a subscription
az security pricing create --name VirtualMachines --tier Standard --subscription <subscription-id>
# List all plans and their tiers for a subscription
az security pricing list --subscription <subscription-id># Check plan status with PowerShell
Get-AzSecurityPricing -Name "VirtualMachines"
# Enable Defender for Servers P2
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"Interaction with Related Technologies
Defender for Cloud integrates deeply with:
Microsoft Defender for Endpoint (MDE): Defender for Servers P1 and P2 automatically onboard MDE to VMs for endpoint detection and response (EDR).
Azure Policy: Security recommendations are driven by Azure Policy initiatives. You can create custom policies to enforce specific plans.
Microsoft Sentinel: Defender for Cloud alerts can be streamed to Sentinel for advanced SIEM and SOAR.
Log Analytics: Defender for Cloud stores security data in a Log Analytics workspace. Continuous export can send alerts and recommendations to a workspace.
Azure Arc: For on-premises servers, you must enable Azure Arc and then apply Defender for Servers plans via Arc-enabled servers.
Multicloud Considerations
For AWS and GCP, Defender for Cloud uses connectors that discover resources and apply the same plans. The exam tests that:
AWS connector requires an IAM role with specific permissions.
GCP connector requires a service account with appropriate roles.
Plans enabled on the connector apply to all discovered resources of that type (e.g., Defender for Servers on AWS protects EC2 instances).
Some plans are not available for multicloud (e.g., Defender for App Service is Azure-only).
Cost Implications
Each plan has a per-resource or per-hour cost. The exam does not require exact pricing, but you should know that:
Foundational CSPM is free.
Defender for Servers P2 costs more than P1.
Defender for Containers is billed per AKS cluster per hour.
Defender for Storage is billed per storage account per month.
Enabling all plans on a subscription can be costly, so candidates must choose based on requirements.
Common Exam Scenarios
You need to protect Azure VMs from malware and vulnerabilities. Answer: Enable Defender for Servers P2 (or P1 if MDE is sufficient).
You need to protect Azure SQL Database from SQL injection. Answer: Enable Defender for SQL Databases.
You need to protect on-premises servers. Answer: First enable Azure Arc on the servers, then enable Defender for Servers on the subscription that contains the Arc resources.
You need to protect AKS clusters from runtime threats. Answer: Enable Defender for Containers.
You need to improve your security posture without additional cost. Answer: Use the foundational CSPM (free) to get recommendations and secure score.
1. Enable Defender for Cloud on Subscription
Navigate to the Azure portal, open Microsoft Defender for Cloud, and go to Environment settings. Select the subscription you want to protect. Under the 'Defender plans' tab, you will see a list of all available plans with toggles. By default, the foundational CSPM (free) is enabled. To enable a paid plan, toggle it on. For example, to enable Defender for Servers P2, turn on the 'Servers' plan and select 'Plan 2' from the dropdown. This action applies to all current and future VMs in that subscription. The change takes effect immediately, and you will start seeing alerts and recommendations within minutes. You can verify using Azure CLI: `az security pricing show --name VirtualMachines`.
2. Configure Plan Settings and Exclusions
After enabling a plan, you may need to configure its settings. For Defender for Servers, you can configure the vulnerability assessment solution (Qualys or Microsoft Defender Vulnerability Management), enable or disable FIM, and set up JIT VM access. To exclude specific resources, use Azure Policy exemptions or tags. For example, you can create a policy assignment that enables Defender for Servers but exempts VMs with tag 'Environment=Dev'. In the portal, under Environment settings > Subscription > Settings > Servers, you can configure exclusions by resource ID. This granularity is important for cost optimization and compliance.
3. Enable Multicloud Connectors
To protect AWS or GCP resources, you must first connect the cloud environment. In Defender for Cloud, go to Environment settings > Add environment > AWS or GCP. For AWS, you will deploy a CloudFormation stack that creates an IAM role with read-only permissions. For GCP, you create a service account and provide its credentials. After the connector is created, Defender for Cloud discovers resources (EC2, S3, etc.) and applies the same plans you enable on the connector. For example, if you enable Defender for Servers on the AWS connector, all EC2 instances in the connected account will be protected. Note that some plans (like Defender for App Service) are Azure-only and cannot be applied to multicloud.
4. Verify Plan Coverage and Alerts
After enabling plans, verify coverage using the 'Inventory' blade in Defender for Cloud. It shows all resources and their protection status. For each resource, you can see which plans are active. Alerts generated by the plans appear in the 'Security alerts' blade. You can filter by severity, time, and resource type. Use the continuous export feature to stream alerts to Log Analytics for long-term retention (beyond 90 days) or to Microsoft Sentinel. To verify plan status via CLI, run `az security pricing list` and check the 'tier' field: 'Free' for foundational, 'Standard' for paid plans.
5. Monitor and Optimize Coverage
Regularly review the recommendations blade to see if there are resources not covered by a plan you intended to enable. For example, if you enabled Defender for Servers but a new VM was created before the policy took effect, it might be unprotected. Use Azure Policy with the built-in initiative 'Configure Microsoft Defender for Cloud to be enabled' to automatically enable plans on new subscriptions or resources. Also, use the secure score to track improvement. If costs are a concern, you can disable plans on low-risk subscriptions or use exclusions. The exam may ask about using Azure Policy to enforce plans across management groups.
Scenario 1: Enterprise with Hybrid Infrastructure
A large financial services company runs 5,000 VMs across Azure, on-premises, and AWS. They need centralized threat protection and compliance reporting. They enable Defender for Servers P2 on all subscriptions (including the AWS connector) and Defender for SQL Servers on Machines for their SQL Server workloads. They use Azure Arc to onboard on-premises servers. The challenge is cost: at roughly $15 per VM per month for P2, the bill is significant. To optimize, they use exclusions for development VMs (tagged 'Environment=Dev') and only enable P1 for those. They also enable Defender for CSPM (paid) to gain attack path analysis and cloud security explorer for proactive threat hunting. The security team uses continuous export to send all alerts to Microsoft Sentinel for correlation. A common misconfiguration is forgetting to enable the AWS connector's plans after creating it, leaving EC2 instances unprotected. They use Azure Policy to enforce plan enablement on all new subscriptions and connectors.
Scenario 2: Multicloud Startup
A tech startup uses AWS for compute and Azure for databases and identity. They have 200 EC2 instances, 10 RDS databases, and 50 Azure SQL databases. They enable Defender for Servers P1 on the AWS connector (sufficient for their needs) and Defender for SQL Databases on the Azure subscription. They also enable Defender for Storage on their S3 buckets (via AWS connector) and Azure Blob Storage. The startup is cost-conscious, so they avoid enabling all plans. They rely on the foundational CSPM for posture management. A common issue is that Defender for Storage on AWS is limited; it only protects S3, not other AWS services like DynamoDB. They must use native AWS services for those. The exam may ask about such limitations: not all Azure Defender plans are available for multicloud.
Scenario 3: Regulated Healthcare Organization
A healthcare provider must comply with HIPAA and has 1,000 Azure VMs, 50 SQL Managed Instances, and 10 AKS clusters. They enable Defender for Servers P2 for vulnerability assessments (required by HIPAA), Defender for SQL Databases for threat detection, and Defender for Containers for AKS. They also enable the regulatory compliance dashboard with the HIPAA benchmark. They use JIT VM access to reduce attack surface. The performance impact of vulnerability scanning is a concern: weekly scans can cause CPU spikes. They schedule scans during maintenance windows. A misconfiguration they encountered: enabling Defender for Servers P2 but not the integrated Qualys agent, which left VMs without vulnerability data. They fixed it by ensuring the 'Vulnerability assessment' setting is set to 'Microsoft Defender Vulnerability Management' or 'Qualys'. The exam tests that you must configure the vulnerability assessment solution after enabling P2.
Exactly What SC-200 Tests
The SC-200 exam objective 3.1 covers "Manage Microsoft Defender for Cloud plans and coverage." Specifically, you must be able to:
Determine which Defender for Cloud plan to use based on workload and compliance requirements.
Enable and disable plans at the subscription, management group, and resource level.
Configure multicloud connectors for AWS and GCP.
Understand the difference between foundational CSPM and paid plans.
Map specific features to the correct plan (e.g., JIT VM access requires Defender for Servers P2).
Know how to exclude resources from coverage using tags or exemptions.
Common Wrong Answers and Why Candidates Choose Them
Choosing 'Defender for Servers P1' when the scenario requires vulnerability assessments. Candidates see 'server protection' and pick P1, but P1 does not include vulnerability assessment; that is in P2.
Enabling 'Defender for SQL Databases' for on-premises SQL Server. That plan only protects Azure SQL Database and Azure SQL Managed Instance. For SQL on VMs, you need 'Defender for SQL Servers on Machines'.
Thinking that enabling a plan on a subscription automatically protects all resources of that type across all subscriptions. No, it only protects the subscription where enabled. You must enable it on each subscription or use Azure Policy at the management group level.
Assuming the free tier includes threat detection. The free tier (foundational CSPM) only provides posture assessment and recommendations, not threat detection. Threat detection requires a paid plan.
Selecting 'Defender for Containers' for Azure Container Instances (ACI). Defender for Containers protects AKS and ACR, not ACI (though ACI is partially covered via Defender for Servers if running on VMs).
Specific Numbers and Terms That Appear on the Exam
Plan names exactly: 'Defender for Servers Plan 1', 'Defender for Servers Plan 2', 'Defender for SQL Servers on Machines', 'Defender for SQL Databases', 'Defender for Storage', 'Defender for Containers', 'Defender for App Service', 'Defender for Key Vault', 'Defender for Resource Manager', 'Defender for DNS', 'Defender for Open-Source Relational Databases', 'Defender for Azure Cosmos DB', 'Defender for CSPM'.
Default alert retention: 90 days (for both free and paid, but paid can be extended via continuous export).
JIT default duration: 3 hours.
FIM monitoring interval: every 24 hours.
Vulnerability assessment scan frequency: weekly.
Multicloud connector names: 'AWS connector' and 'GCP connector'.
Edge Cases and Exceptions
Azure Arc: For on-premises servers, you must enable Azure Arc before Defender for Servers can protect them. The plan is enabled on the subscription containing the Arc resources.
Defender for CSPM: This is a separate paid plan that enhances the free CSPM. It is not automatically included when you enable other plans.
Defender for Containers: Requires Azure Policy for AKS clusters to be installed as an add-on.
Defender for Storage: Does not protect Azure Files shares (only Blob, Files (SMB), and ADLS Gen2).
Exclusions: Using tags to exclude resources from a plan is a common exam scenario. For example, tag 'Environment=Test' can be used to exclude test VMs from Defender for Servers.
How to Eliminate Wrong Answers
Use the underlying mechanism: each plan is designed for a specific resource type. If the scenario mentions a SQL Server on an Azure VM, the answer must be 'Defender for SQL Servers on Machines', not 'Defender for SQL Databases'. If the scenario requires vulnerability scanning, the answer must include 'Plan 2' (for servers) or a plan that includes vulnerability assessment. If the scenario involves multicloud, ensure the plan is available for that environment. Also, remember that the free tier does not generate security alerts; it only provides recommendations.
Foundational CSPM (free) provides security recommendations and secure score, but no threat alerts.
Defender for Servers Plan 2 is required for vulnerability assessments and JIT VM access.
Defender for SQL Databases protects Azure SQL Database, Managed Instance, and Synapse; not SQL on VMs.
Defender for Containers protects AKS and ACR, not ACI.
Multicloud connectors (AWS, GCP) allow enabling Defender plans for non-Azure resources.
Alert retention is 90 days for all tiers; extend via continuous export to Log Analytics.
JIT VM access default request duration is 3 hours, configurable up to 8 hours.
FIM monitors registry and file changes every 24 hours by default.
Use Azure Policy to enforce Defender plans across management groups and subscriptions.
Exclude specific resources from a plan using tags or policy exemptions to reduce costs.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Servers Plan 1
Includes Microsoft Defender for Endpoint integration
Includes File Integrity Monitoring (FIM)
Includes Adaptive Application Controls
Does not include vulnerability assessment
Does not include Just-In-Time VM access
Defender for Servers Plan 2
Includes all Plan 1 features
Includes vulnerability assessment (Qualys or Microsoft Defender Vulnerability Management)
Includes Just-In-Time (JIT) VM access
Includes Adaptive Network Hardening
More expensive than Plan 1
Defender for SQL Databases
Protects Azure SQL Database, Azure SQL Managed Instance, Azure Synapse
Includes Advanced Threat Protection (ATP)
Includes Vulnerability Assessment
Does not protect SQL on VMs
Billed per database or per managed instance
Defender for SQL Servers on Machines
Protects SQL Server instances running on Azure VMs, on-premises (via Arc), and multicloud VMs
Includes threat detection and vulnerability assessment
Requires Azure Arc for on-premises
Does not protect Azure SQL Database or Managed Instance
Billed per SQL Server instance
Mistake
Enabling Defender for Cloud automatically protects all resources in the subscription.
Correct
No, you must enable specific plans (e.g., Defender for Servers, Defender for SQL) individually. The free foundational CSPM is always on, but it only provides recommendations, not threat protection.
Mistake
Defender for Servers Plan 2 includes everything in Plan 1 plus more.
Correct
Correct, but many candidates think Plan 1 includes vulnerability assessment. It does not. Plan 2 adds vulnerability assessment, JIT VM access, and adaptive network hardening.
Mistake
Defender for SQL Databases can protect SQL Server running on an on-premises VM.
Correct
No, Defender for SQL Databases only protects Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse. For SQL on VMs (including on-premises), use Defender for SQL Servers on Machines.
Mistake
The free tier provides security alerts.
Correct
The free tier (foundational CSPM) does not generate security alerts. It only provides security recommendations, secure score, and compliance dashboards. Alerts require a paid plan.
Mistake
Defender for Containers protects Azure Container Instances (ACI).
Correct
Defender for Containers primarily protects Azure Kubernetes Service (AKS) and Azure Container Registry (ACR). ACI is not directly protected; however, if ACI runs on a VM, that VM could be protected by Defender for Servers.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In the Azure portal, open Microsoft Defender for Cloud, go to Environment settings, select your subscription, and toggle on the plans you need (e.g., Servers, SQL). The foundational CSPM (free) is enabled by default. You can also use Azure CLI: `az security pricing create --name VirtualMachines --tier Standard`.
Plan 1 includes Microsoft Defender for Endpoint integration, File Integrity Monitoring, and Adaptive Application Controls. Plan 2 includes all of Plan 1 plus vulnerability assessment (Qualys or Microsoft Defender Vulnerability Management), Just-In-Time VM access, and Adaptive Network Hardening. Plan 2 is more expensive.
Yes, you must first enable Azure Arc on the on-premises servers to bring them into Azure as non-Azure VMs. Then enable Defender for Servers on the subscription that contains the Arc resources. The same plans apply.
Create an AWS connector in Defender for Cloud (Environment settings > Add environment > AWS). Deploy the CloudFormation stack to create an IAM role. Then, on the connector, enable the plans you want (e.g., Servers). EC2 instances will be discovered and protected.
90 days for both free and paid plans. To retain alerts longer, use continuous export to send them to a Log Analytics workspace or to Microsoft Sentinel.
You can use Azure Policy exemptions or tags. For example, create a policy that enables Defender for Servers but exempts VMs with tag 'Environment=Dev'. Alternatively, in the portal under Environment settings > Subscription > Settings > Servers, you can add exclusions by resource ID.
No, Defender for Containers protects Azure Kubernetes Service (AKS) and Azure Container Registry (ACR). For Azure Container Instances, consider using Defender for Servers if the containers run on VMs.
You've just covered Defender for Cloud Plans and Coverage — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?