SC-900 | Chapter 9 of 103 | Objective 3.1

Microsoft Defender for Cloud

This chapter covers Microsoft Defender for Cloud, a critical tool for securing cloud workloads across Azure, on-premises, and other clouds. For the SC-900 exam, understanding Defender for Cloud's capabilities—including workload protection, Secure Score, security recommendations, and regulatory compliance—is essential, as this topic area accounts for approximately 10-15% of the exam questions. You will learn the key components, how they work together, and what the exam specifically tests.

25 min read
Intermediate
Updated May 31, 2026

Defender for Cloud as Building Fire Safety System

Imagine a large office building that houses multiple tenants (your cloud workloads). A fire safety system monitors the entire building: it has smoke detectors (vulnerability assessment) in every room, sprinklers (adaptive application controls) that activate based on fire type, and a central alarm panel (Secure Score) that shows the overall safety level. The system also includes fire doors (just-in-time VM access) that prevent fire from spreading, and an automated call to the fire department (security alerts) when a real fire is detected. Crucially, the system doesn't just react; it also conducts regular inspections (security recommendations) and can block hazardous materials at the entrance (network security controls). Just as a building's fire safety system must be tailored to the building's layout and occupancy, Defender for Cloud adapts to your specific cloud environment, providing continuous assessment and actionable recommendations to reduce risk. The system's effectiveness depends on proper configuration and integration with all building components—just as Defender for Cloud relies on enabling plans and connecting resources.

How It Actually Works

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that provides unified security management across multicloud and hybrid environments. It helps you strengthen your security posture, protect against threats, and integrate with existing security workflows. Defender for Cloud is available in two main tiers: Free (Foundational CSPM) and Paid (Defender Cloud Security Posture Management + Workload Protections). The Free tier provides continuous assessment and security recommendations based on Microsoft's security best practices. The Paid tier adds advanced protections, including just-in-time VM access, adaptive application controls, file integrity monitoring, and threat detection for workloads.

How Defender for Cloud Works

Defender for Cloud operates through a combination of agents, APIs, and log analytics. The core mechanism involves:

1. Data Collection: Defender for Cloud collects data from connected resources via the Log Analytics agent (or Azure Monitor Agent) and Azure Policy. For VMs, it installs the Log Analytics agent to gather security-related configuration and event data. For PaaS services, it uses built-in telemetry.

2. Assessment and Recommendations: The collected data is evaluated against built-in security policies (based on Azure Security Benchmark) and custom policies. This evaluation generates security recommendations, each with a severity level (High, Medium, Low) and a remediation step. For example, a recommendation might state "MFA should be enabled on accounts with owner permissions on your subscription."

3. Secure Score: Each recommendation contributes to your Secure Score, a percentage that indicates your overall security posture. The Secure Score is calculated as a weighted average of all recommendations. Fixing recommendations increases your score. The formula is: (Achieved points / Total possible points) * 100%. Points are weighted based on the recommendation's impact and the likelihood of exploitation.

4. Security Alerts: When Defender for Cloud detects a threat, it generates a security alert. Alerts include details such as the affected resource, the threat type, and steps to investigate and remediate. Alerts are integrated with Azure Sentinel for SIEM capabilities.

5. Workload Protections: The Paid tier enables specific Defender plans (e.g., Defender for Servers, Defender for SQL, Defender for Storage) that provide advanced threat detection and response capabilities. Each plan has its own pricing and features.
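The Secure Score arithmetic above is easier to reason about with numbers in hand. The following is an added example, not code from the chapter or from Microsoft: it models the per-control proportional scoring Defender for Cloud applies (each security control contributes its maximum points scaled by the share of healthy resources, and controls with no applicable resources are left out of both numerator and denominator) on constructed sample data. Control names, point values and resource counts are illustrative assumptions; the `prioritize` helper shows why remediating a high-weight control such as MFA moves the score more than a low-weight one.

```python
"""Secure Score model: per-control proportional scoring on constructed data.

Added example, not Microsoft's code. Control names and point values are
assumed for illustration; the scoring rule mirrors the portal's
"achieved points / possible points" formula described in the chapter.
"""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    max_points: int      # weight of the control (assumed value)
    healthy: int         # resources that satisfy every recommendation in the control
    total: int           # resources the control applies to

    def current_points(self) -> float:
        if self.total == 0:
            return 0.0   # not applicable: contributes nothing
        return self.max_points * self.healthy / self.total


def secure_score(controls) -> float:
    """Overall score = achieved / possible * 100, over applicable controls only.

    A subscription with no applicable resources scores 0%, matching the edge
    case the chapter calls out.
    """
    applicable = [c for c in controls if c.total > 0]
    possible = sum(c.max_points for c in applicable)
    if possible == 0:
        return 0.0
    achieved = sum(c.current_points() for c in applicable)
    return round(achieved / possible * 100, 1)


def points_per_fix(control: Control) -> float:
    """Score gain from moving one unhealthy resource to healthy in this control."""
    if control.total == 0 or control.healthy >= control.total:
        return 0.0
    return control.max_points / control.total


def prioritize(controls):
    """Controls that still have unhealthy resources, best score gain per fix first."""
    open_controls = [c for c in controls if c.total > 0 and c.healthy < c.total]
    return sorted(open_controls, key=points_per_fix, reverse=True)


# Constructed sample posture (not a real tenant). The last control has no
# resources in scope and therefore does not count against the score.
SAMPLE = [
    Control("Enable MFA", 10, 1, 4),
    Control("Secure management ports", 8, 0, 10),
    Control("Apply system updates", 6, 3, 3),
    Control("Encrypt data in transit", 4, 0, 0),
]

if __name__ == "__main__":
    print(f"Secure Score: {secure_score(SAMPLE)}%")   # 35.4%
    for c in prioritize(SAMPLE):
        print(f"{c.name}: +{points_per_fix(c):.2f} points per remediated resource")
```

With the sample data the score is 35.4% (8.5 achieved of 24 possible). Fixing one more MFA account is worth 2.5 points, while securing one more management port is worth 0.8, which is the practical content of "recommendations have different weights".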

Key Components and Defaults

Secure Score: Ranges from 0% to 100%. Default baseline is based on Azure Security Benchmark. The score is recalculated every time a recommendation is completed or a resource changes.

Security Recommendations: Over 500 built-in recommendations. Each recommendation has a 'healthy' and 'unhealthy' status. Default refresh interval is 24 hours for most resources, but can be triggered on-demand.

Regulatory Compliance Dashboard: Provides pre-built compliance assessments against standards like SOC 2, ISO 27001, PCI DSS, and Azure CIS. Default standards are Azure Security Benchmark and Microsoft Cloud Security Benchmark.

Defender Plans: Each plan (e.g., Defender for Servers Plan 1 or Plan 2) has specific features. For instance, Plan 2 includes file integrity monitoring, just-in-time VM access, and adaptive application controls.

Log Analytics Agent: Required for VM-level data collection. Default workspace is created per region unless a custom workspace is specified.

Pricing: Free tier includes foundational CSPM. Paid tier starts at $15/node/month for Defender for Servers Plan 1.

Configuration and Verification

To enable Defender for Cloud:

1. In the Azure portal, navigate to Microsoft Defender for Cloud.

2. Select Environment settings and choose your subscription or management group.

3. Toggle on Defender Cloud Security Posture Management (Free) or enable specific Defender plans.

4. For VMs, install the Log Analytics agent via the Auto-provisioning settings.

To verify configuration:

Use Azure CLI: az security pricing show --name VirtualMachines

Use PowerShell: Get-AzSecurityPricing -Name VirtualMachines

Check the Recommendations blade to see if any resources are unhealthy.
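Checking plans one at a time with `az security pricing show` does not scale across many subscriptions. The following added example (not part of the chapter or the Azure CLI) parses a constructed JSON document shaped like the output of `az security pricing list -o json` and reports which of the plans the chapter relies on are still on the Free tier, plus whether just-in-time VM access is actually available (which, per the chapter, needs Defender for Servers Plan 2). The field names `name`, `pricingTier` and `subPlan` match the CLI output; the `value` wrapper and the sample values are assumptions, so run the real command to obtain the document.

```python
"""Summarize Defender plan tiers from `az security pricing list` JSON.

Added example, not the chapter's or Microsoft's code. SAMPLE_OUTPUT is a
constructed document in the shape of the CLI output; obtain the real one with
`az security pricing list -o json`.
"""
import json

# Constructed sample, not real CLI output.
SAMPLE_OUTPUT = """
{
  "value": [
    {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P1"},
    {"name": "SqlServers",      "pricingTier": "Free",     "subPlan": null},
    {"name": "StorageAccounts", "pricingTier": "Standard", "subPlan": "DefenderForStorageV2"},
    {"name": "CloudPosture",    "pricingTier": "Free",     "subPlan": null}
  ]
}
"""

# Plans the chapter's scenarios expect on the paid tier (assumed required set).
REQUIRED_STANDARD = {"VirtualMachines", "SqlServers", "StorageAccounts"}


def parse_pricings(raw: str) -> dict:
    """Map plan name -> (pricingTier, subPlan). Accepts a {'value': [...]} wrapper or a bare list."""
    doc = json.loads(raw)
    items = doc["value"] if isinstance(doc, dict) else doc
    return {item["name"]: (item.get("pricingTier"), item.get("subPlan")) for item in items}


def plans_still_free(pricings: dict, required=REQUIRED_STANDARD) -> list:
    """Required plans that are missing or not on the Standard (paid) tier."""
    return sorted(name for name in required
                  if pricings.get(name, ("Free", None))[0] != "Standard")


def jit_available(pricings: dict) -> bool:
    """JIT VM access needs Defender for Servers Plan 2, i.e. VirtualMachines on Standard with subPlan P2."""
    tier, sub = pricings.get("VirtualMachines", ("Free", None))
    return tier == "Standard" and sub == "P2"


if __name__ == "__main__":
    pricings = parse_pricings(SAMPLE_OUTPUT)
    print("Still on Free tier:", plans_still_free(pricings))   # ['SqlServers']
    print("JIT available:", jit_available(pricings))           # False (Plan 1 only)
```

The second check is the one people miss: Defender for Servers can show as "Standard" while still being Plan 1, in which case the JIT and file integrity monitoring features from the Plan 2 list are not there.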

Integration with Related Technologies

Azure Policy: Defender for Cloud uses built-in policies to enforce security controls. You can create custom initiatives.

Azure Sentinel: Security alerts from Defender for Cloud can be streamed to Sentinel for advanced correlation and incident response.

Microsoft Defender for Identity: On-premises identity protection can be integrated for hybrid scenarios.

Microsoft Defender for Cloud Apps: Provides visibility into cloud app usage and can be integrated for shadow IT discovery.

Azure Arc: Extends Defender for Cloud to on-premises and multicloud servers.

Exam-Relevant Details

The Free tier is included with any Azure subscription. It provides continuous assessment and security recommendations but no threat detection.

Secure Score is not a guarantee of security; it's a measure of how well you follow Microsoft's best practices.

Regulatory compliance dashboard includes default standards; you can add more.

Just-in-time VM access is only available in the Paid tier (Defender for Servers Plan 2).

Adaptive application controls allow you to define allowlists for applications running on VMs.

File integrity monitoring monitors changes to critical files and registry keys.

Defender for Cloud supports AWS and GCP via multicloud connectors.

Step-by-Step: Enabling Defender for Cloud and Interpreting Secure Score

1. Access Defender for Cloud: In Azure portal, search for "Microsoft Defender for Cloud" and open the service.

2. Review Secure Score: On the overview page, note your current Secure Score percentage. Click the score to see a breakdown by control area (e.g., Identity, Networking, Storage).

3. Examine Recommendations: Under "Recommendations", filter by severity. Each recommendation shows affected resources, the potential risk, and steps to remediate.

4. Remediate a Recommendation: Select a recommendation, e.g., "MFA should be enabled on accounts with owner permissions". Click "Fix" to enable MFA via Azure AD or follow manual steps. After remediation, the Secure Score updates (may take up to 24 hours automatically, or you can trigger a refresh).

5. Enable a Defender Plan: Go to "Environment settings" > Select subscription > Toggle on "Defender for Servers" (Plan 1 or Plan 2). Confirm pricing. After enabling, additional recommendations and alerts appear.

6. View Security Alerts: Under "Security alerts", review any active alerts. Each alert includes a description, severity, affected resource, and recommended response.

7. Check Regulatory Compliance: Under "Regulatory compliance", select a standard (e.g., Azure CIS 1.3.0). See which controls pass or fail, and drill into specific recommendations.

Real-World Section

Scenario 1: Enterprise Migration to Azure A large financial services company migrates 500 VMs and multiple SQL databases to Azure. They need to meet PCI DSS compliance. Using Defender for Cloud, they enable Defender for Servers Plan 2 and Defender for SQL. They configure the regulatory compliance dashboard with the PCI DSS v3.2.1 standard. The Secure Score starts at 30%. Over three months, the security team remediates critical recommendations: enabling MFA, encrypting disks, and configuring network security groups. The score rises to 85%. They also use just-in-time VM access to reduce the attack surface, and adaptive application controls to block unauthorized software. A common pitfall is forgetting to enable auto-provisioning for the Log Analytics agent on new VMs, causing gaps in monitoring.

Scenario 2: Multicloud Security Posture A tech startup uses Azure for compute and AWS for storage. They deploy Defender for Cloud with multicloud connectors for AWS. The CSPM assessments cover both environments, providing a unified Secure Score and recommendations. They identify misconfigured S3 buckets and Azure storage accounts with public access. By remediating these, they reduce the risk of data exposure. Performance considerations: The connector for AWS requires read-only permissions and incurs additional cost based on the number of resources. Misconfiguration of the connector (e.g., incorrect role ARN) leads to failed discovery and missing recommendations.

Scenario 3: Hybrid Environment with On-Premises Servers A healthcare organization has 200 on-premises servers running legacy applications. They use Azure Arc to project these servers into Azure and enable Defender for Cloud. They deploy Defender for Servers Plan 2 to get threat detection and file integrity monitoring. The Log Analytics agent is installed on each server via Arc. The Secure Score includes on-premises resources, allowing unified security management. A challenge is network connectivity: if the agents cannot communicate with Azure (e.g., due to firewall rules), data collection fails. They must ensure outbound HTTPS access to the Log Analytics workspace.

Exam Focus Section

What SC-900 Tests - Objective 3.1: Describe the capabilities of Microsoft Defender for Cloud. Specifically, you need to know:

The difference between Free (Foundational CSPM) and Paid (Defender CSPM + workload protections) tiers.

Secure Score: what it measures, how it's calculated, and that it's based on recommendations.

Security recommendations: how they are generated and what they indicate.

Regulatory compliance dashboard: that it includes built-in standards and allows custom assessments.

Workload protections: just-in-time VM access, adaptive application controls, file integrity monitoring.

Integration with Azure Sentinel, Azure Policy, and Defender for Cloud Apps.

Multicloud support for AWS and GCP.

Common Wrong Answers

1. "Secure Score is a real-time measure of active threats." — Wrong: Secure Score measures posture (how well you follow best practices), not active threats. Candidates confuse Secure Score with security alerts.

2. "All Defender plans are included in the Free tier." — Wrong: Only foundational CSPM is free. Workload protections require a paid plan.

3. "Defender for Cloud only works with Azure resources." — Wrong: It supports AWS, GCP, and on-premises via Azure Arc.

4. "You must manually enable auto-provisioning for the Log Analytics agent." — Wrong: Auto-provisioning is on by default for new subscriptions, but can be disabled. Candidates think it's always manual.

Specific Numbers and Terms

- Secure Score formula: (Achieved points / Total possible points) * 100%.
- Default refresh: 24 hours.
- Pricing: $15/node/month for Defender for Servers Plan 1 (exam may ask approximate cost).
- Supported cloud providers: Azure, AWS, GCP.
- Regulatory compliance standards: Azure Security Benchmark, Microsoft Cloud Security Benchmark, SOC 2, ISO 27001, PCI DSS.

Edge Cases

- If a subscription has no resources, Secure Score is 0% but no recommendations appear.
- Recommendations can be suppressed if they are not applicable.
- Just-in-time VM access requires a default port (3389 for RDP, 22 for SSH) to be enabled.
- Adaptive application controls require at least 14 days of data to generate recommendations.

How to Eliminate Wrong Answers

- For questions about Secure Score, remember it's about best practices, not threat detection.
- For tier questions, look for keywords like "threat detection" or "advanced" to indicate paid tier.
- For scope questions, note that multicloud is supported.

Misconceptions

1. Myth: Defender for Cloud is only for Azure VMs. Reality: It covers Azure PaaS services (SQL, storage, app services), on-premises servers via Azure Arc, and even AWS and GCP resources.

2. Myth: Secure Score reflects how many threats have been blocked. Reality: Secure Score measures your security posture based on implemented best practices. It does not measure active threats or attacks.

3. Myth: All security recommendations must be fixed to improve Secure Score. Reality: Recommendations have different weights. Fixing high-impact recommendations (e.g., enabling MFA) gives more points than low-impact ones (e.g., enabling diagnostic logs).

4. Myth: The Free tier provides threat detection for workloads. Reality: The Free tier only provides continuous assessment and recommendations. Threat detection requires enabling a paid Defender plan.

5. Myth: Defender for Cloud automatically remediates all security issues. Reality: It provides recommendations and some automated remediation options (e.g., "Fix" button for certain policies), but most require manual action or configuration.

Comparisons

1. Microsoft Defender for Cloud vs. Azure Security Center
- Azure Security Center was the previous name; Defender for Cloud is the current, broader service.
- Defender for Cloud includes CSPM and CWPP; Security Center was primarily CSPM.
- Defender for Cloud integrates with Microsoft Defender for Cloud Apps, while Security Center did not.

2. Defender for Cloud Free Tier vs. Paid Defender Plans
- Free: Foundational CSPM, continuous assessment, security recommendations, Secure Score, regulatory compliance dashboard (with limited standards).
- Paid: All Free features plus workload protections (threat detection, just-in-time VM access, adaptive application controls, file integrity monitoring), advanced compliance (more standards), and multicloud support.

3. Defender for Cloud vs. Azure Policy
- Azure Policy enforces rules on resources (e.g., deny creation of unencrypted storage accounts).
- Defender for Cloud uses Azure Policy to evaluate compliance and generate recommendations, but also provides threat detection and security alerts.
- They are complementary: Defender for Cloud's recommendations can be enforced via Azure Policy.

Key Takeaways

Defender for Cloud provides unified security management across Azure, on-premises, and multicloud.

The Free tier (Foundational CSPM) is included with Azure subscription and offers continuous assessment and recommendations.

Secure Score measures your security posture based on implemented recommendations; it ranges from 0% to 100%.

Security recommendations are generated based on built-in and custom policies; each has a severity and remediation step.

Paid Defender plans add workload protections: threat detection, just-in-time VM access, adaptive application controls, file integrity monitoring.

Regulatory compliance dashboard includes pre-built standards like Azure Security Benchmark, SOC 2, ISO 27001, and PCI DSS.

Defender for Cloud integrates with Azure Sentinel, Azure Policy, and Microsoft Defender for Cloud Apps.

Multicloud support extends to AWS and GCP via connectors.

The Log Analytics agent is required for VM-level data collection; auto-provisioning is enabled by default.

Just-in-time VM access reduces attack surface by opening ports only when needed, and only for authorized users.

Adaptive application controls use machine learning to create allowlists for applications running on VMs.

FAQ

1. Q: What is the difference between Defender for Cloud Free and Paid tiers? A: The Free tier provides foundational cloud security posture management (CSPM) including continuous assessment, security recommendations, and Secure Score. The Paid tier (Defender Cloud Security Posture Management + Workload Protections) adds advanced threat detection, just-in-time VM access, adaptive application controls, file integrity monitoring, and regulatory compliance with more standards. You must enable specific Defender plans (e.g., Defender for Servers) for workload protection.

2. Q: How is Secure Score calculated? A: Secure Score is calculated as (Achieved points / Total possible points) * 100%. Each security recommendation has a point value based on its potential impact and the likelihood of exploitation. Achieving a recommendation adds its points to your achieved total. The total possible points is the sum of all recommendation points applicable to your environment. The score refreshes automatically every 24 hours or on-demand.

3. Q: Can Defender for Cloud protect resources in AWS and GCP? A: Yes, Defender for Cloud supports multicloud environments. You can connect AWS and GCP accounts using connectors. This allows you to view security recommendations, Secure Score, and regulatory compliance for those resources alongside Azure resources. Threat detection for AWS and GCP workloads requires enabling the appropriate Defender plans.

4. Q: What is just-in-time VM access? A: Just-in-time (JIT) VM access is a feature of Defender for Servers Plan 2 that reduces the attack surface by allowing you to lock down inbound traffic to VMs. When a user requests access, Azure opens the requested ports (e.g., RDP 3389, SSH 22) for a specified time period (default 3 hours) after approval. After the time expires, the ports are closed again. JIT access can be configured from the Defender for Cloud portal or via Azure Policy.
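The JIT decision described in this answer can be written down as a small policy evaluation. The following is an added example, not Microsoft's JIT implementation or the chapter's code: a constructed JIT policy lists the ports that may be requested, the source prefix permitted for each, and a maximum request duration in the ISO 8601 form real JIT policies use (e.g. "PT3H" for the 3-hour default). A request is approved only if the port is in the policy, the duration does not exceed the maximum, and the source address is permitted; the port then closes again once the expiry passes. The RBAC check on the requesting user that the real service performs is not modelled here.

```python
"""Evaluate JIT VM access requests against a JIT policy (constructed example).

Added example, not the chapter's or Microsoft's code. The policy and request
shapes are assumptions; the "PT3H" duration format matches real JIT policies.
"""
import ipaddress
import re
from datetime import datetime, timedelta

JIT_POLICY = {   # constructed sample policy for one VM
    "vm": "web-vm-01",
    "ports": [
        {"number": 22,   "protocol": "TCP", "allowedSourceAddressPrefix": "10.0.0.0/24",
         "maxRequestAccessDuration": "PT3H"},
        {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
         "maxRequestAccessDuration": "PT1H"},
    ],
}


def parse_iso_duration_minutes(value: str) -> int:
    """Convert a PT<h>H<m>M duration (the subset JIT policies use) to minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m or value == "PT":
        raise ValueError(f"unsupported duration: {value}")
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours * 60 + minutes


def source_allowed(prefix: str, source_ip: str) -> bool:
    """'*' permits any source; otherwise the source must fall inside the CIDR prefix."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(prefix, strict=False)


def evaluate_request(policy: dict, port: int, source_ip: str, minutes: int, now_iso: str):
    """Return (approved, reason, expiry_iso); expiry_iso is None when the request is denied."""
    now = datetime.fromisoformat(now_iso)
    rule = next((p for p in policy["ports"] if p["number"] == port), None)
    if rule is None:
        return False, f"port {port} is not in the JIT policy", None
    max_minutes = parse_iso_duration_minutes(rule["maxRequestAccessDuration"])
    if minutes <= 0 or minutes > max_minutes:
        return False, f"requested {minutes} min exceeds policy maximum {max_minutes} min", None
    if not source_allowed(rule["allowedSourceAddressPrefix"], source_ip):
        return False, f"source {source_ip} not permitted by {rule['allowedSourceAddressPrefix']}", None
    expiry = now + timedelta(minutes=minutes)
    return True, "approved", expiry.isoformat()


def port_is_open(expiry_iso: str, now_iso: str) -> bool:
    """The opened port is reachable only until the approved window expires."""
    return datetime.fromisoformat(now_iso) < datetime.fromisoformat(expiry_iso)


if __name__ == "__main__":
    t0 = "2026-01-01T09:00:00+00:00"   # constructed timestamp
    for port, src, mins in [(22, "10.0.0.5", 120), (3389, "203.0.113.9", 180), (8080, "10.0.0.5", 30)]:
        print(port, src, mins, "->", evaluate_request(JIT_POLICY, port, src, mins, t0)[:2])
```

The 3389 request in the demo is denied not because of the source but because it asks for three hours while the policy caps RDP at one; tightening `maxRequestAccessDuration` per port is the lever the policy gives you for limiting exposure.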

5. Q: How do I enable Defender for Cloud for an on-premises server? A: To protect on-premises servers, you need to use Azure Arc. First, install the Azure Arc agent on the server to project it as an Azure resource. Then, enable Defender for Cloud on the subscription and install the Log Analytics agent (or Azure Monitor Agent) on the server via Arc. The server will then appear in Defender for Cloud and receive security recommendations and threat detection (if a paid plan is enabled).

6. Q: What are adaptive application controls? A: Adaptive application controls (AAC) is a feature of Defender for Servers that uses machine learning to analyze the applications running on your VMs. After a learning period (typically 14 days), it creates an allowlist of known safe applications. It then generates alerts or blocks any application not on the allowlist. AAC helps prevent malware and unauthorized software from running.

7. Q: Does Defender for Cloud automatically fix security issues? A: Some recommendations offer a "Fix" button that can automatically apply remediation (e.g., enabling encryption on a storage account). However, many recommendations require manual steps or custom configuration. Defender for Cloud primarily provides guidance and monitoring; it does not automatically patch vulnerabilities or change configurations unless you explicitly approve.

Quiz

1. Question: Which of the following is included in the Free tier of Microsoft Defender for Cloud?
A. Continuous assessment and security recommendations.
B. Just-in-time VM access.
C. File integrity monitoring.
D. Threat detection for SQL databases.
Answer: A. The Free tier provides foundational CSPM including continuous assessment and security recommendations. Just-in-time VM access, file integrity monitoring, and threat detection require paid Defender plans.

2. Question: What does Secure Score measure?
A. The number of active threats detected.
B. The percentage of security recommendations that have been implemented.
C. The performance of the Log Analytics agent.
D. The number of regulatory standards met.
Answer: B. Secure Score measures your security posture based on the percentage of implemented recommendations. It does not measure active threats or agent performance.

3. Question: Which of the following is a feature of Defender for Servers Plan 2?
A. Just-in-time VM access.
B. Secure Score.
C. Regulatory compliance dashboard.
D. Security recommendations.
Answer: A. Just-in-time VM access is a feature of Defender for Servers Plan 2. Secure Score, regulatory compliance dashboard, and security recommendations are available in the Free tier.

4. Question: How often does Secure Score refresh automatically?
A. Every 24 hours.
B. Every 12 hours.
C. Every hour.
D. Real-time.
Answer: A. Secure Score refreshes automatically every 24 hours. You can also trigger an on-demand refresh.

5. Question: Can Defender for Cloud provide security recommendations for AWS resources?
A. Yes, if you connect your AWS account using a multicloud connector.
B. No, it only works with Azure resources.
C. Yes, but only for compute resources.
D. No, AWS has its own security tools.
Answer: A. Defender for Cloud supports multicloud environments, including AWS, via connectors. It can provide security recommendations and Secure Score for connected AWS resources.


Walk-Through

1. Access Microsoft Defender for Cloud

In the Azure portal, search for 'Microsoft Defender for Cloud' and select it. The overview page displays your Secure Score, the number of security recommendations, and recent security alerts. This is the central dashboard for managing security posture across your subscriptions. For SC-900, you need to know that the overview provides a high-level summary and that you can drill down into specific areas.

2. Review Secure Score and Recommendations

Click on the Secure Score percentage to see a breakdown by control areas (e.g., Identity, Networking, Storage). Each area shows how many points you've achieved out of the total possible. Below, the Recommendations blade lists all security recommendations with their severity. Each recommendation includes a description, affected resources, and steps to remediate. The exam tests that Secure Score is based on recommendations, not on threat detection.

3. Enable a Defender Plan

Navigate to 'Environment settings' and select your subscription. Under 'Defender plans', toggle on a plan such as 'Defender for Servers' (Plan 1 or Plan 2). Confirm the pricing. Once enabled, additional workload protections become available, such as just-in-time VM access and file integrity monitoring. For SC-900, know that enabling a plan is required for advanced threat detection.

4. Configure Auto-Provisioning for Log Analytics

Under 'Environment settings' > 'Auto-provisioning', ensure the Log Analytics agent is set to 'On' for new VMs. This automatically installs the agent on any new VM, enabling data collection. If turned off, you must manually install the agent. The exam may ask about the default state of auto-provisioning (it is on by default).

5. View and Respond to Security Alerts

In the 'Security alerts' blade, you can see alerts generated by Defender for Cloud. Each alert includes a severity level (High, Medium, Low), a description, the affected resource, and recommended steps. You can click an alert to investigate further or link to Azure Sentinel for advanced analysis. For the exam, understand that alerts are only generated if a paid Defender plan is enabled.


Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Free Tier (Foundational CSPM)

Continuous assessment and security recommendations

Secure Score based on best practices

Regulatory compliance dashboard with limited standards

No threat detection for workloads

No just-in-time VM access or adaptive application controls

Paid Tier (Defender CSPM + Workload Protections)

All Free tier features included

Advanced threat detection for workloads (e.g., SQL, Storage)

Just-in-time VM access to reduce attack surface

Adaptive application controls to block unauthorized software

File integrity monitoring and more regulatory standards

Watch Out for These

Mistake

Defender for Cloud is only for Azure VMs.

Correct

It covers Azure PaaS services (SQL, storage, app services), on-premises servers via Azure Arc, and even AWS and GCP resources.

Mistake

Secure Score reflects how many threats have been blocked.

Correct

Secure Score measures your security posture based on implemented best practices. It does not measure active threats or attacks.

Mistake

All security recommendations must be fixed to improve Secure Score.

Correct

Recommendations have different weights. Fixing high-impact recommendations (e.g., enabling MFA) gives more points than low-impact ones (e.g., enabling diagnostic logs).

Mistake

The Free tier provides threat detection for workloads.

Correct

The Free tier only provides continuous assessment and recommendations. Threat detection requires enabling a paid Defender plan.

Mistake

Defender for Cloud automatically remediates all security issues.

Correct

It provides recommendations and some automated remediation options (e.g., a "Fix" button for certain policies), but most issues still require manual action or configuration.


Frequently Asked Questions

What is the difference between Defender for Cloud Free and Paid tiers?

The Free tier provides foundational cloud security posture management (CSPM) including continuous assessment, security recommendations, and Secure Score. The Paid tier (Defender Cloud Security Posture Management + Workload Protections) adds advanced threat detection, just-in-time VM access, adaptive application controls, file integrity monitoring, and regulatory compliance with more standards. You must enable specific Defender plans (e.g., Defender for Servers) for workload protection.

How is Secure Score calculated?

Secure Score is calculated as (Achieved points / Total possible points) * 100%. Each security recommendation has a point value based on its potential impact and the likelihood of exploitation. Achieving a recommendation adds its points to your achieved total. The total possible points is the sum of the point values of all recommendations applicable to your environment. The score refreshes automatically every 24 hours or on demand.
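To make the weighting concrete (the formula above, plus the point that high-impact recommendations such as MFA move the score far more than low-impact ones such as diagnostic logs), here is an added Python model; it is illustrative code for this chapter, not Microsoft's implementation. Recommendation names, point values and resource counts are constructed, and the assumption that points are earned in proportion to the share of compliant resources is a modelling choice.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Recommendation:
    """One Secure Score recommendation and its resource health in your environment."""
    name: str
    max_points: int   # weight: high-impact controls (MFA) carry more points than low-impact ones (logs)
    healthy: int      # resources already compliant
    unhealthy: int    # resources still needing remediation

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    def achieved_points(self) -> float:
        # Modelling assumption: points are earned in proportion to the share of compliant resources.
        return 0.0 if self.total == 0 else self.max_points * self.healthy / self.total


def secure_score(recs: list[Recommendation]) -> float:
    """Secure Score = achieved points / total possible points * 100, rounded to one decimal."""
    possible = sum(r.max_points for r in recs if r.total > 0)  # only recommendations with resources apply
    achieved = sum(r.achieved_points() for r in recs)
    return 0.0 if possible == 0 else round(achieved / possible * 100, 1)


def remediation_gains(recs: list[Recommendation]) -> list[tuple[str, float]]:
    """Rank unhealthy recommendations by the score increase from fixing all of their resources."""
    base = secure_score(recs)
    gains = []
    for r in recs:
        if r.unhealthy == 0:
            continue
        fixed = replace(r, healthy=r.total, unhealthy=0)
        after = [fixed if x is r else x for x in recs]
        gains.append((r.name, round(secure_score(after) - base, 1)))
    return sorted(gains, key=lambda g: g[1], reverse=True)


# Constructed sample inventory; names, point values and counts are illustrative, not from a live tenant.
SAMPLE = [
    Recommendation("Enable MFA for accounts with owner permissions", 10, healthy=0, unhealthy=2),
    Recommendation("Apply system updates", 6, healthy=3, unhealthy=1),
    Recommendation("Restrict management ports with just-in-time access", 4, healthy=1, unhealthy=3),
    Recommendation("Enable diagnostic logs", 1, healthy=2, unhealthy=8),
    Recommendation("Enable encryption on storage accounts", 4, healthy=5, unhealthy=0),
    Recommendation("Harden GCP resources", 5, healthy=0, unhealthy=0),  # no resources: not applicable
]

if __name__ == "__main__":
    print(f"Secure Score: {secure_score(SAMPLE)}%")
    for name, gain in remediation_gains(SAMPLE):
        print(f"  +{gain:5.1f}  {name}")
```

Fixing the two MFA resources alone lifts the sample score by 40 points, while remediating all eight diagnostic-log resources adds about 3; the "Harden GCP resources" entry has no resources and so does not count toward the possible total.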

Can Defender for Cloud protect resources in AWS and GCP?

Yes, Defender for Cloud supports multicloud environments. You can connect AWS and GCP accounts using connectors. This allows you to view security recommendations, Secure Score, and regulatory compliance for those resources alongside Azure resources. Threat detection for AWS and GCP workloads requires enabling the appropriate Defender plans.

What is just-in-time VM access?

Just-in-time (JIT) VM access is a feature of Defender for Servers Plan 2 that reduces the attack surface by allowing you to lock down inbound traffic to VMs. When a user requests access, Azure opens the requested ports (e.g., RDP 3389, SSH 22) for a specified time period (default 3 hours) after approval. After the time expires, the ports are closed again. JIT access can be configured from the Defender for Cloud portal or via Azure Policy.

How do I enable Defender for Cloud for an on-premises server?

To protect on-premises servers, you need to use Azure Arc. First, install the Azure Arc agent on the server to project it as an Azure resource. Then, enable Defender for Cloud on the subscription and install the Log Analytics agent (or Azure Monitor Agent) on the server via Arc. The server will then appear in Defender for Cloud and receive security recommendations and threat detection (if a paid plan is enabled).

What are adaptive application controls?

Adaptive application controls (AAC) are a Defender for Servers feature that uses machine learning to analyze the applications running on your VMs. After a learning period (typically 14 days), it creates an allowlist of known safe applications. It then generates alerts for, or blocks, any application not on the allowlist. AAC helps prevent malware and unauthorized software from running.

Does Defender for Cloud automatically fix security issues?

Some recommendations offer a "Fix" button that can automatically apply remediation (e.g., enabling encryption on a storage account). However, many recommendations require manual steps or custom configuration. Defender for Cloud primarily provides guidance and monitoring; it does not automatically patch vulnerabilities or change configurations unless you explicitly approve.
