Microsoft Defender for Cloud
Microsoft Defender for Cloud is Azure’s built-in security management platform. It continuously assesses your Azure environment against security best practices, gives you a Secure Score that quantifies your posture, and — with paid Defender plans — detects active threats across your workloads. If you have an Azure subscription, the foundational features are already available to you at no cost.
What Defender for Cloud actually does
Defender for Cloud has two distinct functions that are easy to conflate:
Cloud Security Posture Management (CSPM) — This is the assessment function. Defender for Cloud scans your Azure resources continuously and compares their configuration against a library of security best practices. It tells you: your storage account has public access enabled, your SQL Server has no audit logging, your VMs have ports open to the internet that should not be. It translates these findings into a Secure Score, giving you a single number that reflects how well your environment is configured. The foundational CSPM is free.
Cloud Workload Protection (CWP) — This is the threat detection function. Defender plans for specific workload types monitor runtime behaviour and flag active threats: a VM being used for crypto mining, a SQL database receiving brute-force attacks, malware detected on a container image, unusual data access patterns in a storage account. CWP requires paid Defender plans, one per workload type.
Both functions are accessed through the same Defender for Cloud interface in the Azure Portal.
Reading the Secure Score
The Secure Score is a percentage (0–100) representing how many of the applicable security recommendations in your environment are currently satisfied. A higher score means fewer security gaps. It is calculated as the number of healthy resources divided by the total number of assessed resources, weighted by the maximum score points available for each recommendation.
A low Secure Score does not mean you have been breached — it means your configuration does not follow recommended security practices. A score of 40% is common for a new subscription that has not had security hardening applied. A mature production environment actively maintained should target 70–80% or higher.
Navigating the dashboard
In the Azure Portal, go to Microsoft Defender for Cloud → Secure Score. The dashboard shows:
- Your current score as a percentage and as raw points.
- The potential score increase you would get if you addressed all current recommendations.
- A breakdown by security control — groups of related recommendations. Each control shows how many points it is worth and how many resources in your environment are healthy vs unhealthy for that control.
Click any control to see the individual recommendations within it. Each recommendation shows:
- The severity (High, Medium, Low).
- How many resources are affected.
- The remediation steps.
- Whether a Quick Fix is available (a one-click or one-command fix).
- The score impact — how many points you will gain by fixing it.
Three categories of recommendations
Not all recommendations are equally actionable, and understanding the three categories helps you prioritise your remediation work.
Quick Fix recommendations
These have a remediation action built into the Defender for Cloud interface. You can fix them from the recommendation detail page with a single button click or by running a pre-written remediation script. Quick Fix recommendations are the lowest-effort improvements you can make. They typically cover straightforward configuration changes: enabling HTTPS-only on a storage account, turning on audit logging for a SQL server, enabling threat detection on a database. Start here when improving your Secure Score.
Manual remediation recommendations
These require you to take action outside of Defender for Cloud — through the Azure Portal, CLI, or IaC templates. The recommendation will describe what needs to change, link to the relevant documentation, and show which resources are affected, but you must make the change yourself. Examples include ensuring VMs have endpoint protection installed, configuring network security group rules, or enabling MFA for privileged accounts.
Policy-driven recommendations
Some recommendations are implemented as Azure Policy assignments. Defender for Cloud uses Azure Policy to run compliance checks, and the recommendation will point you to the policy assignment you need to review. Fixing these may mean adjusting the policy definition, creating an exemption for a legitimate exception, or remediating the non-compliant resources that the policy has flagged.
Walkthrough: fixing public blob access on storage accounts
One of the most common high-impact findings for new Azure environments is storage accounts with anonymous (public) blob access enabled. This means anyone on the internet can read the contents of any blob container in that account that has been set to public. The recommendation shows up as “Storage accounts should prevent public access” in the Restrict unauthorized network access security control.
Here is how to find and fix it.
In the Portal: Go to Defender for Cloud → Recommendations → search for “public access”. Click the recommendation. You will see a list of affected storage accounts. Click a storage account, then “Fix”. For this recommendation, a Quick Fix button is available that disables public access on that account immediately.
Via CLI:
# List all storage accounts in a subscription
az storage account list \
--query "[].{name:name, rg:resourceGroup, allowPublicAccess:allowBlobPublicAccess}" \
--output table
# Disable public blob access on a specific storage account
az storage account update \
--name mystorageaccount \
--resource-group my-rg \
--allow-blob-public-access false
# Bulk-fix all storage accounts in a resource group
for account in $(az storage account list --resource-group my-rg --query "[].name" --output tsv); do
echo "Disabling public access on $account"
az storage account update \
--name $account \
--resource-group my-rg \
--allow-blob-public-access false
doneAfter fixing this, Defender for Cloud will re-evaluate the affected resources within a few hours and update your Secure Score. The recommendation will show those accounts as healthy.
Before disabling public blob access, verify that no application intentionally uses public access to serve static content (like a web application serving images from a public container). If you have a legitimate public container, you have two options: move the static content to Azure CDN (which serves it publicly without requiring the storage account to have public access), or create an exemption for that specific resource in Defender for Cloud.
Defender plans for workload protection
The paid Defender plans extend coverage to runtime threat detection for specific workload types. Each plan is enabled independently and billed per resource.
| Plan | What it protects | Example threats detected |
|---|---|---|
| Defender for Servers | Azure VMs, Arc-connected servers | Malware, suspicious process execution, brute-force SSH/RDP, lateral movement, fileless attacks |
| Defender for SQL | Azure SQL Database, SQL Managed Instance, SQL on VMs | SQL injection attempts, anomalous login locations, privilege escalation, brute-force attacks |
| Defender for Storage | Azure Blob Storage, Azure Files, Azure Data Lake Gen2 | Malware upload, unusual data access patterns, anonymous access attempts, suspicious IP access |
| Defender for Containers | AKS, Azure Container Registry, Arc-enabled Kubernetes | Container image vulnerabilities, runtime container escape attempts, anomalous API calls |
| Defender for Key Vault | Azure Key Vault | Access from unusual locations, high-volume operations, suspicious access patterns |
| Defender for App Service | Azure App Service plans | Dangling DNS, suspicious outbound connections, web shell detection, command injection |
You do not need to enable all plans. Enable the ones that cover your highest-risk or highest-value workloads. For a typical web application with a database and storage account, Defender for Servers, Defender for SQL, Defender for Storage, and Defender for App Service are the most relevant.
How Defender for Cloud differs from Azure Policy
Azure Policy is a guardrail: it prevents non-compliant resources from being created (Deny effect) or flags existing resources that do not meet your rules (Audit effect). It is configuration enforcement. You define the rules, and Policy ensures resources conform to them.
Defender for Cloud is assessment and detection: it continuously evaluates your environment against a library of security best practices and alerts you to gaps and active threats. Where Policy asks “does this resource comply with your rules?”, Defender for Cloud asks “is this resource as secure as it should be, and is anything suspicious happening?”.
In practice, the two work together. Defender for Cloud’s compliance assessments run as Azure Policy assignments under the hood — you can see the policies in the Policy portal. You can also use Azure Policy to prevent resources from being created in configurations that would immediately fail Defender for Cloud recommendations (for example, a Policy that denies creation of storage accounts with public access enabled).
A useful mental model: Policy is preventive, Defender for Cloud is detective and reactive. Use both.
Common mistakes
- Ignoring Defender for Cloud because it was never set up. If you have an Azure subscription, Defender for Cloud is already assessing your resources — you just need to open it. Most teams that have never looked at their Secure Score find it is below 50%. Opening the portal and fixing the top Quick Fix recommendations takes a few hours and can meaningfully improve your security posture.
- Treating the Secure Score as the only metric. A high Secure Score means your configuration follows recommended practices. It does not mean you are immune to breaches — a misconfigured application, a stolen credential, or a vulnerable dependency can all be exploited regardless of your Secure Score. Use Secure Score to assess your baseline hardening, not as a complete security health metric.
- Dismissing recommendations without documenting why. Defender for Cloud lets you create exemptions for recommendations that do not apply to your environment. Use this feature rather than leaving recommendations unaddressed — but document the reason for each exemption so future reviewers understand it was an informed decision, not an oversight.
- Enabling all Defender plans without estimating cost. Defender for Servers, for example, is priced per VM-core per hour. On a subscription with hundreds of VMs, the monthly cost can be significant. Review the pricing for each plan before enabling it across your entire environment.
Summary
- Defender for Cloud has two functions: CSPM (posture assessment, Secure Score, recommendations — free) and CWP (runtime threat detection — paid plans per workload type).
- Secure Score is a percentage reflecting how many security recommendations your environment satisfies. Low scores are normal for new environments; improve by addressing recommendations starting with Quick Fix items.
- Recommendations fall into three categories: Quick Fix (remediable from the portal in one click), Manual (requires external action), and Policy-driven (managed through Azure Policy assignments).
- The most common quick win for new environments: disable public blob access on storage accounts.
- Defender for Cloud differs from Azure Policy — Policy prevents non-compliant resources, Defender assesses existing resources and detects active threats. Use both together.
Frequently asked questions
Is Microsoft Defender for Cloud free?
The foundational CSPM features — including Secure Score, basic security recommendations, and continuous assessment of your Azure resources — are available at no additional cost on all Azure subscriptions. The enhanced Defender plans (Defender for Servers, Defender for SQL, Defender for Storage, etc.) are paid add-ons billed per resource per month. You only pay for the plans you enable, and you can enable them on specific subscriptions or even individual resources rather than your entire environment.
What is the difference between Microsoft Defender for Cloud and Azure Policy?
Azure Policy is an enforcement tool — it prevents non-compliant resources from being created or flags existing resources that violate rules. Defender for Cloud is an assessment and threat detection tool — it continuously evaluates your security posture, provides prioritised recommendations, and detects active threats. They complement each other: Policy enforces guardrails, Defender audits what exists and alerts on suspicious activity. Defender for Cloud actually uses Azure Policy internally to run its compliance assessments.
Does Defender for Cloud work for workloads outside of Azure?
Yes. With Azure Arc, you can onboard on-premises servers, AWS instances, and GCP VMs into Defender for Cloud. The server-level Defender plans (like Defender for Servers) will then cover those non-Azure machines, giving you a single security posture view across multi-cloud and on-premises environments.