Security is not something you bolt on after building a cloud environment — it needs to be embedded from the start. Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is Microsoft's unified cloud security posture management (CSPM) and cloud workload protection platform (CWPP). It continuously assesses your Azure environment, identifies security risks, and provides actionable recommendations — all from a single dashboard. And the foundational tier is free.
The Two Pillars of Defender for Cloud
Defender for Cloud delivers security across two dimensions:
- Cloud Security Posture Management (CSPM): Continuously scans your Azure resources against security benchmarks (Microsoft Cloud Security Benchmark, CIS, PCI DSS, ISO 27001) and produces a Secure Score — a percentage that represents your overall security posture. The higher the score, the lower the risk. Free tier included.
- Cloud Workload Protection Platform (CWPP): Real-time threat detection for specific workload types: VMs, SQL databases, storage accounts, Key Vault, App Service, containers, and more. Paid tier — priced per resource per hour.
Enabling Defender for Cloud
Defender for Cloud is enabled at the subscription level. Basic CSPM is on by default. Enhanced protections (Defender Plans) are opt-in:
- In the Portal, search for Microsoft Defender for Cloud.
- Click Environment settings in the left menu.
- Select your subscription.
- Toggle individual Defender Plans: Servers, SQL, Storage, Key Vault, App Service, Containers, DNS.
- Click Save.
# Enable Defender for Servers on a subscription (Plan 2)
az security pricing create \
  --name VirtualMachines \
  --tier Standard
# Enable Defender for SQL
az security pricing create \
  --name SqlServers \
  --tier Standard
# Enable Defender for Storage
az security pricing create \
  --name StorageAccounts \
  --tier Standard
Understanding Secure Score
Your Secure Score summarizes your security posture as a percentage. Each security control (a logical grouping of recommendations) contributes a maximum number of points. Implementing all recommendations in a control earns you those points. Navigate to Defender for Cloud > Secure score to see your current score and the controls with the highest point potential.
Focus first on controls with the highest impact:
- Remediate vulnerabilities — patch OS and application vulnerabilities on VMs.
- Enable MFA — enforce multi-factor authentication on all privileged accounts.
- Apply system updates — keep all VMs patched with the latest security updates.
- Restrict unauthorized network access — close unnecessary open ports on VMs.
- Enable encryption at rest — ensure all storage accounts and disks use encryption.
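To make the "highest impact first" rule concrete, here is an added example (not code from the page or from Microsoft) that ranks controls by the Secure Score they would add. It assumes, as a simplifying model, that a control's points are earned in proportion to its healthy resources, so a control pays out in full only once every resource passes; the point weights and resource counts are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    max_points: int   # points the control is worth when fully remediated
    healthy: int      # resources that pass every recommendation in the control
    total: int        # resources the control's recommendations apply to

    def current_points(self) -> float:
        # Assumption: points scale with the share of healthy resources.
        # With healthy == total this matches the page's statement that
        # implementing every recommendation earns the control's full points.
        if self.total == 0:
            return 0.0
        return self.max_points * self.healthy / self.total

    def potential_gain(self) -> float:
        """Secure Score points still on the table for this control."""
        return self.max_points - self.current_points()


def secure_score(controls) -> float:
    """Overall Secure Score as a percentage of all available points."""
    earned = sum(c.current_points() for c in controls)
    available = sum(c.max_points for c in controls)
    return round(100 * earned / available, 1) if available else 0.0


def prioritize(controls):
    """Controls ordered by how much score full remediation would add."""
    return sorted(controls, key=lambda c: c.potential_gain(), reverse=True)


# Constructed sample: weights and counts are illustrative, not Microsoft's values.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, 0, 4),
    Control("Remediate vulnerabilities", 6, 3, 12),
    Control("Apply system updates", 6, 9, 12),
    Control("Restrict unauthorized network access", 4, 2, 8),
    Control("Enable encryption at rest", 4, 8, 8),
]

if __name__ == "__main__":
    print(f"Secure Score: {secure_score(SAMPLE_CONTROLS)}%")
    for c in prioritize(SAMPLE_CONTROLS):
        print(f"{c.potential_gain():5.1f} pts  {c.name}")
```

In the sample, the four privileged accounts without MFA are worth more score than every other control combined, which is why the page puts MFA near the top of the list.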
Security Recommendations
Defender for Cloud generates specific, actionable recommendations for each resource. Navigate to Recommendations to see a prioritized list. Each recommendation shows:
- The affected resource(s).
- The potential Secure Score increase if remediated.
- The severity (High, Medium, Low).
- Step-by-step remediation guidance — sometimes with a one-click fix.
Use the Exempt feature to acknowledge recommendations that do not apply to your environment (e.g., a deliberately public storage account with non-sensitive data), keeping your score accurate.
Threat Detection: Security Alerts
When Defender Plans are enabled, Defender for Cloud analyzes signals from your resources and raises Security Alerts for suspicious activity. Examples:
- "Suspicious authentication activity" — multiple failed SSH logins followed by a success from an unusual IP.
- "Potential SQL injection" — unusual SQL commands detected by Defender for SQL.
- "Access from unusual location" — a Key Vault accessed from a country your team has never worked from.
- "Malware detected" — Defender for Servers identifies malicious files on a VM.
Alerts are surfaced in Defender for Cloud > Security alerts and can be routed to Microsoft Sentinel (Azure's SIEM) or exported to a SIEM via Event Hub.
Just-in-Time VM Access
Leaving RDP (3389) or SSH (22) open to the internet is one of the most common vulnerabilities on Azure. Just-in-Time (JIT) VM Access closes these ports by default and opens them temporarily (e.g., for 3 hours) only when a specific user requests access from an approved IP address.
# Enable JIT for a VM
az security jit-policy create \
  --resource-group rg-vm-demo \
  --location eastus \
  --name default \
  --virtual-machines '[{
    "id": "/subscriptions/<SUB_ID>/resourceGroups/rg-vm-demo/providers/Microsoft.Compute/virtualMachines/vm-webserver",
    "ports": [
      {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
      {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"}
    ]
  }]'
In the Portal, request JIT access at VM > Connect > Request access. Defender for Cloud opens the port in the NSG for the specified duration, then closes it automatically.
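The policy above is only as tight as its per-port settings. The following added example (not from the page or from Microsoft) reviews a JIT policy payload in the same JSON shape: it parses the ISO 8601 `maxRequestAccessDuration` values and flags ports whose window exceeds a chosen maximum or whose `allowedSourceAddressPrefix` is `*`, which leaves the source IP to be supplied at request time instead of being pinned in the policy. The sample policy and its subscription id are constructed placeholders.

```python
import json
import re

# Constructed sample policy in the --virtual-machines format shown above.
# <SUB_ID> is a placeholder, not a real subscription id.
SAMPLE_POLICY = json.loads('''[{
  "id": "/subscriptions/<SUB_ID>/resourceGroups/rg-vm-demo/providers/Microsoft.Compute/virtualMachines/vm-webserver",
  "ports": [
    {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
    {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "10.0.0.0/8", "maxRequestAccessDuration": "PT8H"}
  ]
}]''')

# ISO 8601 time durations of the form PT<n>H, PT<m>M or PT<n>H<m>M.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def duration_hours(iso: str) -> float:
    """Convert a JIT maxRequestAccessDuration such as 'PT3H' to hours."""
    m = _DURATION.match(iso)
    if not m or iso == "PT":
        raise ValueError(f"unsupported duration: {iso}")
    hours = int(m.group(1) or 0)
    minutes = int(m.group(2) or 0)
    return hours + minutes / 60


def review_jit_policy(policy, max_hours: float = 3.0):
    """Return (vm_name, port, finding) tuples for settings worth tightening."""
    findings = []
    for vm in policy:
        vm_name = vm["id"].rsplit("/", 1)[-1]
        for port in vm["ports"]:
            number = port["number"]
            if port.get("allowedSourceAddressPrefix", "*") == "*":
                findings.append((vm_name, number,
                                 "source IP is chosen at request time; pin a CIDR in the policy"))
            if duration_hours(port["maxRequestAccessDuration"]) > max_hours:
                findings.append((vm_name, number,
                                 f"access window exceeds the {max_hours:g}h maximum"))
    return findings


if __name__ == "__main__":
    for vm_name, number, finding in review_jit_policy(SAMPLE_POLICY):
        print(f"{vm_name} port {number}: {finding}")
```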
Regulatory Compliance Dashboard
If your organization must comply with PCI DSS, ISO 27001, SOC 2, or HIPAA, the Regulatory Compliance dashboard maps your Defender for Cloud recommendations to specific compliance controls. This gives auditors a live view of your compliance posture and generates assessment reports in PDF format.
Key Takeaways
Microsoft Defender for Cloud gives you continuous visibility into the security posture of your entire Azure environment at no cost for the CSPM tier. Enable Defender Plans for your most sensitive workloads — Servers, SQL, Storage, and Key Vault at minimum. Focus on improving your Secure Score by remediating high-impact recommendations, enable JIT VM Access to close unnecessary attack surface, and route alerts to Microsoft Sentinel for centralized investigation and response.