Microsoft Defender for Cloud
Service 38

Microsoft Defender for Cloud is the security posture and workload-protection service for an Azure estate — and for AWS, Google Cloud, and on-premises resources connected to it. It continuously assesses configuration against best practices, scores your posture, and (with the paid Defender plans) detects active threats against workloads.

It has two halves that are easy to conflate. Cloud security posture management (CSPM) finds misconfigurations and is largely free; cloud workload protection (CWPP), the paid Defender plans, detects threats against servers, containers, databases, storage, and more. Knowing which half you are relying on — and paying for — is the key to using it well.

Secure Score and CSPM

The free foundational CSPM continuously evaluates resources against the Microsoft Cloud Security Benchmark and rolls the findings into a secure score — a single percentage that quantifies posture and a prioritized list of recommendations to raise it. The secure score is the headline metric: it turns 'are we secure?' into a tracked number with concrete next actions.

Defender Plans

Foundational CSPM is free, but advanced posture features such as attack-path analysis and agentless scanning come with the paid Defender CSPM plan. The other paid Defender plans add workload protection per resource type — Defender for Servers, for Containers, for Storage, for SQL, for Key Vault, and more. Each adds threat detection (anomalous behavior, known-bad activity), vulnerability assessment, and hardening specific to that workload. You enable the plans for the resource types you actually run, rather than paying for all of them.

Regulatory Compliance

Defender for Cloud maps your posture against regulatory standards — PCI DSS, ISO 27001, SOC 2, and others — showing where you meet a control and where you fall short. This turns compliance from a periodic audit scramble into a continuous dashboard, and is a primary reason regulated organizations adopt it.

Recommendations

Findings arrive as actionable recommendations with severity and, often, one-click or guided remediation. The discipline is to work the high-severity items rather than letting recommendations pile up — an unread recommendation that a storage account is publicly exposed is no better than not having the finding at all.
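To make the secure score and the recommendation triage concrete, here is an added example (not Microsoft's code and not the service's API) that works over a constructed snapshot of assessments: it rolls findings into a per-control score using the documented model (max points times the healthy fraction of resources, stated here as an assumption), derives the overall percentage, and produces the worklist the Recommendations section asks for, high severity first and oldest first, flagging anything that has sat open past a threshold. Control names, point weights, resource names and dates are illustrative.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Assessment:
    control: str      # secure-score control the finding rolls up to
    max_score: int    # points the control is worth when every resource is healthy
    resource: str
    severity: str     # "High", "Medium" or "Low"
    healthy: bool     # False means the recommendation is open on this resource
    first_seen: date  # when the finding first appeared


# Constructed snapshot: control names and weights are illustrative, resources and dates made up.
SNAPSHOT = [
    Assessment("Enable MFA", 10, "user/alice", "High", True, date(2024, 1, 3)),
    Assessment("Enable MFA", 10, "user/bob", "High", False, date(2024, 1, 3)),
    Assessment("Restrict unauthorized network access", 4, "storage/logs01", "High", False, date(2023, 12, 1)),
    Assessment("Restrict unauthorized network access", 4, "storage/data02", "High", True, date(2023, 12, 1)),
    Assessment("Apply system updates", 6, "vm/web01", "Medium", False, date(2024, 1, 20)),
    Assessment("Apply system updates", 6, "vm/web02", "Medium", False, date(2024, 1, 20)),
]
TODAY = date(2024, 2, 1)  # constructed "now" for aging the findings


def control_scores(snapshot):
    """Current points per control (assumed model): max_score * healthy / total resources."""
    tallies = {}
    for a in snapshot:
        healthy, total = tallies.get(a.control, (0, 0))
        tallies[a.control] = (healthy + int(a.healthy), total + 1)
    max_by_control = {a.control: a.max_score for a in snapshot}
    return {c: max_by_control[c] * h / t for c, (h, t) in tallies.items()}


def secure_score(snapshot):
    """Secure score as a percentage: points earned over points possible across all controls."""
    earned = sum(control_scores(snapshot).values())
    possible = sum({a.control: a.max_score for a in snapshot}.values())
    return round(100 * earned / possible, 1)


def worklist(snapshot, today, stale_days=14):
    """Open findings ordered highest severity first, then oldest first.
    Each entry is (resource, severity, age_in_days, stale) so exposures left open
    longer than stale_days are visible instead of buried in the pile."""
    open_items = sorted((a for a in snapshot if not a.healthy),
                        key=lambda a: (SEVERITY_RANK[a.severity], a.first_seen))
    return [(a.resource, a.severity, (today - a.first_seen).days,
             (today - a.first_seen).days > stale_days) for a in open_items]
```

With the snapshot above the score comes out at 35.0% and the first item on the worklist is the publicly reachable storage account that has been open for two months, exactly the finding the text warns about leaving unread.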

Defender for Cloud vs Microsoft Sentinel

Defender for Cloud — Posture management and workload threat protection — secure score, misconfiguration findings, per-resource detection. The 'is my cloud configured and defended' tool.

Microsoft Sentinel — SIEM/SOAR — collects signals across the estate, hunts with KQL, and automates response. The 'investigate and respond across everything' tool, often fed by Defender.

Common Mistakes
  • Relying on the free CSPM and assuming workloads are protected — threat detection requires the paid Defender plans.
  • Enabling every Defender plan regardless of what you run, paying for protection of resource types you do not have.
  • Letting recommendations accumulate unworked, so a known high-severity exposure sits open for weeks.
  • Treating the secure score as a vanity metric instead of working the prioritized actions behind it.
  • Ignoring the multicloud and on-premises coverage, running a separate posture tool for AWS or GCP that Defender already covers.
  • Confusing Defender for Cloud with Sentinel — posture and workload protection is not the same as a SIEM for investigation and response.

Best Practices
  • Use the free CSPM and secure score as the baseline, and work the high-severity recommendations first.
  • Enable the paid Defender plans for the workload types you actually run (Servers, Containers, SQL, Storage, Key Vault).
  • Track the regulatory-compliance dashboards against the standards you must meet.
  • Connect AWS and GCP accounts so one tool covers posture across clouds.
  • Feed Defender alerts into Microsoft Sentinel for investigation and automated response.
  • Treat the secure score as a tracked operational metric, not a one-time number.

Comparable services: AWS Security Hub / GuardDuty / Inspector; GCP Security Command Center

Knowledge Check

What is the difference between the free and paid capabilities of Defender for Cloud?

  • Free CSPM assesses posture and produces the secure score; the paid Defender plans add workload threat detection
  • The free tier covers only AWS and GCP resources while the paid plans are restricted to Azure subscriptions alone
  • The free tier blocks incoming attacks inline at the gateway while the paid tier merely logs them after the fact
  • There is no free capability whatsoever — every single feature requires an enabled paid Defender plan

What does the secure score represent?

  • A quantified measure of configuration posture with a prioritized list of recommendations to improve it
  • The running real-time count of active attacks currently detected across every resource in the estate
  • The total accrued monthly cost of all enabled Defender workload protection plans across the subscription
  • The percentage of inbound HTTP traffic blocked by the configured WAF rules over the period

How do Defender for Cloud and Microsoft Sentinel relate?

  • Defender does posture and workload protection; Sentinel is the SIEM/SOAR that investigates and responds, often fed by Defender alerts
  • They are two completely interchangeable marketing names for one and the same underlying Microsoft security product, with no functional difference between them at all
  • Sentinel fully replaces and decommissions Defender for Cloud the moment it is enabled on the Log Analytics workspace
  • Defender works exclusively on AWS resources while Sentinel works exclusively on Azure subscription resources
