
Microsoft Defender for Cloud — Posture Management and Workload Protection in One

Two security jobs, one screen. Defender for Cloud grades how securely your cloud is configured (the free Secure Score) AND defends the running servers, storage and containers from live attacks (the paid Defender plans). This lesson untangles CSPM from CWPP so the AZ-500 and SC-100 never trip you up — and so you know which button actually costs money.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Microsoft Defender for Cloud for L1/L2 engineers and AZ-500/SC-100: CSPM (free Secure Score + recommendations) vs CWPP (paid Defender plans), workload protection, governance rules and multicloud connectors.


Lesson outline

1. Two jobs in one: CSPM grades posture; CWPP guards the workloads.
2. Secure Score + recs: how the number is built and how to fix it.
3. Workload protection: Servers, Storage, Containers and their ATT&CK alerts.
4. Operating it: multicloud, Sentinel export, a worked remediation.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. You enable Defender for Cloud on a brand-new subscription and touch no other setting. Do you get a Secure Score?

Answered in Two jobs in one.

2. Defender for Cloud shows "Storage accounts should restrict network access." Is that a misconfiguration finding or a live-attack alert?

Answered in Workload protection.

3. Which feature lets you open RDP/SSH to a VM only for a short, requested window instead of leaving the port open?

Answered in Secure Score + recs.

Most engineers think…

Most engineers hear "Microsoft Defender for Cloud" and picture one antivirus-style product: switch it on and it protects everything. So they assume the whole thing is one paid bundle, and that the Secure Score and the threat alerts are the same feature.

Wrong — and this exact confusion loses marks on AZ-500 and money on the bill. Defender for Cloud is two different jobs in one pane: CSPM (Cloud Security Posture Management) is the free part — the Secure Score, the recommendations, the misconfiguration hunting across Azure, AWS and GCP. CWPP (Cloud Workload Protection Platform) is the set of paid Defender plans you switch on per workload type — Servers, Storage, SQL, Containers, Key Vault, App Service — that watch the running resource and raise ATT&CK-mapped alerts when something is actually attacking it. Posture is the home inspection; protection is the burglar alarm. Knowing which is which is the whole lesson.

① Two jobs in one — CSPM and CWPP

Meet Sneha, an L1 cloud-security analyst at Infosys. On her first week she's handed a single Azure blade — Microsoft Defender for Cloud — and told "keep our cloud secure." She opens it and sees two very different things on the same screen: a big Secure Score percentage with a list of recommendations, and separately a list of security alerts screaming about suspicious activity. Same product, two completely different jobs. Getting this split straight is the difference between passing AZ-500 and guessing.

Job one is CSPM (Cloud Security Posture Management). This is the free part. The moment you enable Defender for Cloud on a subscription, it starts assessing every resource against the Microsoft cloud security benchmark (MCSB) and produces a Secure Score plus a list of recommendations — "this storage account is public," "this VM has no disk encryption." CSPM finds misconfigurations before an attacker does, across Azure, AWS and GCP. Nothing is being attacked; this is the proactive, hygiene side.

Job two is CWPP (Cloud Workload Protection Platform). This is the paid part — a set of Defender plans you turn on per workload type: Defender for Servers (VMs), Storage, SQL, Containers/AKS, Key Vault and App Service. Each plan watches its workload for actual threats and raises a security alert when something is happening — "a malicious blob was uploaded," "a reverse shell on this VM." CWPP is the reactive, real-time defence.

👉 So far: CSPM = free posture grading (recommendations + Secure Score) across all clouds; CWPP = paid Defender plans that defend the running workloads. Next: see them side by side, and meet the one trap everyone falls into.
Figure 1 — Defender for Cloud — CSPM and CWPP in one pane
(Infographic.) Defender for Cloud is two products in one pane: free CSPM that grades posture across all clouds, and paid CWPP plans that defend the running workloads. On the left, the free Foundational CSPM layer continuously assesses Azure, AWS and GCP against the Microsoft cloud security benchmark and produces the Secure Score (lower risk = higher percentage), recommendations from the MCSB, and CIS / PCI-DSS / NIST compliance dashboards. Its output is a FINDING, for example "Your storage account is public": a misconfiguration, before anyone attacks it, the way a home inspection report finds the unlocked window before the thief does. On the right, the paid CWPP layer (billed per resource or per hour) is a set of Defender plans: Defender for Servers, Storage, SQL, Containers, Key Vault and App Service. They watch the running workloads and raise threat alerts. Its output is an ALERT, for example "A malicious blob was uploaded": an attack happening now, mapped to ATT&CK, the burglar alarm that screams when someone is actually inside.
Read it left to right. Left (amber) = free CSPM grading posture and producing recommendations. Right (blue) = paid Defender plans protecting the running workloads and raising alerts. Same blade, two jobs.
Daily-life analogy — society gate-pass register vs the burglar alarm

Think of your apartment society. The gate-pass register at the entrance is CSPM: it checks, in advance, whether every flat has locked its door and registered its visitors — it finds the unlocked window before any thief shows up. The burglar alarm wired into each flat is CWPP: it stays quiet until someone actually breaks in, then it screams in real time. The register is free and always running for the whole society; the alarm is a paid add-on you install flat by flat (workload by workload). You want both — but they are not the same thing, and only one of them costs extra.

One more layer worth naming now: CSPM itself comes in two plans. Foundational CSPM is free and on by default. Defender CSPM is paid and adds the heavy posture features: attack-path analysis, the cloud security graph, CIEM (permissions analysis) and agentless vulnerability scanning. So the full picture is: free Foundational CSPM, optional paid Defender CSPM, and then the per-workload CWPP Defender plans on top. Together Microsoft markets this whole thing as a CNAPP.

The four building blocks

These four names are what every Defender for Cloud question on AZ-500 and SC-100 is really testing.

📋 Foundational CSPM: free, default. Secure Score + recommendations + compliance across Azure/AWS/GCP. So: posture grading costs nothing.

🧠 Defender CSPM: paid CSPM upgrade: attack paths, security graph, CIEM, agentless scan. So: deeper posture insight, but it bills.

🛡️ CWPP Defender plans: paid per workload: Servers, Storage, SQL, Containers, Key Vault. So: real-time alerts on the running resource.

🧩 CNAPP: the umbrella name for CSPM + CWPP together. So: one platform, posture and protection end to end.

Quick check · Q1 of 10

Rahul at TCS says: "Finance is worried about cost. Which part of Defender for Cloud gives us a Secure Score and misconfiguration recommendations WITHOUT any per-resource charge?"

Correct: b. Foundational CSPM is the free tier — it delivers the Secure Score, recommendations and multicloud coverage at no per-resource cost. Defender for Servers and Defender for Storage are paid CWPP plans; the Sentinel connector is an export integration, not the source of the Secure Score.

Pause & Predict

Predict: Defender for Cloud shows BOTH "Storage accounts should restrict network access" and "Malicious blob uploaded to storage account." Which one is CSPM and which is CWPP, and which one needed money turned on?

Answer: "Storage accounts should restrict network access" is a CSPM recommendation — a misconfiguration found by the free Foundational CSPM; no plan needed. "Malicious blob uploaded to storage account" is a CWPP alert — it only appears because someone turned ON (and is paying for) Defender for Storage with malware scanning. The first is posture (proactive, free); the second is protection (reactive, paid). Same storage account, two different security jobs.

② Secure Score, recommendations & compliance

The Secure Score is the headline number on the blade, and L1 engineers are constantly asked "why did it drop?" So you need to know how it's built. Defender for Cloud groups recommendations into security controls. Each control has a fixed max score — for example Enable MFA = 10 points, Secure management ports = 8, Apply system updates = 6, Remediate vulnerabilities = 6. The bigger the number, the more it matters, so you fix the heavy controls first.

The maths is simple. For one control, Defender counts how many resources are healthy (compliant) versus unhealthy (need a fix). The control's current score is max ÷ total resources × healthy resources. Microsoft's own worked example: a control worth 6 points, with 4 healthy out of 78 total resources, scores 6 ÷ 78 = 0.0769, then 0.0769 × 4 = 0.31. Fix the other 74 and the control climbs toward its full 6. All the control scores add up into the subscription Secure Score, which Defender re-evaluates every eight hours.

Common mistake — "I fixed a bunch of stuff and the score didn't move"

Symptom: an engineer remediates several findings but the Secure Score stays put. Two real causes. First, only the MCSB built-in recommendations move the score — recommendations flagged Preview, and the newer risk-prioritisation labels, do not change the number. Second, the score only recalculates every ~8 hours, so give it time. If you fixed a Preview recommendation expecting points, that's why nothing happened — it counts only once it reaches general availability.

Figure 2 — How a recommendation becomes the Secure Score
(Infographic.) The Secure Score evaluation flow. Step 1: every 8 hours Defender for Cloud assesses each resource against the MCSB benchmark (Azure, AWS, GCP). Step 2: each resource is marked healthy (compliant) or unhealthy (needs fix) for each recommendation. Step 3: a control score equals its max score divided by the total resources, times the number of healthy resources. Step 4: control scores add up into the subscription Secure Score, shown as a percentage. Worked example: a control worth 6 points with 4 healthy of 78 total resources scores 6 ÷ 78 = 0.0769 per resource, so 0.0769 × 4 healthy = 0.31; fix the other 74 and the control climbs toward its full 6 points. Key insight: only the MCSB built-in recommendations move the score; Preview recommendations and risk-prioritisation labels do NOT change the number.
Follow 1→4: assess every 8h, mark each resource healthy/unhealthy, compute the control score (max ÷ total × healthy), then sum all controls into the percentage. The lime band is the trap: only MCSB built-ins count.
👉 So far: controls have point weights, the per-control score is max ÷ total × healthy, and only MCSB built-ins move it. Next: the compliance dashboards, and turning one recommendation into a fix or a governance rule.

Beyond the single score, the Regulatory compliance dashboard maps the very same findings against formal standards — CIS Azure Benchmark, PCI-DSS, NIST and more. So when an auditor at ICICI asks "are we PCI-DSS compliant on this subscription?", Meera doesn't run a separate scan — she opens the compliance dashboard, picks the PCI-DSS standard, and reads pass/fail per control with the failing resources listed. Recommendations are also mapped to the MITRE ATT&CK tactics so you can see which attacker techniques a misconfiguration would enable.

Now the part L1 engineers actually do all day: turning a recommendation into action. Take the classic "Storage accounts should restrict network access". Open it and you get three buttons in the Take action panel: Fix (apply the change now), Enforce (auto-correct future resources via Azure Policy) and Deny (block new non-compliant resources from being created at all). If you can't fix it today, you assign it instead — with a governance rule.

A governance rule turns "someone should fix this" into accountability. At Defender for Cloud → Environment settings → Governance rules → Create governance rule, you scope the rule, pick which recommendations it covers (by severity, risk level, category or specific recommendation), set an owner (by Microsoft Entra email, or read from a resource tag), and a remediation time frame of 7, 14, 30 or 90 days. Until the due date the recommendation shows On time; after it, Overdue. Owners and their managers get a weekly email of open and overdue tasks. (Governance rules need the paid Defender CSPM plan.)

Why the grace period exists

When you set a governance rule you can tick Apply grace period. This means: while the recommendation is assigned but not yet overdue, it does not drag down your Secure Score. It only starts hurting the score once it passes the due date. That's deliberate — it lets a security team set a realistic SLA (say 30 days to fix all medium findings) without the score punishing them for work that's legitimately in progress. The score reflects the SLA, not just the raw config state.
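The score formula and the grace-period rule as an added worked model (not code from the lesson or from Microsoft): it computes max ÷ total × healthy per control, skips Preview recommendations, and treats an unhealthy resource under an "On time" governance assignment as not hurting the score until its due date. The control names, resource ids, dates and the "count it as healthy until the due date" arithmetic are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Control:
    """One Secure Score security control, e.g. 'Enable MFA' (max 10 points)."""
    name: str
    max_score: float
    # resource id -> True if healthy (compliant) for this control, False if unhealthy
    resources: dict = field(default_factory=dict)
    # resource id -> due date of a governance rule assigned with 'Apply grace period' on
    grace_until: dict = field(default_factory=dict)
    # Preview recommendations do not move the score until they reach GA
    preview: bool = False


def counts_as_healthy(ctrl, rid, as_of):
    """A healthy resource counts. An unhealthy one also counts while its
    governance assignment is still 'On time' (modelling assumption: the grace
    period is treated as if the resource were healthy until the due date)."""
    if ctrl.resources[rid]:
        return True
    due = ctrl.grace_until.get(rid)
    return due is not None and as_of <= due


def control_score(ctrl, as_of):
    """Current score of one control = max ÷ total resources × healthy resources,
    rounded to two decimals as the portal displays it."""
    if ctrl.preview or not ctrl.resources:
        return 0.0  # assumption: a control with no applicable resources contributes nothing
    total = len(ctrl.resources)
    healthy = sum(counts_as_healthy(ctrl, rid, as_of) for rid in ctrl.resources)
    return round(ctrl.max_score / total * healthy, 2)


def secure_score(controls, as_of):
    """Sum the control scores into the subscription Secure Score and express it
    as a percentage of the maximum the counted controls could reach."""
    current = sum(control_score(c, as_of) for c in controls)
    maximum = sum(c.max_score for c in controls if not c.preview and c.resources)
    pct = round(current / maximum * 100, 2) if maximum else 0.0
    return current, maximum, pct


# Constructed sample estate; dates chosen to match the lesson date (2026-06-11).
TODAY = date(2026, 6, 11)
DUE = date(2026, 7, 11)          # 30-day governance SLA
OVERDUE_DAY = date(2026, 7, 12)  # first day after the due date

# Microsoft's worked example: 6-point control, 4 healthy of 78 resources -> 0.31
VULNS = Control("Remediate vulnerabilities", 6,
                resources={f"vm-{i:02d}": i < 4 for i in range(78)})
# Fully compliant control: scores its full 8 points
PORTS = Control("Secure management ports", 8,
                resources={f"vm-{i:02d}": True for i in range(10)})
# Two unhealthy identities assigned under a governance rule with the grace period on
MFA = Control("Enable MFA", 10,
              resources={"user-a": True, "user-b": True, "user-c": True,
                         "svc-1": False, "svc-2": False},
              grace_until={"svc-1": DUE, "svc-2": DUE})
# Preview recommendation: never moves the number, however many resources fail
PREVIEW = Control("Some preview recommendation", 4,
                  resources={"sa-1": False, "sa-2": False}, preview=True)
CONTROLS = [VULNS, PORTS, MFA, PREVIEW]


if __name__ == "__main__":
    for when in (TODAY, OVERDUE_DAY):
        for c in CONTROLS:
            print(f"{when}  {c.name:<32} {control_score(c, when):>6.2f} / {c.max_score}")
        current, maximum, pct = secure_score(CONTROLS, when)
        print(f"{when}  Secure Score: {current:.2f} / {maximum} = {pct}%\n")
```

Run it to see the same estate scored on the lesson date and again on the day after the governance due date, when the two assigned resources start dragging the number down.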

🖥️ This is the screen you'll live in — Microsoft Defender for Cloud → Recommendations → (open) Storage accounts should restrict network access, then the Take action tab. (Recreated for clarity — your portal matches this.)
portal.azure.com · Defender for Cloud · Recommendations
1. Recommendation: Storage accounts should restrict network access
2. Severity: Medium · Affected resources: 7 unhealthy of 31
3. Take action: Fix / Enforce / Deny
4. Owner & due date: sneha@infosys-tenant · 14 days · Apply grace period: On
Quick check · Q2 of 10

Priya at HCL fixes 30 storage accounts that were flagged Preview, expecting her Secure Score to jump. It doesn't move. What's the best explanation?

Correct: a. Only MCSB built-in recommendations move the Secure Score, and recommendations marked Preview are explicitly excluded until they go GA. The product isn't broken; the Secure Score is a CSPM feature that doesn't need Defender for Storage; and storage misconfigurations absolutely can count — just not the Preview ones.

Pause & Predict

Predict: your team sets a governance rule giving 30 days to fix all medium recommendations, with the grace period ON. A new medium finding appears today. Does it hurt your Secure Score this week?

Answer: No — not this week. With the grace period applied, an assigned recommendation doesn't affect the Secure Score until it passes its due date. The new medium finding is 'On time' for 30 days, so the score holds. Only if day 31 arrives unremediated does it flip to 'Overdue' and start dragging the score down. That's the whole point of the grace period: the score tracks your SLA, not the raw instant-by-instant config.

③ Workload protection — the Defender plans

Now the paid side: the CWPP Defender plans. Each protects one workload type and raises ATT&CK-mapped alerts. The one you'll meet first is Defender for Servers, and it ships in two plans. Plan 1 (P1) integrates Microsoft Defender for Endpoint (MDE) — a full EDR on every VM, auto-provisioned, billed per hour (so you only pay while the VM runs). Plan 2 (P2) includes everything in P1 and adds the operational extras.

Two P2 features matter for the exam and the job. Just-in-Time (JIT) VM access keeps RDP (3389) and SSH (22) closed by default and opens them only when a named user requests access, for a specific source IP and a limited time — then auto-closes. That kills the #1 brute-force entry point. File Integrity Monitoring (FIM) watches critical OS files, Windows registry keys and Linux system files and alerts when they change — a classic sign of tampering. Modern FIM rides on the MDE agent (the old Log Analytics/MMA agent retired in 2024).

Azure CLI — enable Defender for Servers Plan 2 on a subscription
# --name VirtualMachines is the Defender for Servers plan; --subplan picks P1 or P2
az security pricing create \
  --name VirtualMachines \
  --tier Standard \
  --subplan P2 \
  --subscription 11111111-2222-3333-4444-555555555555

# verify which Defender plans are on (Standard = paid plan enabled, Free = off)
az security pricing list --query "value[].{plan:name, tier:pricingTier}" -o table
Expected output
Plan                 Tier
-------------------  --------
VirtualMachines      Standard
StorageAccounts      Standard
Containers           Free
SqlServers           Free
KeyVaults            Free

Next, Defender for Storage. Its headline feature is on-upload malware scanning: every blob is scanned by Microsoft Defender Antivirus the moment it lands, so a poisoned file can't sit in your bucket and spread — you get the alert "Malicious blob uploaded to storage account" (ATT&CK: Lateral Movement, High). It also does sensitive-data threat detection (powered by Sensitive Data Discovery + Microsoft Purview labels), so an alert on a container holding PII is prioritised higher. And it flags abused SAS tokens and public-access changes — all without you enabling any diagnostic logs.

Finally, Defender for Containers. It works in two halves. Registry scanning is agentless vulnerability assessment — every image pushed to Azure Container Registry (ACR) (or AWS ECR, Google GAR) is scanned for CVEs, re-scanned daily, so you stop deploying known-vulnerable images. Runtime protection uses the Defender sensor (a DaemonSet on the cluster nodes) plus Kubernetes audit logs to run 60+ Kubernetes-aware analytics — "exposed Kubernetes dashboard," "creation of a high-privileged role," "sensitive mount" — each mapped to the MITRE ATT&CK matrix for Containers.

▶ Watch one malicious upload trip Defender for Storage

Karthik at Flipkart has Defender for Storage with malware scanning ON. A customer-upload web app writes a poisoned PDF to a blob container. Follow what happens:

① Upload: user uploads invoice.pdf → app writes blob to flipkartuploads container
② Scan on upload: Defender for Storage triggers Microsoft Defender Antivirus on the new blob automatically
③ Verdict: MDAV deep-scan + hash check → malware match; result tagged on the blob
④ Alert: Storage.Blob_AM.MalwareFound (ATT&CK Lateral Movement, High) → SOC + Sentinel

Aditya at Wipro faces this

Aditya, an L2 engineer, sees a flood of Defender alerts: 'Exposed Kubernetes service detected' and 'Creation of high privileged roles' on a Wipro AKS cluster, all within minutes.

Likely cause

A misconfigured CI/CD pipeline deployed a workload as a LoadBalancer service with no auth and created a cluster-admin ClusterRoleBinding. Defender for Containers' runtime sensor and the Kubernetes audit logs caught both — the exposed service (ATT&CK: Initial Access) and the privilege grant (ATT&CK: Privilege Escalation).

Diagnosis

He doesn't guess. He opens the alert, reads the mapped ATT&CK tactic and the affected pod/role, and checks whether the LoadBalancer is genuinely meant to be internet-facing or is an accident.

Microsoft Defender for Cloud > Security alerts > (filter: resource = aks-wipro-prod) > select alert > View full details > Take action
Fix

Revert the rogue ClusterRoleBinding, change the service back to ClusterIP (or add an ingress with auth), and add a Defender security-gating / Azure Policy rule so a privileged or publicly-exposed deployment is blocked at admission next time.

Verify

Re-deploy through the pipeline → the gating policy rejects the over-privileged manifest; no new 'high privileged role' alert fires; the service no longer has a public IP.
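Once the alerts are exported to a SIEM, the Wipro pattern above is something you can correlate rather than eyeball. This is an added example, not the lesson's or Microsoft's code: it runs over constructed alert records (simplified field names, not the official export schema; severities for the two Kubernetes alerts are assumed) and flags a resource where an Initial Access alert is followed within ten minutes by a Privilege Escalation alert, then orders a triage queue from that.

```python
from datetime import datetime, timedelta

# Constructed sample alerts for this lesson's scenarios. The flat field names are a
# simplified stand-in for the exported alert record, not the official Defender for
# Cloud schema; the severities of the two Kubernetes alerts are assumed.
SAMPLE_ALERTS = [
    {"time": "2026-06-11T09:02:10Z", "resource": "aks-wipro-prod", "severity": "Medium",
     "name": "Exposed Kubernetes service detected", "tactic": "Initial Access"},
    {"time": "2026-06-11T09:04:40Z", "resource": "aks-wipro-prod", "severity": "Medium",
     "name": "Creation of high privileged roles", "tactic": "Privilege Escalation"},
    {"time": "2026-06-11T13:20:00Z", "resource": "aks-wipro-dev", "severity": "Medium",
     "name": "Creation of high privileged roles", "tactic": "Privilege Escalation"},
    {"time": "2026-06-11T13:25:00Z", "resource": "flipkartuploads", "severity": "High",
     "name": "Malicious blob uploaded to storage account", "tactic": "Lateral Movement"},
]


def parse_time(stamp):
    """Timestamps in the sample are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_exposure_to_privilege_chains(alerts, window_minutes=10):
    """Find resources where an Initial Access alert is followed within the window
    by a Privilege Escalation alert: the pair the misconfigured pipeline produced.
    Returns (resource, first alert name, second alert name) triples."""
    by_resource = {}
    for alert in sorted(alerts, key=lambda a: parse_time(a["time"])):
        by_resource.setdefault(alert["resource"], []).append(alert)
    window = timedelta(minutes=window_minutes)
    chains = []
    for resource, items in by_resource.items():
        for i, first in enumerate(items):
            if first["tactic"] != "Initial Access":
                continue
            for second in items[i + 1:]:
                gap = parse_time(second["time"]) - parse_time(first["time"])
                if second["tactic"] == "Privilege Escalation" and gap <= window:
                    chains.append((resource, first["name"], second["name"]))
    return chains


def triage_queue(alerts, window_minutes=10):
    """Order work for the SOC: chained resources first, then standalone High
    alerts, then everything else. Returns (priority, resource, reason) tuples."""
    chained = {res for res, _, _ in find_exposure_to_privilege_chains(alerts, window_minutes)}
    queue, seen = [], set()
    for alert in sorted(alerts, key=lambda a: parse_time(a["time"])):
        res = alert["resource"]
        if res in chained:
            if res not in seen:  # one queue entry per chained resource
                queue.append((1, res, "Initial Access -> Privilege Escalation chain"))
                seen.add(res)
        elif alert["severity"] == "High":
            queue.append((2, res, f"High: {alert['name']}"))
        else:
            queue.append((3, res, f"{alert['severity']}: {alert['name']}"))
    return sorted(queue, key=lambda q: q[0])  # stable sort keeps time order within a priority


if __name__ == "__main__":
    for priority, resource, reason in triage_queue(SAMPLE_ALERTS):
        print(priority, resource, reason)
```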

Figure 3 — CSPM vs CWPP — recommendation or alert?
(Infographic.) A decision diagram: is this a misconfiguration to harden, or an attack in progress? Left column, CSPM (posture, proactive): cost is FREE (Foundational) or paid (Defender CSPM); it asks "is this configured securely?"; its output is a RECOMMENDATION plus the Secure Score; its tense is before an attack: fix the window. Example: "Storage accounts should restrict network access", hardened with no attacker needed to trigger it. Advanced extras (attack-path analysis, cloud security graph, CIEM, agentless scan) need the paid Defender CSPM plan. Right column, CWPP (protection, reactive): cost is PAID, per resource or per hour; it asks "is something attacking it right now?"; its output is a security ALERT mapped to MITRE ATT&CK; its tense is during an attack: catch the burglar. Example: "Malicious blob uploaded to storage account" (Lateral Movement, High severity), respond NOW. Plans: Servers (EDR/JIT/FIM), Storage (malware scan), Containers (registry + runtime); turn ON only the plans you need to pay for.
The decision you make every day. Left (amber) = a misconfiguration to harden, found before any attack (CSPM). Right (blue/red) = an attack in progress, caught by a paid Defender plan (CWPP).
Quick check · Q3 of 10

Neha at Airtel wants to keep RDP/SSH closed and only open it for a specific engineer, from a specific IP, for one hour when they request it. Which feature — and which plan — does she need?

Correct: d. Just-in-Time (JIT) VM access keeps management ports closed and opens them on request for a named user, source IP and time window — and it's a Plan 2 feature. FIM watches file changes (and is also P2, not P1); malware scanning protects storage, not VM ports; Sentinel export ships alerts onward but doesn't gate ports.

Pause & Predict

Predict: a developer pushes a container image with a known-critical CVE to ACR, but nothing is deployed yet. With Defender for Containers on, do you get a recommendation, an alert, or nothing?

Answer: You get a recommendation (a CSPM-style finding from the registry vulnerability assessment) — the image is scanned on push and the CVE is surfaced as 'Container registry images should have vulnerability findings resolved.' You don't get a runtime alert yet, because nothing is running — runtime alerts (the ATT&CK-mapped kind) only fire once a workload is actually executing in the cluster. Scan-on-push catches it before it ever runs.

④ Operating it — multicloud, SIEM & a worked flow

Real environments are rarely pure Azure. The strength of Defender for Cloud is that the same Secure Score, recommendations and even CWPP plans extend to AWS and GCP through multicloud connectors. You add one at Defender for Cloud → Environment settings → Add environment → Amazon Web Services (or Google Cloud Platform). You name the connector, choose Management account or Single account, pick the Defender plans, then deploy a CloudFormation (AWS) or Terraform (AWS/GCP) template that grants the read role. Within a few hours, AWS EC2 and S3 show up in the same Secure Score as your Azure VMs.

Azure Resource Graph (Kusto) — pull the Secure Score % per subscription/connector
SecurityResources
| where type == 'microsoft.security/securescores'
| extend current = properties.score.current, max = todouble(properties.score.max)
| project subscriptionId, current, max, percentage = ((current / max) * 100)
Expected output
subscriptionId                        current  max   percentage
-----------------------------------   -------  ----  ----------
11111111-2222-3333-4444-555555555555  41.2     58    71.03
aws-connector-prod-123456789012       28.7     46    62.39
gcp-connector-prod-flipkart-data      33.1     50    66.20
👉 So far: AWS/GCP connectors fold other clouds into one Secure Score. Next: get the alerts OFF the blade and into your SIEM, switch on auto-provisioning, then walk one finding end to end.

Defender for Cloud is not where your SOC lives all day — your SIEM is. So you export. The cleanest route to Microsoft's own SIEM, Microsoft Sentinel, is the built-in Microsoft Defender for Cloud connector, which streams alerts and can two-way-sync status (close it in Sentinel, it closes in Defender). For third-party SIEMs (Splunk, QRadar, ArcSight) you use continuous export at Environment settings → Continuous export, sending to an Event Hub the SIEM reads from.

Two more operating switches. Auto-provisioning means Defender installs the MDE extension and enables agentless scanning on supported machines automatically as they appear — turn it on once and new VMs are protected without manual agent rollouts. And remember the cost guardrail: Defender for Storage's malware scanning lets you set a monthly GB scan cap, and you get the alert "Malware scanning will stop soon: 75% of monthly cap reached" before it pauses — so a sudden upload spike can't blow the bill silently.

🖥️ Connecting another cloud — Microsoft Defender for Cloud → Environment settings → Add environment → Amazon Web Services. (Recreated for clarity — your portal matches this.)
portal.azure.com · Defender for Cloud · Environment settings · Add environment
1. Connector name: aws-prod-flipkart
2. Onboard: Management account / Single account
3. AWS account ID: 123456789012 · Plans: CSPM · Servers · Storage · Containers
4. Deployment method: AWS CloudFormation / Terraform
Next: Review and generate

Let's tie the whole lesson together with the worked flow every L1 should be able to narrate. (1) Finding: the free CSPM raises "Storage accounts should restrict network access" on a public account — Secure Score takes a hit on the Restrict unauthorised network access control. (2) Triage: Sneha opens it, sees 7 unhealthy of 31, reads the ATT&CK context. (3) Remediate: she clicks Fix to apply network rules now, then clicks Enforce to deploy an Azure Policy so future storage accounts can't be public. (4) Govern: for the resources she can't touch today she assigns a governance rule (owner by tag, 14-day SLA, grace period on). (5) Score rises: within ~8 hours the unhealthy count drops, the control's max ÷ total × healthy climbs, and the Secure Score goes up.

Prove the fix actually worked

Don't trust the green tick alone. After clicking Fix, re-open the recommendation and confirm the unhealthy resource count dropped (e.g. 7 → 1). Then check the storage account itself: Storage account → Networking → Public network access = Disabled / Enabled from selected networks. Finally, wait one 8-hour cycle and confirm the Restrict unauthorised network access control's current score rose. Finding cleared + resource actually reconfigured + control score up = a real fix, not just a dashboard that looks better.

One forward-looking note, because interviewers ask about it: Defender for Cloud is steadily moving into the unified Microsoft Defender portal (XDR), and 2025 brought AI security posture management and attack-path analysis for AI agents — Defender now discovers your generative-AI workloads and maps how a weak link could chain into a breach. Heads-up on cost: from 1 July 2026, AI-agent discovery and posture for Microsoft Foundry and third-party cloud agents needs a Microsoft Agent 365 license rather than just Defender CSPM. The split you learned — free posture, paid protection — keeps holding as the surface grows.

For your certification path, this lesson is high-yield. On AZ-500, Defender for Cloud sits squarely in the Manage security operations and Secure compute, storage and databases domains — Secure Score, recommendations, JIT, the Defender plans and Sentinel export are all directly testable. On SC-100 (the architect exam) it's the tool you cite when designing posture management and a CNAPP strategy across a multicloud estate. Know the CSPM-vs-CWPP split, the score formula and which features are free, and these questions become free marks.

Figure 4 — Defender for Cloud — the cheat-sheet
(Infographic, nine tiles.) Defender for Cloud on one card: the CSPM vs CWPP split, the Defender plan map, the score formula, the SLA timers and the first menu paths.
- CSPM vs CWPP: CSPM = posture (free), recommendation; CWPP = workload defence (paid), alert; inspection report vs burglar alarm.
- Two CSPM plans: Foundational CSPM = free, default; Defender CSPM = paid: attack path, security graph, CIEM, agentless scan.
- CWPP plan map: Servers · Storage · SQL · Containers · Key Vault · App Service · Resource Mgr; turn ON per resource type.
- Score formula: ctrl = max ÷ total × healthy; re-evaluated every 8 hours; only MCSB built-ins move it.
- Control weights: Enable MFA = 10 · mgmt ports = 8 · patch / remediate vulns = 6 each; fix the heavy ones first.
- Governance SLA: owner + due date: 7 / 14 / 30 / 90 d; grace period = don't ding the score yet; weekly email to owner + manager.
- Servers P1 vs P2: P1 = MDE/EDR, auto-provision, per-hour; P2 adds JIT VM access + FIM + 500MB; P2 also assesses OS baselines.
- Menu paths: Defender for Cloud › Environment settings › Recommendations › Governance rules; Add environment › AWS / GCP.
- Recent (2025-26): moving into the Defender portal (XDR); AI security posture + AI-agent paths; Jul 1 2026: AI agents need Agent 365.
Your one-card map of the whole lesson: the CSPM/CWPP split, the two CSPM plans, the Defender plan map, the score formula, the SLA timers, P1-vs-P2 and the menu paths. Revisit it before any AZ-500/SC-100 interview.
Daily-life analogy — Aadhaar e-KYC trust vs the gym day-pass

Two ideas from this section, made concrete. Multicloud connectors are like Aadhaar e-KYC: once your AWS/GCP account proves its identity to Defender for Cloud (via the CloudFormation/Terraform role), it's trusted and assessed in the same register as Azure — one score across all of them. JIT VM access is the gym day-pass: the door (RDP/SSH) is normally locked; you request a pass for a specific time, the door opens just for you, then auto-locks. No standing open door = far fewer break-ins.

Quick check · Q4 of 10

An interviewer asks Meera: "We're 60% Azure, 40% AWS. How do we get ONE Secure Score and send all the threat alerts to our existing Splunk SOC?" Best answer?

Correct: c. An AWS multicloud connector brings AWS resources into the same unified Secure Score and recommendations as Azure; and continuous export to an Azure Event Hub is the standard way to feed a third-party SIEM like Splunk. The Sentinel connector is great for Microsoft's own SIEM but isn't the only path, and manual copying defeats the point.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In Microsoft Defender for Cloud, which capability is FREE and enabled by default, giving you a Secure Score and security recommendations?

Correct: b. Foundational CSPM is the free, default tier — Secure Score, recommendations and multicloud coverage at no cost. Defender for Servers and Defender for Storage are paid CWPP plans, and Defender CSPM is the paid CSPM upgrade.
Q6 · Apply

Sneha opens "Storage accounts should restrict network access" and wants to both fix the current public accounts AND stop new public ones being created. Which two actions on the Take action panel?

Correct: a. Fix applies the remediation to the currently unhealthy resources, and Enforce deploys an Azure Policy so future non-compliant storage accounts are auto-corrected (Deny would block creation entirely). Exporting/archiving doesn't remediate; disabling the recommendation hides the problem; recommendations aren't 'alerts'.
Q7 · Apply

Karthik needs RDP/SSH to a production VM kept closed and opened only on request for a named user, a source IP and a short window. Which feature and plan does he enable?

Correct: c. Just-in-Time (JIT) VM access keeps management ports closed and opens them only for a requested user/IP/time, and it's a Defender for Servers Plan 2 feature. FIM belongs to Servers (not Storage) and watches files; continuous export ships alerts; sensitive-data detection is a Storage feature.
Q8 · Analyze

A team remediates 25 recommendations but the Secure Score doesn't move at all, even after a day. Steering and permissions are fine. Most likely reason?

Correct: d. Only MCSB built-in recommendations move the Secure Score, and Preview recommendations are explicitly excluded until GA — so fixing them yields no points yet. The product needn't be re-enabled, storage findings can absolutely count (just not Preview ones), and the Sentinel connector only exports data.
Q9 · Analyze

On an AKS cluster you suddenly see Defender alerts "Exposed Kubernetes service detected" and "Creation of high privileged roles," each tagged with an ATT&CK tactic. Which plan produced these, and what does the ATT&CK tag tell you?

Correct: b. Runtime threat detection in Defender for Containers (sensor + Kubernetes audit logs) raises these alerts and maps each to the MITRE ATT&CK matrix for Containers, so you immediately see the tactic (e.g. Initial Access, Privilege Escalation) and how urgent it is. CSPM raises recommendations not runtime alerts; Storage is unrelated; Sentinel only ingests alerts.
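Q4 (alerts leaving Defender for Cloud through continuous export) and Q9 (ATT&CK-tagged container alerts) meet on the SIEM side, where the first job is to tell a posture finding from a live-attack alert and to order the alerts. The block below is an added example for this lesson, not code from the original page or from Microsoft. It parses a constructed export batch, routes assessments to a remediation backlog and Defender alerts to the SOC, drops dismissed alerts, and sorts the rest by severity and then by ATT&CK kill-chain stage. The `type`, `properties.intent`, `properties.techniques` and `properties.severity` field names follow the Defender for Cloud alert and assessment schema as the author understands it; the sample payload, the alertType values other than Storage.Blob_AM.MalwareFound, and the technique IDs are illustrative.

```python
from __future__ import annotations
import json

# Resource types carried by continuous export (compared case-insensitively).
ALERT_TYPE = "microsoft.security/locations/alerts"
ASSESSMENT_TYPE = "microsoft.security/assessments"

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# MITRE ATT&CK tactics in kill-chain order: a lower index is an earlier stage of the intrusion.
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
                "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
                "Collection", "Exfiltration", "Impact"]

# Constructed sample batch: one posture finding plus four Defender alerts.
SAMPLE_EXPORT = json.dumps([
    {"type": "Microsoft.Security/assessments",
     "properties": {"displayName": "Storage accounts should restrict network access",
                    "status": {"code": "Unhealthy"},
                    "resourceDetails": {"Id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                              "/resourceGroups/rg-prod/providers/Microsoft.Storage"
                                              "/storageAccounts/prodlogs"}}},
    {"type": "Microsoft.Security/Locations/alerts",
     "properties": {"alertDisplayName": "Exposed Kubernetes service detected",
                    "alertType": "K8S_ExposedService", "severity": "Medium", "status": "Active",
                    "intent": "Initial Access", "techniques": ["T1190"],
                    "compromisedEntity": "aks-prod-01"}},
    {"type": "Microsoft.Security/Locations/alerts",
     "properties": {"alertDisplayName": "Creation of high privileged roles",
                    "alertType": "K8S_HighPrivilegesRole", "severity": "Medium", "status": "Active",
                    "intent": "Privilege Escalation", "techniques": ["T1078"],
                    "compromisedEntity": "aks-prod-01"}},
    {"type": "Microsoft.Security/Locations/alerts",
     "properties": {"alertDisplayName": "Malicious blob uploaded to a storage account",
                    "alertType": "Storage.Blob_AM.MalwareFound", "severity": "High", "status": "Active",
                    "intent": "Lateral Movement", "techniques": ["T1080"],
                    "compromisedEntity": "prodlogs"}},
    {"type": "Microsoft.Security/Locations/alerts",
     "properties": {"alertDisplayName": "Suspicious authentication activity",
                    "alertType": "VM_SuspiciousAuth", "severity": "Low", "status": "Dismissed",
                    "intent": "Credential Access", "techniques": ["T1110"],
                    "compromisedEntity": "vm-jump-01"}},
])


def route(record: dict) -> str:
    """Posture findings (CSPM) go to the remediation backlog; Defender alerts (CWPP) go to the SOC."""
    t = record.get("type", "").lower()
    if t == ALERT_TYPE:
        return "soc"
    if t == ASSESSMENT_TYPE:
        return "posture-backlog"
    return "unknown"


def tactics(props: dict) -> list[str]:
    # `intent` carries the ATT&CK tactic(s); several may be listed, comma-separated
    return [t.strip() for t in (props.get("intent") or "").split(",") if t.strip()]


def triage(export_json: str) -> list[dict]:
    """Open Defender alerts ordered by severity, then by earliest kill-chain stage."""
    queue = []
    for record in json.loads(export_json):
        if route(record) != "soc":
            continue
        p = record["properties"]
        if p.get("status") in ("Dismissed", "Resolved"):
            continue
        tacs = tactics(p)
        stage = min((TACTIC_ORDER.index(t) for t in tacs if t in TACTIC_ORDER),
                    default=len(TACTIC_ORDER))
        queue.append({"title": p.get("alertDisplayName"), "severity": p.get("severity"),
                      "tactics": tacs, "techniques": p.get("techniques", []),
                      "entity": p.get("compromisedEntity"),
                      "sort_key": (SEVERITY_RANK.get(p.get("severity"), 9), stage)})
    queue.sort(key=lambda a: a["sort_key"])
    return queue


def posture_backlog(export_json: str) -> list[str]:
    """Unhealthy recommendations in the batch: tickets for the owning team, not SOC pages."""
    return [r["properties"]["displayName"] for r in json.loads(export_json)
            if route(r) == "posture-backlog"
            and r["properties"].get("status", {}).get("code") == "Unhealthy"]


if __name__ == "__main__":
    for a in triage(SAMPLE_EXPORT):
        print(a["severity"], a["tactics"], a["title"], "on", a["entity"])
    print("Posture backlog:", posture_backlog(SAMPLE_EXPORT))
```

The ordering puts the High malware alert first, then the two Medium AKS alerts with Initial Access ahead of Privilege Escalation, so an analyst sees where the intruder is in the chain before opening a single alert. The storage recommendation never reaches that queue: it is a misconfiguration to ticket, not an attack to page on, which is the answer to warm-up question 2.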
Q10 · Evaluate

Two ways to describe Defender for Cloud to a hiring manager: (A) "it's a CNAPP: free CSPM grades posture with the Secure Score and recommendations, and paid CWPP Defender plans protect running workloads with ATT&CK-mapped alerts"; (B) "it's an antivirus you switch on and it secures everything." Which is stronger and why?

Correct: a. A captures the real model: CSPM (free posture, recommendations, Secure Score) versus CWPP (paid Defender plans, real-time ATT&CK alerts) — which is exactly what AZ-500 and SC-100 test and what determines cost and design. B is wrong on substance: Defender for Cloud is not a single antivirus, and treating it as one leads to both security gaps and billing surprises.

🧠 In your own words

In one line: why is the Secure Score free, but the alert that a malicious blob was uploaded is not? Write yours, then compare to the expert version.

Expert version: Because the Secure Score is CSPM — free posture grading of how things are configured — while the malicious-blob alert is CWPP, produced only because you turned on (and pay for) the Defender for Storage plan that actually scans the running workload.

📖 Glossary

Microsoft Defender for Cloud
Microsoft's CNAPP — does both posture management (CSPM) and workload threat protection (CWPP) across Azure, AWS and GCP.
CSPM
Cloud Security Posture Management — continuously assesses how securely your cloud is configured; the free Secure Score and recommendations live here.
CWPP
Cloud Workload Protection Platform — the paid Defender plans that watch running workloads and raise threat alerts.
Secure Score
A single percentage: the sum of the current scores of the MCSB security controls divided by the sum of their max scores; higher = lower identified risk. Re-evaluated about every 8 hours.
MCSB
Microsoft cloud security benchmark — the built-in standard applied by default; only its built-in recommendations move the Secure Score.
Security control
A themed bucket of related recommendations with a fixed max score (e.g. Enable MFA = 10, Secure management ports = 8).
Governance rule
An SLA: auto-assigns an owner and a 7/14/30/90-day due date to recommendations; optional grace period spares the score until overdue.
Defender for Servers
CWPP plan for VMs. P1 = MDE/EDR; P2 adds Just-in-Time VM access, File Integrity Monitoring and OS-baseline assessment.
JIT VM access
Just-in-Time — keeps RDP/SSH closed and opens them only for a requested user, source IP and time window, then auto-closes.
Defender for Storage
CWPP plan that scans uploaded blobs for malware (Microsoft Defender Antivirus), detects sensitive-data exposure and flags abused SAS tokens.
Defender for Containers
CWPP plan: agentless registry/image vulnerability scanning plus runtime detection (Defender sensor + audit logs), mapped to ATT&CK for Containers.
Multicloud connector
A native connector (deployed with a CloudFormation or Terraform template) that folds an AWS account or GCP project into the same Secure Score, recommendations and Defender plans as Azure. Alerts from connected accounts then reach Sentinel or a third-party SIEM through the same Sentinel connector or continuous export path as Azure alerts.

📚 Sources

  1. Microsoft Learn — "What is Microsoft Defender for Cloud?" (CSPM + CWPP, the CNAPP model, Foundational vs Defender CSPM, the Defender plan list). learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction
  2. Microsoft Learn — "Secure score in Defender for Cloud" (the max ÷ total × healthy control equation, the 6/78×4=0.31 worked example, control point weights MFA=10/ports=8, 8-hour recalculation, MCSB-only and Preview-excluded rules). learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls
  3. Microsoft Learn — "Drive recommendation remediation by using governance rules" + "Security policies in Defender for Cloud" (owner by email/tag, 7/14/30/90-day SLA, grace period, weekly owner+manager emails; the 'Storage accounts should restrict network access' MCSB example, Fix/Enforce/Deny). learn.microsoft.com/azure/defender-for-cloud/governance-rules · learn.microsoft.com/azure/defender-for-cloud/security-policy-concept
  4. Microsoft Learn — "Defender for Servers" overview + support matrix + "What is Defender for Storage" + "Introduction to Defender for Containers" (P1 vs P2: JIT + FIM are P2; MDE per-hour billing; on-upload malware scanning via MDAV; registry scan + 60+ runtime analytics mapped to ATT&CK for Containers; Storage alerts e.g. Storage.Blob_AM.MalwareFound). learn.microsoft.com/azure/defender-for-cloud/defender-for-servers-overview · /defender-for-storage-introduction · /defender-for-containers-introduction
  5. Microsoft Learn — "Connect AWS accounts" / "Connect your GCP project" + "Export alerts and recommendations with continuous export" + "Ingest Defender for Cloud alerts to Microsoft Sentinel" (Environment settings → Add environment → AWS/GCP via CloudFormation/Terraform; Event Hub export; the Sentinel connector with bi-directional sync). learn.microsoft.com/azure/defender-for-cloud/quickstart-onboard-aws · /continuous-export · learn.microsoft.com/azure/sentinel/connect-defender-for-cloud
  6. Microsoft Tech Community — "Microsoft Defender for Cloud Innovations at Ignite 2025" + Microsoft Learn "AI security posture management" (move into the unified Defender/XDR portal; AI security posture + attack-path analysis for AI agents; from 1 July 2026 AI-agent discovery requires a Microsoft Agent 365 license). techcommunity.microsoft.com/blog/microsoftdefendercloudblog/microsoft-defender-for-cloud-innovations-at-ignite-2025/4469386 · learn.microsoft.com/azure/defender-for-cloud/ai-security-posture
  7. Microsoft Learn — AZ-500 (Microsoft Azure Security Technologies) and SC-100 (Microsoft Cybersecurity Architect) exam study guides — Defender for Cloud sits in 'Manage security operations' / 'Secure compute, storage and databases' (AZ-500) and posture/CNAPP strategy design (SC-100). learn.microsoft.com/credentials/certifications/exams/az-500 · /exams/sc-100

What's next?

Defender for Cloud told you the storage account was exposed — but what actually controls which traffic reaches your VMs and subnets in the first place? Next we drop down to the network layer and build defence in depth with NSGs and Azure Firewall.