Microsoft Defender for Cloud (formerly Azure Security Center) is an integrated CSPM (Cloud Security Posture Management) + CWPP (Cloud Workload Protection Platform) that comprehensively protects Azure, AWS, and GCP environments. As the core of Microsoft cloud security, it delivers unified enterprise security management across multiple clouds. This article covers Free Tier vs. Defender Plans, Secure Score, JIT VM Access, vulnerability management, multi-cloud support, and Sentinel integration in depth.
| Item | CSPM | CWPP |
|---|---|---|
| Category | Cloud Security Posture Management | Cloud Workload Protection Platform |
| Role | Visualize and improve org security posture | Per-resource protection and threat detection |
| Features | Secure Score, Recommendations, compliance assessment | EDR, vulnerability scanning, JIT VM |
| Pricing | Free Tier (basic), Defender CSPM (advanced) | Defender Plans (per resource) |
| Plan | Target | Key protection features |
|---|---|---|
| Defender for Servers Plan 1/2 | VMs (Windows / Linux) | EDR, Vulnerability Assessment, Adaptive Application Controls |
| Defender for Storage | Storage Account | Malicious upload detection, Sensitive Data Discovery |
| Defender for SQL | SQL DB / MI / SQL on VM | Threat detection, Vulnerability Assessment |
| Defender for Containers | AKS / ACR | AKS runtime protection, image scanning |
| Defender for Key Vault | Key Vault | Anomalous access detection |
| Defender for App Service | App Service | Web attack detection |
| Defender for OSS DB | PostgreSQL/MySQL/MariaDB | Threat detection |
| Defender for Resource Manager | ARM | Anomalous ARM operation detection |
| Defender for DNS | Azure DNS | DNS spoofing detection |
| Defender for DevOps | GitHub / Azure DevOps | Secret scanning, IaC scanning |
| Defender CSPM | All | Advanced CSPM, Attack Path analysis |
In production, Defender for Servers, SQL, Storage, Key Vault, and Containers are essentially mandatory.
A 0-100% metric that quantifies the organization's Azure security posture.
A Defender for Servers feature that keeps VM management ports (RDP 3389, SSH 22, PowerShell Remoting 5986) closed by default and grants time-bound access only when needed.
This eliminates constant exposure to brute-force attacks and scanners, dramatically improving production VM security. Combined with Microsoft Entra ID authentication and Conditional Access, you can enforce strict controls like 'JIT activation allowed only from compliant devices.' Applying JIT to every VM with a public IP is a modern production best practice.
Automatically scans VMs, container images, and SQL DBs for vulnerabilities. Microsoft Defender Vulnerability Management (MDVM) detects against the CVE database.
In production, the standard is automated patch management combining Defender for Cloud Vulnerability Assessment with Microsoft Update Manager.
Defender for Cloud extends protection to other clouds via the AWS Connector and GCP Connector.
A common enterprise pattern: unified management of a primary cloud (Azure) and secondary cloud (AWS) in Defender for Cloud so SOC analysts can monitor all environments from a single pane.
The Defender CSPM plan is a paid plan that adds advanced CSPM features.
Attack Path analysis is extremely valuable for SOC analysts and security architects, enabling risk assessment from the attacker's perspective.
Defender for Cloud and Microsoft Sentinel are complementary.
| Item | Defender for Cloud | Microsoft Sentinel |
|---|---|---|
| Role | Posture management plus per-resource protection for cloud resources | Org-wide threat detection and incident response |
| Outputs | Recommendations and Security Alerts | Incidents and Hunting Queries |
| Data sources | Azure, AWS, and GCP resources | Defender XDR, third-party firewalls, SaaS |
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud (formerly Azure Security Center) is an integrated CSPM (Cloud Security Posture Management) + CWPP (Cloud Workload Protection Platform) that comprehensively protects Azure, AWS, and GCP environments. CSPM features visualize the organization's security posture (Microsoft Secure Score), assess compliance (NIST, ISO, PCI DSS, etc.), and provide recommendations. CWPP features protect individual Azure resources (VMs, Storage, SQL DB, Key Vault, AKS, App Service, OSS DBs) with threat detection, vulnerability scanning, and Just-in-Time VM Access. Multi-cloud support (AWS Connector, GCP Connector) enables unified enterprise security management.
What's the difference between the Free Tier and Defender Plans?
Free Tier (basic CSPM only, free): Security Score, Recommendations, Secure Score, Microsoft Cloud Security Benchmark assessment, and Asset Inventory. Defender Plans (paid, per resource): Defender for Servers Plan 1/2 (EDR, Vulnerability Assessment, Adaptive Application Controls), Defender for Storage (malicious upload detection, Sensitive Data Discovery), Defender for SQL (threat detection, Vulnerability Assessment), Defender for Containers (AKS protection, container image scanning), Defender for Key Vault, Defender for App Service, Defender for OSS DB, Defender for Resource Manager, Defender for DNS, Defender for DevOps (GitHub / Azure DevOps integration), and Defender CSPM (advanced CSPM, Attack Path analysis). Plans are enabled individually and billed per resource. In production, Defender for Servers, SQL, Storage, Key Vault, and Containers are essentially mandatory.
What is Microsoft Secure Score?
Microsoft Secure Score is a 0-100% metric that quantifies an organization's Azure security posture. It evaluates controls based on the Microsoft Cloud Security Benchmark (formerly Azure Security Benchmark) — for example, VM disk encryption, disabling Storage public access, and enabling SQL DB auditing — and computes a score by completion rate. Recommendations highlight specific improvements (e.g., an 'Enable VM disk encryption' button that triggers automatic remediation). Multi-cloud (AWS, GCP) is included in the unified score. Target values vary by organization, but 70-80% is a typical production benchmark. It's also used as a reporting metric for leadership and is heavily referenced in compliance audits and board-level security reports.
What is Just-in-Time (JIT) VM Access?
JIT VM Access is a Defender for Servers feature that keeps VM management ports (RDP 3389, SSH 22, PowerShell Remoting 5986) closed by default and only opens them temporarily when needed. By default, management ports are denied via NSG. A user requests access from Defender for Cloud (specifying a window like 3 hours), the NSG rules are dynamically updated to allow only that user's source IP, and access is automatically denied when the window expires. This eliminates constant exposure to brute-force attacks and scanners, dramatically improving production VM security. Combined with Microsoft Entra ID authentication and Conditional Access, you can enforce strict controls like 'JIT activation allowed only from compliant devices.' Applying JIT to every VM with a public IP is a modern production best practice.
How do I use Vulnerability Assessment?
Vulnerability Assessment automatically scans VMs, container images, and SQL DBs for vulnerabilities. Microsoft Defender Vulnerability Management (MDVM), integrated into Defender for Servers Plan 2, detects OS, software, and middleware vulnerabilities against the CVE database, prioritizes them by CVSS score, and provides remediation guides. VMs: monthly automatic scans plus real-time detection. Container Registry: automatic scanning on image push plus runtime detection (Defender for Containers). SQL DB: monthly scans plus baselined recommendations. Post-detection response: apply Patch Tuesday (Windows), run apt/yum update (Linux), rebuild container images, and apply SQL DB Security Baseline. In production, the standard is automated patch management combining Defender for Cloud Vulnerability Assessment with Microsoft Update Manager.
How does multi-cloud support work?
Defender for Cloud extends protection to other clouds via the AWS Connector and GCP Connector. AWS Connector: connect AWS accounts to Defender for Cloud and gain CSPM (Recommendations, Secure Score) plus CWPP (Defender for Servers also covers AWS EC2; Defender for SQL also covers RDS). GCP Connector: connect GCP projects and apply Defender for Servers to Compute Engine VMs. Multi-cloud Secure Score provides a unified dashboard for Azure, AWS, and GCP for centralized security posture management. A common enterprise pattern is unified management of a primary cloud (Azure) and secondary cloud (AWS) in Defender for Cloud so SOC analysts can monitor all environments from a single pane. Multi-cloud integration positions the Microsoft security stack as the core platform for multi-cloud enterprises.
How does it relate to Microsoft Sentinel?
Defender for Cloud and Microsoft Sentinel are complementary. Defender for Cloud focuses on 'security posture management plus per-resource protection' for cloud resources, generating Recommendations and Security Alerts. Microsoft Sentinel focuses on organization-wide 'threat detection, incident response, and threat hunting,' aggregating alerts from Defender for Cloud and other sources (Defender XDR, third-party firewalls, SaaS apps). Standard pattern: Defender for Cloud generates Security Alerts → forwarded to Microsoft Sentinel (auto-ingested via Data Connector) → analyzed in Sentinel with KQL, automated responses via Logic App Playbook, and threat hunting. The combination forms the complete picture of Microsoft cloud security, and SOC analysts must deeply understand both tools.
Which certifications are related?
SC-200 (Security Operations Analyst Associate) is the headline certification for this area — Domain 2 (Configure protections and detections, 15-20%) covers Defender for Cloud deeply. Also covered in: SC-100 (Cybersecurity Architect Expert) as the Infrastructure pillar of Zero Trust strategy; AZ-104 (Administrator) Domain 5 for monitoring; MS-102 (Microsoft 365 Administrator Expert) Domain 3 for Defender XDR integration; and SC-500 (formerly AZ-500, GA 2026-09) for overall Azure security implementation. As the core of the Microsoft security stack, it's an essential skill for SOC analysts and security architects.
Related Articles and Technical Deep Dives
SC-200 完全ガイド|Microsoft Security Operations Analyst Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Security Operations Analyst Associate (SC-200) の完全ガイド。4 ドメインの出題範囲、Microsoft Sentinel / Defender XDR (Endpoint / Cloud / Identity / Office 365 / Cloud Apps) の運用スキル、KQL Hunting Query、3-4 ヶ月の合格ロードマップ、SC-300 / SC-100 / SC-500 への展開ルートを日本語で網羅。
Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】
Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。
SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。
SC-900 完全ガイド|Microsoft Security, Compliance, and Identity Fundamentals 出題範囲・学習リソース・合格戦略
Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) の完全ガイド。Zero Trust・Microsoft Entra・Defender スイート・Purview の出題範囲、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、SC-200 / SC-300 / SC-500 / SC-100 へのキャリアパスを日本語で網羅。
Technical information in this article is based on the Microsoft Defender for Cloud Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft, Azure, Microsoft Defender, and Microsoft Entra are trademarks of the Microsoft group of companies. Information reflects official public materials as of May 24, 2026. Always check the official pages for the latest information.
Practice with certification-focused question sets
View Azure Exam PrepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...