Azure

Microsoft Defender for Cloud Complete Guide: CSPM, CWPP, JIT VM, Multi-Cloud Protection

2026-05-24
NicheeLab Editorial Team

Microsoft Defender for Cloud (formerly Azure Security Center) is an integrated CSPM (Cloud Security Posture Management) + CWPP (Cloud Workload Protection Platform) that comprehensively protects Azure, AWS, and GCP environments. As the core of Microsoft cloud security, it delivers unified enterprise security management across multiple clouds. This article covers Free Tier vs. Defender Plans, Secure Score, JIT VM Access, vulnerability management, multi-cloud support, and Sentinel integration in depth.

CSPM and CWPP

ItemCSPMCWPP
CategoryCloud Security Posture ManagementCloud Workload Protection Platform
RoleVisualize and improve org security posturePer-resource protection and threat detection
FeaturesSecure Score, Recommendations, compliance assessmentEDR, vulnerability scanning, JIT VM
PricingFree Tier (basic), Defender CSPM (advanced)Defender Plans (per resource)

Free Tier vs. Defender Plans

Free Tier (basic CSPM features only, free)

  • Security Score and Recommendations
  • Microsoft Cloud Security Benchmark assessment
  • Asset Inventory

Defender Plans (paid, per resource)

PlanTargetKey protection features
Defender for Servers Plan 1/2VMs (Windows / Linux)EDR, Vulnerability Assessment, Adaptive Application Controls
Defender for StorageStorage AccountMalicious upload detection, Sensitive Data Discovery
Defender for SQLSQL DB / MI / SQL on VMThreat detection, Vulnerability Assessment
Defender for ContainersAKS / ACRAKS runtime protection, image scanning
Defender for Key VaultKey VaultAnomalous access detection
Defender for App ServiceApp ServiceWeb attack detection
Defender for OSS DBPostgreSQL/MySQL/MariaDBThreat detection
Defender for Resource ManagerARMAnomalous ARM operation detection
Defender for DNSAzure DNSDNS spoofing detection
Defender for DevOpsGitHub / Azure DevOpsSecret scanning, IaC scanning
Defender CSPMAllAdvanced CSPM, Attack Path analysis

In production, Defender for Servers, SQL, Storage, Key Vault, and Containers are essentially mandatory.

Microsoft Secure Score

A 0-100% metric that quantifies the organization's Azure security posture.

Example evaluation items

  • VM disk encryption
  • Disabling Storage public access
  • Enabling SQL DB auditing
  • Minimizing NSG rules
  • Enabling each Microsoft Defender for Cloud plan
  • Enforcing MFA in Microsoft Entra ID

Operational best practices

  • Target: 70-80%+ in production
  • Use the auto-remediation button on Recommendations
  • Monthly reporting to leadership
  • Leverage in compliance audits and board security reports
  • Multi-cloud (AWS, GCP) scoring is unified

Just-in-Time (JIT) VM Access

A Defender for Servers feature that keeps VM management ports (RDP 3389, SSH 22, PowerShell Remoting 5986) closed by default and grants time-bound access only when needed.

How it works

  1. Management ports are denied by NSG by default
  2. A user requests access from Defender for Cloud (specifying a window like 3 hours)
  3. NSG rules are dynamically updated to allow only the user's source IP
  4. Access is automatically denied when the window expires

This eliminates constant exposure to brute-force attacks and scanners, dramatically improving production VM security. Combined with Microsoft Entra ID authentication and Conditional Access, you can enforce strict controls like 'JIT activation allowed only from compliant devices.' Applying JIT to every VM with a public IP is a modern production best practice.

Vulnerability Assessment

Automatically scans VMs, container images, and SQL DBs for vulnerabilities. Microsoft Defender Vulnerability Management (MDVM) detects against the CVE database.

Behavior by target

  • VM: monthly automatic scans plus real-time detection (Defender for Servers Plan 2)
  • Container Registry: automatic scanning on image push plus runtime detection (Defender for Containers)
  • SQL DB: monthly scans plus baselined recommendations

Post-detection response

  • Apply Patch Tuesday (Windows)
  • Run apt/yum update (Linux)
  • Rebuild container images
  • Apply SQL DB Security Baseline

In production, the standard is automated patch management combining Defender for Cloud Vulnerability Assessment with Microsoft Update Manager.

Multi-Cloud Support

Defender for Cloud extends protection to other clouds via the AWS Connector and GCP Connector.

AWS Connector

  • Connect AWS accounts to Defender for Cloud
  • CSPM (Recommendations, Secure Score) plus CWPP
  • Defender for Servers also covers AWS EC2
  • Defender for SQL also covers RDS

GCP Connector

  • Connect GCP projects
  • Apply Defender for Servers to Compute Engine VMs
  • Multi-cloud Secure Score provides a unified Azure, AWS, GCP dashboard

A common enterprise pattern: unified management of a primary cloud (Azure) and secondary cloud (AWS) in Defender for Cloud so SOC analysts can monitor all environments from a single pane.

Advanced Defender CSPM Features

The Defender CSPM plan is a paid plan that adds advanced CSPM features.

Key features

  • Attack Path Analysis: visualizes attacker intrusion paths (e.g., Public IP VM → Service Principal → Storage Account)
  • Cloud Security Explorer: graph-based exploration of resource relationships
  • Agentless Vulnerability Scanning: scanning without VM agents
  • Container Posture Management: compliance assessment for AKS containers
  • Data-aware Security Posture: visualizes the location of sensitive data in Storage Accounts

Attack Path analysis is extremely valuable for SOC analysts and security architects, enabling risk assessment from the attacker's perspective.

Integration with Microsoft Sentinel

Defender for Cloud and Microsoft Sentinel are complementary.

ItemDefender for CloudMicrosoft Sentinel
RolePosture management plus per-resource protection for cloud resourcesOrg-wide threat detection and incident response
OutputsRecommendations and Security AlertsIncidents and Hunting Queries
Data sourcesAzure, AWS, and GCP resourcesDefender XDR, third-party firewalls, SaaS

Standard pattern

  1. Defender for Cloud generates Security Alerts
  2. Forward to Microsoft Sentinel (auto-ingested via Data Connector)
  3. Analyze with KQL in Sentinel
  4. Automated response via Logic App Playbook
  5. Proactive threat hunting

Operational Best Practices

  1. Enable Defender for Servers, SQL, Storage, Key Vault, and Containers in production subscriptions
  2. Target Microsoft Secure Score of 70-80%+
  3. Apply JIT VM Access to every VM with a public IP
  4. Automate patch management with Vulnerability Assessment + Microsoft Update Manager
  5. Unify AWS / GCP management via Connectors
  6. Use Defender CSPM plan for Attack Path analysis
  7. Forward alerts to Microsoft Sentinel
  8. Deliver monthly Secure Score reports to leadership
  9. Use the auto-remediation button on Recommendations
  10. Track compliance against the Microsoft Cloud Security Benchmark

Related Certifications

Frequently Asked Questions

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud (formerly Azure Security Center) is an integrated CSPM (Cloud Security Posture Management) + CWPP (Cloud Workload Protection Platform) that comprehensively protects Azure, AWS, and GCP environments. CSPM features visualize the organization's security posture (Microsoft Secure Score), assess compliance (NIST, ISO, PCI DSS, etc.), and provide recommendations. CWPP features protect individual Azure resources (VMs, Storage, SQL DB, Key Vault, AKS, App Service, OSS DBs) with threat detection, vulnerability scanning, and Just-in-Time VM Access. Multi-cloud support (AWS Connector, GCP Connector) enables unified enterprise security management.

What's the difference between the Free Tier and Defender Plans?

Free Tier (basic CSPM only, free): Security Score, Recommendations, Secure Score, Microsoft Cloud Security Benchmark assessment, and Asset Inventory. Defender Plans (paid, per resource): Defender for Servers Plan 1/2 (EDR, Vulnerability Assessment, Adaptive Application Controls), Defender for Storage (malicious upload detection, Sensitive Data Discovery), Defender for SQL (threat detection, Vulnerability Assessment), Defender for Containers (AKS protection, container image scanning), Defender for Key Vault, Defender for App Service, Defender for OSS DB, Defender for Resource Manager, Defender for DNS, Defender for DevOps (GitHub / Azure DevOps integration), and Defender CSPM (advanced CSPM, Attack Path analysis). Plans are enabled individually and billed per resource. In production, Defender for Servers, SQL, Storage, Key Vault, and Containers are essentially mandatory.

What is Microsoft Secure Score?

Microsoft Secure Score is a 0-100% metric that quantifies an organization's Azure security posture. It evaluates controls based on the Microsoft Cloud Security Benchmark (formerly Azure Security Benchmark) — for example, VM disk encryption, disabling Storage public access, and enabling SQL DB auditing — and computes a score by completion rate. Recommendations highlight specific improvements (e.g., an 'Enable VM disk encryption' button that triggers automatic remediation). Multi-cloud (AWS, GCP) is included in the unified score. Target values vary by organization, but 70-80% is a typical production benchmark. It's also used as a reporting metric for leadership and is heavily referenced in compliance audits and board-level security reports.

What is Just-in-Time (JIT) VM Access?

JIT VM Access is a Defender for Servers feature that keeps VM management ports (RDP 3389, SSH 22, PowerShell Remoting 5986) closed by default and only opens them temporarily when needed. By default, management ports are denied via NSG. A user requests access from Defender for Cloud (specifying a window like 3 hours), the NSG rules are dynamically updated to allow only that user's source IP, and access is automatically denied when the window expires. This eliminates constant exposure to brute-force attacks and scanners, dramatically improving production VM security. Combined with Microsoft Entra ID authentication and Conditional Access, you can enforce strict controls like 'JIT activation allowed only from compliant devices.' Applying JIT to every VM with a public IP is a modern production best practice.

How do I use Vulnerability Assessment?

Vulnerability Assessment automatically scans VMs, container images, and SQL DBs for vulnerabilities. Microsoft Defender Vulnerability Management (MDVM), integrated into Defender for Servers Plan 2, detects OS, software, and middleware vulnerabilities against the CVE database, prioritizes them by CVSS score, and provides remediation guides. VMs: monthly automatic scans plus real-time detection. Container Registry: automatic scanning on image push plus runtime detection (Defender for Containers). SQL DB: monthly scans plus baselined recommendations. Post-detection response: apply Patch Tuesday (Windows), run apt/yum update (Linux), rebuild container images, and apply SQL DB Security Baseline. In production, the standard is automated patch management combining Defender for Cloud Vulnerability Assessment with Microsoft Update Manager.

How does multi-cloud support work?

Defender for Cloud extends protection to other clouds via the AWS Connector and GCP Connector. AWS Connector: connect AWS accounts to Defender for Cloud and gain CSPM (Recommendations, Secure Score) plus CWPP (Defender for Servers also covers AWS EC2; Defender for SQL also covers RDS). GCP Connector: connect GCP projects and apply Defender for Servers to Compute Engine VMs. Multi-cloud Secure Score provides a unified dashboard for Azure, AWS, and GCP for centralized security posture management. A common enterprise pattern is unified management of a primary cloud (Azure) and secondary cloud (AWS) in Defender for Cloud so SOC analysts can monitor all environments from a single pane. Multi-cloud integration positions the Microsoft security stack as the core platform for multi-cloud enterprises.

How does it relate to Microsoft Sentinel?

Defender for Cloud and Microsoft Sentinel are complementary. Defender for Cloud focuses on 'security posture management plus per-resource protection' for cloud resources, generating Recommendations and Security Alerts. Microsoft Sentinel focuses on organization-wide 'threat detection, incident response, and threat hunting,' aggregating alerts from Defender for Cloud and other sources (Defender XDR, third-party firewalls, SaaS apps). Standard pattern: Defender for Cloud generates Security Alerts → forwarded to Microsoft Sentinel (auto-ingested via Data Connector) → analyzed in Sentinel with KQL, automated responses via Logic App Playbook, and threat hunting. The combination forms the complete picture of Microsoft cloud security, and SOC analysts must deeply understand both tools.

Which certifications are related?

SC-200 (Security Operations Analyst Associate) is the headline certification for this area — Domain 2 (Configure protections and detections, 15-20%) covers Defender for Cloud deeply. Also covered in: SC-100 (Cybersecurity Architect Expert) as the Infrastructure pillar of Zero Trust strategy; AZ-104 (Administrator) Domain 5 for monitoring; MS-102 (Microsoft 365 Administrator Expert) Domain 3 for Defender XDR integration; and SC-500 (formerly AZ-500, GA 2026-09) for overall Azure security implementation. As the core of the Microsoft security stack, it's an essential skill for SOC analysts and security architects.

Related Articles and Technical Deep Dives

SC-200 完全ガイド|Microsoft Security Operations Analyst Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Security Operations Analyst Associate (SC-200) の完全ガイド。4 ドメインの出題範囲、Microsoft Sentinel / Defender XDR (Endpoint / Cloud / Identity / Office 365 / Cloud Apps) の運用スキル、KQL Hunting Query、3-4 ヶ月の合格ロードマップ、SC-300 / SC-100 / SC-500 への展開ルートを日本語で網羅。

Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】

Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

SC-900 完全ガイド|Microsoft Security, Compliance, and Identity Fundamentals 出題範囲・学習リソース・合格戦略

Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) の完全ガイド。Zero Trust・Microsoft Entra・Defender スイート・Purview の出題範囲、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、SC-200 / SC-300 / SC-500 / SC-100 へのキャリアパスを日本語で網羅。

Technical information in this article is based on the Microsoft Defender for Cloud Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship relationship. Microsoft, Azure, Microsoft Defender, and Microsoft Entra are trademarks of the Microsoft group of companies. Information reflects official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure Exam Prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.