
Microsoft Defender for Cloud (Azure Security Center) 101

Out of Microsoft's large stack of Azure security tools, Microsoft Defender for Cloud (formerly Azure Security Center) is one you should not leave off your list.

As you know, Microsoft likes to swap names around here and there for its services.

Microsoft combined Azure Security Center and Azure Defender into one product: Microsoft Defender for Cloud.

Author: Niels Kroeze, IT Business Copywriter

Reading time: 13 minutes. Published: 01 April 2025

In this article, we'll go over some of the security features of Defender for Cloud: what it is, what it costs, how the secure score works, and how to investigate and act on security alerts.

But before we begin looking at its security features, let’s go over some of the basics. 

 

What is Microsoft Defender for Cloud?

Simply put, Microsoft Defender for Cloud is a security posture management and threat protection service. It provides a single pane of glass to monitor, detect, and respond to threats and misconfigurations across your workloads.

Microsoft Defender for Cloud infographic showing three stages: unify DevOps security management, strengthen cloud security posture, and protect cloud workloads. 

It consolidates security services into one interface where you can track security status across workloads.

Those workloads can run in Microsoft Azure, on-premises, in a hybrid setup, or in other clouds (Amazon Web Services, Google Cloud Platform).

Defender for Cloud is a cloud-native application protection platform (CNAPP) that includes security measures and practices to protect cloud-based apps from cyber threats and vulnerabilities.

But not only that, it’s also considered as:

  • Cloud Security Posture Management (CSPM) solution
  • Cloud Workload Protection Platform (CWPP)
  • A DevSecOps solution that centralises security management at the code and pipeline level across multi-cloud and multi-pipeline environments

Deploying Microsoft Defender for Cloud is straightforward, because it is a native Azure service that is already integrated with the rest of the platform.

For example, it integrates with Microsoft Sentinel (SIEM/SOAR) and Microsoft Defender for Cloud Apps (CASB).

Defender for Cloud addresses three essential needs:

Three colored squares depict security steps: Continuously Assess, Secure, and Defend.

  • Continuously assess: Know your security posture, identify issues, and keep track of vulnerabilities in your resources.
  • Secure: Harden resources and services by comparing their configuration against the Microsoft cloud security benchmark (the successor of the Azure Security Benchmark, which also covers other cloud providers and other Microsoft clouds).
  • Defend: Detect and resolve threats to the resources, workloads and services you run, in Azure and elsewhere.

The two primary goals of Microsoft Defender for Cloud are as follows:

  1. Help you (as an administrator) understand your current security situation
  2. Help you improve your security posture based on the insights it provides


Now that we know what it is, let's see what you can do with it. With Microsoft Defender for Cloud, you can:

  • Monitor and manage cloud security posture
  • Detect vulnerabilities
  • Investigate security incidents efficiently

That information is presented to the security administrator in the Defender for Cloud dashboard in the Azure portal:

Microsoft Defender for Cloud overview dashboard showing security posture, regulatory compliance, workload protections, inventory, and security alerts for Azure, AWS, and GCP subscriptions.

Azure-native Protections

  • Azure PaaS services: Detect threats targeting Azure PaaS services including Azure App Service, Azure SQL, Azure Storage Account, and many more services.
  • Azure data services: Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, along with recommendations for how to mitigate them.
  • Networks: Defender for Cloud helps you limit exposure to brute-force attacks by restricting access to virtual machine management ports with Just-in-Time (JIT) VM access. JIT keeps the ports closed in the network security group (NSG) by default and opens them only for an approved source IP range and a limited time when access is requested. You can strengthen your network further by allowing only specific source IPs, defining port and IP range restrictions, and preventing unnecessary access to critical resources.

Advanced threat protection

Defender for Cloud offers advanced threat protection for virtual machines, SQL databases, containers, web applications, and networks, helping detect and respond to security threats across your environment.

 

Defender for Cloud Components

Microsoft groups Defender for Cloud capabilities into separate plans, one per workload type:

  • Defender for DevOps: Secures DevOps pipelines.
  • Defender for Servers: Protects virtual machines and the workloads on them.
  • Defender for Storage: Monitors security for Azure Storage accounts.
  • Defender for Cosmos DB: Protects NoSQL databases.
  • Defender for Containers: Enhances container security.
  • Defender for App Service: Monitors security for cloud applications.
  • Defender for Key Vault: Secures cryptographic keys and secrets.
  • Defender for DNS: Monitors DNS requests for malicious activity.
  • Defender for APIs: Secures API endpoints from attacks.

Each plan comes with its own set of policies. These policies may require actions such as enabling centralised identity management, configuring firewalls, or applying other security best practices across services.

 

What is the pricing for Defender for Cloud?

Microsoft Defender for Cloud pricing varies based on the type of agreement, date of purchase, and currency exchange rate. The Defender plans are pay-as-you-go with no upfront costs, and you can try them for free for the first 30 days.

Charges apply per resource based on the pricing model outlined below.

Microsoft Defender for Cloud Pricing

 

NOTE

When you enable a Defender plan on a subscription, all supported resources of that type in the subscription are automatically enrolled, protected and billed unless you opt them out.


Key Features of Microsoft Defender for Cloud

Going into every feature would take hours, if not days. For now, here are some of the key features of Microsoft Defender for Cloud:

  • Intelligent threat detection: Defender for Cloud uses machine learning and advanced detection algorithms to identify a wide range of threats. It also spots potential vulnerabilities and offers actionable steps to fix them before they are exploited.
  • Prioritised risk remediation: It helps you focus on the fixes that have the biggest impact on your secure score and overall security.
  • Vulnerability management: Defender for Cloud includes built-in vulnerability assessment (through Microsoft Defender Vulnerability Management) to detect and fix weaknesses across your cloud resources.
  • Identity and Access Management (IAM): Microsoft Defender for Cloud integrates with Microsoft Entra ID (formerly Azure Active Directory). It surfaces recommendations for excessive permissions, stale accounts and risky access patterns, and recommends actions that enforce least privilege, such as requiring MFA on privileged accounts and tightening role-based access control (RBAC) assignments, to reduce identity-related risk.
  • Code pipeline insights: Defender for Cloud helps security teams protect applications and resources from code to cloud. It supports multi-pipeline environments such as GitHub and Azure DevOps.
  • Compliance: Defender for Cloud supports regulatory compliance by showing your current status against various industry standards, helping you evidence compliance with standards such as HIPAA, GDPR, and PCI DSS. It also provides recommendations to improve compliance across your environment.
  • Threat protection: Capabilities that detect and respond to threats targeting both Azure and non-Azure resources.
  • Security Information and Event Management (SIEM): Defender for Cloud integrates with SIEM tools (such as Microsoft Sentinel). This enables centralised security monitoring, threat detection, and incident response across your environment.

 

How does Microsoft Defender for Cloud work?

Microsoft Defender for Cloud works by providing unified security management and advanced threat protection. It continuously collects and analyses configuration data, logs and network telemetry from your resources to assess posture and detect threats.

It doesn't just use signature-based detection methods but also makes use of machine learning (ML) to detect threats by using:

  • Integrated threat intelligence
  • Behavioural analytics
  • Anomaly detection

Microsoft Defender for Cloud works by assigning security policies (Azure Policy initiatives, including ones that map to regulatory standards) to workloads and resources across cloud environments and evaluating whether each resource complies. Non-compliant resources produce recommendations, and the recommendations are rolled up into a "secure score".

Diagram showing the relationship between workloads/resources, security policies and regulations, and secure score recommendations for improving security threats in Azure and non-Azure cloud solutions.

Based on the outcomes, it includes recommendations to improve your security posture, for both Azure and non-Azure environments.

 

What is a Secure Score?

A Secure Score measures an organisation's security posture. It consolidates security findings into a single, actionable score. You can find it on the Security posture page of Defender for Cloud in the Azure portal (not to be confused with Microsoft Secure Score in the Microsoft Defender portal, which covers Microsoft 365 workloads).

A higher score = a lower identified risk level.

 

Security posture dashboard showing 43% secure score, 184/247 unassigned recommendations, and 156/63 overdue recommendations, broken down by Azure, AWS, and GCP.
Source: Microsoft

Microsoft Defender for Cloud constantly scans the resources in your hybrid and multi-cloud environment for security issues. Each resource is assessed individually and has a maximum score based on everything that could be done to maximise its security.

Every recommendation you leave unremediated withholds points. The findings for all resources are aggregated into an overall score that tells you at a glance how good your security posture is.

Online security subscription score of 54%, categorized as "Fixed" (54%) and "Unhealthy" (46%).

Next, you can see more details about the score and how to improve it.

 

How is the Secure Score Calculated?

Secure Score in Microsoft Defender for Cloud is calculated as the percentage of points you have earned out of the total possible points across the security controls that apply to your environment.

  • Recommendations are grouped into security controls, and each control has a maximum point value based on its impact on your security posture.
  • When you remediate a recommendation, you earn points toward your Secure Score. A resource only counts as healthy for a control once all recommendations in that control are remediated for it.
  • Partial implementation gives partial points. For example, if a control applies to 10 resources and you fix 5, you get 50% of that control's points.
  • The total Secure Score is the sum of the points you have earned, divided by the total possible points across all applicable controls.
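To make the arithmetic concrete, here is an added example (it is not Microsoft's code) that models the scoring described above over constructed control and resource data. Control names, point values and resource IDs are assumed for illustration; a resource earns credit for a control only when none of that control's recommendations fail for it, and a control with no applicable resources contributes nothing to the denominator. The last function ranks controls by the points one remediated resource is worth, which is the logic behind "fix what moves the score most".

```python
"""Secure score model: worked example, not Microsoft's implementation.
All control names, point values and resources below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    max_score: int
    # resource id -> set of recommendation names that are still failing for it
    resources: dict = field(default_factory=dict)


def control_score(ctrl: Control) -> float:
    """Points currently earned for one control.

    A resource is healthy only when every recommendation in the control passes,
    so partial credit comes from the share of healthy resources, not from the
    share of recommendations fixed on a single resource."""
    total = len(ctrl.resources)
    if total == 0:
        return 0.0  # control does not apply to this environment
    healthy = sum(1 for failing in ctrl.resources.values() if not failing)
    return ctrl.max_score * healthy / total


def secure_score(controls) -> float:
    """Overall secure score as a percentage of the applicable maximum."""
    applicable = [c for c in controls if c.resources]
    max_total = sum(c.max_score for c in applicable)
    if max_total == 0:
        return 0.0
    earned = sum(control_score(c) for c in applicable)
    return round(100 * earned / max_total, 2)


def remediation_priority(controls):
    """Controls ordered by points gained per remediated resource, best first.

    Returns (control name, points per healthy resource) for controls that
    still have unhealthy resources."""
    ranked = []
    for c in controls:
        unhealthy = sum(1 for failing in c.resources.values() if failing)
        if c.resources and unhealthy:
            ranked.append((c.name, round(c.max_score / len(c.resources), 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def sample_controls():
    """Constructed data: 10 VMs, half of which still miss endpoint protection;
    3 storage accounts all hardened; a SQL control with nothing in scope."""
    vms = {f"vm-{i:02d}": set() for i in range(10)}
    for i in range(5):
        vms[f"vm-{i:02d}"] = {"Endpoint protection should be installed"}
    return [
        Control("Enable endpoint protection", 10, vms),
        Control("Secure storage accounts", 4,
                {"stprod01": set(), "stprod02": set(), "stlogs": set()}),
        Control("Protect SQL databases", 6, {}),   # not applicable: no SQL resources
    ]


if __name__ == "__main__":
    ctrls = sample_controls()
    print(f"secure score: {secure_score(ctrls)}%")
    print("fix first:", remediation_priority(ctrls))
```

With this data the endpoint protection control earns 5 of 10 points, the storage control earns its full 4, and the SQL control is excluded, so the score is 9 of 14 points, or 64.29%. Fixing one more VM is worth 1 point, which is why the priority list puts that control first.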

 

Security alerts

Security alerts in Microsoft Defender for Cloud are notifications triggered when threats are detected across either your Azure or non-Azure resources.

Security center dashboard showing 665 active alerts, 44 affected resources, and a breakdown by severity (61 medium, 604 low).

When Defender for Cloud detects a threat anywhere in your environment, it generates a security alert with details of the affected resources. Even better, it also provides remediation steps, and it can trigger automated responses (such as Logic Apps, Azure Functions or other apps) to take immediate action if you configure them.

The really powerful part is that it correlates related alerts into security incidents when they belong to the same attack, even across multiple resources. It takes a lot of raw telemetry and gives you a picture of an attack campaign that might be unfolding within your organisation.

Within this, you have a basic table with:

  • Severity: Helps you prioritise which incidents or alerts to respond to first.
  • Title: The alert name.
  • Affected resources: Which assets are impacted.
  • Start time: When the alert activity started.
  • Attack tactics: The MITRE ATT&CK tactic(s) the activity maps to, when available.

This gives you a visual indicator of what is going on and what stage of an attack it has reached within your organisation.

Check out the image below for a visual representation of security alerts overview:

Security Center alert: low-severity inbound traffic detected from IP addresses recommended for blocking.

Clicking into one of these alerts opens its details:

  • Severity level
  • Description of what's happening
  • Affected resources
  • Take action page with recommendations

 

How to take action on an alert

Once you've finished investigating the security alert and understand its scope, you can respond to it within the Azure portal. Follow along:

Click "Take action".

Azure Security Center alert details, showing inbound traffic blocked from IP addresses, affecting a virtual machine (mtpdemo-annhill), potentially malicious activity, and pre-attack MITRE ATT&CK tactics.

You will be redirected to the take action page, where you are given recommendations about what to do about the security alert. It should look like this:

Security alert showing traffic detected from IP addresses recommended for blocking, active since August 14, 2021.

From there, you can enforce a rule for that alert. In this example, the alert is "traffic detected from IP addresses recommended for blocking". Click "Enforce rule" as shown below:

enforce rule in Microsoft Defender for Cloud

You should be redirected to another page where you can see the description as well as the remediation steps.

Network security group (NSG) rule management interface displaying recommended rules, total alerts, and remediation steps.

You can enforce network security group rules directly within the security alert workflow, for example allowing only specific source IP addresses on a port and denying all others. This lets you mitigate the incident on the spot in Defender for Cloud, without navigating to other areas of the Azure portal.

The security alert page offers several ways to take action:

  • Mitigate the threat: Escalate the alert to the security team and apply a fix for the affected resource.
  • Prevent future attacks: Resolve the related security recommendations so the same attack cannot succeed again.
  • Trigger automated responses: Use Logic Apps to remediate incidents automatically or to raise additional notifications (e-mail, or integration with your ticketing system).
  • Suppress similar alerts: If you confirm a false positive, create a suppression rule so that further alerts of that type for that entity are hidden for a defined period.

Options of taking actions in security alerts Microsoft Defender for Cloud
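The alert table, the incident correlation and the suppression rule above can be modelled in a few lines. The following is an added example, not code from Microsoft or from this page: it triages a batch of constructed alerts (the dictionaries only approximate the real alert schema's alertType, severity, compromisedEntity, startTimeUtc and intent fields), ranks them by severity, groups alerts that hit the same resource into an incident-style view, and applies a suppression rule for an internal vulnerability scanner that keeps tripping the "traffic from a suspicious IP" detection. Alert type names, resource names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are made up (the latter are the RFC 5737 documentation ranges).

```python
"""Alert triage model: added example, not Microsoft's code.
Alerts, alert types and resources are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timezone

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed alerts shaped loosely like Defender for Cloud alert records.
ALERTS = [
    {"alertType": "Traffic_From_Suspicious_IP", "severity": "Low",
     "compromisedEntity": "vm-web-01", "startTimeUtc": "2021-08-14T10:00:00Z",
     "intent": "PreAttack", "extendedProperties": {"Source IP": "203.0.113.10"}},
    {"alertType": "Brute_Force_SSH", "severity": "Medium",
     "compromisedEntity": "vm-web-01", "startTimeUtc": "2021-08-14T10:05:00Z",
     "intent": "CredentialAccess", "extendedProperties": {"Source IP": "203.0.113.10"}},
    {"alertType": "Suspicious_Process_Execution", "severity": "High",
     "compromisedEntity": "vm-web-01", "startTimeUtc": "2021-08-14T10:20:00Z",
     "intent": "Execution", "extendedProperties": {}},
    {"alertType": "Storage_Anomalous_Access", "severity": "Medium",
     "compromisedEntity": "stprodlogs", "startTimeUtc": "2021-08-14T11:00:00Z",
     "intent": "Exfiltration", "extendedProperties": {}},
    {"alertType": "Traffic_From_Suspicious_IP", "severity": "Low",
     "compromisedEntity": "vm-scanner-01", "startTimeUtc": "2021-08-14T09:00:00Z",
     "intent": "PreAttack", "extendedProperties": {"Source IP": "198.51.100.7"}},
]


def suppression_rule(alert_type, expires, entity_field=None, entity_value=None):
    """A rule matches one alert type, optionally narrowed to one entity value,
    and stops applying after its expiry (a rule without an end date would
    silently hide real attacks forever)."""
    return {"alertType": alert_type, "expires": expires,
            "entityField": entity_field, "entityValue": entity_value}


def is_suppressed(alert, rules, now):
    for rule in rules:
        if now >= rule["expires"] or alert["alertType"] != rule["alertType"]:
            continue
        if rule["entityField"] is None or alert.get(rule["entityField"]) == rule["entityValue"]:
            return True
    return False


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(alerts, rules, now):
    """Active alerts, highest severity first, oldest first within a severity."""
    active = [a for a in alerts if not is_suppressed(a, rules, now)]
    return sorted(active, key=lambda a: (SEVERITY_RANK[a["severity"]],
                                         parse_time(a["startTimeUtc"])))


def group_incidents(alerts):
    """Group alerts by affected resource; two or more alerts on one resource
    form an incident-style view with the tactics seen, in time order."""
    by_resource = defaultdict(list)
    for a in sorted(alerts, key=lambda a: parse_time(a["startTimeUtc"])):
        by_resource[a["compromisedEntity"]].append(a)
    return {res: lst for res, lst in by_resource.items() if len(lst) > 1}


# The internal scanner is a confirmed false positive: suppress for one month only.
SUPPRESS_SCANNER = suppression_rule(
    "Traffic_From_Suspicious_IP",
    expires=datetime(2021, 9, 14, tzinfo=timezone.utc),
    entity_field="compromisedEntity", entity_value="vm-scanner-01")

if __name__ == "__main__":
    now = datetime(2021, 8, 15, tzinfo=timezone.utc)
    for a in triage(ALERTS, [SUPPRESS_SCANNER], now):
        print(a["severity"], a["alertType"], a["compromisedEntity"], a["intent"])
    for res, chain in group_incidents(triage(ALERTS, [SUPPRESS_SCANNER], now)).items():
        print(res, "->", [a["intent"] for a in chain])
```

On this data the scanner's alert disappears, the high-severity process execution on vm-web-01 lands at the top of the queue, and the three alerts on vm-web-01 form one incident whose tactics read PreAttack, CredentialAccess, Execution in order, which is exactly the campaign view the portal tries to give you. Because the rule carries an expiry, the same triage run a month later shows all five alerts again.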

 

Threat classification levels

When Defender for Cloud raises an alert, it assigns one of four severity levels:

  • High: Indicates a likely compromise that needs immediate action.
  • Medium: Flags suspicious activity that requires prompt investigation.
  • Low: Identifies minor events that may not pose a significant risk.
  • Informational: Provides context about a potential threat, usually alongside another severity level.

 

Benefits of Microsoft Defender for Cloud

  • Proactive threat defence: Defender for Cloud uses continuous monitoring and alerts to detect threats early, before they spread through your infrastructure.
  • Multi-cloud protection: It provides visibility into the security of Azure, AWS, and Google Cloud environments in a single-pane dashboard.
  • Integration with Azure-native services: Microsoft Defender for Cloud integrates with other Microsoft security tools such as Microsoft Sentinel.
  • Unified security management: Defender for Cloud brings security management into one platform, whether you use Azure only, multiple clouds or a hybrid cloud.
  • Comprehensive protection across cloud resources: Defender for Cloud covers your cloud environment end to end, including virtual machines, containers, networks, databases, and other key resources.
  • Cloud-native security: Microsoft Defender for Cloud is built as a cloud-native security solution tailored to protect cloud workloads and applications. It scales easily and supports deployment across multiple cloud platforms, making it flexible for complex environments.

Closing thoughts

To wrap it up, we discussed how Microsoft Defender for Cloud is an essential and scalable solution for securing workloads and applications, whether you are fully in Azure, in a hybrid cloud with on-premises systems, or spread across multiple clouds.

That said, you are probably wondering: "Is Microsoft Defender for Cloud worth it?"

The short answer = Yes. 

Out of all the Azure Security best practices, using Microsoft Defender for Cloud is one of the best things to do. You get a service that processes billions of signals daily.

Better yet, the dashboard basically gives you a single-pane overview to follow up on all recommendations easily and remain clear-sight, even in complex multi-cloud environments.

And let’s be honest: eventually, you’ll need something to protect your environment against cyberattacks – which are getting more sophisticated as days go by.

The Defender plans are only free for the first 30 days, but neither is recovering from a breach. Security is not the place to cut costs; it is not worth the risk.


FAQ about Microsoft Defender for Cloud

Is Microsoft Defender for Cloud free?

Are all Microsoft Defender for Cloud features free?

How do I turn on Microsoft Defender for Cloud?

What is the primary purpose of Microsoft Defender for Cloud?

What is the difference between Defender for Cloud and Cloud Apps?

How do I get to Microsoft Defender for Cloud?