Microsoft Defender for Cloud (Azure Security Center) 101
Out of Microsoft's big stack of Azure security tools, Microsoft Defender for Cloud (formerly known as Azure Security Center) should not be missing from your list.
As you know, Microsoft likes to swap names around here and there for its services.
They combined Azure Security Center and (Microsoft) Azure Defender into one product: Microsoft Defender for Cloud.
Author: Niels Kroeze, IT Business Copywriter
Reading time: 13 minutes
Published: 01 April 2025
In this article, we'll go over some of the security features of Defender for Cloud.
But before we begin looking at its security features, let’s go over some of the basics.
What is Microsoft Defender for Cloud?
Simply put, Microsoft Defender for Cloud is a monitoring tool for security posture management and threat protection. It provides a single pane of glass to monitor, detect, and respond to threats and vulnerabilities.
It consolidates security services into one interface where you can track security status across workloads.
This can be in Microsoft Azure, on-premises, hybrid cloud, or multi-cloud environments (Google Cloud Platform, AWS, etc.).
Defender for Cloud is a cloud-native application protection platform (CNAPP) that includes security measures and practices to protect cloud-based apps from cyber threats and vulnerabilities.
But not only that, it is also considered:
A Cloud Security Posture Management (CSPM) solution
A Cloud Workload Protection Platform (CWPP)
A DevSecOps solution that centralises security management at the code level across multi-cloud and multi-pipeline environments
Deploying Microsoft Defender for Cloud is simple since it’s already integrated with Azure services as a native security solution.
Defender for Cloud basically fills three essential needs:
Continuously assess: Know your security posture, identify any issues, and keep track of vulnerabilities.
Secure: Secure and harden resources and services by comparing their status against the Microsoft cloud security benchmark in Defender for Cloud (the Azure Security Benchmark plus security benchmarks for other cloud providers and other Microsoft clouds).
Defend: Detect and resolve threats to resources, workloads and services hosted in the Azure cloud.
The two primary goals of Microsoft Defender for Cloud are as follows:
Help you (as an administrator) understand your current security situation
Help you improve your security posture based on insights
Now that we know what it is, let's see what you can do with it. With Microsoft Defender for Cloud, you can:
Monitor and manage cloud security posture
Detect vulnerabilities
Investigate security incidents efficiently
That information is provided to the Security administrator in the Azure dashboard:
Azure-native Protections
Azure PaaS services: Detect threats targeting Azure PaaS services including Azure App Service, Azure SQL, Azure Storage Account, and many more services.
Azure data services: Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, along with recommendations for how to mitigate them.
Networks: Defender for Cloud helps you limit exposure to brute force attacks by restricting access to virtual machine ports with Just-in-Time (JIT) VM access. You can strengthen your network by allowing only specific source IPs, defining port and IP range restrictions, and preventing unnecessary access to critical resources.
Advanced threat protection
Defender for Cloud offers advanced threat protection for virtual machines, SQL databases, containers, web applications, and networks, helping detect and respond to security threats across your environment.
Defender for Cloud Components
Microsoft groups Defender for Cloud capabilities into different areas:
All these have their own individual set of policies. These policies may require actions such as enabling centralised identity management, configuring firewalls, or applying other security best practices across services.
What is the pricing for Defender for Cloud?
Microsoft Defender for Cloud pricing varies based on the type of agreement, date of purchase, and currency exchange rate. It is a pay-as-you-go service with no upfront costs, and you can try it for free for the first 30 days.
Charges apply per resource based on the pricing model outlined below.
NOTE
When you enable Microsoft Defender for Cloud, all supported resources are automatically enrolled and protected unless you opt out.
Going into every feature would take hours, if not days. For now, here are some of the key features of Microsoft Defender for Cloud:
Intelligent threat detection: Defender for Cloud uses machine learning and advanced detection algorithms to identify a wide range of threats. It proactively spots potential vulnerabilities and offers actionable steps to fix them before they’re exploited.
Prioritises risk remediation: It helps you focus on fixes that impact your secure score and overall security.
Vulnerability management: Defender for Cloud includes built-in vulnerability scanning (formerly Azure Defender) to detect and fix risks across your cloud resources.
Identity and Access Management (IAM): Microsoft Defender for Cloud supports IAM by integrating with Microsoft Entra (formerly Azure Active Directory). It helps detect excessive permissions, unused roles, and risky access patterns. The tool recommends actions to enforce least-privilege access and supports MFA, conditional access and role-based access control (RBAC) to reduce identity-related risks.
Code pipeline insights: Defender for Cloud helps security teams protect applications and resources from code to cloud. It supports multi-pipeline environments like GitHub and Azure DevOps.
Compliance: Defender for Cloud supports regulatory compliance by showing your current status against various industry standards. It helps you meet HIPAA, GDPR, and PCI DSS regulatory standards. It also provides recommendations to help improve compliance across your environment.
Threat protection: Covers capabilities that detect and respond to threats targeting both Azure and non-Azure resources.
Security Information and Event Management (SIEM): Defender for Cloud integrates with SIEM tools (like Microsoft Sentinel). This enables centralised security monitoring, threat detection, and incident response across your environment.
How does Microsoft Defender for Cloud work?
Microsoft Defender for Cloud works by providing unified security management and advanced threat protection. It actively monitors networks and detects threats by collecting and analysing log data from all Azure resources and network activity.
It doesn't just use signature-based detection methods but also makes use of machine learning (ML) to detect threats by using:
Integrated threat intelligence
Behavioural analytics
Anomaly detection
Microsoft Defender for Cloud works by assigning security policies and international regulations to workloads and resources across cloud environments and evaluating whether they are applied or not. This process then creates a “secure score”.
Based on the outcomes, it includes recommendations to improve your security posture, for both Azure and non-Azure environments.
What is a Secure Score?
A Secure Score measures an organisation's security posture. It consolidates security findings into a single, actionable score. You can find it in the Microsoft Defender portal.
Microsoft Defender for Cloud constantly scans the hybrid network's resources for security issues. Each resource is assessed individually and has a maximum score based on everything that could be done to maximise its security.
For every recommendation that goes ignored, the score drops. The findings for each resource are all put together, and an overall score is generated that tells you how good your security is at a glance.
Next, you can see more details about the score and how to improve it.
How is the Secure Score Calculated?
Secure Score in Microsoft Defender for Cloud is calculated based on the percentage of security controls you've implemented out of the total possible improvements.
Each recommendation has a maximum point value based on its impact on your security posture.
When you implement a recommendation, you earn points toward your Secure Score.
Partial implementation gives partial points. For example, if a recommendation applies to 10 resources and you fix 5, you get 50% of the possible points.
Total Secure Score is the sum of all points you've earned, divided by the total possible points across all recommendations.
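The calculation described above, worked through in Python as an added example that is not part of the original article: each recommendation earns points in proportion to the share of its resources that are remediated, and the overall score is earned points over total possible points. The recommendation names, point values and resource counts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Recommendation:
    """One Defender for Cloud recommendation and its assessment (constructed data)."""
    name: str
    max_points: float       # points awarded when every resource is remediated
    total_resources: int    # resources the recommendation applies to
    healthy_resources: int  # resources already remediated

    def earned_points(self) -> float:
        # Partial remediation earns a proportional share: fix 5 of 10, get 50%.
        if self.total_resources == 0:
            return 0.0
        return self.max_points * self.healthy_resources / self.total_resources


def secure_score(recs):
    """Return (earned, possible, percentage) summed over all recommendations."""
    earned = sum(r.earned_points() for r in recs)
    possible = sum(r.max_points for r in recs)
    pct = round(100 * earned / possible, 1) if possible else 0.0
    return earned, possible, pct


def remediation_priority(recs):
    """Recommendations ordered by the points still unclaimed, largest first."""
    return sorted(recs, key=lambda r: r.max_points - r.earned_points(), reverse=True)


# Constructed sample assessment; names and point values are illustrative only.
SAMPLE = [
    Recommendation("Enable MFA for accounts with owner permissions", 10, 4, 2),
    Recommendation("Management ports should be closed", 8, 10, 5),
    Recommendation("System updates should be installed", 6, 20, 20),
    Recommendation("Enforce SSL connection for database servers", 4, 5, 0),
]

if __name__ == "__main__":
    earned, possible, pct = secure_score(SAMPLE)
    print(f"Secure score: {earned:.1f}/{possible:.1f} ({pct}%)")
    for r in remediation_priority(SAMPLE):
        print(f"  {r.max_points - r.earned_points():4.1f} points unclaimed: {r.name}")
```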
Security alerts
Security alerts in Microsoft Defender for Cloud are notifications triggered when threats are detected across either your Azure or non-Azure resources.
As Defender for Cloud detects a threat in any area of your environment, it generates security alerts along with details of the affected resources. Even better, it also provides remediation steps. It can trigger automated responses (such as Azure Functions or other apps) to take immediate action if configured.
The really powerful part is that it correlates these alerts into incidents when they affect multiple resources. It takes a large amount of telemetry and turns it into a picture of an attack campaign that might be unfolding within your organisation.
Within this, you have a basic table with:
Severity: Helps you prioritize what incidents or alerts to respond to.
Title: The alert name.
Affected Resources: What assets are impacted.
Start Time: When the alert started.
Attack Tactics: (when available) the attack tactics associated with the alert.
This gives you a better visual indicator of what’s going on and what stage it’s at within your organisation.
Check out the image below for a visual overview of security alerts:
Clicking into one of these alerts pulls up detailed information:
Severity level
Description of what's happening
Affected resources
Take action page with recommendations
How to take action on an alert
Once you’ve finished the investigation of the security alert, and understand its scope, you can respond to it within the Azure portal. Just follow along:
Click on “take action”.
You will be redirected to the take action page, where you are given recommendations about what to do about the security alert. It should look like this:
From there, you can enforce a rule for that alert. In this example, that is traffic detected from IP addresses recommended for blocking. Click on "Enforce rule" as shown below:
You should be redirected to another page where you can see the description as well as the remediation steps.
You can enforce rules directly within the security alert workflow, such as setting allowed source IP addresses and blocking all others. This lets you mitigate incidents on the spot in Defender for Cloud, without navigating through other areas of the Azure portal.
There are tons of capabilities within the security alerts page. To take action, you can follow several steps:
Mitigate the threat: Escalate the alert to the security team and work out a fix for it.
Prevent future attacks: Resolve the related security recommendations to prevent future attacks.
Trigger automated responses: Use Logic Apps to remediate incidents automatically or to provide additional alerts (e-mail notifications or integration with your ticketing system).
Suppress similar alerts: If you see a false positive, you might want to create a suppression rule to mute the other alerts that keep coming through for this particular incident.
Threat classification levels
When Defender for Cloud detects a threat, it categorises it into four severity levels:
High: Indicates a likely compromise that needs immediate action.
Medium: Flags suspicious activity that requires prompt investigation.
Low: Identifies minor events that may not pose a significant risk.
Informational: Provides context about a potential threat, usually alongside another severity level.
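An added example (not from the original article) that ties together the alert correlation described earlier and the severity levels listed above: alerts carrying the columns of the alerts table are grouped into incidents when they share an affected resource, and each incident takes the highest severity of its alerts. The alerts, resource names and times are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Severity ranking used to order alerts and incidents, highest first.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

@dataclass
class Alert:
    """Columns of the alerts table; attack_tactics is not always available."""
    severity: str
    title: str
    affected_resources: frozenset
    start_time: datetime
    attack_tactics: str = ""

@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    resources: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        # Highest severity among the alerts; Informational only adds context.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.get)

def correlate(alerts):
    """Group alerts that share an affected resource into incidents."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.start_time):
        hits = [i for i in incidents if i.resources & alert.affected_resources]
        if not hits:
            incidents.append(Incident([alert], set(alert.affected_resources)))
            continue
        target, *others = hits
        for other in others:  # one alert bridging two incidents merges them
            target.alerts.extend(other.alerts)
            target.resources |= other.resources
            incidents.remove(other)
        target.alerts.append(alert)
        target.resources |= alert.affected_resources
    return sorted(incidents, key=lambda i: SEVERITY_RANK[i.severity], reverse=True)

# Constructed sample alerts; resource names and titles are illustrative only.
T0 = datetime(2025, 4, 1, 9, 0)
SAMPLE = [
    Alert("Medium", "Suspicious sign-in", frozenset({"vm-web-01"}), T0),
    Alert("High", "Brute-force attempt on management port",
          frozenset({"vm-web-01", "nsg-web"}), T0.replace(minute=5), "Initial Access"),
    Alert("Informational", "Unusual access to storage", frozenset({"st-prod"}), T0.replace(minute=10)),
    Alert("Low", "Sign-in from unusual location", frozenset({"sql-db-01"}), T0.replace(minute=15)),
]
```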
Benefits of Microsoft Defender for Cloud
Proactive threat defence: Defender for Cloud uses real-time monitoring and alerts to detect and stop threats early before they impact your infrastructure.
Multi-cloud protection: It provides visibility into the security of cloud environments within a single-pane dashboard, including Azure, AWS, and Google Cloud.
Integration with Azure-native services: Microsoft Defender for Cloud integrates with other Microsoft security tools like Azure Sentinel.
Unified security management: Defender for Cloud brings security management into one platform, whether you use Azure only, multiple clouds or a hybrid cloud.
Comprehensive protection across cloud resources: Defender for Cloud secures your entire cloud environment, including virtual machines, containers, networks, databases, and other key resources.
Cloud Native security: Microsoft Defender for Cloud is built as a cloud-native security solution tailored to protect cloud workloads and applications. It scales easily and supports deployment across multiple cloud platforms, making it flexible for complex environments.
To wrap it up, we discussed how Microsoft Defender for Cloud is an essential and scalable solution for securing workloads and applications, whether you're fully in Azure, partially in Azure (hybrid cloud), on-prem or multi-cloud.
That said, you probably wonder, “Is Microsoft Defender for Cloud worth it?”
The short answer: yes.
Out of all the Azure Security best practices, using Microsoft Defender for Cloud is one of the best things to do. You get a service that processes billions of signals daily.
Better yet, the dashboard gives you a single-pane overview to follow up on all recommendations easily and keep a clear view, even in complex multi-cloud environments.
And let’s be honest: eventually, you’ll need something to protect your environment against cyberattacks – which are getting more sophisticated as days go by.
While Defender for Cloud may not be free forever (only the first 30 days), neither is recovery. Keep in mind that security is NOT the place to play a cost cutter. It’s just not worth the risk.
Get in Touch!
For many enterprises, taking care of security remains a big challenge. Intercept can help you secure your Azure cloud so you can focus on delivering value to your customers and driving business.
Is Microsoft Defender for Cloud free?
Yes, Microsoft Defender for Cloud is free, but only for the first 30 days. After that, you'll be charged according to the pricing scheme.
Are all Microsoft Defender for Cloud features free?
Not all features are free for the first 30 days. Malware scanning in Defender for Storage is not included in the free trial. It is a paid feature and will be charged from day one once enabled.
How do I turn on Microsoft Defender for Cloud?
Microsoft Defender for Cloud is enabled by default on all Azure subscriptions.
What is the primary purpose of Microsoft Defender for Cloud?
The primary purpose of Microsoft Defender for Cloud is to help organisations prevent, detect, and respond to threats by providing increased visibility and control over the security of their resources across Azure, on-premises, and other cloud environments.
What is the difference between Defender for Cloud and Cloud Apps?
Microsoft Defender for Cloud is a unified security management system focusing on threat protection across various cloud workloads, including virtual machines, databases, and containers.
In contrast, Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) solution that provides visibility and control over the use of cloud applications, focusing on securing SaaS apps by monitoring user activities and data across cloud services.
How do I get to Microsoft Defender for Cloud?
To access Microsoft Defender for Cloud, log in to the Azure portal. Select 'Microsoft Defender for Cloud' from the left-hand navigation pane to view and manage your security posture and configurations. You can refer to Microsoft's official documentation on Microsoft Defender for Cloud for more detailed information.