Microsoft Defender for Cloud (formerly Azure Security Center) provides unified security posture management, threat detection, and compliance monitoring across Azure, hybrid, and multi-cloud environments. This guide covers essential configuration steps for effective cloud security.
Azure Security Center to Defender for Cloud
Azure Security Center was rebranded to Microsoft Defender for Cloud in November 2021, combining the previous Security Center and Azure Defender into a single product.
| Previous Name | Current Name | Function |
| --- | --- | --- |
| Azure Security Center (Free) | Defender for Cloud (CSPM) | Security posture management and recommendations |
| Azure Defender | Defender for Cloud (CWP plans) | Workload protection and threat detection |
| Azure Sentinel | Microsoft Sentinel | SIEM and SOAR for security operations |
All existing configurations continue to work under the new naming. The functionality is identical — only the product name and admin portal organization changed.
Initial Configuration Steps
Setting up Defender for Cloud involves enabling the service, configuring security policies, and activating workload protection plans.
- Enable Defender for Cloud: Navigate to the Security Center blade in Azure Portal. The free CSPM tier activates automatically for all Azure subscriptions.
- Enable Defender plans: Activate paid workload protection for servers, databases, storage, containers, and other resource types as needed
- Configure security policies: Apply built-in policies (CIS Benchmark, NIST 800-53, PCI DSS) or create custom initiatives
- Set up email notifications: Configure security contact emails and notification thresholds for security alerts
- Enable auto-provisioning: Automatically deploy monitoring agents to new VMs for continuous assessment
Security Posture Management
Defender for Cloud continuously evaluates your Azure resources against security benchmarks and provides a Secure Score that measures your overall posture.
- Secure Score: A percentage-based score reflecting how well your environment follows security best practices. Aim for 80% or higher.
- Recommendations: Prioritized list of configuration improvements with severity ratings and remediation steps
- Regulatory compliance: Dashboard showing compliance status against CIS, NIST, PCI DSS, ISO 27001, and custom frameworks
- Attack path analysis: Identifies vulnerable resource combinations that could be exploited by attackers
Workload Protection Plans
Defender plans provide advanced threat detection for specific resource types beyond the free CSPM capabilities.
| Plan | Protects | Key Capabilities |
| --- | --- | --- |
| Defender for Servers | VMs and Arc-connected servers | Vulnerability scanning, file integrity monitoring, JIT access |
| Defender for Databases | SQL, PostgreSQL, MySQL, Cosmos DB | SQL injection detection, anomalous access alerts |
| Defender for Storage | Blob, File, Data Lake | Malware scanning, sensitive data detection |
| Defender for Containers | AKS, container registries | Image vulnerability scanning, runtime protection |
| Defender for Key Vault | Key Vault secrets | Unusual access patterns, suspicious operations |
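To check which of the plans in the table above are actually switched on, the following added example (not from the original article or from Microsoft) audits a saved copy of `az security pricing list -o json`. The embedded sample is constructed, and the `{"value": [...]}` shape is an assumption to confirm against your CLI version.

```python
import json

# Plan names from the table, mapped to the identifiers in each entry's "name" field.
PLAN_IDS = {
    "Defender for Servers": ["VirtualMachines"],
    "Defender for Databases": ["SqlServers", "SqlServerVirtualMachines",
                               "OpenSourceRelationalDatabases", "CosmosDbs"],
    "Defender for Storage": ["StorageAccounts"],
    "Defender for Containers": ["Containers"],
    "Defender for Key Vault": ["KeyVaults"],
}

# Constructed sample; the {"value": [...]} shape is an assumption about the CLI output.
SAMPLE = json.loads("""{"value": [
  {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P1"},
  {"name": "SqlServers", "pricingTier": "Standard", "subPlan": null},
  {"name": "SqlServerVirtualMachines", "pricingTier": "Free", "subPlan": null},
  {"name": "OpenSourceRelationalDatabases", "pricingTier": "Standard", "subPlan": null},
  {"name": "CosmosDbs", "pricingTier": "Standard", "subPlan": null},
  {"name": "StorageAccounts", "pricingTier": "Free", "subPlan": null},
  {"name": "Containers", "pricingTier": "Standard", "subPlan": null}
]}""")


def audit_plans(doc):
    """Return {plan name: [gaps]} for every plan that is not fully enabled."""
    entries = doc.get("value", []) if isinstance(doc, dict) else doc
    by_id = {e["name"]: e for e in entries}
    gaps = {}
    for plan, ids in PLAN_IDS.items():
        issues = []
        for pid in ids:
            entry = by_id.get(pid)
            if entry is None:
                issues.append(f"{pid}: not reported")
            elif entry.get("pricingTier") != "Standard":
                issues.append(f"{pid}: tier is {entry.get('pricingTier')}")
            elif pid == "VirtualMachines" and entry.get("subPlan") != "P2":
                # JIT access and file integrity monitoring are Plan 2 features.
                issues.append(f"{pid}: sub-plan is {entry.get('subPlan')}, not P2")
        if issues:
            gaps[plan] = issues
    return gaps


if __name__ == "__main__":
    for plan, issues in audit_plans(SAMPLE).items():
        print(plan, "->", "; ".join(issues))
```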
Integration With Microsoft Sentinel
Connecting Defender for Cloud to Microsoft Sentinel creates a comprehensive security operations platform with SIEM and SOAR capabilities.
- Configure the Defender for Cloud data connector in Sentinel to stream all security alerts
- Create analytics rules to correlate Defender alerts with other data sources
- Build automated playbooks using Logic Apps for common incident response tasks
- Use Sentinel workbooks for security operations dashboards and reporting
For identity security configuration, see our Entra ID management guide. For broader Azure security, explore our Azure managed services.
Best Practices
Follow these configuration best practices for maximum security value.
- Enable Defender for Servers on all production VMs — the vulnerability assessment alone justifies the cost
- Apply the CIS Azure Benchmark as your baseline security policy
- Configure Just-in-Time VM access to eliminate standing RDP/SSH exposure
- Review Secure Score weekly and address critical recommendations promptly
- Use Azure Policy to enforce Defender for Cloud activation on new subscriptions
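To find the standing RDP/SSH exposure that Just-in-Time access is meant to remove, the added example below (not part of the original article) evaluates NSG rules in priority order and reports which rule leaves a management port open to any source. The sample rules are constructed; field names follow `az network nsg rule list -o json`, and default rules and Azure Firewall are not modelled.

```python
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}

# Constructed sample rules. The first one stands in for the kind of deny rule
# that JIT places ahead of existing allow rules.
SAMPLE_RULES = [
    {"name": "deny-ssh-all", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-ssh-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-admin-range", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["Internet"],
     "destinationPortRanges": ["443", "3000-4000"]},
    {"name": "allow-rdp-office", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "3389"},
]


def _covers(spec, port):
    """True if an NSG port spec ('*', '22' or '3000-4000') includes the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _values(rule, single, plural):
    """A rule carries either the singular field or the plural list; merge both."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def standing_exposure(rules):
    """Return (rule name, service) for each management port open to any source."""
    hits = []
    ordered = sorted(rules, key=lambda r: r["priority"])
    for port, service in MGMT_PORTS.items():
        for r in ordered:
            if r["direction"] != "Inbound" or r["protocol"].lower() not in ("*", "tcp"):
                continue
            sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
            specs = _values(r, "destinationPortRange", "destinationPortRanges")
            if not any(s.lower() in ANY_SOURCE for s in sources):
                continue  # rule scoped to specific sources: not standing exposure
            if not any(_covers(s, port) for s in specs):
                continue
            if r["access"] == "Allow":
                hits.append((r["name"], service))
            break  # lowest priority number wins, whether Allow or Deny
    return hits
```

Wide port ranges are the case to watch: `allow-admin-range` never names 3389, yet its `3000-4000` range exposes RDP.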
Frequently Asked Questions
Is Defender for Cloud free?
The Cloud Security Posture Management (CSPM) tier is free for all Azure subscriptions. Advanced workload protection plans (Defender for Servers, Databases, etc.) have per-resource hourly pricing.
What is the difference between Defender for Cloud and Microsoft Sentinel?
Defender for Cloud focuses on security posture management and workload protection for Azure resources. Microsoft Sentinel is a SIEM/SOAR platform that collects and analyzes security data from across your entire environment. They complement each other.
Does Defender for Cloud work with non-Azure resources?
Yes. Through Azure Arc, Defender for Cloud extends monitoring and protection to on-premises servers, AWS instances, and GCP VMs. Multi-cloud connectors are also available for native AWS and GCP security assessment.
How much does Defender for Cloud cost?
CSPM is free. Defender for Servers costs approximately $15/server/month for Plan 2. Defender for Databases varies by database type. Use the Azure pricing calculator for exact costs based on your resource count.
What Secure Score should I target?
Aim for 80% or higher. Most organizations start between 40-60%. Focus on critical and high-severity recommendations first, as they have the largest impact on both score and actual security posture.