Opsio - Cloud and AI Solutions

Microsoft Defender for Cloud Configuration Guide

Reviewed by Opsio Engineering Team

Jacob Stålbro, Head of Innovation


Microsoft Defender for Cloud (formerly Azure Security Center) is a cloud-native application protection platform (CNAPP) that unifies security posture management, workload protection, and threat detection across your Azure, hybrid, and multi-cloud environments. This guide walks you through configuring Defender for Cloud from first enablement to a production-ready deployment, covering security policies, environment connectors, alert management, and ongoing monitoring. Whether you are securing your first Azure subscription or hardening an enterprise deployment, the steps below give you a practical foundation for stronger cloud security.

What Is Microsoft Defender for Cloud?

Microsoft Defender for Cloud is Azure's integrated security solution that continuously assesses, protects, and defends cloud workloads. Originally launched as Azure Security Center, Microsoft rebranded and expanded the service in November 2021 to reflect its broader multi-cloud capabilities.

The platform operates through two core pillars:

  • Cloud Security Posture Management (CSPM) — Continuously evaluates your resource configurations against security benchmarks such as the Microsoft Cloud Security Benchmark (MCSB) and generates a Secure Score that quantifies your overall posture.

  • Cloud Workload Protection (CWP) — Provides advanced threat detection for servers, containers, databases, storage, App Service, Key Vault, DNS, and Resource Manager through dedicated Defender plans.

Together, these capabilities give security teams a single pane of glass for identifying misconfigurations, detecting active threats, and prioritizing remediation — all without deploying separate tooling. If your organization uses Azure alongside AWS or GCP, Defender for Cloud extends posture management and protection across those environments as well.

Initial Configuration Steps

Enabling Defender for Cloud takes fewer than five minutes in the Azure portal and immediately starts assessing your subscriptions against security benchmarks. Follow these steps to get started:

  1. Sign in to the Azure portal and search for Microsoft Defender for Cloud.

  2. On the Overview dashboard, review the default Secure Score for each connected subscription.

  3. Navigate to Environment settings and select the subscription or management group you want to protect.

  4. Under Defender plans, toggle on the plans relevant to your workloads (Servers, Databases, Containers, Storage, etc.). The foundational CSPM plan is free; enhanced plans are billed per resource.

  5. Under Settings & monitoring, turn on the Microsoft Defender for Endpoint integration and agentless scanning for machines; these now supply the machine data that Defender for Servers needs, since the Log Analytics agent route is retired. Enable Azure Monitor Agent (AMA) auto-provisioning only where you run Defender for SQL servers on machines, which still depends on it.

  6. Configure email notifications under Environment settings > your subscription > Email notifications so subscription owners and security admins receive high-severity alerts.

  7. Click Save and allow a few minutes for the initial assessment to populate your Secure Score and recommendations.

After completing these steps, Defender for Cloud begins scanning your resources. The free foundational CSPM tier covers posture assessment and basic recommendations; enabling paid plans unlocks advanced threat detection and vulnerability scanning. For enterprise deployments, applying policies at the management group level ensures consistent coverage across all child subscriptions.
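The seven steps above as one Bicep template, added here as an example written for this edit; it is not code from the original guide or from Microsoft's own templates. It enables the paid plans, the Defender for Endpoint integration and agentless scanning that Defender for Servers uses for machine data, and high-severity email notifications, all at subscription scope. The plan list, sub-plans and recipient addresses are placeholder assumptions to adapt.

```bicep
// Added example, not from the original guide: enable Defender for Cloud plans,
// Defender for Endpoint integration and high-severity alert e-mails on one subscription.
// Deploy with:  az deployment sub create --location westeurope --template-file defender-enable.bicep
// Assumptions: the plan list and the e-mail addresses below are placeholders to adapt.
targetScope = 'subscription'

@description('Recipients for alert e-mails, semicolon-separated. Placeholder value.')
param securityContactEmails string = 'secops@example.com;cloud-owners@example.com'

@description('Defender plans to enable. Names are the Microsoft.Security/pricings resource names.')
param plans array = [
  {
    name: 'VirtualMachines'          // Defender for Servers
    properties: {
      pricingTier: 'Standard'
      subPlan: 'P2'
      // Agentless scanning replaces agent auto-provisioning for vulnerability assessment.
      extensions: [ { name: 'AgentlessVmScanning', isEnabled: 'True' } ]
    }
  }
  { name: 'StorageAccounts', properties: { pricingTier: 'Standard', subPlan: 'DefenderForStorageV2' } }
  { name: 'SqlServers', properties: { pricingTier: 'Standard' } }
  { name: 'Containers', properties: { pricingTier: 'Standard' } }
  { name: 'KeyVaults', properties: { pricingTier: 'Standard' } }
  { name: 'Arm', properties: { pricingTier: 'Standard' } }            // Resource Manager
  { name: 'CloudPosture', properties: { pricingTier: 'Standard' } }   // Defender CSPM (attack paths, governance)
]

// One pricings resource per plan. 'Standard' turns a paid plan on; 'Free' turns it off again.
// The pricing API rejects concurrent updates, so the loop is serialised.
@batchSize(1)
resource pricing 'Microsoft.Security/pricings@2023-01-01' = [for plan in plans: {
  name: plan.name
  properties: plan.properties
}]

// Step 5: Defender for Endpoint integration is the data source for Defender for Servers
// (the Log Analytics agent route is retired). 'WDATP' is the fixed setting name.
resource mdeIntegration 'Microsoft.Security/settings@2022-05-01' = {
  name: 'WDATP'
  kind: 'DataExportSettings'
  properties: {
    enabled: true
  }
}

// Step 6: e-mail notifications. 'default' is the only allowed contact name.
resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  name: 'default'
  properties: {
    emails: securityContactEmails
    alertNotifications: {
      state: 'On'
      minimalSeverity: 'High'      // or 'Medium' / 'Low' for noisier mailboxes
    }
    notificationsByRole: {
      state: 'On'
      roles: [ 'Owner' ]           // subscription owners are notified as well
    }
  }
}
```

Rerunning the template is idempotent, and a plan is switched off by setting its pricingTier to 'Free' rather than deleting the resource. For management-group-wide coverage, deliver the same settings through DeployIfNotExists policies (the built-in "Configure Microsoft Defender for ... to be enabled" policies do exactly this) instead of deploying once per subscription.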


Configuring Security Policies

Security policies in Defender for Cloud define the compliance standards your resources are evaluated against, transforming broad security goals into actionable recommendations. By default, the Microsoft Cloud Security Benchmark (MCSB) is assigned to every subscription.

To customize policies:

  1. Go to Environment settings > Security policy.

  2. Review the default MCSB initiative and disable any recommendations that do not apply to your environment.

  3. Add regulatory compliance standards such as ISO 27001, SOC 2, PCI DSS, or the NIS2 Directive as additional initiatives. This maps your posture to frameworks that auditors and regulators require.

  4. Create custom Azure Policy definitions for organization-specific rules. Azure Storage already encrypts all data at rest with Microsoft-managed keys, so a meaningful storage rule goes a step further, for example requiring infrastructure (double) encryption or customer-managed keys on every storage account.

  5. Assign exemptions where a recommendation does not apply (e.g., a test subscription), set an expiry date, and record the justification in the exemption itself so it survives audits and staff changes.

Review assigned policies quarterly or whenever your regulatory landscape changes. Keeping policies aligned with business requirements prevents alert fatigue from irrelevant findings and ensures your compliance dashboard reflects real risk. Organizations subject to EU cybersecurity regulation should explore NIS2 compliance requirements when configuring their policy baseline.
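Steps 3 to 5 of the policy procedure as a Bicep template, added here as an example written for this edit rather than taken from the original guide or from Microsoft. It defines a custom storage rule (infrastructure encryption at rest), assigns it, assigns a regulatory standard by initiative ID, and, for a test subscription, records a time-boxed waiver instead of silently switching the rule off. Resource names, the expiry date and the description text are placeholder assumptions; the initiative ID is passed in as a parameter.

```bicep
// Added example, not from the original guide: custom storage policy, regulatory
// initiative assignment and a documented exemption for a test subscription.
// Deploy into each subscription with
//   az deployment sub create --location westeurope --template-file policy-baseline.bicep \
//     --parameters regulatoryInitiativeId=<built-in initiative resource ID> isTestSubscription=true
// Assumptions: names, dates and description text are placeholders.
targetScope = 'subscription'

@allowed([ 'Audit', 'Deny' ])
param storageEncryptionEffect string = 'Deny'

@description('Resource ID of a built-in regulatory initiative under /providers/Microsoft.Authorization/policySetDefinitions/, e.g. the ISO 27001 one.')
param regulatoryInitiativeId string

@description('True for a test subscription: it then gets a recorded, expiring waiver instead of a disabled rule.')
param isTestSubscription bool = false

param exemptionExpiresOn string = '2026-06-30T23:59:59Z'

// Azure Storage always encrypts at rest with Microsoft-managed keys; the stricter,
// organisation-specific rule enforced here is infrastructure (double) encryption.
resource requireInfraEncryption 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-storage-infrastructure-encryption'
  properties: {
    displayName: 'Storage accounts must enable infrastructure encryption'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [ 'Audit', 'Deny' ]
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          // notEquals also matches accounts where the property is absent (the default is false).
          { field: 'Microsoft.Storage/storageAccounts/encryption.requireInfrastructureEncryption', notEquals: 'true' }
        ]
      }
      // Bicep escapes the leading '[' so Azure Policy, not ARM, evaluates this expression.
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

resource storageEncryptionAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-infra-encryption'
  properties: {
    displayName: 'Require infrastructure encryption on storage accounts'
    policyDefinitionId: requireInfraEncryption.id
    parameters: { effect: { value: storageEncryptionEffect } }
    enforcementMode: 'Default'
  }
}

// Step 3: a regulatory standard is an initiative assignment; once assigned it appears
// on the Defender for Cloud regulatory compliance dashboard.
resource regulatoryStandard 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'regulatory-standard'
  properties: {
    displayName: 'Regulatory compliance standard'
    policyDefinitionId: regulatoryInitiativeId
  }
}

// Step 5: an exemption keeps the rule visible, records the justification and expires,
// unlike disabling the policy. Scoped to this (test) subscription.
resource testWaiver 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = if (isTestSubscription) {
  name: 'storage-infra-encryption-test-waiver'
  properties: {
    policyAssignmentId: storageEncryptionAssignment.id
    exemptionCategory: 'Waiver'
    displayName: 'Test subscription: infrastructure encryption not required'
    description: 'Holds non-sensitive test data only. Placeholder: reference the approval ticket here.'
    expiresOn: exemptionExpiresOn
  }
}
```

Exempted resources show as "Exempt" on the compliance dashboard rather than as missing, and the expiry forces a re-review, which is the behaviour the quarterly policy review relies on.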

Connecting Multi-Cloud and Hybrid Environments

Defender for Cloud supports native connectors for AWS and GCP, allowing you to manage security posture across all three major cloud providers from a single dashboard. This multi-cloud visibility is essential for organizations running workloads across providers.

For AWS, create a connector under Environment settings > Add environment > Amazon Web Services. Defender for Cloud generates a CloudFormation template that you deploy in the AWS account (or across an organization with StackSets); it creates an IAM role with read-only permissions that Defender for Cloud assumes for CSPM scanning, plus, if selected, the roles and Azure Arc onboarding needed for agent-based Defender for Servers, Containers and SQL protection.

For GCP, the equivalent connector provides a gcloud script that you run against the project or organization; it creates the service accounts and workload identity federation that Defender for Cloud uses to read configuration. If you are migrating workloads to Azure, connecting the source environment during transition ensures you have continuous visibility.

For on-premises and hybrid servers, install Azure Arc to onboard non-Azure machines. Arc-enabled servers receive the same recommendations and Defender for Servers protection as native Azure VMs, closing a common coverage gap in hybrid architectures.

Security Alerts and Continuous Monitoring

Security alerts in Defender for Cloud use behavioral analytics and threat intelligence to surface suspicious activity, ranked by severity so teams can prioritize response. When a Defender plan detects anomalous behavior — such as brute-force sign-in attempts, crypto mining, or data exfiltration patterns — it generates an alert with context, affected resources, and recommended remediation steps.

Key monitoring capabilities include:

  • Secure Score — A percentage that summarises how many security controls you have satisfied, weighted by each control's maximum score. It is a posture metric, not a guarantee: resolving the underlying recommendations is what reduces attack surface.

  • Regulatory compliance dashboard — Shows pass/fail status for each control across assigned standards, simplifying audit preparation.

  • Workload protections dashboard — Displays active alerts, coverage status per plan, and recent threat detections.

  • Workflow automation — Trigger Logic Apps or Azure Functions in response to alerts (e.g., auto-isolate a compromised VM, send a Slack notification, or create a ServiceNow ticket).

For centralized operations, send alerts to Microsoft Sentinel (Azure's cloud-native SIEM) through its Microsoft Defender for Cloud data connector, or to a third-party SIEM by configuring continuous export to an Event Hub. Either path lets your SOC correlate Defender for Cloud findings with identity, network and endpoint logs. Teams already evaluating managed SIEM providers should weigh how much the native Sentinel connector simplifies the pipeline.
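The continuous export and workflow automation described above, as a Bicep template added for this edit; it is not code from the original guide or from Microsoft. Both features are the same resource type, Microsoft.Security/automations, deployed into a resource group: one automation streams High and Medium alerts plus all recommendations to a Log Analytics workspace, one invokes a Logic App for High alerts only, and an optional third forwards alerts to an Event Hub for a third-party SIEM. The workspace, Logic App and Event Hub are assumed to exist already and their IDs are placeholders.

```bicep
// Added example, not from the original guide: continuous export and workflow
// automation as Microsoft.Security/automations resources (resource-group scope).
// Deploy with:
//   az deployment group create -g rg-security-ops --template-file defender-export.bicep --parameters ...
// Assumptions: the workspace, Logic App and Event Hub already exist; their IDs are placeholders.
param location string = resourceGroup().location

@description('Log Analytics workspace (Sentinel-enabled) receiving alerts and recommendations.')
param workspaceResourceId string

@description('Logic App with an HTTP request trigger, e.g. one that isolates a VM or files a ticket.')
param logicAppResourceId string

@secure()
@description('Callback URL of the Logic App HTTP trigger.')
param logicAppTriggerUri string

@description('Optional Event Hub for a third-party SIEM; leave empty to skip.')
param eventHubResourceId string = ''

@secure()
param eventHubConnectionString string = ''

// Automations apply to the subscriptions listed in scopes. Rules inside one ruleSet are
// ANDed and separate ruleSets are ORed, so the source below selects High OR Medium alerts.
var thisSubscription = [ { description: 'Current subscription', scopePath: '/subscriptions/${subscription().subscriptionId}' } ]
var highOrMediumAlerts = {
  eventSource: 'Alerts'
  ruleSets: [
    { rules: [ { propertyJPath: 'Severity', propertyType: 'String', expectedValue: 'High', operator: 'Equals' } ] }
    { rules: [ { propertyJPath: 'Severity', propertyType: 'String', expectedValue: 'Medium', operator: 'Equals' } ] }
  ]
}

// Continuous export to the SOC workspace: filtered alerts and all recommendations.
resource exportToWorkspace 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: 'ExportToSocWorkspace'
  location: location
  properties: {
    description: 'Stream Defender for Cloud alerts and recommendations to the SOC workspace'
    isEnabled: true
    scopes: thisSubscription
    sources: [
      highOrMediumAlerts
      { eventSource: 'Assessments' }     // recommendations, unfiltered
    ]
    actions: [ { actionType: 'Workspace', workspaceResourceId: workspaceResourceId } ]
  }
}

// Workflow automation: only High alerts invoke the Logic App.
resource highAlertResponse 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: 'HighSeverityAlertResponse'
  location: location
  properties: {
    isEnabled: true
    scopes: thisSubscription
    sources: [
      {
        eventSource: 'Alerts'
        ruleSets: [ { rules: [ { propertyJPath: 'Severity', propertyType: 'String', expectedValue: 'High', operator: 'Equals' } ] } ]
      }
    ]
    actions: [ { actionType: 'LogicApp', logicAppResourceId: logicAppResourceId, uri: logicAppTriggerUri } ]
  }
}

// Optional hop to a third-party SIEM through Event Hub.
resource exportToEventHub 'Microsoft.Security/automations@2019-01-01-preview' = if (!empty(eventHubResourceId)) {
  name: 'ExportToEventHub'
  location: location
  properties: {
    isEnabled: true
    scopes: thisSubscription
    sources: [ highOrMediumAlerts ]
    actions: [ { actionType: 'EventHub', eventHubResourceId: eventHubResourceId, connectionString: eventHubConnectionString } ]
  }
}
```

If Sentinel is already connected through its Defender for Cloud data connector, the workspace export duplicates the alerts; keep it for recommendations and secure score data, or drop that automation. The Logic App trigger URI is a bearer secret for the workflow, which is why it is a secure parameter and should live in Key Vault rather than in the parameter file.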

Best Practices for Production Deployments

Following cloud security best practices from initial deployment prevents costly remediation later and keeps your Secure Score on an upward trajectory. Apply these recommendations whether you manage a single subscription or an enterprise tenant:

  • Enable Defender CSPM early. The paid Defender CSPM plan adds attack path analysis, agentless scanning, and governance rules that the free foundational CSPM does not include.

  • Assign security admin roles using least privilege. Use Azure RBAC roles like Security Reader and Security Admin rather than broad Contributor or Owner assignments.

  • Act on high-impact recommendations first. Sort the recommendations list by potential Secure Score increase and tackle the items that move the needle most.

  • Integrate with your DevOps pipeline. Use the DevOps security features in Defender for Cloud (the former Defender for DevOps) to connect your GitHub or Azure DevOps organizations, and run the Microsoft Security DevOps action or pipeline task to scan infrastructure-as-code templates (Bicep, Terraform, CloudFormation) before they reach production.

  • Review alert suppression rules monthly. Overly broad suppressions can hide real threats. Revisit suppressions as your environment evolves.

  • Monitor cost by plan. The Defender for Cloud pricing page breaks down per-resource costs. Disable plans on subscriptions that host only non-sensitive test workloads.
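The least-privilege role assignment from the list above as a Bicep template, added for this edit and not taken from the original guide or from Microsoft. It grants Security Reader to a SOC analysts group and Security Admin to a security engineering group at subscription scope; the two Entra ID group object IDs are placeholder assumptions, while the role definition IDs are the built-in ones.

```bicep
// Added example, not from the original guide: least-privilege access for the
// security team at subscription scope. The group object IDs are placeholders.
targetScope = 'subscription'

@description('Entra ID group object ID for SOC analysts who only need to read findings.')
param socAnalystsGroupId string

@description('Entra ID group object ID for engineers who manage Defender plans, policies and suppressions.')
param securityEngineersGroupId string

// Built-in role definition IDs; identical in every Azure tenant.
var securityReaderRoleId = '39bc4728-0917-49c7-9d2c-d95423bc2eb4'
var securityAdminRoleId = 'fb1c8493-542b-48eb-b624-b4c8fea62acd'

// Role assignment names must be GUIDs, unique per (scope, principal, role); guid() makes them deterministic.
resource socReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, socAnalystsGroupId, securityReaderRoleId)
  properties: {
    principalId: socAnalystsGroupId
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', securityReaderRoleId)
    description: 'Security Reader: view recommendations, alerts, policies and secure score'
  }
}

resource securityEngineers 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, securityEngineersGroupId, securityAdminRoleId)
  properties: {
    principalId: securityEngineersGroupId
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', securityAdminRoleId)
    description: 'Security Admin: Security Reader plus editing security policy, enabling plans, dismissing alerts and creating suppressions'
  }
}
```

Neither role can modify the protected workloads themselves, which is the point: remediation of a recommendation on a VM or storage account is done by that resource's owners, not by the security team holding Contributor everywhere.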

For organizations managing complex environments, partnering with a Microsoft-certified managed services provider can accelerate configuration, ensure policy consistency, and provide 24/7 monitoring that internal teams may not be resourced to deliver.

Common Configuration Mistakes to Avoid

Most security gaps in Defender for Cloud stem from incomplete configuration rather than product limitations. Watch for these frequent mistakes:

  • Mistake: Leaving Defender plans disabled on production subscriptions
    Impact: No threat detection for those workloads
    Fix: Audit plan coverage across all subscriptions monthly

  • Mistake: Skipping machine onboarding (Defender for Endpoint integration, agentless scanning, or AMA for Defender for SQL on machines)
    Impact: VMs excluded from vulnerability assessment and endpoint detection
    Fix: Turn these on under Settings & monitoring for every subscription and verify coverage on the Workload protections dashboard

  • Mistake: Ignoring low-severity recommendations
    Impact: Cumulative attack surface expansion
    Fix: Schedule quarterly sprints to address medium and low findings

  • Mistake: Not connecting non-Azure environments
    Impact: Blind spots in multi-cloud posture
    Fix: Add AWS/GCP connectors and onboard hybrid servers via Azure Arc

  • Mistake: Using only default notification settings
    Impact: Critical alerts missed by responders
    Fix: Configure email, Logic App, and SIEM integrations for high-severity alerts

Frequently Asked Questions

Is Microsoft Defender for Cloud free?

The foundational CSPM capabilities are free for all Azure subscriptions. This includes Secure Score, basic security recommendations, and the Microsoft Cloud Security Benchmark assessment. Enhanced features — such as Defender for Servers, Defender for Containers, and advanced CSPM with attack path analysis — require paid plans billed per protected resource.

What is the difference between Azure Security Center and Defender for Cloud?

They are the same product. Microsoft renamed Azure Security Center to Microsoft Defender for Cloud in November 2021 and merged the Azure Defender workload-protection plans into the unified service at the same time. Documentation and the portal use the Defender for Cloud name; the underlying resource provider is still Microsoft.Security, so existing API automation and templates keep working.

Can Defender for Cloud protect AWS and GCP workloads?

Yes. Native connectors for both AWS and GCP extend CSPM scanning and select workload protection plans to multi-cloud environments. The multi-cloud dashboard aggregates findings alongside Azure resources for unified visibility.

How does the Secure Score work?

Secure Score is computed per security control rather than per recommendation. Each control has a maximum score, and you earn the fraction of it that matches the share of healthy resources under that control; the overall score is the sum of earned points across controls as a percentage of the total available. Because every resource in a control must be healthy to earn its full points, completing a high-value control outright raises the score faster than partially fixing several.

About the Author

Jacob Stålbro

Head of Innovation at Opsio

Digital Transformation, AI, IoT, Machine Learning, and Cloud Technologies. Nearly 15 years driving innovation

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.