Azure Security Management
Posture vs protection: the two halves
Two questions decide everything on this page. Ask them about any Azure, on-premises, or other-cloud resource you own: are my resources configured securely, before anything goes wrong? And is something attacking my running resources right now? Microsoft Defender for Cloud[1] answers both, and it is built as two halves that map one-to-one onto those two questions.
Defender for Cloud is a cloud-native application protection platform (CNAPP), a single service that combines several cloud security tools. Its two halves are the model for the whole page:
- Cloud security posture management (CSPM) answers the first question. It is preventive and works on configuration: it continuously checks how your resources are set up and reports where they drift from a secure baseline. The next section covers it.
- Cloud workload protection (CWPP, cloud workload protection platform) answers the second question. It is detective and works on runtime behavior: it watches workloads while they run and raises an alert when it spots a threat. The section after that covers it.
Hold the two apart and the rest of the page falls into place, because every capability is either posture (CSPM) or protection (CWPP). They also differ in cost: posture basics are free, while workload protection is a paid tier. The later sections make that split precise.
One framing correction up front, because the product name invites the wrong picture. Defender for Cloud protects cloud resources and workloads: Azure resources natively, on-premises and other-cloud machines connected through Azure Arc, and AWS accounts[2] and GCP projects[3] connected with agentless connectors. It is not Azure-only, and it is not the same product as Microsoft Defender XDR, which protects endpoints and email. That boundary matters enough to get its own section near the end.
CSPM: policies, standards, and the secure score
The clearest way to hold CSPM is as a short chain: a security standard produces recommendations, and remediating recommendations raises a secure score. Learn that chain and the CSPM blueprint bullets follow from it.
Start with the security policy[4]. A policy defines how your resources are evaluated, and each policy contains one or more security standards. A standard is a set of controls, each control being an expected secure configuration (for example, that storage accounts restrict network access). Defender for Cloud continuously assesses your resources against these controls. When a resource fails a control, Defender for Cloud generates a security recommendation: a short description of the gap plus the steps to fix it. For Azure resources these standards are enforced through Azure Policy under the hood, but at this level the term to know is security standard, not the policy engine beneath it.
One standard is applied by default. The Microsoft cloud security benchmark (MCSB)[5] is a built-in baseline of security best practices, assigned automatically as your initial standard and covering Azure, AWS, and GCP. On top of MCSB you can add regulatory compliance standards such as ISO 27001 or PCI DSS, which show up in the regulatory compliance view; adding those extra standards requires enabling a paid Defender plan, whereas MCSB assessment itself is free.
The secure score[6] rolls the whole assessment into one number. It is a percentage that summarizes your current posture: higher is better. As you remediate recommendations, the score rises, so the score and its recommendation list are the everyday loop for improving posture. Secure score, recommendations, and the MCSB assessment are all part of the free Foundational CSPM tier, which turns on automatically for connected subscriptions. This is the half of Defender for Cloud that serves the Zero Trust infrastructure pillar: making sure resources are configured to a known-good baseline before anything goes wrong. For the seven-pillar Zero Trust model itself, see Security and compliance concepts.
Cloud workload protection: Defender plans and alerts
You wrote or deployed something that now runs in the cloud: a virtual machine, a storage account, a database, a container cluster. Posture management can tell you it is configured well, but it cannot tell you when an attacker is actively probing it. That is the job of cloud workload protection, and it is the paid half of Defender for Cloud.
Workload protection is switched on per resource type as a Defender plan. Each plan protects one family of resources and adds runtime threat detection for it. The representative plans:
| Defender plan | Protects |
|---|---|
| Defender for Servers | Windows and Linux VMs (Azure, AWS, GCP, on-premises) |
| Defender for Storage | Storage accounts (malware, sensitive-data exfiltration) |
| Defender for Containers | Kubernetes clusters and container images |
| Defender for SQL / Databases | Azure SQL and other database engines |
| Defender for App Service | Web apps and their APIs |
| Defender for Key Vault | Attempts to access or exploit key vaults |
The single most testable fact about this half: free CSPM gives you recommendations, a paid Defender plan gives you alerts. Unlike posture management, an enabled Defender plan watches the running workload and raises a security alert[7] when it detects a threat, graded by severity so you can triage it. Enhanced features ride along with the plans, for example just-in-time VM access[8], which keeps management ports closed until a time-boxed request opens them. If a scenario says a live attack produced no alert, the usual cause is simply that the matching Defender plan was never turned on.
Alerts do not stay inside Defender for Cloud. They can be exported to a SIEM (security information and event management) or SOAR (security orchestration, automation, and response) system[9], which is how Microsoft Sentinel ingests them and correlates them with signals from everywhere else into incidents. That correlation is the Zero Trust seventh pillar, visibility, automation, and orchestration, at work: Defender for Cloud is one signal source feeding it, not the correlation engine itself.
Defender for Cloud is not Defender XDR
The shared Defender brand is the biggest trap on this topic, so meet it head on. Microsoft ships two different products with Defender in the name, and this exam checks that you can tell them apart.
Microsoft Defender for Cloud[1] protects cloud infrastructure and workloads: Azure subscriptions, virtual machines, storage, databases, containers, plus the same resource types running on-premises or in AWS and GCP. Its job is posture and workload protection for resources, and its documentation lives under the Azure service docs.
Microsoft Defender XDR[10] is a different product that protects the user-and-device side of the estate: endpoints (through Defender for Endpoint), email and collaboration (through Defender for Office 365), identities, and SaaS apps (through Defender for Cloud Apps). XDR stands for extended detection and response, and it correlates those signals into cross-domain incidents. The XDR component family lives in its own subtopic, Microsoft Defender XDR.
The two integrate, and Defender for Cloud even surfaces in the same Defender portal, but they do not overlap in what they defend. The reliable test for an exam stem: if it is about securing a subscription, a VM, storage, a database, or overall cloud posture, the answer is Defender for Cloud; if it is about a laptop, a mailbox, a user identity, or a SaaS app, the answer is Defender XDR. A related boundary sits next door: the Azure network controls such as Azure Firewall, network security groups, and DDoS Protection belong to Azure infrastructure security. Defender for Cloud assesses whether those controls are configured well, but it does not replace them.
Exam pattern recognition
SC-900 asks about this topic at describe level, so the questions test boundaries and definitions rather than configuration. The recurring patterns:
Recommendation or alert? The most common stem hands you a symptom and asks which capability is involved. A hardening suggestion, a posture gap, or anything measured by the secure score is a CSPM recommendation from the free tier. A real-time detection of an attack on a running resource is a security alert, and it only appears if the matching paid Defender plan is enabled. If the stem says a live attack produced no alert, the answer is that the Defender plan was off.
Which Defender? When the brand is the trap, sort by what is being protected. Cloud resources, subscriptions, VMs, storage, or posture point to Defender for Cloud. Endpoints, mailboxes, identities, or SaaS apps point to Defender XDR. Correlating alerts from many sources into incidents across the whole estate points to Microsoft Sentinel, the SIEM and SOAR, not to Defender for Cloud itself.
What the secure score is. Expect a distractor that treats the secure score as a compliance pass or a guarantee. It is neither: it is a percentage summarizing current posture against recommendations, and it rises as you remediate. Regulatory compliance against a named framework like ISO or PCI is a separate view that you add on top of the default MCSB.
Scope of Defender for Cloud. A distractor may claim it protects only Azure. It does not: through Azure Arc and agentless connectors it also covers on-premises machines and AWS and GCP resources, and multicloud CSPM coverage is in the free tier. Finally, remember the model that ties it together: CSPM (posture) serves the Zero Trust infrastructure pillar, and the alerts from workload protection feed the seventh pillar, visibility, automation, and orchestration, where Sentinel correlates them.
The two halves of Defender for Cloud: CSPM vs CWPP
| Dimension | CSPM (posture) | CWPP (workload protection) |
|---|---|---|
| Question it answers | Are my resources configured securely? | Is something attacking my resources now? |
| Security stance | Preventive | Detective |
| Works on | Resource configuration | Runtime workload behavior |
| Key output | Secure score and recommendations | Security alerts |
| Standard applied | Microsoft cloud security benchmark (MCSB), plus added standards | Not applicable (per-workload threat detection) |
| Cost tier | Free Foundational CSPM (advanced posture is the paid Defender CSPM plan) | Paid per-resource Defender plans |
| Zero Trust tie | Infrastructure pillar (secure configuration) | Feeds the seventh pillar: visibility, automation, orchestration |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Defender for Cloud is one CNAPP covering posture and workload protection
Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) with two halves: cloud security posture management (CSPM), which checks whether resources are configured securely, and cloud workload protection (CWPP), which detects threats against running workloads. CSPM is preventive and works on configuration, so it prevents problems; CWPP is detective and works on runtime behavior, so it catches attacks in progress. Sorting any feature into posture or protection is the fastest way to place it on this topic.
- Free CSPM gives recommendations; a paid Defender plan gives alerts
The single most testable Defender for Cloud fact is that posture management produces recommendations while workload protection produces security alerts. Free foundational CSPM continuously assesses configuration and surfaces hardening recommendations, but on its own it never raises a runtime threat alert. A security alert appears only when the paid Defender plan for that resource type is enabled and detects an active threat.
Trap Assuming a live attack will always raise an alert; if the matching Defender plan was never enabled, nothing is watching the workload at runtime and no alert fires.
3 questions test this
- A security analyst wants guidance that helps proactively harden resources and close misconfigurations before attackers can exploit them,…
- In Microsoft Defender for Cloud, which capability must be enabled to provide cloud workload protection (CWP) that detects threats and…
- What is one of the main purposes of Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud?
- Secure score is a percentage of posture that rises as you remediate
Secure score summarizes your current security posture as a single percentage, computed from how many of Defender for Cloud's recommendations your resources satisfy. Remediating recommendations raises the score, so the score together with its recommendation list is the everyday loop for improving posture. It is a relative measure of hardening, not a pass-or-fail result and not a compliance certification.
Trap Reading the secure score as proof of regulatory compliance; compliance against a named framework such as ISO or PCI is a separate regulatory compliance view, not the secure score.
12 questions test this
- In Microsoft Defender for Cloud, how is the overall secure score presented to summarize the security posture of a subscription?
- In Microsoft Defender for Cloud, what must you do to improve your secure score?
- What does a higher secure score in Microsoft Defender for Cloud indicate about your environment?
- How does a security team typically use the secure score that Microsoft Defender for Cloud provides?
- What should you do in Microsoft Defender for Cloud to improve your secure score?
- In Microsoft Defender for Cloud, what does a higher secure score indicate about your environment?
- What does the secure score in Microsoft Defender for Cloud represent?
- In Microsoft Defender for Cloud, what is the direct effect of remediating the security recommendations that are presented for your…
- In Microsoft Defender for Cloud, which capability provides a single numeric value that represents your current security situation, where a…
- In Microsoft Defender for Cloud, what is the most effective way for an administrator to increase the secure score of an Azure subscription?
- In Microsoft Defender for Cloud, what does the secure score represent?
- In Microsoft Defender for Cloud, what does the secure score primarily represent?
- The Microsoft cloud security benchmark is applied by default
When Defender for Cloud is enabled, the Microsoft cloud security benchmark (MCSB) is assigned automatically as the initial security standard, and its controls generate most recommendations across Azure, AWS, and GCP. You can add regulatory compliance standards such as ISO 27001 or PCI DSS on top of MCSB, but those added standards require enabling a paid Defender plan, whereas MCSB assessment is free.
Trap Confusing the free MCSB assessment with the paid regulatory compliance standards; MCSB is applied by default at no cost, while adding ISO or PCI requires a Defender plan.
5 questions test this
- Your organization must demonstrate that its Azure subscription meets PCI DSS requirements by using the regulatory compliance dashboard in…
- Which standard is assigned by default to your Azure subscriptions when you enable Microsoft Defender for Cloud and serves as the basis for…
- In Microsoft Defender for Cloud, what does the Microsoft cloud security benchmark (MCSB) provide as the default policy initiative?
- In Microsoft Defender for Cloud, how can you assess your environment against the NIST SP 800-53 standard when it is not applied by default?
- In Microsoft Defender for Cloud, what is the secure score primarily based on to measure the security posture of your subscriptions?
- A recommendation is raised when a resource fails a standard's control
Defender for Cloud continuously evaluates each resource against the controls in its assigned security standards. When a resource does not meet a control, the product generates a security recommendation that describes the gap and the steps to fix it. Standards define what secure looks like, and recommendations are the per-resource findings that flow from failing those controls.
13 questions test this
- In Microsoft Defender for Cloud, what is the primary purpose of the security recommendations generated by CSPM?
- What do security recommendations in Microsoft Defender for Cloud provide?
- Your organization wants a service that continuously assesses Azure resources and provides actionable guidance to fix misconfigurations and…
- In Microsoft Defender for Cloud, security recommendations are generated based on what underlying mechanism?
- Select the answer that correctly completes the sentence. In Microsoft Defender for Cloud, security recommendations are generated based on…
- In Microsoft Defender for Cloud, what do security recommendations provide to help improve your cloud security posture?
- When Microsoft Defender for Cloud assesses a resource and finds a security issue, what does the resulting security recommendation primarily…
- Security recommendations in Microsoft Defender for Cloud are generated from continuous assessments of your resources. What do these…
- How do the security recommendations generated by Microsoft Defender for Cloud help an organization reduce its attack surface?
- What is the primary purpose of a security recommendation in Microsoft Defender for Cloud?
- Resources protected by Microsoft Defender for Cloud are assessed against security standards, and security recommendations are produced from…
- What is the primary purpose of Cloud Security Posture Management (CSPM) as implemented by Microsoft Defender for Cloud?
- In Microsoft Defender for Cloud, what is the primary purpose of security recommendations?
- Foundational CSPM is free and on automatically for connected subscriptions
The foundational CSPM tier turns on automatically for every subscription connected to Defender for Cloud and costs nothing. It provides secure score, security recommendations, MCSB assessment, and multicloud posture visibility. What it does not include is runtime threat detection, so it issues no security alerts until a paid Defender plan is enabled.
3 questions test this
- You enable Microsoft Defender for Cloud on an Azure subscription but do not turn on any paid plans. Which capability is available to you…
- Which statement accurately describes the foundational Cloud Security Posture Management (CSPM) capabilities in Microsoft Defender for Cloud?
- A company uses Microsoft Defender for Cloud without enabling any paid plans. Which Cloud Security Posture Management (CSPM) capability is…
- Workload protection is enabled per resource type as a Defender plan
Cloud workload protection is delivered as individual Defender plans, each covering one resource family: Defender for Servers, for Storage, for Containers, for SQL and other databases, for App Service, for Key Vault, for Resource Manager, and for APIs. You enable the plans for the resource types you want to defend, and each adds runtime threat detection and security alerts for its family. Collectively these paid plans are the workload-protection tier of Defender for Cloud.
Trap Assuming one Defender plan protects the whole environment; each plan covers only its resource type, so any family whose plan is off has no workload protection.
7 questions test this
- Which Microsoft Defender for Cloud plan generates security alerts when unusual or suspicious attempts to access an Azure key vault are…
- Your organization hosts databases on Azure Database for PostgreSQL and Azure Database for MySQL. You need an enhanced workload protection…
- In Microsoft Defender for Cloud, which capability must be enabled to provide cloud workload protection (CWP) that detects threats and…
- You need an enhanced workload protection plan in Microsoft Defender for Cloud that monitors the Azure management layer and detects…
- Which capability of Microsoft Defender for Cloud provides enhanced threat detection and protection for specific workloads such as servers,…
- Which Microsoft Defender for Cloud plan should you use to protect Windows and Linux virtual machines across Azure, multicloud, and…
- Your organization runs several web applications on Azure App Service. You need an enhanced workload protection plan in Microsoft Defender…
- The paid Defender CSPM plan is not the same as free foundational CSPM
Two capabilities share the CSPM name. Free foundational CSPM gives secure score and recommendations. The paid Defender CSPM plan is a separate upgrade that adds advanced posture tools: agentless vulnerability scanning, attack path analysis, and the cloud security graph and explorer for querying risk across the environment. Both are posture rather than workload protection, so neither raises runtime threat alerts.
Trap Enabling the paid Defender CSPM plan expecting runtime threat alerts; Defender CSPM is enhanced posture, and alerts still come only from a workload-protection Defender plan.
5 questions test this
- Which capability in Microsoft Defender for Cloud helps you visualize the exploitable routes that an attacker could take to breach your…
- Which capability is available only with the paid Defender Cloud Security Posture Management (Defender CSPM) plan and not with the free…
- In Microsoft Defender for Cloud, which capability must be enabled to view risk-prioritized security recommendations based on the actual…
- Which Defender Cloud Security Posture Management (Defender CSPM) capability lets you proactively run graph-based queries to find security…
- Which Defender CSPM feature lets Microsoft Defender for Cloud assess virtual machines for vulnerabilities and misconfigurations without…
- Defender for Cloud secures multicloud and hybrid, not just Azure
Defender for Cloud protects Azure resources natively, on-premises and other-cloud machines connected through Azure Arc, and AWS accounts and GCP projects connected with agentless connectors. Multicloud posture coverage, including secure score and recommendations for AWS and GCP, is part of the free tier. The result is one portal and one secure score spanning all three clouds.
Trap Assuming Defender for Cloud only covers Azure; AWS, GCP, and on-premises resources connect too, and their CSPM coverage is free.
6 questions test this
- You want Microsoft Defender for Cloud to assess your Amazon Web Services (AWS) resources against the Microsoft cloud security benchmark.…
- In Microsoft Defender for Cloud, you manage workloads that run in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform…
- Your organization runs workloads in Amazon Web Services (AWS) and Google Cloud Platform (GCP) in addition to Azure, and you want to assess…
- To use Microsoft Defender for Cloud to continuously assess the security posture of resources hosted in Amazon Web Services (AWS) and Google…
- You want Microsoft Defender for Cloud to assess the security posture of your resources running in Amazon Web Services (AWS) and Google…
- You manage workloads that run in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). What should you use to extend Microsoft…
- Defender for Cloud is not Defender XDR
Microsoft ships two products under the Defender brand. Defender for Cloud protects cloud infrastructure and workloads: subscriptions, virtual machines, storage, databases, and containers, across Azure, hybrid, and multicloud. Defender XDR protects the user side: endpoints, email, identities, and SaaS apps. They integrate but defend different things, so route a question by what is being protected.
Trap Choosing Microsoft Defender XDR to secure an Azure subscription or virtual machine; cloud resource and workload security is Defender for Cloud's job, not XDR's.
- Just-in-time VM access keeps management ports closed until requested
Just-in-time (JIT) VM access, an enhanced feature of Defender for Servers, keeps management ports such as RDP and SSH closed by default and opens them only for an approved, time-boxed request from a specific source. Nothing decides the moment of access on its own; the defining protection is simply that the opening is strictly time-limited, which shrinks the window an attacker has to find an exposed port. It cuts attack surface without leaving management ports permanently open.
- Defender for Cloud feeds alerts to Sentinel; it does not run the SOC
Defender for Cloud raises security alerts on the workloads it protects and can export them to a SIEM or SOAR system. Microsoft Sentinel ingests those alerts and correlates them with signals from across the estate into incidents. In Zero Trust terms, posture management serves the infrastructure pillar, while these alerts feed the seventh pillar, visibility, automation, and orchestration, where Sentinel is the correlation engine.
Trap Expecting Defender for Cloud to correlate alerts from across the whole estate into incidents; that estate-wide correlation is Microsoft Sentinel's job, and Defender for Cloud is only one signal source feeding it.
- Defender for Cloud groups recommendations into security controls and ranks them by risk
In Microsoft Defender for Cloud, related recommendations are grouped into security controls, and each control contributes points to the secure score once its recommendations are remediated. Recommendations are prioritized by risk level and carry a severity rating so you can address the most exploitable issues first.
Trap Treating each recommendation as an isolated item rather than part of a scored security control.
7 questions test this
- In Microsoft Defender for Cloud, how is the overall secure score presented to summarize the security posture of a subscription?
- Select the answer that correctly completes the sentence. In Microsoft Defender for Cloud, related security recommendations are grouped into…
- In Microsoft Defender for Cloud, how are related security recommendations organized within the secure score?
- A security analyst wants Defender for Cloud to present recommendations so that the most urgent issues, those most likely to be exploited,…
- In Microsoft Defender for Cloud, what is used to indicate the relative importance of a security recommendation so that you can decide which…
- In Microsoft Defender for Cloud, what is the most effective way for an administrator to increase the secure score of an Azure subscription?
- In Microsoft Defender for Cloud, a security control is best described as which of the following?
- Defender for Cloud acts on recommendations with Fix, governance rules, and workflow automation
The Fix option remediates a recommendation quickly, often across many affected resources at once, and remediating a misconfiguration reduces the resource's attack surface. Governance rules assign an owner and a remediation due date to drive accountability, while workflow automation triggers a Logic App response, such as a notification, when an alert or recommendation fires.
Trap Reaching for Microsoft Sentinel playbooks when the response should stay inside Defender for Cloud's own workflow automation.
5 questions test this
- A virtual machine has a management port left open to the internet. Microsoft Defender for Cloud surfaces a recommendation to restrict that…
- How do the security recommendations generated by Microsoft Defender for Cloud help an organization reduce its attack surface?
- In Microsoft Defender for Cloud, what should you use to automatically trigger a response, such as sending a notification or running a Logic…
- In Microsoft Defender for Cloud, which feature lets you assign owners and remediation timeframes to security recommendations to drive…
- In Microsoft Defender for Cloud, what does the Fix option on a security recommendation allow you to do?
- Defender for Servers and Defender for Containers protect their own workload types
Defender for Servers adds integrated vulnerability assessment and native Microsoft Defender for Endpoint integration to protect Windows and Linux machines across Azure, on-premises, and other clouds. Defender for Containers secures Kubernetes clusters, container registries, and images, scanning registry images for known vulnerabilities when they are pushed and on a recurring basis.
5 questions test this
- What types of assets does Microsoft Defender for Containers help secure?
- Which capabilities does the Microsoft Defender for Servers plan provide to protect machines in Azure, on-premises, and other clouds?
- What does Microsoft Defender for Containers provide for container images stored in Azure Container Registry?
- What does Microsoft Defender for Containers scan for when a new container image is pushed to Azure Container Registry?
- Which Microsoft Defender for Cloud plan should you use to protect Windows and Linux virtual machines across Azure, multicloud, and…
Also tested in
References
- Microsoft Defender for Cloud Overview
- Connect your AWS Account
- Connect your GCP Project
- Security policies in Microsoft Defender for Cloud
- Regulatory compliance in Defender for Cloud
- Cloud Secure Score in Microsoft Defender for Cloud
- Security Alerts and Incidents
- Understand just-in-time virtual machine access
- Stream alerts to monitoring solutions
- What is Microsoft Defender XDR?