Domain 3 of 4 · Chapter 2 of 4

Azure Security Management

Posture vs protection: the two halves

Two questions decide everything on this page. Ask them about any Azure, on-premises, or other-cloud resource you own: are my resources configured securely, before anything goes wrong? And is something attacking my running resources right now? Microsoft Defender for Cloud[1] answers both, and it is built as two halves that map one-to-one onto those two questions.

Defender for Cloud is a cloud-native application protection platform (CNAPP), a single service that combines several cloud security tools. Its two halves are the model for the whole page:

  • Cloud security posture management (CSPM) answers the first question. It is preventive and works on configuration: it continuously checks how your resources are set up and reports where they drift from a secure baseline. The next section covers it.
  • Cloud workload protection (CWPP, cloud workload protection platform) answers the second question. It is detective and works on runtime behavior: it watches workloads while they run and raises an alert when it spots a threat. The section after that covers it.

Hold the two apart and the rest of the page falls into place, because every capability is either posture (CSPM) or protection (CWPP). They also differ in cost: posture basics are free, while workload protection is a paid tier. The later sections make that split precise.

One framing correction up front, because the product name invites the wrong picture. Defender for Cloud protects cloud resources and workloads: Azure resources natively, on-premises and other-cloud machines connected through Azure Arc, and AWS accounts[2] and GCP projects[3] connected with agentless connectors. It is not Azure-only, and it is not the same product as Microsoft Defender XDR, which protects endpoints and email. That boundary matters enough to get its own section near the end.

Microsoft Defender for Cloud (CNAPP)Cloud security posturemanagement (CSPM)Configured securely before an attack?Preventive, works on configurationOutput: secure score, recommendationsCost: free foundational tierCloud workloadprotection (CWPP)Under attack right now?Detective, works on runtimeOutput: security alertsCost: paid Defender plans
Defender for Cloud's two halves: CSPM (preventive, configuration, free basics) and CWPP (detective, runtime, paid plans).

CSPM: policies, standards, and the secure score

The clearest way to hold CSPM is as a short chain: a security standard produces recommendations, and remediating recommendations raises a secure score. Learn that chain and the CSPM blueprint bullets follow from it.

Start with the security policy[4]. A policy defines how your resources are evaluated, and each policy contains one or more security standards. A standard is a set of controls, each control being an expected secure configuration (for example, that storage accounts restrict network access). Defender for Cloud continuously assesses your resources against these controls. When a resource fails a control, Defender for Cloud generates a security recommendation: a short description of the gap plus the steps to fix it. For Azure resources these standards are enforced through Azure Policy under the hood, but at this level the term to know is security standard, not the policy engine beneath it.

One standard is applied by default. The Microsoft cloud security benchmark (MCSB)[5] is a built-in baseline of security best practices, assigned automatically as your initial standard and covering Azure, AWS, and GCP. On top of MCSB you can add regulatory compliance standards such as ISO 27001 or PCI DSS, which show up in the regulatory compliance view; adding those extra standards requires enabling a paid Defender plan, whereas MCSB assessment itself is free.

The secure score[6] rolls the whole assessment into one number. It is a percentage that summarizes your current posture: higher is better. As you remediate recommendations, the score rises, so the score and its recommendation list are the everyday loop for improving posture. Secure score, recommendations, and the MCSB assessment are all part of the free Foundational CSPM tier, which turns on automatically for connected subscriptions. This is the half of Defender for Cloud that serves the Zero Trust infrastructure pillar: making sure resources are configured to a known-good baseline before anything goes wrong. For the seven-pillar Zero Trust model itself, see Security and compliance concepts.

Security standardMCSB by defaultContinuousassessmentRecommendationon a failed controlYou remediateSecure score riseshigher is betterre-assess
The CSPM loop: a standard drives assessment, a failed control raises a recommendation, remediation lifts the secure score, then assessment repeats.

Cloud workload protection: Defender plans and alerts

You wrote or deployed something that now runs in the cloud: a virtual machine, a storage account, a database, a container cluster. Posture management can tell you it is configured well, but it cannot tell you when an attacker is actively probing it. That is the job of cloud workload protection, and it is the paid half of Defender for Cloud.

Workload protection is switched on per resource type as a Defender plan. Each plan protects one family of resources and adds runtime threat detection for it. The representative plans:

Defender plan Protects
Defender for Servers Windows and Linux VMs (Azure, AWS, GCP, on-premises)
Defender for Storage Storage accounts (malware, sensitive-data exfiltration)
Defender for Containers Kubernetes clusters and container images
Defender for SQL / Databases Azure SQL and other database engines
Defender for App Service Web apps and their APIs
Defender for Key Vault Attempts to access or exploit key vaults

The single most testable fact about this half: free CSPM gives you recommendations, a paid Defender plan gives you alerts. Unlike posture management, an enabled Defender plan watches the running workload and raises a security alert[7] when it detects a threat, graded by severity so you can triage it. Enhanced features ride along with the plans, for example just-in-time VM access[8], which keeps management ports closed until a time-boxed request opens them. If a scenario says a live attack produced no alert, the usual cause is simply that the matching Defender plan was never turned on.

Alerts do not stay inside Defender for Cloud. They can be exported to a SIEM (security information and event management) or SOAR (security orchestration, automation, and response) system[9], which is how Microsoft Sentinel ingests them and correlates them with signals from everywhere else into incidents. That correlation is the Zero Trust seventh pillar, visibility, automation, and orchestration, at work: Defender for Cloud is one signal source feeding it, not the correlation engine itself.

Defender for Cloud is not Defender XDR

The shared Defender brand is the biggest trap on this topic, so meet it head on. Microsoft ships two different products with Defender in the name, and this exam checks that you can tell them apart.

Microsoft Defender for Cloud[1] protects cloud infrastructure and workloads: Azure subscriptions, virtual machines, storage, databases, containers, plus the same resource types running on-premises or in AWS and GCP. Its job is posture and workload protection for resources, and its documentation lives under the Azure service docs.

Microsoft Defender XDR[10] is a different product that protects the user-and-device side of the estate: endpoints (through Defender for Endpoint), email and collaboration (through Defender for Office 365), identities, and SaaS apps (through Defender for Cloud Apps). XDR stands for extended detection and response, and it correlates those signals into cross-domain incidents. The XDR component family lives in its own subtopic, Microsoft Defender XDR.

The two integrate, and Defender for Cloud even surfaces in the same Defender portal, but they do not overlap in what they defend. The reliable test for an exam stem: if it is about securing a subscription, a VM, storage, a database, or overall cloud posture, the answer is Defender for Cloud; if it is about a laptop, a mailbox, a user identity, or a SaaS app, the answer is Defender XDR. A related boundary sits next door: the Azure network controls such as Azure Firewall, network security groups, and DDoS Protection belong to Azure infrastructure security. Defender for Cloud assesses whether those controls are configured well, but it does not replace them.

Microsoft Defender for CloudProtects cloud resources and workloadsAzure resources and subscriptionsVMs, storage, databases, containersHybrid and multicloud (AWS, GCP)Posture (CSPM) and workload protectionMicrosoft Defender XDRProtects endpoints, users, and appsEndpoints (Defender for Endpoint)Email (Defender for Office 365)Identities and SaaS appsExtended detection and responseShared Defender brand, separate products
Scope map: Defender for Cloud defends cloud resources and workloads; Defender XDR defends endpoints, email, identities, and SaaS apps.

Exam pattern recognition

SC-900 asks about this topic at describe level, so the questions test boundaries and definitions rather than configuration. The recurring patterns:

Recommendation or alert? The most common stem hands you a symptom and asks which capability is involved. A hardening suggestion, a posture gap, or anything measured by the secure score is a CSPM recommendation from the free tier. A real-time detection of an attack on a running resource is a security alert, and it only appears if the matching paid Defender plan is enabled. If the stem says a live attack produced no alert, the answer is that the Defender plan was off.

Which Defender? When the brand is the trap, sort by what is being protected. Cloud resources, subscriptions, VMs, storage, or posture point to Defender for Cloud. Endpoints, mailboxes, identities, or SaaS apps point to Defender XDR. Correlating alerts from many sources into incidents across the whole estate points to Microsoft Sentinel, the SIEM and SOAR, not to Defender for Cloud itself.

What the secure score is. Expect a distractor that treats the secure score as a compliance pass or a guarantee. It is neither: it is a percentage summarizing current posture against recommendations, and it rises as you remediate. Regulatory compliance against a named framework like ISO or PCI is a separate view that you add on top of the default MCSB.

Scope of Defender for Cloud. A distractor may claim it protects only Azure. It does not: through Azure Arc and agentless connectors it also covers on-premises machines and AWS and GCP resources, and multicloud CSPM coverage is in the free tier. Finally, remember the model that ties it together: CSPM (posture) serves the Zero Trust infrastructure pillar, and the alerts from workload protection feed the seventh pillar, visibility, automation, and orchestration, where Sentinel correlates them.

The two halves of Defender for Cloud: CSPM vs CWPP

DimensionCSPM (posture)CWPP (workload protection)
Question it answersAre my resources configured securely?Is something attacking my resources now?
Security stancePreventiveDetective
Works onResource configurationRuntime workload behavior
Key outputSecure score and recommendationsSecurity alerts
Standard appliedMicrosoft cloud security benchmark (MCSB), plus added standardsNot applicable (per-workload threat detection)
Cost tierFree Foundational CSPM (advanced posture is the paid Defender CSPM plan)Paid per-resource Defender plans
Zero Trust tieInfrastructure pillar (secure configuration)Feeds the seventh pillar: visibility, automation, orchestration

Decision tree

What is being protected?cloud resource, or endpoint/email/ID?Alerts from everywhere?to Microsoft Sentinel(SIEM / SOAR)Microsoft Defender XDRendpoints, email, identitiesPosture, or active threat?Enable Defender planto security ALERT (paid)Baseline, or named framework?CSPM: secure score,recommendations (MCSB, free)Add regulatory standard(needs a paid plan)endpoint / email / IDcloud resourceactive threatposturebaselineISO / PCI

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Defender for Cloud is one CNAPP covering posture and workload protection

Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) with two halves: cloud security posture management (CSPM), which checks whether resources are configured securely, and cloud workload protection (CWPP), which detects threats against running workloads. CSPM is preventive and works on configuration, so it prevents problems; CWPP is detective and works on runtime behavior, so it catches attacks in progress. Sorting any feature into posture or protection is the fastest way to place it on this topic.

1 question tests this
Free CSPM gives recommendations; a paid Defender plan gives alerts

The single most testable Defender for Cloud fact is that posture management produces recommendations while workload protection produces security alerts. Free foundational CSPM continuously assesses configuration and surfaces hardening recommendations, but on its own it never raises a runtime threat alert. A security alert appears only when the paid Defender plan for that resource type is enabled and detects an active threat.

Trap Assuming a live attack will always raise an alert; if the matching Defender plan was never enabled, nothing is watching the workload at runtime and no alert fires.

3 questions test this
Secure score is a percentage of posture that rises as you remediate

Secure score summarizes your current security posture as a single percentage, computed from how many of Defender for Cloud's recommendations your resources satisfy. Remediating recommendations raises the score, so the score together with its recommendation list is the everyday loop for improving posture. It is a relative measure of hardening, not a pass-or-fail result and not a compliance certification.

Trap Reading the secure score as proof of regulatory compliance; compliance against a named framework such as ISO or PCI is a separate regulatory compliance view, not the secure score.

12 questions test this
The Microsoft cloud security benchmark is applied by default

When Defender for Cloud is enabled, the Microsoft cloud security benchmark (MCSB) is assigned automatically as the initial security standard, and its controls generate most recommendations across Azure, AWS, and GCP. You can add regulatory compliance standards such as ISO 27001 or PCI DSS on top of MCSB, but those added standards require enabling a paid Defender plan, whereas MCSB assessment is free.

Trap Confusing the free MCSB assessment with the paid regulatory compliance standards; MCSB is applied by default at no cost, while adding ISO or PCI requires a Defender plan.

5 questions test this
A recommendation is raised when a resource fails a standard's control

Defender for Cloud continuously evaluates each resource against the controls in its assigned security standards. When a resource does not meet a control, the product generates a security recommendation that describes the gap and the steps to fix it. Standards define what secure looks like, and recommendations are the per-resource findings that flow from failing those controls.

13 questions test this
Foundational CSPM is free and on automatically for connected subscriptions

The foundational CSPM tier turns on automatically for every subscription connected to Defender for Cloud and costs nothing. It provides secure score, security recommendations, MCSB assessment, and multicloud posture visibility. What it does not include is runtime threat detection, so it issues no security alerts until a paid Defender plan is enabled.

3 questions test this
Workload protection is enabled per resource type as a Defender plan

Cloud workload protection is delivered as individual Defender plans, each covering one resource family: Defender for Servers, for Storage, for Containers, for SQL and other databases, for App Service, for Key Vault, for Resource Manager, and for APIs. You enable the plans for the resource types you want to defend, and each adds runtime threat detection and security alerts for its family. Collectively these paid plans are the workload-protection tier of Defender for Cloud.

Trap Assuming one Defender plan protects the whole environment; each plan covers only its resource type, so any family whose plan is off has no workload protection.

7 questions test this
The paid Defender CSPM plan is not the same as free foundational CSPM

Two capabilities share the CSPM name. Free foundational CSPM gives secure score and recommendations. The paid Defender CSPM plan is a separate upgrade that adds advanced posture tools: agentless vulnerability scanning, attack path analysis, and the cloud security graph and explorer for querying risk across the environment. Both are posture rather than workload protection, so neither raises runtime threat alerts.

Trap Enabling the paid Defender CSPM plan expecting runtime threat alerts; Defender CSPM is enhanced posture, and alerts still come only from a workload-protection Defender plan.

5 questions test this
Defender for Cloud secures multicloud and hybrid, not just Azure

Defender for Cloud protects Azure resources natively, on-premises and other-cloud machines connected through Azure Arc, and AWS accounts and GCP projects connected with agentless connectors. Multicloud posture coverage, including secure score and recommendations for AWS and GCP, is part of the free tier. The result is one portal and one secure score spanning all three clouds.

Trap Assuming Defender for Cloud only covers Azure; AWS, GCP, and on-premises resources connect too, and their CSPM coverage is free.

6 questions test this
Defender for Cloud is not Defender XDR

Microsoft ships two products under the Defender brand. Defender for Cloud protects cloud infrastructure and workloads: subscriptions, virtual machines, storage, databases, and containers, across Azure, hybrid, and multicloud. Defender XDR protects the user side: endpoints, email, identities, and SaaS apps. They integrate but defend different things, so route a question by what is being protected.

Trap Choosing Microsoft Defender XDR to secure an Azure subscription or virtual machine; cloud resource and workload security is Defender for Cloud's job, not XDR's.

Just-in-time VM access keeps management ports closed until requested

Just-in-time (JIT) VM access, an enhanced feature of Defender for Servers, keeps management ports such as RDP and SSH closed by default and opens them only for an approved, time-boxed request from a specific source. Nothing decides the moment of access on its own; the defining protection is simply that the opening is strictly time-limited, which shrinks the window an attacker has to find an exposed port. It cuts attack surface without leaving management ports permanently open.

1 question tests this
Defender for Cloud feeds alerts to Sentinel; it does not run the SOC

Defender for Cloud raises security alerts on the workloads it protects and can export them to a SIEM or SOAR system. Microsoft Sentinel ingests those alerts and correlates them with signals from across the estate into incidents. In Zero Trust terms, posture management serves the infrastructure pillar, while these alerts feed the seventh pillar, visibility, automation, and orchestration, where Sentinel is the correlation engine.

Trap Expecting Defender for Cloud to correlate alerts from across the whole estate into incidents; that estate-wide correlation is Microsoft Sentinel's job, and Defender for Cloud is only one signal source feeding it.

Defender for Cloud groups recommendations into security controls and ranks them by risk

In Microsoft Defender for Cloud, related recommendations are grouped into security controls, and each control contributes points to the secure score once its recommendations are remediated. Recommendations are prioritized by risk level and carry a severity rating so you can address the most exploitable issues first.

Trap Treating each recommendation as an isolated item rather than part of a scored security control.

7 questions test this
Defender for Cloud acts on recommendations with Fix, governance rules, and workflow automation

The Fix option remediates a recommendation quickly, often across many affected resources at once, and remediating a misconfiguration reduces the resource's attack surface. Governance rules assign an owner and a remediation due date to drive accountability, while workflow automation triggers a Logic App response, such as a notification, when an alert or recommendation fires.

Trap Reaching for Microsoft Sentinel playbooks when the response should stay inside Defender for Cloud's own workflow automation.

5 questions test this
Defender for Servers and Defender for Containers protect their own workload types

Defender for Servers adds integrated vulnerability assessment and native Microsoft Defender for Endpoint integration to protect Windows and Linux machines across Azure, on-premises, and other clouds. Defender for Containers secures Kubernetes clusters, container registries, and images, scanning registry images for known vulnerabilities when they are pushed and on a recurring basis.

5 questions test this

Also tested in

References

  1. Microsoft Defender for Cloud Overview
  2. Connect your AWS Account
  3. Connect your GCP Project
  4. Security policies in Microsoft Defender for Cloud
  5. Regulatory compliance in Defender for Cloud
  6. Cloud Secure Score in Microsoft Defender for Cloud
  7. Security Alerts and Incidents
  8. Understand just-in-time virtual machine access
  9. Stream alerts to monitoring solutions
  10. What is Microsoft Defender XDR?