CoursesAzure securityDefender for Cloud & Sentinel

Defender for Cloud: CSPM + CWPP

Secure Score, workload protection, org-wide.

Advanced30 min · lesson 10 of 15

Turn on enough Azure security signals and you drown in findings. Microsoft Defender for Cloud is the org-wide surface that unifies posture management and workload threat detection, so your effort goes into acting on prioritized recommendations and alerts rather than assembling the analytics yourself.

Posture (CSPM) and workload protection (CWPP)

Defender for Cloud has two halves. The free CSPM layer continuously assesses configuration against best practice, expressed as a Secure Score with prioritized recommendations — public storage, missing encryption, over-broad access, exposed management ports. The paid workload protection plans (CWPP) add active threat detection for servers, containers/AKS, storage, SQL, Key Vault, App Service, and more, raising alerts on suspicious behavior like a reverse shell in a container or anomalous Key Vault access. Turn plans on at the management-group level so coverage spans every subscription.

enable Defender plans org-wide
# Enable workload protection plans across the subscription (do this at the MG
# level via Policy for org-wide coverage — no per-subscription blind spots).
az security pricing create -n VirtualMachines --tier Standard
az security pricing create -n StorageAccounts --tier Standard
az security pricing create -n KeyVaults --tier Standard
az security pricing create -n Containers --tier Standard
# Secure Score + recommendations then track posture; alerts flow to Sentinel.

Secure Score as a tracked metric

Secure Score turns posture into a number you can trend and assign — each recommendation carries an impact and a remediation, and many can auto-remediate. Treat the score as a floor to maintain, not a finish line: passing checks means the automated controls are satisfied, not that your architecture is sound or your threat-specific risks are covered. Enable Defender at the management-group level with auto-provisioning so a new subscription is protected the moment it exists, and route its alerts into Sentinel for correlation and response.

Defender for Cloud coverage
1CSPM (Secure Score)
misconfig recommendations
2CWPP plans
threat detection per workload type
3org-wide via management group
no per-subscription gaps
4alerts → Sentinel
correlate + respond
Posture and workload threats in one surface, enabled org-wide. Detection pays off when its alerts feed a response pipeline.
Per-subscription enablement leaves blind spots
Enabling Defender in some subscriptions but not others leaves exactly the gap a quiet attacker wants. Enable it at the management-group level with Azure Policy and auto-provisioning so coverage is a property of the org and never lags behind a newly-created subscription.