Microsoft Defender for Cloud provides continuous vulnerability assessment across your Azure workloads, identifying security weaknesses before attackers can exploit them. This guide covers enabling vulnerability scanning, understanding recommendations, implementing remediation, and improving your Secure Score.
This article is part of our comprehensive guide on Cloud Security Tips for 2026, which covers essential security practices across all major cloud platforms.
Overview
Defender for Cloud vulnerability assessment includes:
- Server vulnerability scanning: OS and application vulnerabilities on VMs
- Container image scanning: Vulnerabilities in container registries
- SQL vulnerability assessment: Database configuration weaknesses
- Code scanning: Infrastructure-as-code misconfigurations
- Agentless scanning: Assessment without deploying agents
Prerequisites
Before configuring vulnerability assessment, ensure you have:
- Azure subscription with Security Admin or Owner role
- Defender for Cloud enabled (specific plans vary by workload)
- Azure CLI installed (version 2.50 or later)
- Understanding of Defender plans and their features
- Budget approval for enhanced Defender plans (paid features)
Step 1: Enable Defender Plans
Enable via Azure Portal
- Sign in to the Azure Portal
- Navigate to Microsoft Defender for Cloud
- Go to Environment settings
- Select your subscription
- Enable the following plans for vulnerability assessment:
| Plan | Vulnerability Features |
|---|---|
| Defender for Servers P2 | MDVM, agentless scanning |
| Defender for Containers | Container image scanning |
| Defender for SQL | Database vulnerability assessment |
| Defender CSPM | Agentless VM scanning, attack paths |
- Click Save to enable selected plans
Enable via Azure CLI
```bash
# Get subscription ID (used by later calls)
SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# Enable Defender for Servers Plan 2 (includes vulnerability assessment)
az security pricing create \
  --name VirtualMachines \
  --tier Standard \
  --subplan P2

# Enable Defender for Containers
az security pricing create \
  --name Containers \
  --tier Standard

# Enable Defender for SQL
az security pricing create \
  --name SqlServers \
  --tier Standard

# Enable Defender CSPM (agentless scanning)
az security pricing create \
  --name CloudPosture \
  --tier Standard

# Verify enabled plans
az security pricing list \
  --query "[?pricingTier=='Standard'].{Name:name, SubPlan:subPlan}" \
  -o table
```
Configure Agentless Scanning
```bash
# Agentless scanning comes with Defender CSPM or Servers P2 (enabled above).
# This call selects MDVM as the vulnerability assessment provider for servers.
# The setting is addressed by its kind, AzureServersSetting, which is also
# required in the request body.
az rest \
  --method PUT \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2022-01-01-preview" \
  --body '{
    "kind": "AzureServersSetting",
    "properties": {
      "selectedProvider": "MdeTvm"
    }
  }'
```
Step 2: Configure Server Vulnerability Assessment
Enable MDVM on VMs
Microsoft Defender Vulnerability Management (MDVM) is automatically enabled when you activate Defender for Servers P2. For agent-based assessment:
```bash
# Check if the Defender for Endpoint extension is installed
az vm extension list \
  --resource-group "rg-production" \
  --vm-name "vm-web-01" \
  --query "[?publisher=='Microsoft.Azure.AzureDefenderForServers'].name" \
  -o tsv

# Install the Defender for Endpoint extension (if not auto-provisioned)
az vm extension set \
  --resource-group "rg-production" \
  --vm-name "vm-web-01" \
  --name "MDE.Windows" \
  --publisher "Microsoft.Azure.AzureDefenderForServers" \
  --settings '{"autoUpdate": true}'

# For Linux VMs
az vm extension set \
  --resource-group "rg-production" \
  --vm-name "vm-linux-01" \
  --name "MDE.Linux" \
  --publisher "Microsoft.Azure.AzureDefenderForServers" \
  --settings '{"autoUpdate": true}'
```
View Server Vulnerabilities via Portal
- In Defender for Cloud, go to Recommendations
- Filter by Resource type: Virtual machines
- Click Machines should have vulnerability findings resolved
- Select a VM to see:
  - CVE details and CVSS scores
  - Affected software versions
  - Remediation guidance
  - Exploit availability
Query Vulnerabilities via Azure CLI
```bash
# List VMs with vulnerability findings
# (the assessment key below is the "Machines should have vulnerability findings resolved" recommendation)
az security sub-assessment list \
  --assessment-name "1195afff-c881-495e-9bc5-1486211ae03f" \
  --query "[].{VM:resourceDetails.id, Severity:status.severity, Finding:displayName}" \
  -o table

# Get vulnerability details for a specific VM
az security sub-assessment list \
  --assessment-name "1195afff-c881-495e-9bc5-1486211ae03f" \
  --query "[?contains(resourceDetails.id, 'vm-web-01')].{CVE:id, Severity:status.severity, Description:displayName}" \
  -o table
```
Step 3: Configure Container Image Scanning
Enable Registry Scanning
Container image scanning is automatic when Defender for Containers is enabled:
```bash
# Verify Defender for Containers is on the Standard tier and how much free trial remains
az security pricing show \
  --name Containers \
  --query '{Tier:pricingTier, FreeTrialRemaining:freeTrialRemainingTime}' \
  -o table

# Check the registry's quarantine policy (preview), which holds newly pushed
# images until they are verified; this is a policy flag, not a scan status
az acr show \
  --name "mycontainerregistry" \
  --query "policies.quarantinePolicy.status" \
  -o tsv
```
Trigger Manual Image Scan
```bash
# Build and push an image; the push triggers scanning
az acr build \
  --registry "mycontainerregistry" \
  --image "myapp:v1.0" \
  --file Dockerfile .

# View scan results via the Portal or Azure Resource Graph
# (the dynamic properties are cast with tostring() so summarize can group on them)
az graph query -q "
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where properties.assessedResourceType == 'ContainerRegistryVulnerability'
| extend registryName = tostring(split(properties.resourceDetails.id, '/')[8])
| extend imageName = tostring(properties.additionalData.repositoryName)
| extend severity = tostring(properties.status.severity)
| project registryName, imageName, severity, properties.displayName
| summarize VulnCount=count() by registryName, imageName, severity
"
```
View Container Vulnerabilities
- In Defender for Cloud, go to Recommendations
- Filter by Resource type: Container registries
- Click Container registry images should have vulnerability findings resolved
- Review:
  - Vulnerable images and tags
  - CVE details per layer
  - Base image vulnerabilities
  - Remediation guidance
Step 4: Configure SQL Vulnerability Assessment
Enable SQL Assessment via Portal
- Navigate to your SQL database in Azure Portal
- Go to Microsoft Defender for Cloud
- Click Configure under Vulnerability Assessment
- Select storage account for scan results
- Enable periodic recurring scans
Enable SQL Assessment via Azure CLI
```bash
# Register a SQL Server on Azure VM with the SQL IaaS Agent extension in full mode
az sql vm update \
  --resource-group "rg-databases" \
  --name "sql-server-01" \
  --sql-mgmt-type Full

# Enable on Azure SQL Database. Azure CLI has no 'az sql db va' command group,
# so the SQL vulnerability assessment REST API is called through az rest.
SQL_SERVER="sql-myapp-prod"
DATABASE="db-myapp"
SUBSCRIPTION_ID=$(az account show --query id -o tsv)
DB_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-databases/providers/Microsoft.Sql/servers/$SQL_SERVER/databases/$DATABASE"

# Create storage for scan results
STORAGE_ACCOUNT="stvascanresults"
az storage account create \
  --name $STORAGE_ACCOUNT \
  --resource-group "rg-databases" \
  --sku Standard_LRS

# Configure vulnerability assessment with recurring scans and admin notification
STORAGE_KEY=$(az storage account keys list \
  --account-name $STORAGE_ACCOUNT \
  --query "[0].value" -o tsv)
az rest \
  --method PUT \
  --url "https://management.azure.com$DB_ID/vulnerabilityAssessments/default?api-version=2021-11-01" \
  --body "{
    \"properties\": {
      \"storageContainerPath\": \"https://$STORAGE_ACCOUNT.blob.core.windows.net/vulnerability-assessment\",
      \"storageAccountAccessKey\": \"$STORAGE_KEY\",
      \"recurringScans\": {
        \"isEnabled\": true,
        \"emailSubscriptionAdmins\": true
      }
    }
  }"
```
Run Manual SQL Scan
```bash
# Trigger an immediate scan (DB_ID as set in the previous block; the scan id is chosen by the caller)
SCAN_ID="manual-$(date +%Y%m%d%H%M%S)"
az rest \
  --method POST \
  --url "https://management.azure.com$DB_ID/vulnerabilityAssessments/default/scans/$SCAN_ID/initiateScan?api-version=2021-11-01"

# List scan records with their state and number of failed security checks
az rest \
  --method GET \
  --url "https://management.azure.com$DB_ID/vulnerabilityAssessments/default/scans?api-version=2021-11-01" \
  --query "value[].{Scan:name, State:properties.state, Started:properties.startTime, FailedChecks:properties.numberOfFailedSecurityChecks}" \
  -o table
```
Step 5: Review and Remediate Findings
Access Recommendations in Portal
- In Defender for Cloud, go to Recommendations
- Use filters:
  - Category: Vulnerability
  - Severity: Critical, High, Medium
  - Status: Unhealthy
- Click a recommendation to see affected resources
Understand Severity Ratings
| CVSS Score | Severity | Action Timeline |
|---|---|---|
| 9.0 - 10.0 | Critical | Remediate within 24-48 hours |
| 7.0 - 8.9 | High | Remediate within 7 days |
| 4.0 - 6.9 | Medium | Remediate within 30 days |
| 0.1 - 3.9 | Low | Remediate within 90 days |
Export Findings for Remediation
```bash
# Export vulnerability findings to JSON for remediation tracking
az security sub-assessment list \
  --assessment-name "1195afff-c881-495e-9bc5-1486211ae03f" \
  --query "[].{Resource:resourceDetails.id, CVE:id, Severity:status.severity, Description:displayName, Remediation:remediation}" \
  -o json > vulnerability-findings.json

# Query high and critical findings using Resource Graph
az graph query -q "
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where properties.status.severity in ('High', 'Critical')
| extend resource = tostring(properties.resourceDetails.id)
| extend cve = tostring(properties.id)
| extend severity = tostring(properties.status.severity)
| extend description = tostring(properties.displayName)
| project resource, cve, severity, description
| order by severity asc  // alphabetical order puts Critical before High
" -o table
```
Configure Governance Rules
Assign owners and due dates to vulnerability findings:
- In Defender for Cloud, go to Environment settings
- Select Governance rules
- Click + Create rule
- Configure:
  - Rule name: High severity vulnerabilities
  - Priority: 1
  - Conditions: Severity equals High or Critical
  - Owner: email address of the responsible team
  - Remediation timeframe: By specific date or SLA
- Click Create
Step 6: Improve Secure Score
Understand Score Impact
- In Defender for Cloud, click Secure Score
- View score breakdown by control:
  - Remediate vulnerabilities (high impact)
  - Enable endpoint protection
  - Apply system updates
- Click each control to see recommendations
Track Progress with PowerShell
```powershell
# Get the current Secure Score for the subscription in the active Az context
$secureScore = Get-AzSecuritySecureScore -Name "ascScore"
Write-Host "Current Secure Score: $($secureScore.CurrentScore) / $($secureScore.MaxScore)"
Write-Host "Percentage: $([math]::Round($secureScore.Percentage * 100, 1))%"

# Top controls by remaining score (MaxScore - CurrentScore), i.e. where remediation pays most
Get-AzSecuritySecureScoreControl |
    Where-Object { $_.UnhealthyResourceCount -gt 0 } |
    Select-Object DisplayName, CurrentScore, MaxScore, UnhealthyResourceCount,
        @{ Name = 'PotentialGain'; Expression = { $_.MaxScore - $_.CurrentScore } } |
    Sort-Object -Property PotentialGain -Descending |
    Select-Object -First 10 |
    Format-Table
```
Set Score Improvement Targets
```bash
# Query current score and potential improvement per control
az security secure-score-controls list \
  --query "[].{Control:displayName, Current:score.current, Max:score.max, Unhealthy:unhealthyResourceCount}" \
  -o table

# Score still available from the vulnerability remediation control.
# JMESPath cannot subtract, so the gain is computed in the shell.
read -r CURRENT MAX <<< "$(az security secure-score-controls list \
  --query "[?displayName=='Remediate vulnerabilities'].[score.current, score.max]" \
  -o tsv)"
echo "Remediate vulnerabilities: $CURRENT / $MAX, potential gain $(awk "BEGIN { print $MAX - $CURRENT }")"
```
Best Practices
- Prioritize by exploitability: Focus on CVEs with known exploits first
- Enable agentless scanning: Cover VMs without agent deployment overhead
- Integrate with CI/CD: Scan container images before deployment
- Set governance rules: Ensure accountability with owners and deadlines
- Baseline accepted risks: Document and track accepted vulnerabilities
- Monitor score trends: Track Secure Score weekly to measure progress
- Use Azure Resource Graph: Build dashboards for vulnerability reporting
- Export to SIEM: Stream findings to your security operations center
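Tied to the CI/CD and accepted-risk items above, here is an added Python example (not code from the page or from Microsoft) of a deployment gate: blocking-severity findings for an image must be covered by an accepted-risk baseline entry that has not expired. The findings rows and the baseline are constructed; the baseline format is hypothetical.

```python
"""Fail a CI pipeline on image findings not covered by an unexpired accepted-risk baseline."""
import json
from datetime import date

# Constructed rows in the shape of the Resource Graph container query above, taken
# before its summarize step and with the CVE id added from properties.id
SAMPLE_FINDINGS = json.dumps([
    {"registryName": "mycontainerregistry", "imageName": "myapp", "severity": "Critical", "cve": "CVE-0000-0101"},
    {"registryName": "mycontainerregistry", "imageName": "myapp", "severity": "High", "cve": "CVE-0000-0102"},
    {"registryName": "mycontainerregistry", "imageName": "myapp", "severity": "Medium", "cve": "CVE-0000-0103"},
    {"registryName": "mycontainerregistry", "imageName": "other", "severity": "Critical", "cve": "CVE-0000-0104"},
])

# Hypothetical accepted-risk baseline: CVE id -> date the acceptance expires
BASELINE = {"CVE-0000-0101": "2026-12-31", "CVE-0000-0102": "2025-06-30"}

# Severities that block a deployment unless baselined
BLOCKING = {"Critical", "High"}

def gate(findings_json: str, image: str, baseline: dict, today: str) -> tuple:
    """Return (passes, reasons) for one image; reasons is empty when the gate passes."""
    reasons = []
    for f in json.loads(findings_json):
        if f["imageName"] != image or f["severity"] not in BLOCKING:
            continue
        expiry = baseline.get(f["cve"])
        if expiry is None:
            reasons.append(f"{f['cve']} ({f['severity']}) has no accepted-risk entry")
        elif date.fromisoformat(expiry) < date.fromisoformat(today):
            reasons.append(f"{f['cve']} acceptance expired on {expiry}")
    return (not reasons, reasons)

if __name__ == "__main__":
    passed, why = gate(SAMPLE_FINDINGS, "myapp", BASELINE, "2026-01-10")
    print("deploy" if passed else "blocked:\n  " + "\n  ".join(why))
```

Expired acceptances fail the gate on purpose: an accepted risk that nobody re-reviewed is no longer accepted.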
Troubleshooting
Vulnerabilities not appearing for VMs:
- Verify Defender for Servers P2 is enabled
- Check VM guest agent is running
- Confirm MDE extension is installed
- Wait 24 hours for initial scan completion
Container scan results missing:
- Verify Defender for Containers is enabled
- Check registry is in a supported region
- Confirm image was pushed after enablement
- Review scan status in registry settings
SQL assessment failing:
- Verify storage account permissions
- Check network connectivity to storage
- Confirm SQL Defender is enabled on server
- Review diagnostic logs for errors
Secure Score not improving after remediation:
- Allow 4-24 hours for score recalculation
- Verify all instances of the issue are fixed
- Check if new vulnerabilities offset improvements
Next Steps
After configuring vulnerability assessment, enhance your security:
- Implement just-in-time VM access to reduce attack surface
- Configure adaptive application controls for workload protection
- Enable attack path analysis in Defender CSPM
- Review Cloud Security Tips for 2026 for comprehensive cloud security guidance