Microsoft Defender for Cloud is Azure's integrated cloud security posture management (CSPM) and cloud workload protection platform (CWPP). This guide covers enabling Defender across your subscriptions, configuring security policies, and setting up alert notifications for proactive threat response.
This article is part of our comprehensive guide on Cloud Security Tips for 2026, which covers essential security practices across all major cloud platforms.
Overview
Microsoft Defender for Cloud provides:
- Security posture management: Recommendations, Secure Score, and compliance assessments
- Workload protection: Threat detection for VMs, containers, databases, storage, and more
- Attack path analysis: Identify and remediate critical attack vectors
- DevSecOps integration: Security scanning in CI/CD pipelines
The service works across Azure, AWS, GCP, and on-premises environments, providing unified security management.
Prerequisites
Before setting up Defender for Cloud, ensure you have:
- Azure subscription with Owner or Security Admin role
- Understanding of workload types requiring protection
- Budget approval for paid Defender plans (optional but recommended)
- Azure CLI or Azure Portal access
- Email addresses for alert notifications
Step 1: Access Defender for Cloud
Navigate to Defender for Cloud
- Sign in to the Azure Portal
- Search for Microsoft Defender for Cloud and select it
- If first time, you'll see the Getting Started page
Initial Assessment
Defender for Cloud automatically assesses your environment:
- Review your initial Secure Score
- Check Recommendations for quick wins
- View Security alerts (if any)
Step 2: Enable Enhanced Security Features
Enable Defender plans for workload-specific protection.
Enable Plans via Azure Portal
- In Defender for Cloud, navigate to Environment settings
- Select your subscription
- Click Defender plans
- Enable plans based on your workloads:
| Plan | Protects | Key Features |
|---|---|---|
| Defender CSPM | All resources | Attack path analysis, agentless scanning |
| Defender for Servers | VMs | Vulnerability assessment, JIT access |
| Defender for Containers | AKS, containers | Runtime protection, image scanning |
| Defender for Storage | Storage accounts | Malware scanning, activity monitoring |
| Defender for SQL | SQL databases | Vulnerability assessment, threat detection |
| Defender for Key Vault | Key Vaults | Anomaly detection, access monitoring |
| Defender for App Service | Web apps | Threat detection, vulnerability assessment |
- Click Save to enable selected plans
Enable Plans via Azure CLI
# Set subscription
SUBSCRIPTION_ID=$(az account show --query id -o tsv)
# List available Defender plans
az security pricing list --query "[].{Name:name, Tier:pricingTier}" -o table
# Enable Defender for Servers
az security pricing create \
--name VirtualMachines \
--tier Standard
# Enable Defender for Storage
az security pricing create \
--name StorageAccounts \
--tier Standard
# Enable Defender for SQL
az security pricing create \
--name SqlServers \
--tier Standard
# Enable Defender for Key Vault
az security pricing create \
--name KeyVaults \
--tier Standard
# Enable Defender CSPM
az security pricing create \
--name CloudPosture \
--tier Standard
# Verify enabled plans
az security pricing list \
--query "[?pricingTier=='Standard'].name" -o tsv
Enable at Management Group Level
For enterprise-wide enablement:
# Enable Defender at management group scope
MANAGEMENT_GROUP_ID="your-management-group-id"
# Use Azure Policy to enforce Defender enablement
az policy assignment create \
--name "Enable Defender for Cloud" \
--policy "ac076320-ddcf-4066-b451-6154267e8ad2" \
--scope "/providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_ID"
Step 3: Configure Security Policies
Security policies define your organization's security requirements and drive recommendations.
Enable Microsoft Cloud Security Benchmark
- In Defender for Cloud, go to Environment settings
- Select your subscription
- Click Security policy
- Enable Microsoft Cloud Security Benchmark (enabled by default)
Add Regulatory Compliance Standards
Enable compliance assessments for industry standards:
# Enable PCI DSS compliance assessment
az security regulatory-compliance-standards update \
--name "PCI-DSS-3.2.1" \
--state Enabled
# Enable HIPAA compliance assessment
az security regulatory-compliance-standards update \
--name "HIPAA-HITRUST" \
--state Enabled
# Enable SOC 2 compliance assessment
az security regulatory-compliance-standards update \
--name "SOC-2-Type-2" \
--state Enabled
# List enabled standards
az security regulatory-compliance-standards list \
--query "[?state=='Enabled'].name" -o tsv
Configure Custom Security Policies
Create custom policies using Azure Policy:
- Go to Environment settings > Security policy
- Click Add custom initiative
- Create or select a policy initiative
- Assign to your subscription or management group
Step 4: Set Up Alert Notifications
Configure email notifications for security alerts.
Configure Email Notifications via Portal
- In Defender for Cloud, go to Environment settings
- Select your subscription
- Click Email notifications
- Configure settings:
- Email recipients: Enter email addresses
- Notification types: Select alert severities
- Additional email: Add more recipients
- Click Save
Configure via Azure CLI
# Configure email notifications
az security contact create \
--name "default" \
--email "[email protected]" \
--phone "+1-555-123-4567" \
--alert-notifications on \
--alerts-admins on
# Update notification settings
az security contact update \
--name "default" \
--email "[email protected];[email protected]" \
--alert-notifications on
Configure Continuous Export
Stream alerts to Log Analytics or Event Hub:
# Get Log Analytics workspace ID
WORKSPACE_ID=$(az monitor log-analytics workspace show \
--resource-group "rg-security" \
--workspace-name "law-security" \
--query id -o tsv)
# Configure continuous export to Log Analytics
az security automation create \
--name "export-to-law" \
--resource-group "rg-security" \
--scopes "/subscriptions/$SUBSCRIPTION_ID" \
--sources '[{"eventSource": "Alerts"}, {"eventSource": "Recommendations"}, {"eventSource": "SecureScore"}]' \
--actions "[{\"actionType\": \"LogAnalytics\", \"workspaceResourceId\": \"$WORKSPACE_ID\"}]"
Step 5: Review and Remediate Recommendations
Prioritize and address security recommendations.
Access Recommendations
- In Defender for Cloud, click Recommendations
- View recommendations sorted by:
- Secure Score impact: Highest impact first
- Severity: Critical, High, Medium, Low
- Status: Unhealthy, Healthy, Not applicable
High-Priority Recommendations to Address
| Recommendation | Impact | Remediation |
|---|---|---|
| Enable MFA for accounts with owner permissions | High | Configure Conditional Access |
| Storage accounts should use private endpoints | High | Create private endpoints |
| SQL databases should have vulnerability findings resolved | High | Apply security patches |
| Virtual machines should encrypt temp disks and caches | Medium | Enable Azure Disk Encryption |
| Subnets should have NSGs associated | Medium | Create and attach NSGs |
Remediate via Azure CLI
# List unhealthy recommendations
az security assessment list \
--query "[?status.code=='Unhealthy'].{Name:displayName, Resource:resourceDetails.id}" \
-o table
# View specific recommendation details
az security assessment show \
--name "recommendation-id" \
--assessed-resource-id "resource-id"
Enable Auto-Provisioning
Automatically deploy agents for enhanced protection:
- Go to Environment settings > Auto provisioning
- Enable:
- Log Analytics agent for Azure VMs
- Vulnerability assessment for machines
- Guest Configuration agent
- Select or create a Log Analytics workspace
Step 6: Monitor Security Posture
Track Secure Score
- In Defender for Cloud, view Secure Score on the overview page
- Click the score to see:
- Score breakdown by control
- Recommendations by impact
- Score history over time
Set Up Security Dashboards
Create workbooks for security monitoring:
# Query Defender for Cloud data in Log Analytics
az monitor log-analytics query \
--workspace $WORKSPACE_ID \
--analytics-query "SecurityAlert | summarize AlertCount=count() by AlertSeverity | order by AlertCount desc"
Integrate with Microsoft Sentinel
For advanced SIEM capabilities:
- In Microsoft Sentinel, go to Data connectors
- Search for Microsoft Defender for Cloud
- Click Open connector page
- Enable the connector for your subscriptions
Best Practices
- Enable Defender CSPM: Get attack path analysis and agentless scanning
- Start with high-impact recommendations: Focus on quick wins first
- Enable auto-provisioning: Ensure consistent agent deployment
- Configure continuous export: Stream data to SIEM for correlation
- Review alerts daily: Establish a security operations cadence
- Use governance rules: Assign remediation owners and due dates
Troubleshooting
Low Secure Score but resources are secured:
- Ensure agents are deployed and reporting
- Check resource types are supported
- Wait 24 hours for assessment refresh
Missing recommendations:
- Verify Defender plans are enabled
- Check resource types match enabled plans
- Ensure auto-provisioning is configured
Alerts not appearing in SIEM:
- Verify continuous export is configured
- Check Event Hub or Log Analytics connectivity
- Review export automation status
Cost Optimization
- Enable selectively: Start with critical workloads
- Use Defender for Servers P1: Reduced cost, fewer features
- Tag resources: Track costs by workload or team
- Review unused protections: Disable plans for decommissioned resources
Next Steps
After setting up Defender for Cloud, enhance your security:
- Enable Microsoft Sentinel for advanced threat detection
- Configure Just-in-Time VM access for reduced attack surface
- Implement Adaptive Application Controls for whitelisting
- Review Cloud Security Tips for 2026 for comprehensive cloud security guidance