Cyber Intelligence
Compute, Storage & Data · 25% of exam

L10. Defender for Cloud

Course outlineLesson 10 of 18

Defender for Cloud is the AZ-500 exam's primary CSPM and workload protection service. Understand Secure Score, the difference between CSPM and CWPP, and which Defender plans protect which resource types.

What Is Defender for Cloud?

Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) service. These two capabilities are distinct:

  • CSPM (Foundry/Free tier): Assesses your configuration against security baselines, generates recommendations, and computes a Secure Score. CSPM is always free.
  • CWPP (Defender plans): Active threat detection for specific workload types. Each plan costs money and must be enabled per subscription.

Secure Score

Secure Score is a percentage that measures how well your environment meets the security recommendations in Defender for Cloud. Each recommendation has a max score contribution. Implementing a recommendation increases your score. Exam trap: Secure Score reflects recommendations, not actual security. You can improve the score by accepting risk or excluding resources without making the environment more secure.

Defender Plans (CWPP)

PlanProtects
Defender for ServersVMs (Windows and Linux)
Defender for StorageStorage Accounts
Defender for SQLSQL databases (Azure SQL, SQL on VMs, PostgreSQL, MySQL)
Defender for ContainersAKS clusters and container registries
Defender for Key VaultKey Vault (unusual access patterns)
Defender for App ServiceAzure App Service
Each plan is enabled at the subscription level. You pay per resource type per hour.

Security Recommendations vs Alerts

Recommendations = CSPM findings. "Enable MFA for accounts with owner permissions." These reduce your attack surface. Alerts = CWPP detections. "Suspicious PowerShell execution detected on VM." These indicate active threats.

The exam tests that recommendations are proactive (posture) while alerts are reactive (detection).

Regulatory Compliance

Defender for Cloud maps recommendations to compliance frameworks (NIST, CIS, PCI DSS, ISO 27001). The Regulatory Compliance dashboard shows which controls you pass and fail: useful for audit evidence.

Exam Focus Points
  • CSPM (free) = posture assessment plus Secure Score. CWPP (paid Defender plans) = active threat detection
  • Secure Score reflects recommendations: it can be gamed by excluding resources without real security improvement
  • Each Defender plan is enabled per subscription per resource type: they are independent of each other
  • Recommendations = proactive posture findings. Alerts = reactive threat detections from CWPP plans
  • Regulatory Compliance dashboard maps Defender recommendations to NIST, CIS, PCI DSS, ISO 27001 controls
Knowledge Check

1. What does Microsoft Defender for Cloud's Secure Score measure?

2. What is the difference between CSPM and CWPP in Defender for Cloud?

3. A recommendation in Defender for Cloud shows 'Quick Fix' available. What does this mean?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available