L10. Defender for Cloud
Course outlineLesson 10 of 18
Defender for Cloud is the AZ-500 exam's primary CSPM and workload protection service. Understand Secure Score, the difference between CSPM and CWPP, and which Defender plans protect which resource types.
What Is Defender for Cloud?
Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) service. These two capabilities are distinct:
- CSPM (Foundry/Free tier): Assesses your configuration against security baselines, generates recommendations, and computes a Secure Score. CSPM is always free.
- CWPP (Defender plans): Active threat detection for specific workload types. Each plan costs money and must be enabled per subscription.
Secure Score
Secure Score is a percentage that measures how well your environment meets the security recommendations in Defender for Cloud. Each recommendation has a max score contribution. Implementing a recommendation increases your score. Exam trap: Secure Score reflects recommendations, not actual security. You can improve the score by accepting risk or excluding resources without making the environment more secure.
Defender Plans (CWPP)
| Plan | Protects |
|---|---|
| Defender for Servers | VMs (Windows and Linux) |
| Defender for Storage | Storage Accounts |
| Defender for SQL | SQL databases (Azure SQL, SQL on VMs, PostgreSQL, MySQL) |
| Defender for Containers | AKS clusters and container registries |
| Defender for Key Vault | Key Vault (unusual access patterns) |
| Defender for App Service | Azure App Service |
Security Recommendations vs Alerts
Recommendations = CSPM findings. "Enable MFA for accounts with owner permissions." These reduce your attack surface. Alerts = CWPP detections. "Suspicious PowerShell execution detected on VM." These indicate active threats.The exam tests that recommendations are proactive (posture) while alerts are reactive (detection).
Regulatory Compliance
Defender for Cloud maps recommendations to compliance frameworks (NIST, CIS, PCI DSS, ISO 27001). The Regulatory Compliance dashboard shows which controls you pass and fail: useful for audit evidence.
- ✓CSPM (free) = posture assessment plus Secure Score. CWPP (paid Defender plans) = active threat detection
- ✓Secure Score reflects recommendations: it can be gamed by excluding resources without real security improvement
- ✓Each Defender plan is enabled per subscription per resource type: they are independent of each other
- ✓Recommendations = proactive posture findings. Alerts = reactive threat detections from CWPP plans
- ✓Regulatory Compliance dashboard maps Defender recommendations to NIST, CIS, PCI DSS, ISO 27001 controls
1. What does Microsoft Defender for Cloud's Secure Score measure?
2. What is the difference between CSPM and CWPP in Defender for Cloud?
3. A recommendation in Defender for Cloud shows 'Quick Fix' available. What does this mean?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.