L16. Security Recommendations and Secure Score
Security recommendations and Secure Score form the core of Defender for Cloud posture management. This lesson covers recommendation categories, remediation workflows, exemptions, and Secure Score calculation for the SC-200 exam.
Security Recommendations
Defender for Cloud continuously assesses resources against the Microsoft Cloud Security Benchmark (MCSB) and other enabled standards. Each finding generates a recommendation with:
- Severity: High, Medium, Low
- Resource health: Healthy, Unhealthy, Not applicable
- Freshness interval: How often the assessment runs
- Remediation steps: Manual instructions or automated "Fix" button
- Related policy: The Azure Policy definition driving the assessment
Microsoft Cloud Security Benchmark (MCSB)
MCSB is the default security standard applied to all subscriptions. It organizes recommendations into control families:
| Control Family | Examples |
|---|---|
| Network Security | NSG rules, private endpoints, DDoS protection |
| Identity Management | MFA enforcement, conditional access, PIM |
| Privileged Access | JIT VM access, admin account protection |
| Data Protection | Encryption at rest, TDE, key rotation |
| Logging and Threat Detection | Diagnostic settings, Log Analytics, alerts |
| Backup and Recovery | VM backup, database backup policies |
| Endpoint Security | EDR, anti-malware and signature updates |
Secure Score
Secure Score expresses your overall security posture as a percentage. Recommendations are grouped into security controls, and each control carries a maximum score that Microsoft sets according to its impact. The score is built from:
- Maximum score: Sum of the maximum points of every security control
- Current score: Sum of the points each control currently earns from healthy (compliant) resources
- Percentage: Current / Maximum * 100
A control's current points are proportional to the share of its applicable resources that are healthy:
Control score = Max score of the control * Healthy resources / (Healthy resources + Unhealthy resources)
Secure Score = (Sum of current control scores) / (Sum of maximum control scores) * 100
Key principles:
- A resource counts as healthy for a control only when every recommendation in that control is healthy for it; remediating one recommendation while another recommendation in the same control is still unhealthy on the same resource does not move the score
- A control earns its full points only when all of its recommendations are remediated on all applicable resources
- Fixing some of the resources in a control earns proportional partial credit
- Resources that are Not applicable, including exempted resources, are excluded from both counts
- Higher-impact controls (for example, Enable MFA) carry a higher maximum score, so the same effort moves the score more there
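To make the scoring rules above concrete, here is a worked example added to this lesson (it is not Microsoft's code). It computes control scores and the overall Secure Score from a constructed set of assessment results, implementing the per-resource "every recommendation in the control must be healthy" rule and proportional credit as described above, and treating exempted resources as Not applicable. Control names, maximum scores, resource ids and health states are assumed sample values.

```python
"""Worked Secure Score calculation (example added to this lesson; not Microsoft's
code). Model, following the control-based scoring described above:
  * a resource is healthy for a control only if it is healthy for every
    recommendation in that control that applies to it;
  * Not applicable resources, and resources exempted from a recommendation,
    are ignored for that recommendation;
  * control score = max score * healthy / (healthy + unhealthy);
  * Secure Score % = sum(control scores) / sum(max scores) * 100.
Control names, max scores and assessment rows below are constructed sample data.
"""
from collections import defaultdict

# (control, recommendation, resource id, resource health) -- constructed sample
ASSESSMENTS = [
    ("Enable MFA", "MFA should be enabled on accounts with owner permissions", "user1", "Healthy"),
    ("Enable MFA", "MFA should be enabled on accounts with owner permissions", "user2", "Unhealthy"),
    ("Secure management ports", "Management ports should be closed on your VMs", "vm1", "Unhealthy"),
    ("Secure management ports", "Management ports should be closed on your VMs", "vm2", "Healthy"),
    ("Secure management ports", "JIT network access control should be applied", "vm1", "Healthy"),
    ("Secure management ports", "JIT network access control should be applied", "vm2", "Unhealthy"),
    ("Secure management ports", "JIT network access control should be applied", "vm3", "NotApplicable"),
    ("Apply system updates", "System updates should be installed on your machines", "vm3", "Unhealthy"),
]
# Maximum points per control (assumed values; Microsoft assigns the real ones)
MAX_SCORE = {"Enable MFA": 10, "Secure management ports": 8, "Apply system updates": 6}


def resource_health(assessments, exemptions=frozenset()):
    """Collapse per-recommendation health into one status per (control, resource).

    `exemptions` holds (recommendation, resource) pairs; an exempted pair is
    treated exactly like NotApplicable.
    """
    health = {}
    for control, rec, resource, status in assessments:
        if status == "NotApplicable" or (rec, resource) in exemptions:
            continue
        key = (control, resource)
        if status == "Unhealthy":
            health[key] = "Unhealthy"        # one unhealthy recommendation taints the resource
        else:
            health.setdefault(key, "Healthy")
    return health


def control_scores(assessments, max_scores, exemptions=frozenset()):
    """Return {control: (current points, max points)} with proportional credit."""
    counts = defaultdict(lambda: {"Healthy": 0, "Unhealthy": 0})
    for (control, _), status in resource_health(assessments, exemptions).items():
        counts[control][status] += 1
    scores = {}
    for control, max_score in max_scores.items():
        healthy, unhealthy = counts[control]["Healthy"], counts[control]["Unhealthy"]
        if healthy + unhealthy == 0:
            continue  # assumption of this model: a control with no applicable resources is left out
        scores[control] = (round(max_score * healthy / (healthy + unhealthy), 2), max_score)
    return scores


def secure_score(assessments, max_scores, exemptions=frozenset()):
    """Overall Secure Score as a percentage, rounded to one decimal."""
    scores = control_scores(assessments, max_scores, exemptions)
    current = sum(cur for cur, _ in scores.values())
    maximum = sum(mx for _, mx in scores.values())
    return round(100 * current / maximum, 1)


def remediate(assessments, recommendation):
    """Copy of the assessments with every Unhealthy resource of one recommendation fixed."""
    return [(c, r, res, "Healthy" if r == recommendation and s == "Unhealthy" else s)
            for c, r, res, s in assessments]


if __name__ == "__main__":
    print("baseline:", control_scores(ASSESSMENTS, MAX_SCORE), secure_score(ASSESSMENTS, MAX_SCORE))
    # Fixing JIT on every VM still leaves vm1 unhealthy on the other recommendation
    # in the same control, so the control earns half its points, not all of them.
    fixed = remediate(ASSESSMENTS, "JIT network access control should be applied")
    print("after JIT fix:", control_scores(fixed, MAX_SCORE), secure_score(fixed, MAX_SCORE))
    # An exemption on user2 drops it from the count, so Enable MFA becomes 10/10.
    waived = {("MFA should be enabled on accounts with owner permissions", "user2")}
    print("with exemption:", secure_score(ASSESSMENTS, MAX_SCORE, waived))
```

Run the script and compare the three printed results: the JIT fix raises Secure management ports from 0 to 4 of 8 points rather than 8, because vm1 is still unhealthy on the management-ports recommendation, while the exemption removes user2 from the Enable MFA control entirely.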
Remediation Workflows
Three approaches to remediation:
1. Manual remediation:
- Follow the step-by-step instructions in the recommendation
- Best for complex changes that need planning or change-control approval
2. Quick Fix (automated remediation):
- Click "Fix" on the recommendation to apply a pre-built remediation
- Uses ARM templates or Azure Policy remediation tasks
- Review the fix logic before applying it, because it changes the resource configuration directly
3. Governance rules:
- Assign a recommendation owner with a remediation deadline
- Track progress through the governance dashboard
- Send email notifications for upcoming and overdue deadlines
Exemptions
When a recommendation does not apply to your environment, or the risk is handled another way, create an exemption with one of two reasons:
- Waiver: Accepted risk. The recommendation is valid, but you accept the risk without an alternative mitigation
- Mitigated: An alternative control already in place addresses the risk
Exemptions are implemented as Azure Policy exemptions. The exempted resource (or the whole recommendation, when the exemption is scoped to a subscription or management group) is shown as Not applicable and dropped from the Secure Score calculation. Every exemption needs a justification and can be given an expiry date, after which the recommendation reappears; review open exemptions periodically so a temporary waiver does not become permanent. Exam tip: Exemptions with the "Mitigated" reason indicate an alternative control is in place. "Waiver" means the risk is accepted without alternative mitigation.
Custom Recommendations
Create custom recommendations using Azure Policy:
- Define a custom Azure Policy definition, or pick a built-in one
- Add the policy to a custom security standard in Defender for Cloud and assign the standard to the subscriptions or management groups it should cover
- The policy's compliance results then appear as recommendations: non-compliant resources are Unhealthy, compliant ones Healthy
Custom recommendations appear alongside the built-in ones and in the compliance view for that custom standard. Note that Secure Score is calculated from the MCSB recommendations, so do not expect a custom recommendation to change the score.
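To show what "policy evaluation results appear as recommendations" means in practice, here is an example added to this lesson (it is not Azure Policy's engine or Microsoft's code): a small evaluator for an Azure Policy `policyRule` that marks matching resources non-compliant and reports them as Unhealthy, reports non-matching ones as Healthy, and reports resources outside the rule's target type as Not applicable. The policy is shaped like the built-in secure-transfer audit for storage accounts, the resource records are constructed, and the alias-to-properties resolution and the supported operator subset are simplifications assumed for the example.

```python
"""Mini evaluator for an Azure Policy rule, mapped onto recommendation health
(example added to this lesson; not Azure Policy's own engine). An audit-effect
policy flags resources matching its 'if' block as non-compliant, and Defender
for Cloud surfaces those as Unhealthy under the recommendation mapped to it.

Simplifications assumed here: only equals, notEquals, exists and in plus the
allOf/anyOf/not combinators are supported, and an alias is resolved as
'<resource type>/<property path>' into the resource's 'properties' bag.
The policy mirrors the shape of a storage "secure transfer" audit policy;
the resources are constructed sample data.
"""

POLICY = {
    "displayName": "Secure transfer to storage accounts should be enabled",
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True},
        ]},
        "then": {"effect": "audit"},
    },
}

RESOURCES = [  # constructed, shaped like ARM resource JSON
    {"id": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/stgood",
     "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"id": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/stbad",
     "type": "microsoft.storage/storageaccounts", "location": "westeurope",  # ARM types are case-insensitive
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"id": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/stlegacy",
     "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "properties": {}},  # property never set: the alias resolves to null
    {"id": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "properties": {}},
]

_TOP_LEVEL = {"id", "name", "type", "location", "kind"}


def _eq(a, b):
    """Azure Policy 'equals': case-insensitive for strings."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def _field(resource, field):
    """Resolve a policy field: top-level property, tags[...] or alias path."""
    if field in _TOP_LEVEL:
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'"))
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return None  # alias of a different resource type
    node = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(cond, resource):
    """True when the condition block matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return _eq(value, cond["equals"])
    if "notEquals" in cond:
        return not _eq(value, cond["notEquals"])
    if "in" in cond:
        return any(_eq(value, v) for v in cond["in"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def _target_types(cond):
    """Resource types named by 'type' conditions in the rule's top-level allOf."""
    if cond.get("field") == "type":
        values = cond["in"] if "in" in cond else [cond.get("equals")]
        return {v.lower() for v in values if isinstance(v, str)}
    return set().union(*(_target_types(c) for c in cond.get("allOf", [])))


def assess(policy, resources):
    """Map an audit policy's evaluation onto recommendation resource health."""
    rule = policy["policyRule"]
    if rule["then"]["effect"].lower() != "audit":
        raise ValueError("this evaluator only models the 'audit' effect")
    targets = _target_types(rule["if"])
    health = {}
    for res in resources:
        if targets and res["type"].lower() not in targets:
            health[res["id"]] = "NotApplicable"  # outside the recommendation's scope
        else:
            health[res["id"]] = "Unhealthy" if evaluate(rule["if"], res) else "Healthy"
    return health


if __name__ == "__main__":
    for rid, status in assess(POLICY, RESOURCES).items():
        print(f"{status:14} {rid.rsplit('/', 1)[-1]}")
```

The `stlegacy` account is worth noting: the property was never set, so the alias resolves to null, `notEquals true` is satisfied, and the resource is reported Unhealthy. Write custom policies so that an unset setting fails closed in the same way rather than silently passing.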
Recommendation Filters
Filter recommendations by:
- Environment (Azure, AWS, GCP)
- Severity (High, Medium, Low)
- Resource type
- Security control
- Compliance standard
- Freshness (stale vs. current assessments)
Key Points
- ✓ Microsoft Cloud Security Benchmark (MCSB) is enabled by default for all Azure subscriptions.
- ✓ Secure Score is calculated as healthy resource points divided by maximum possible points.
- ✓ Exemptions remove recommendations from Secure Score. "Waiver" accepts risk; "Mitigated" indicates an alternative control.
- ✓ Quick Fix applies pre-built remediation using ARM templates or Azure Policy remediation tasks.
- ✓ Governance rules assign owners with deadlines for recommendation remediation.
- ✓ Custom recommendations use Azure Policy definitions mapped to custom security standards.
Review Questions
1. A recommendation to enable disk encryption does not apply because the organization uses a third-party encryption solution. Which exemption reason should they use?
2. Which security standard is enabled by default for all Azure subscriptions in Defender for Cloud?
3. An organization fixes 5 of 10 unhealthy resources for a security recommendation. How does this affect the Secure Score?