Recent Discussions
Problem Automatic Log Upload - Defender for Cloud Apps
Hello Community, I have a strange problem with the activity in the title. I have created data sources from Fortinet and a log collector following the documentation linked here: https://learn.microsoft.com/en-us/defender-cloud-apps/discovery-docker-ubuntu-azure?tabs=centos So I have a Fortinet firewall that sends logs by syslog to the Ubuntu VM in Azure; I have deployed Docker, Ubuntu receives the logs from the firewall, and I see the traffic is correct. But the Cloud Apps connector remains in the "Connected" state. Regards, Guido
(Solved)

Restricting access to non SSO apps
I have multiple non-SSO apps that my users need to access. I am looking to permit access but limit what actions users can take when visiting these apps/sites, such as blocking file uploads, blocking data download, restricting logins, etc., to limit shadow IT. Is there a way to do this within MDCA? Session control policies, activity policies and access policies require the apps to be onboarded or SSO configured, which is not feasible for the numerous apps in scope. If not MDCA, what other services have you used to accomplish this?

Defender for Cloud DCR
Enabling Defender for Servers Plan 2 and creating a custom DCR to enable the 500 MB ingestion into Log Analytics. The workspace I am sending the logs to is connected to Sentinel. When I looked at creating the DCR I received this pop-up. If I enable the Sentinel connector, will this duplicate the cost of the logs, or will the connector just enable the data to be surfaced in Sentinel?

Is setting an index tag in Azure Defender for Cloud during file write an atomic operation?
Hi, when using Azure Defender for Cloud, is setting an index tag at the same time as writing a file considered an atomic operation? Or is there a propagation delay before the tag becomes fully available and effective for search and policy enforcement? Any insights or official documentation references would be appreciated!

File Integrity Monitoring - Agentless Issues in Detecting Changes to Files
Hello! Looks like there have been some recent updates made to File Integrity Monitoring. After reviewing the MS documentation https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#recommended-items-to-monitor it looks like you can now create custom rules for files and for custom registry keys. From what I can gather from the documentation, agentless scans are used for the custom rules that you create, and an agentless scan occurs once every 24 hours. I have created several custom rules to detect if a file has been deleted, added, modified or renamed, and Defender for Cloud is still not detecting any changes. I made changes to these files 3 days ago, and no changes have been reported back. Any ideas why this might not be working? I have already confirmed that the appropriate RBAC roles have been assigned to my Key Vaults where CMK disks are being used. I also wanted to know if the agentless FIM can monitor folders/directories as well. I haven't seen anything about this in the documentation. Is this even supported?

General Risk Factor - Logon URL - Null
I'm trying to create a policy that maps the "Logon URL" field in the app details and, if it's empty/blank, approves/sanctions the application. My only challenge is that I'm not able to set an identifier that reads a blank field. I tried the ASCII null character but it doesn't work. Wondering if this use case is even possible.

Playbooks with MDCA
I am attempting to integrate MDCA alerts with Freshdesk as per the example at https://learn.microsoft.com/en-us/defender-cloud-apps/flow-integration I have E5 without Teams licenses. I created the flow, once from Playbooks in the MDCA portal and once in Power Automate directly, and went to create a policy to test it out, but the option "Sent to Power Automate" in the policy is always greyed out. Alerts are not automatically detected in the flow unless the action in the policy is set to send to Power Automate, which again is greyed out as an option in the policies. Also, the Playbooks tab in the MDCA portal does not show the flows I created before; it shows empty. It seems the link is broken between MDCA and Power Automate. Any reason for this? Any idea about this? Thanks in advance.

MISRA support in Defender
I want to check for MISRA C code compliance. The idea is to check for MISRA C compliance when asking for a pull request. If the code fails those checks, the PR will not be created. This way, we enforce MISRA compliance before integrating the code into the repository. I am not seeing MISRA in the list of standards under Regulatory Compliance >> Subscriptions >> Security Policies.

Runtime protection - Microsoft Defender for Cloud DevOps Security (Defender CSPM)
Hi team! The current support status for Microsoft Defender for Cloud DevOps Security (Defender CSPM) and runtime protection across services is this one:

Fully supported for runtime protection:
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)

Are there more runtimes in the product roadmap (Azure Container Apps, AWS Fargate for Amazon ECS, Azure Functions, AWS Lambda)? Thanks

Onboarding MDE with Defender for Cloud (Problem)
Hello Community, at our customer I have a strange problem. We onboarded servers with Azure Arc and activated Defender for Cloud services only for endpoint protection. Some of these devices onboarded into the Microsoft Defender portal, but do not appear as a device; in fact I don't have the opportunity to put them into a group to apply policy. I have checked the Azure Arc sensor and all works fine (devices are in Azure Arc, are in the Defender portal and I see them in Intune (managed by MDE)). From Intune portal: From Defender portal: But unlike the other devices, in Entra ID only the enterprise application exists and not the device. I show the example of a device that works correctly (the same onboarding method). Is there anyone who has or has had this problem? Thanks and Regards, Guido

Defender for AI data storage/processing
Hi, does anyone know where the data that Defender for AI uses is processed, and what data is stored and available to Microsoft? If abuse monitoring is turned off, the documentation says "Microsoft does not store the prompts and completions associated with the approved Azure subscription." If content filtering is enabled, the documentation says "No prompts or generated content are stored in the content classifier models." https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy?tabs=azure-portal#preventing-abuse-and-harmful-content-generation But I was wondering what data is stored/processed, where this happens and if there's any documentation around this for the Defender for AI service. Could anyone point me to a page, please? Thanks, Neil.
(Solved)

Need help with enabling the "Security attack path" export data type in continuous export
I tried enabling the "Security attack path" export data type via API and cmdlet using PowerShell. It is not working.

```powershell
New-AzSecurityAutomation `
    -Name $automationName `
    -ResourceGroupName $resourceGroupName `
```

I am not sure which resource group we should mention here. Is it a random RG in a subscription or the LAW RG? It is failing both ways.

API method:

```powershell
$checkUrl = "https://management.azure.com/subscriptions/$($subscription.Id)/resourceGroups/$resourceGroupName/providers/Microsoft.Security/automations/$automationName`?api-version=2023-12-01-preview"
```

Defender for Cloud Inventory API Coverage — No Official Way to Retrieve Per-Resource Coverage?
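An added example of how a continuous export automation is normally created end to end with the Az.Security cmdlets; it is not code from the post above. Two points matter for the resource group question: the automation is its own ARM resource (`Microsoft.Security/automations`), so it lives in whatever resource group you name, and that group does not have to be the workspace's group; the workspace and the exported subscription are referenced by full resource ID and scope path instead. Assumptions in this example: the eventSource value `AttackPaths` for the "Security attack path" data type, a Log Analytics workspace as the target, and placeholder subscription, resource group and workspace names. Attack paths are only generated when Defender CSPM is enabled on the scoped subscription, so an empty result after a successful deployment is not necessarily a failed export.

```powershell
# Added example (not from the original post): create a Defender for Cloud continuous export
# automation for attack paths with Az.Security, then verify it with the same REST call shape
# the post uses. Requires Az.Accounts and Az.Security and an existing Connect-AzAccount session.

# --- Placeholders / assumptions -------------------------------------------------------------
$subscriptionId      = '00000000-0000-0000-0000-000000000000'        # assumed placeholder
$resourceGroupName   = 'rg-security-automation'                       # any RG in the subscription
$location            = 'eastus'                                       # region for the automation resource
$automationName      = 'ExportAttackPathsToWorkspace'
$workspaceResourceId = "/subscriptions/$subscriptionId/resourceGroups/rg-logging" +
                       '/providers/Microsoft.OperationalInsights/workspaces/law-sentinel'  # assumed
$eventSource         = 'AttackPaths'   # assumed eventSource name; confirm against the REST API docs

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Scope: which subscription's attack paths are exported. The scope path is independent of
# the resource group that will hold the automation resource.
$scope = New-AzSecurityAutomationScope `
    -Description 'Export attack paths for the whole subscription' `
    -ScopePath   "/subscriptions/$subscriptionId"

# Source: the data type. No rule set is attached, so every event of this type is exported.
$source = New-AzSecurityAutomationSource -EventSource $eventSource

# Action: the Log Analytics workspace that receives the export (referenced by resource ID).
$action = New-AzSecurityAutomationLogAnalyticsAction -WorkspaceResourceId $workspaceResourceId

# Create (or update) the automation resource.
$automation = New-AzSecurityAutomation `
    -Name              $automationName `
    -ResourceGroupName $resourceGroupName `
    -Location          $location `
    -Scope             $scope `
    -Source            $source `
    -Action            $action `
    -Description       'Continuous export of attack paths to Log Analytics'

# Verify through the control plane with the same path shape as the post's $checkUrl.
$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
        "/providers/Microsoft.Security/automations/$automationName" +
        '?api-version=2023-12-01-preview'
$response = Invoke-AzRestMethod -Method GET -Path $path
if ($response.StatusCode -ne 200) {
    throw "GET $path returned HTTP $($response.StatusCode): $($response.Content)"
}
$body = $response.Content | ConvertFrom-Json
"Automation '{0}' in '{1}' exports: {2}" -f $body.name, $resourceGroupName,
    (($body.properties.sources | ForEach-Object { $_.eventSource }) -join ', ')
```

If `New-AzSecurityAutomation` rejects the request, the error body from `Invoke-AzRestMethod` (or `$Error[0].Exception.Message`) usually names the offending field; an unknown `eventSource` string or a workspace resource ID the caller cannot read are the two most common causes, and neither is fixed by changing the resource group.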
I'm reaching out to the Microsoft Defender for Cloud team and the broader community because I've run into a gap that I believe others may face too, and I'm hoping for guidance or clarification. I need to programmatically retrieve a list of resources from a subscription and determine if each resource is covered by a Defender for Cloud plan. This would replicate what we see in the Azure Portal under Microsoft Defender for Cloud > Inventory. The goal is to fetch this data via API and replicate that table, but the problem is that it seems there's no way to retrieve the "Defender for Cloud" coverage status per resource.

Here's what I've tried so far:
- The /pricings endpoint: returns plan tiers like Free or Standard, but only for the overall subscription or service type, not individual resources.
- Azure Resource Graph: the properties field does not contain any Defender-related indicators that would confirm whether a specific resource is covered.

My question: Does an API exist today to retrieve per-resource Defender for Cloud coverage? Is there a /coverage endpoint or equivalent that is officially supported? If anyone from the Defender for Cloud or Azure product teams can point me in the right direction, I'd truly appreciate it. Thank you!

Microsoft Defender for Cloud - Servers & Apps Question
Hi, while learning about Microsoft Defender for Cloud (MDC) Cloud Workload Protection (CWP), I have seen the points below.

Servers: When we opt for MDC CWP for servers, I see agentless scanning for machines and along with it the below. But we already have Carbon Black, which handles the above role of the Guest Configuration agent. So, my question is: if I enroll for MDC Cloud Workload Protection, as we need to have a security/Defender tool installed on Azure machines (in this case the Guest Configuration agent), would this then replace Carbon Black, as we already have it? Or do we see MDC Cloud Workload Protection for Servers as additional, apart from Carbon Black?

Apps: We have our Azure apps protected by Cloudflare and VNet integration, which are with our firewall-based routes. Do we still need to enroll for App Service protection by MDC CWP?

Please advise on the above 2 areas. Thanks

Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
We currently have a mix of approximately 45 Windows/Linux servers and AVD machines which are not successfully being marked as compliant with the Defender recommendation "A vulnerability assessment solution should be enabled on your virtual machines". At the subscription level we have Defender for Servers Plan 2 enabled and agentless scanning (CSPM) enabled. Within a subscription some of these VMs are compliant and others are not. Their compliance state doesn't appear to have any relevance to whether the Qualys or MDE extensions are installed. We have servers that are healthy that have Qualys, MDE, or none installed. Our VMs are not using the full feature set of Defender Plan 2, as we use CrowdStrike, so the Defender for Endpoint functionality of Defender for Servers Plan 2 has been disabled, but to my knowledge this shouldn't impact vulnerability assessments. In the Security portal it does seem that generally all the VMs that are healthy for this recommendation are visible in the Devices section, whereas these 45 that are not are either not searchable or have sensor health state "inactive". We have an Azure Policy generated to onboard devices to vulnerability assessment using MDE.Tvm, and it seems to be generally working, but not for these 45 devices. The Microsoft documentation is really unclear; what do we need to make these systems compliant?

Problem with MDCA Session Control and Google Workspace
We have implemented MDCA Session Control with Google Workspace at a customer. Almost all Google apps work and are protected by Session Control, but we have found problems with Gemini, Analytics and Google Search. These apps don't open under session control, and it seems to be some kind of problem with SSO. Does anyone know of a fix for the problem?

How are you presenting CSPM and CNAPP insights to your executive leadership?
Hi everyone, I'm a Cloud Security Specialist at Microsoft, working closely with Microsoft Defender for Cloud, and I wanted to start a conversation with the community, partly out of curiosity, but also to learn from your real-world experiences. When it comes to reporting cloud security posture to your executive leadership (CISO, CTO, or broader security/tech leadership), how are you presenting insights from CSPM, CNAPP, or Defender for Containers?

Specifically, how do you communicate findings such as:
- Misconfigurations
- Vulnerabilities
- Risk exposure across your cloud environments?

Are you using:
- Power BI dashboards to centralize and visualize the data?
- Manual Excel reports?
- The native Defender for Cloud portal?
- Or even exploring Microsoft Fabric for more advanced reporting scenarios?

I'd love to hear how you're turning technical insights into executive-level narratives. Do you follow a particular structure, reporting cadence, or set of best practices? Looking forward to hearing how others in the community are approaching this challenge, and how you're bridging the gap between cloud security and business strategy.

Filter out BYOD devices from blocking unsanctioned apps
Hi there, I've encountered an issue. When I tag a cloud app as unsanctioned, it gets blocked as expected. However, we use BYOD mobile devices that are Entra registered along with app protection policies, and the unsanctioned apps are being blocked outside the managed apps. For example, an unsanctioned app gets blocked in the unmanaged Safari browser on a BYOD iOS device. I can't find information on how to limit the enforcement scope to only managed apps on BYODs, or how to limit the enforcement scope to company-managed devices. Please help.

Defender for Servers
Defender for Servers is part of Defender for Cloud CWP. We do not use this product; however, we have an interest in logging servers, both on-premises and in multi-cloud tenants, to a Sentinel workspace. A couple of ways to accomplish this:
- Defender for Servers in passive mode: since we're currently not subscribed, can we get data in with Arc + AMA + the Defender extension across multi-cloud tenants? The objective is to NOT pay for Defender for Servers P1/P2 and instead log events for detections.
- Azure Monitor Agent and a Data Collection Rule with logging level (Common, Minimal, Custom).

I've ideas on both, but I'm leaning towards Defender for Servers in passive mode with the Defender extension and AMA. Will this automatically get charged as part of Defender for Servers CWP, or will it flat out not work if not enabled? I can't get a straight answer on this from anyone, and I don't have full-blown tenant owner permission to test this. When asked, there is a wait time to get a response from other teams. I'm interested in getting data in via Defender in passive mode, relying on and relaying through the Defender extension and Arc+AMA as partners. Let me know your thoughts!

DevOps Security: MDC-ADO integration through Service account
Hi All, is it possible to integrate MDC-ADO with a service account? When I attempted to authorize ADO in MDC during the integration process, it appears to only accept individual accounts. Does anyone have insights on how to utilize a service account for this integration?
Recent Blogs
- Shadow IT has always been a bit of a ghost story in cybersecurity. You know it's there, lurking in the background, but it rarely shows itself until something goes wrong. For years, people thought it ... (Sep 23, 2025)
- Today, Defender for Storage released, in public preview for Commercial Cloud, the feature Automated Remediation for Malware Detection. This is for both on-upload and on-demand malware scanning. The f... (Sep 17, 2025)