How and why you should enforce Defender for Cloud plans with Azure policies
Published Aug 16 2021 12:05 PM

The security posture of an enterprise relies on the three pillars PROTECTION, DETECTION & RESPONSE. Microsoft Defender for Cloud is designed to strengthen all three pillars by providing a Cloud Security Posture Management Tool & Cloud Workload Protection tool.


The security posture is assessed by a defined set of security controls, each with underlying recommendations on security configurations; together these make up the secure score of an organization across all subscriptions where Microsoft Defender for Cloud is enabled. Microsoft recommends keeping the secure score at 100% so you can be confident that your cloud environment is secure and your resources are protected proactively.




“Enable Microsoft Defender” is one of the security controls that make up the overall Secure Score. That means that all Microsoft Defender for Cloud plans need to be enabled for the selected scope to fulfil this security control [1]. This recommendation can be enforced by the newly released built-in policies “Configure Microsoft Defender for Cloud for…”, and you can find the “Enforce” button at the top of the recommendation page.




Before the built-in policies to enable Microsoft Defender for Cloud were released, it was necessary to enable Microsoft Defender for Cloud for the selected subscriptions and resource plans manually via the portal, or to use the custom policies published on GitHub.





The enablement of the Microsoft Defender for Cloud plans for every resource type that can be secured with Microsoft Defender for Cloud can now be enforced with built-in Azure policies. The policies “Configure Microsoft Defender for ...” use the DeployIfNotExists effect: as soon as a policy is assigned to a subscription, or to a Management Group above it, every new resource of the type covered by the specified Microsoft Defender plan gets Microsoft Defender for Cloud enabled [2]. All new subscriptions under the specified scope receive the settings automatically; existing ones need to be remediated.
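As an added example (not code from the original post), the assignment-and-remediation workflow described above in Azure PowerShell: it resolves the built-in Defender for servers policy by display name, assigns it at a management group with a system-assigned identity, grants that identity only the role the definition itself declares, and starts a remediation task so that subscriptions that already exist are covered too. Assumptions: the Az.Resources 6.x / Az.PolicyInsights object model, Owner rights on the management group, and the placeholder management group name.

```powershell
# Added example, not part of the original post. Enforce a Defender for Cloud
# plan with the built-in DeployIfNotExists policy at management-group scope.
# Assumptions: Az.Resources 6.x object model, Az.PolicyInsights installed,
# signed-in account has Owner on the management group.
$mgName   = 'contoso-landing-zones'      # placeholder management group name
$scope    = "/providers/Microsoft.Management/managementGroups/$mgName"
$location = 'westeurope'                 # region for the assignment's managed identity

# 1. Resolve the built-in definition by its display name (assumed to match
#    'Configure Azure Defender for servers*'; adjust for other plans).
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like 'Configure Azure Defender for servers*' } |
    Select-Object -First 1
if (-not $definition) { throw 'Built-in Defender for servers policy not found' }

# 2. Assign at management-group scope. DeployIfNotExists needs a managed
#    identity to run the deployment on each subscription in scope.
$assignment = New-AzPolicyAssignment -Name 'enforce-defender-servers' `
    -DisplayName 'Enforce Microsoft Defender for servers' `
    -Scope $scope -PolicyDefinition $definition `
    -IdentityType SystemAssigned -Location $location

# 3. Least privilege: grant the identity exactly the roles the definition
#    declares in roleDefinitionIds, scoped to this management group only.
foreach ($roleId in $definition.Properties.PolicyRule.then.details.roleDefinitionIds) {
    $roleGuid = ($roleId -split '/')[-1]
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId $roleGuid -Scope $scope | Out-Null
}

# 4. New subscriptions are handled on creation; existing subscriptions are
#    only fixed by an explicit remediation task.
Start-AzPolicyRemediation -Name 'remediate-defender-servers' `
    -PolicyAssignmentId $assignment.PolicyAssignmentId `
    -ManagementGroupName $mgName

# 5. Check: list subscriptions still non-compliant with this assignment.
Get-AzPolicyState -ManagementGroupName $mgName `
    -Filter "PolicyAssignmentId eq '$($assignment.PolicyAssignmentId)' and ComplianceState eq 'NonCompliant'" |
    Select-Object SubscriptionId, ComplianceState
```

Compliance evaluation runs on a schedule, so step 5 may report stale results until the remediation task and the next evaluation cycle have completed.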


But why does it make sense to enable Microsoft Defender for Cloud plans on subscriptions automatically? To answer that question we need to look at the three pillars of cloud security: Protect, Detect and Respond.


Protection of the cloud environment means hardening the security posture by implementing all proactive security configurations that decrease the likelihood of a compromise of the cloud environment. These proactive actions are described and assessed in Microsoft Defender for Cloud for the Azure environment and make up the overall secure score. As soon as all recommendations are remediated and the Secure Score is at 100%, the Azure environment is hardened and vulnerabilities are remediated to the extent that Microsoft Defender for Cloud can assess them from the data it gathers. The environment is therefore proactively protected, but it needs to be checked iteratively to secure new resources or implement newly recommended security configurations.


When we consider that customers are using a multi-cloud or hybrid cloud strategy, Microsoft Defender for Cloud can assess the security configuration in AWS & GCP as well by using the native Microsoft Defender for Cloud connectors.




Additionally, when a customer wants to assess the security estate of their on-premises environment to get a unified view of their hybrid cloud, Microsoft Defender for Cloud needs to be enabled. It is therefore recommended/necessary for customers with a multi-cloud or hybrid cloud environment to enable Microsoft Defender for Cloud so they can PROTECT their entire cloud environment.


Microsoft Defender for Cloud with “enhanced security off” covers only the first pillar, “protect”, by acting as a proactive Cloud Security Posture Management system for the overall cloud security posture. It therefore makes sense to extend the feature set with solutions that DETECT vulnerabilities and RESPOND to attacks in a timely manner. These features are added by enabling the advanced capabilities of each Microsoft Defender for Cloud plan per resource type.


As a Cloud Workload Protection tool, Microsoft Defender for Cloud delivers not only protection but also strong detection mechanisms across cloud workloads. These are based on advanced security analytics and machine-learning technologies that evaluate events across the entire cloud fabric, enhanced by data from multiple sources such as Microsoft product signals. To secure each resource type as well as possible, Microsoft Defender for Cloud features and detection mechanisms are aligned to the resource types through the defined Microsoft Defender plans per resource type.





Looking at the advanced detection methods of Microsoft Defender for Servers, the goal is to identify compromised virtual machines through behavioral analysis of a virtual machine's event logs. Known patterns of malicious behavior are applied, and as soon as deviations are detected within the logs, an alert is triggered. A good example is “Suspicious process was executed”: a specific process was flagged as malicious by other data sources because attackers used it to access credentials, so Microsoft Defender for Cloud fires an alert as soon as machine logs indicate that the flagged process was running on the machine.




As soon as Microsoft Defender for Cloud detects an attack or threat, it fires security alerts so that they can be responded to. All alerts triggered through the advanced detection mechanisms of Microsoft Defender for Cloud are listed here, structured by resource-type plan. These alerts describe details of the affected resources and suggested remediation steps, and in some cases offer an option to trigger a Logic App in response.


This leads us to the final pillar, response: there are various ways to respond to these alerts with automatic or manual responses within Microsoft Defender for Cloud.




Every security alert within Microsoft Defender for Cloud indicates different approaches to responding to it in the “Take action” tab. It states a manual response by describing the steps to mitigate the threat, and points out the security recommendation that would have protected the resource and prevented the threat from executing. In addition, for many security alerts there are recommended pre-built Logic Apps as an automated response to mitigate the threat. All Logic Apps created to mitigate threats within Microsoft Defender for Cloud can be found here. As soon as a RESPONSE action has been taken within the security alert, it should be marked Dismissed. Responding to alerts is only possible once they have been triggered through Microsoft Defender for Cloud.


This closes the loop: protecting through security configurations, detecting via advanced detection mechanisms, and generating an alert so that it can be responded to manually or through automatic remediation. This makes enabling Defender for Cloud essential to ensure a complete security management system throughout Azure, on-premises and other clouds. For the reasons stated above, Microsoft recommends enforcing the enablement of Defender for Cloud via the newly released Azure policies: “Configure Azure Defender for...”.

This article does not outline the full comparison of Microsoft Defender for Cloud enabled per resource type, which can be found here.


[1] Please make sure that you install all needed agents on the machines you want to secure with Microsoft Defender for Cloud, so that you not only pay for Microsoft Defender for Cloud but also make use of its features. Instructions on how to do this at scale, either through the auto-provisioning feature within Microsoft Defender for Cloud or via policy, can be found here.

[2] As the enablement of Microsoft Defender for Cloud is done at subscription scope, it only makes sense to apply it at Management Group or subscription level.

Version history
Last update: Feb 06 2022 06:48 PM