Microsoft Defender for Cloud Innovations at Ignite 2025
In today’s AI-powered world, the boundaries of security are shifting fast. From code to runtime, organizations are moving faster than ever – building with AI across clouds, accelerating innovation, and expanding the landscape defenders must protect. Security teams are balancing fragmented tools, growing complexity and a new generation of intelligent, agentic systems that learn, adapt and act across the digital estate. The challenge isn’t understanding the change – it’s staying ahead of it. At Ignite 2025, we’re unveiling four major advancements in Microsoft Defender for Cloud that redefine how security keeps pace with cloud-scale innovation and AI autonomy. Together, they advance a simple idea – that security should move as fast as the systems it protects, adapting in real time to new patterns of risk. Defender for Cloud + GitHub Advanced Security integration delivers AI-driven, automated remediation We start where every application does: in the code – and with a major step forward in how security and development teams work together. The pace of development has scaled dramatically. Organizations now build more than 500 new apps 1 on average each year – and as code volume grows, the gap between development and security widens. Working in separate tools with no shared context, developers can’t see which threats security teams prioritize, and security teams can’t easily trace issues back to their source in code. To help organizations address this challenge, Microsoft Defender for Cloud now natively integrates with GitHub Advanced Security (in public preview) – the first native link between runtime intelligence and developer workflows, delivering continuous protection from code to runtime. This bidirectional integration brings Defender for Cloud’s runtime insights directly into GitHub, so vulnerabilities can be surfaced, prioritized, and remediated with AI assistance – all within the developer environment. When Defender for Cloud detects a critical vulnerability in a running workload, developers see exactly where the issue originated in code, how it manifests in production, and the suggestion of how to fix the vulnerability. With Copilot Autofix and GitHub Copilot coding agent capabilities, AI-generated and validated fixes are suggested in real time – shortening remediation cycles from days to hours. For organizations, this integration delivers three tangible benefits: Collaborate without friction. Security teams can open and track GitHub issues directly from Defender for Cloud with context and vulnerability details, ensuring shared visibility between security and development. Accelerate remediation with AI. Copilot-assisted fixes make it faster and safer to resolve vulnerabilities without breaking developer flow. Prioritize what matters most. By mapping runtime threats directly to their source in code, teams can focus on vulnerabilities that are truly exploitable – not just theoretical. Together, security, development, and AI now move as one, finding and fixing issues faster and creating a continuous feedback loop that learns from runtime, feeds insights back into development, and redefines how secure apps and agents get built in the age of AI. Unified posture management and threat protection extends to secure AI Agents The next frontier is securing the AI agents teams create – ensuring protection evolves as fast as the intelligence driving them. IDC projects that organizations will deploy 1.3 billion AI agents by 2028 2 , each capable of reasoning, acting, and accessing sensitive data across multiple environments. As these systems scale, visibility becomes the first challenge: knowing what agents exist, what data they touch, and where risks connect. And with 66% of organizations 3 planning to establish a formal AI risk management function within the next four years, it’s clear that security leaders are racing to catch up with this next evolution. To help organizations stay ahead, Microsoft Defender now provides unified posture management and threat protection for AI agents as a part of Microsoft Agent 365 (in preview). These first-of-its-kind capabilities that secure agentic AI applications across their entire lifecycle. With this innovation, Defender helps organizations secure AI agents in three critical ways: Comprehensive visibility for AI Agents. Gain unified visibility and management of AI agents through Defender, spanning both pro-code and low-code environments from Microsoft Foundry to Copilot Studio. With a single agent inventory, teams can see where agents run and what they connect to – reducing shadow AI and agent sprawl. Risk reduction through posture management. Proactively strengthen AI agents’ security posture with Defender’s posture recommendations and attack path analysis for AI agents. These insights reveal how weak links across agents and cloud resources can form broader risks, helping teams detect and address vulnerabilities before they lead to incidents. Threat protection for AI Agents. Detect, investigate, and respond to threats targeting agentic AI services across models, agents from Microsoft Copilot Studio and Microsoft Foundry, and cloud applications using Defender’s AI-specific detection analytics. These include scenarios like prompt injection, sensitive data exposure, or malicious tool misuse, all enriched with Microsoft’s unmatched threat intelligence for deeper context and faster response. By embedding security into every layer of the agentic AI lifecycle, Defender helps organizations start secure and stay secure. This unified approach ensures that as AI agents evolve and scale, protection scales with them, anchoring the same continuous security foundation that extends across code, cloud, and beyond. Cloud posture management extends to secure serverless resources Defender for Cloud’s unified foundation extends beyond agents – to the cloud infrastructure and platforms that power them – rounding out the protection that scales with innovation itself. That innovation is increasingly running on serverless computing, now a core layer of cloud-native and AI-powered application development. It gives teams the speed and simplicity to deliver faster, but also expands the attack surface across multicloud environments with new exposure points, from unsecured functions to lateral movement risks. To help organizations secure this expanding layer, Microsoft Defender for Cloud is extending its Cloud Security Posture Management (CSPM) to serverless compute and application platforms (available in preview by end of November). With this new coverage, security teams gain greater visibility into serverless compute environments and application platforms, including Azure Functions, Azure Web Apps, and AWS Lambda. Defender for Cloud integrates serverless posture insights into attack path analysis, helping security teams identify and visualize risk, continuously monitor and detect misconfigurations, and find vulnerable serverless resources – further strengthening security posture across the modern application lifecycle. This extension brings serverless computing into the same unified protection model that already secures code, containers, and workloads in Defender for Cloud. As customers modernize with event-driven architectures, Defender for Cloud evolves with them, delivering consistent visibility, control, and protection across every layer of the cloud. Deeper expansion into the Defender Portal turns fragmentation into focus Finally, bringing all the signals security teams depend on into one place requires a single operational hub – a unified security experience that delivers clarity at scale. Yet with 89% of organizations operating across multiple clouds 4 and using an average of 10 security tools to protect them 5 , teams struggle to manage risk across fragmented dashboards and disjointed data – slowing detection and response and leaving blind spots that attackers can exploit. To help security teams move faster and act with clarity, we’re announcing the public preview of unified cloud security posture management into the Microsoft Defender security portal. With Microsoft Defender for Cloud’s deep integration into the unified portal, we eliminate security silos and bring a modern, streamlined experience that is more intuitive and purpose-built for today’s security teams. With this deep integration, Microsoft delivers three key advancements: A new Cloud Security dashboard that unifies posture management and threat protection, giving security teams a complete view of their multicloud environment in one place. Integrated posture capabilities within Exposure Management. Security teams can now see assets, vulnerabilities, attack paths, secure scores, and prioritized recommendations in a single pane of glass, focusing on the issues that matter most. A centralized asset inventory that consolidates resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), enabling posture validation, logical segmentation, and simplified visibility aligned to operational needs. To complement these capabilities, granular role-based access control (RBAC) helps reduce operational risk and simplify compliance across multicloud environments. The Microsoft Defender portal is now the center of gravity for security teams – bringing together cloud, endpoint and identity protection into one connected experience. Looking ahead, customers will soon be able to onboard and secure new resources directly within the Defender portal, streamlining setup and accelerating time to value. Large organizations will also gain the ability to manage multiple tenants from this unified experience as the rollout expands. The Azure portal remains essential for Defender for Cloud personas beyond security teams, such as DevOps. Adding new resource coverage will continue in the Azure portal as part of this transition. We’ll also keep enhancing experiences for IT and operations personas as part of our broader vision, read more on that in the latest news here. Ready to explore more? To learn more about Defender for Cloud and our latest innovations, you can: Join us at Ignite breakout sessions: Secure what matters with a unified cloud security strategy Secure code to cloud with AI infused DevSecOps Secure your applications: Unified Visibility and Posture Management AI-powered defense for cloud workloads Check out our cloud security solution page and Defender for Cloud product page. New IDC research reveals a major cloud security shift – read the full blog to understand what it means for your organization. Start a 30-day free trial. 1: Source: State of the Developer Nation Report 2: Source: IDC Info Snapshot, Sponsored by Microsoft, 1.3 Billion AI Agents by 2028, Doc. #US53361825, May 2025 3: Source: According to KPMG, 66% of firms who don’t have a formalized AI risk management function are aiming to do so in the next 1-4 years. 4: Source: Flexera 2024 State of the Cloud Report 5: Source: IDC White Paper, Sponsored by Microsoft, "THE NEXT ERA OF CLOUD SECURITY: Cloud-Native Application Protection Platform and Beyond", Doc. #US53297125, April 2025Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? AI security posture management is now generally available! Reduce risk to cross cloud AI workloads by discovering generative AI Bill of Materials, strengthen generative AI application security posture and use the attack path analysis to identify risk. Learn more about it here. On-demand malware scanning now in public preview We’re excited to announce the public preview of on-demand malware scanning. Customers can now scan existing files in storage accounts on-demand, which helps customers to gain finer control and customization for critical storage assets. For more details, please refer to our documentation. Blog(s) of the month In November, following Ignite announcements, our team published the following blog posts we'd like to share: Cloud security innovations: strengthening defenses against modern cloud and AI threats New innovations in container security with unified visibility, investigations, and response actions Proactively harden your cloud security posture in the age of AI with CSPM innovations Prevent malware from spreading by scanning cloud storage accounts on-demand Deprecation of “Bring Your Own License” in MDC” GitHub community Learn how to onboard Azure DevOps to Defender for Cloud in our updated lab - Module 14 here. Visit our GitHub page here. Defender for Cloud in the field Refresh your knowledge on securing your AI applications: Secure your AI applications from code to runtime Visit our new YouTube page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring The NBA (National Basketball Association), a global sports and media powerhouse dedicated to growing and celebrating the game of basketball, partnered with Microsoft to address the complexities of scale, and security required for next-generation technologies. With its IT estate in Azure, the NBA leverages Defender for Cloud to provide a single pane of glass on its cloud security posture. Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. This month, we have the following upcoming webinar: DEC 11 Microsoft Defender for Cloud | Exploring the Latest Container Security Updates from Microsoft Ignite DEC 12 Microsoft Defender for Cloud | Future-Proofing Cloud Security with Defender CSPM We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe
Automate DevOps Security in Defender for Cloud Recommendation Remediation
Automate DevOps Security in Defender for Cloud Recommendation Remediation Logic Apps are a workflow automation feature of Microsoft Defender for Cloud in which you can create and run automated workflows that integrate your apps, data, services, and systems. This blog walks through creating a Logic App that you can use to auto-remediate the DevOps security recommendation in Defender for Cloud called “GitHub repositories should have Dependabot scanning enabled” by enabling Dependabot on a GitHub repo. Security Operators will find this Logic App particularly useful because they do not need to be familiar with GitHub or login to GitHub to enable Dependabot scanning. Instead, SecOps can enable Dependabot open source dependency scanning remotely and on numerous repositories by using Logic App automation. Objectives: Create a Logic App to enable Dependabot in GitHub Create a PAT Token and secure it in Azure Key Vault Test the Logic App Prerequisites: Key Vault – for Personal Access Token secret Connector provisioned in MDC to your GitHub Source Code Management System Sample GitHub repository – with Dependabot disabled Create a Logic App to enable Dependabot on a GitHub repo Login to Azure and search for or click Logic Apps Click + Add Choose a Subscription and Resource group Enter a name for your Logic App Under Plan, choose Consumption Click Review + create Click Create Go to the Logic App you created and click Logic app designer in the left menu Click Blank Logic App In the search box, type Recommendation Choose When a Microsoft Defender for Cloud Recommendation is created or triggered Click + New step Type variable in the search box Choose Initialize variable For Name, type repo_name For Type, choose String Click + New step Type variable in the search box Choose Initialize variable For Name, type owner For Type, choose String Click + New step Type variable in the search box Choose Set variable For Name, choose repo_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),12)) and click OK Click + New step Type variable in the search box Choose Set variable For Name, choose owner from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),10)) and click OK For this Logic App to execute securely, you need a Personal Access Token (PAT) to use in the API request. Follow the steps here in the GitHub documentation to create a PAT: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token Important: The PAT needs permissions to enable Dependabot—which requires Full control of private repositories After you create a PAT, this should be stored in a Key Vault to keep it secure and accessible by the Logic App. Add the PAT as a secret to your Key Vault. Click Save on the Logic App canvas. Navigate back to the Logic App Click Identity On the System assigned tab, set status to On Click Save, then Yes Click Azure role assignments Click + Add role assignment In Scope, choose Key Vault. In Subscription, choose the subscription with your Key Vault. In Resource, select the Key Vault. In Role, choose Key Vault Reader Click Save Navigate back to the Logic App Click Identity On the System assigned tab, copy the Object (principal) ID Navigate to your Key Vault Click Access policies Click + Create In the Secret permissions list, tick Get and List Click Next Paste the Object (principal) ID that you copied earlier in the Search by box Click the Identity and click Next Click Next, then click Create Click Add, then click Save Navigate back to the Logic App Click Edit to go to the Logic Apps Designer Click + New step Type key vault in the search box Choose Azure Key Vault, click Get secret Click Connect with managed identity Type a Connection name, then type your Key Vault name in the Vault name box Click Create Choose your secret from the Name of the secret dropdown list Click + New step Type HTTP in the search box and click HTTP In Method, choose PUT. In URI, type https://api.github.com/repos///vulnerability-alerts. Put your cursor after repos/ and in the dynamic content click owner Move after the next / and click repo_name from the dynamic content In Headers, for Enter key type Accept and for Enter value type application/vnd.github+json In Headers, for Enter key type Authorization and for Enter value type token <space> click Value in the dynamic content Your HTTP step should now look like the following: Click Save to save the workflow Your no code Logic App is now complete and needs to be tested. Test the Logic App Navigate to Microsoft Defender for Cloud Click Recommendations Expand Enable enhanced security features, click GitHub repositories should have Dependabot enabled Expand Affected resources, tick a GitHub repository Click Trigger logic app In the Selected subscription dropdown, choose the Subscription that contains the Logic App Tick the box next to the Logic app Click Trigger Now let’s verify that Dependabot has been enabled Navigate to the GitHub repository that did not have Dependabot enabled Click Settings Click Code security and analysis You should now see that Dependabot alerts is enabled Conclusion To review, we’ve walked through creating a Logic App to auto-remediate the MDC recommendation: “GitHub repositories should have Dependabot scanning enabled” by enabling Dependabot on a GitHub repo. This helps harden the security on your organization’s GitHub repositories and provides Security Operators with visibility into your organization’s open source dependencies via Dependabot scanning findings. Additional Resources To learn more about DevOps security, read this documentation Download (free) a special Appendix about DevOps security from the latest Microsoft Defender for Cloud book published by Microsoft Press To learn how to onboard your GitHub Source Code Management System to Defender for Cloud, read this documentation for GitHubAutomate SecOps to Developer Communication with DevOps Security in Defender for Cloud
Automate SecOps to Developer Communication with DevOps Security in Defender for Cloud Logic Apps are a workflow automation feature of Microsoft Defender for Cloud (MDC) in which you can create and run automated workflows that integrate your apps, data, services, and systems. Customer feedback has been loud and clear—Security Teams need more efficient and effective ways to communicate directly with Development Teams about discovered security findings. This blog walks through creating a Logic App that Security Teams can use to automate communication of discovered security issues to Development Teams. The Logic App creates a Work Item in Azure DevOps (ADO) containing repository location, description, and remediation information from DevOps security in Defender for Cloud Recommendations that Developers can use to remediate the discovered security issue. Security Operators will find this Logic App particularly useful because they do not need to be familiar with Azure DevOps or even to login to Azure DevOps to create a Work Item for their Developers. Instead, SecOps can trigger a Logic App on an affected repository and create a Work Item for a Development Team to triage and remediate. Objectives: Create a Logic App to create an Azure DevOps work item from an MDC Recommendation Test the Logic App Prerequisite: Connector provisioned in MDC to your Source Code Management System (such as Azure DevOps or GitHub) Create a Logic App to Create an ADO Work Item Login to Azure and search for or click Logic Apps Click + Add Choose a Subscription and Resource group Enter a name for your Logic App Under Plan, choose Consumption Click Review + create Click Create Go to the Logic App you created and click Logic app designer in the left menu Click Blank Logic App In the search box, type Recommendation Choose When a Microsoft Defender for Cloud Recommendation is created or triggered Click + New step Type variable in the search box Choose Initialize variable For Name, type org_name For Type, choose String Click + New step Type variable in the search box Choose Initialize variable For Name, type project_name For Type, choose String Click + New step Type variable in the search box Choose Initialize variable For Name, type repo_name For Type, choose String Click + New step Type variable in the search box Choose Set variable For Name, choose org_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),10)) and click OK Click + New step Type variable in the search box Choose Set variable For Name, choose project_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),12)) and click OK Click + New step Type variable in the search box Choose Set variable For Name, choose repo_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),14)) and click OK Click + New step Type azure devops in the search box Click Create a work item Click Sign in Click Accept to allow the App request for the Logic App to write to Azure DevOps For Organization Name, click in the box, click Enter custom value In the Add dynamic content flyout, click org_name For Project name, click Enter custom value In the Add dynamic content flyout, click project_name For Work Item Type, type task For Title, click in the box, type the title of the work item you want to create for your Developers, such as: A security issue needs to be remediated from the following repo: In the Add dynamic content flyout, click repo_name For Description, type Description: In the Add dynamic content flyout, click Properties Metadata Description, then hit enter twice Type Remediation steps: then hit enter In the Add dynamic content flyout, click Properties Metadata Remediation Description Your Logic App should now look like the following: Your no code Logic App is now complete and needs to be tested. Test the Logic App Navigate to Microsoft Defender for Cloud Click Recommendations Expand Remediate vulnerabilities, click Code repositories should have secret scanning findings resolved Expand Affected resources, tick an Azure DevOps repository Click Trigger logic app In the Selected subscription dropdown, choose the Subscription that contains the Logic App Tick the box next to the Logic app Click Trigger Now let’s verify that your work item has been created Login to Azure DevOps and navigate to the Project with the repository you tested Click Boards, then click Work items to see the work item that you created Your work item should look similar to the following work item: Conclusion To review, we’ve walked through creating a Logic App that creates a Work Item in Azure DevOps to communicate with Developers so they can remediate security findings discovered by Microsoft Defender for Cloud. This Logic App can be executed on any Azure DevOps repository. It injects the location, description, and remediation steps in the Work Item description body so that Developers can quickly find and fix the security issue. This helps Security Operators automate communication with Developers by creating a Work Item that the Development Team can then prioritize in their Sprint Planning sessions. Additional Resources To learn more about DevOps security in Defender for Cloud, read this documentation Download (free) a special Appendix about DevOps security in Defender for Cloud from the latest Microsoft Defender for Cloud book published by Microsoft Press To learn how to onboard your Azure DevOps Source Code Management System to Defender for Cloud, read this documentation for Azure DevOps
