
Microsoft SC200 Certification - Microsoft Defender for Cloud

  • brencronin
  • 2 days ago
  • 10 min read

Updated: 1 hour ago

Microsoft Defender for Cloud: An Overview


In November 2021, Azure Defender and Azure Security Center were rebranded as Microsoft Defender for Cloud, bringing together security management and threat protection into a unified platform. This solution is designed to enhance visibility, security posture, and threat protection across multi-cloud and hybrid environments.


Core Components of Microsoft Defender for Cloud


  1. Cloud Workload Protection Platform (CWPP) – Focuses on securing cloud workloads by protecting virtual machines, containers, and other cloud-based resources.

  2. Cloud Security Posture Management (CSPM) – Helps strengthen and manage cloud security posture, identifying misconfigurations and enforcing best practices.

  3. DevSecOps – Unifies DevOps security management, integrating security into the development lifecycle to minimize vulnerabilities in cloud-native applications.


Multi-Cloud Security & Expanding Capabilities


Microsoft Defender for Cloud extends beyond Azure, covering AWS, Google Cloud, and on-premises machines connected through Azure Arc. Part of that multicloud coverage is Cloud Infrastructure Entitlement Management (CIEM): discovering identities and the permissions they actually hold across clouds, and driving them toward least privilege so a compromised account has a smaller blast radius. Much of Microsoft's CIEM capability was delivered through Microsoft Entra Permissions Management. Microsoft has announced that Entra Permissions Management is retired as of October 1, 2025; the core CIEM functions (centralized multicloud identity discovery, permissions gap analysis, and inactive identity tracking) carry on inside the Defender CSPM plan of Defender for Cloud.


Additionally, Microsoft Defender for Cloud is Microsoft's Cloud-Native Application Protection Platform (CNAPP). CSPM is one pillar of a CNAPP, not a synonym for it: CNAPP unifies CSPM, CWPP, CIEM, and DevOps security into a single platform, giving end-to-end protection for cloud-native applications and the infrastructure they run on.


Defender for Cloud notes as related to the SC-200


It’s essential to differentiate between Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps, as they serve distinct security functions:


  • Microsoft Defender for Cloud focuses on infrastructure security, providing security posture management and threat protection for cloud workloads.

  • Microsoft Defender for Cloud Apps, part of Microsoft Defender XDR, is designed for SaaS application security, offering visibility, monitoring, and access control over cloud applications.


SC-200 Exam Focus: Defender for Cloud & Sentinel Integration


As of this writing, the SC-200 exam emphasizes the Cloud Workload Protection Platform (CWPP) side of Microsoft Defender for Cloud, together with connecting non-Azure environments (AWS and GCP) to it.


Microsoft Sentinel also plays a critical role in monitoring cloud workloads: the Defender for Cloud data connector brings CWPP alerts (and, optionally, incidents) into Sentinel for centralized detection and response alongside the rest of the SIEM data. This overlap is why both Defender for Cloud and Sentinel need to be understood for the SC-200.


Cloud Workload Protection Platform (CWPP)


Defender for Cloud's CWPP protects workloads wherever they run: physical servers, virtual machines, serverless functions, and containers. Protection is enabled per resource type as individual Defender plans, and each plan is a detection source that feeds alerts into Defender for Cloud. The plans that make up CWPP include:


  • Microsoft Defender for Servers (Plan 1 and Plan 2)

  • Microsoft Defender for Storage

  • Microsoft Defender for Containers

  • Microsoft Defender for Databases (Azure SQL, SQL servers on machines, open-source relational databases, Azure Cosmos DB)

  • Microsoft Defender for App Service

  • Microsoft Defender for Key Vault

  • Microsoft Defender for Resource Manager

  • Microsoft Defender for APIs

  • Microsoft Defender for DNS (no longer available as a standalone plan for new subscriptions since August 2023; its detections are included in Defender for Servers Plan 2)

  • Microsoft Defender for IoT


A crucial aspect of Defender for Cloud is its role within the cloud shared responsibility model, which is a core concept in any cloud security framework. This model defines the division of security responsibilities between cloud providers and customers, depending on whether the service is Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).


While Microsoft Defender for Cloud enhances security by protecting cloud resources, it cannot compensate for weak access controls or compromised endpoints. Regardless of the cloud model, you remain responsible for securing:


  • Data – Safeguarding and managing sensitive information.

  • Endpoints – Protecting devices that access cloud resources.

  • Accounts – Monitoring and securing user identities.

  • Access Management – Enforcing authentication and permissions.


Additionally, you are responsible for on-premises resources and any cloud-managed components under your control, which vary based on the cloud service model. Understanding these responsibilities is critical to effectively leveraging Microsoft Defender for Cloud and maintaining a strong security posture across hybrid and multi-cloud environments.

Managing Cloud Resource Instrumentation with CWPP in Microsoft Defender for Cloud


Azure provides multiple mechanisms for managing and securing cloud resources, which can sometimes be confusing. Many of these components are tools for managing resources and virtual machines and not specifically security tools. A key component in instrumenting Azure Virtual Machines (VMs) for security configuration and telemetry collection is the Azure Monitor Agent (AMA). This agent collects monitoring data from both Azure and hybrid environments and integrates with Microsoft Sentinel and Microsoft Defender for Cloud.


Key Azure Components for Virtual Machines


  • Azure Monitor Agent (AMA) – Collects security logs, performance metrics, and other telemetry from Azure and non-Azure machines and sends them to Azure Monitor (Log Analytics) according to its Data Collection Rules. It replaces the legacy Log Analytics agent (MMA) and can be deployed with PowerShell, Azure CLI, or Azure Resource Manager (ARM) templates.

  • Azure Lighthouse – Enables multi-tenant management of workspaces and Azure resources across multiple Microsoft Entra ID (formerly Azure Active Directory) tenants, improving scalability, automation, and governance for service providers and large organizations.

  • Azure Resource Manager (ARM) – The control plane and deployment layer for Azure: every create, update, or delete of a resource goes through ARM, which is also why Defender for Resource Manager watches it.

  • Azure VM extensions – Small applications that run on a VM after deployment for configuration, automation, and management; the AMA is itself delivered as an extension (AzureMonitorWindowsAgent / AzureMonitorLinuxAgent).

  • Azure Arc – Extends Azure management and governance to on-premises and other-cloud machines by projecting them as Azure resources, so the same extensions, policies, and DCRs apply to them.


Deploying and Configuring the Azure Monitor Agent (AMA)


To collect security events and telemetry, the AMA must be installed on the machine and told what to collect. Key steps include:


  1. Allowing the required HTTPS endpoints through firewalls and proxies. The agent needs outbound TCP 443 to the control-plane endpoints global.handler.control.monitor.azure.com and <region>.handler.control.monitor.azure.com, and to the ingestion endpoint <workspace-id>.ods.opinsights.azure.com for each Log Analytics workspace it sends to. Without these, the agent cannot fetch its configuration or deliver data.

  2. Defining Data Collection Rules (DCRs):

    • A DCR defines what data to collect (for example, Windows Security events filtered by an XPath query), how to transform it, and which Log Analytics workspace to send it to.

    • The collected data is what gives Defender for Cloud and Sentinel visibility into missing updates, misconfigured OS security settings, firewall status, and endpoint protection state.

    • DCRs are used for all compute resources: VMs, VM scale sets, IaaS containers, and non-Azure machines connected through Azure Arc.

  3. Installing the AMA extension using one of several methods:

    • PowerShell (Set-AzVMExtension) or Azure CLI (az vm extension set)

    • ARM or Bicep templates for automated, repeatable deployments

    • Creating a DCR in the Azure Monitor portal and adding the VM as a resource, which installs the agent and creates the association in one step

    • Azure Policy, for installing the agent and associating DCRs at scale

  A DCR does nothing until it is associated with the machine; the association is a separate resource, and the agent pulls its configuration from the DCRs associated with it.
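The procedure above, carried out end to end with Az PowerShell, as an added example (this is not code from the original post). It installs the AMA extension, deploys a DCR that collects a filtered set of Windows Security events into a Log Analytics workspace, and associates the DCR with the VM. The resource group, VM name, region, workspace resource ID, and event ID list are assumptions for illustration; the extension publisher/type names, the DCR resource schema, and the cmdlets are the real ones.

```powershell
# Added example (not from the original post): instrument a Windows VM for
# Defender for Cloud / Sentinel with Az PowerShell (Az.Accounts, Az.Compute,
# Az.Resources; Connect-AzAccount already run). Names below are placeholders.
$rg        = "rg-sc200-lab"     # assumed resource group
$vmName    = "vm-win-01"        # assumed VM name
$location  = "eastus"           # assumed region
$workspace = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sc200-lab/providers/Microsoft.OperationalInsights/workspaces/law-sc200"  # assumed workspace
$dcrName   = "dcr-security-events"

# 1. AMA needs a managed identity on the VM; add a system-assigned one if absent,
#    then install the extension with automatic upgrades enabled.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if (-not $vm.Identity -or $vm.Identity.Type -notmatch "SystemAssigned") {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
}
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name "AzureMonitorWindowsAgent" -Publisher "Microsoft.Azure.Monitor" `
    -ExtensionType "AzureMonitorWindowsAgent" -TypeHandlerVersion "1.0" `
    -EnableAutomaticUpgrade $true | Out-Null

# 2. DCR + association as an ARM template built in memory. Collecting a chosen
#    set of event IDs instead of "Security!*" keeps ingestion cost down:
#    4624/4625 logon success/failure, 4688 process creation, 4720 user created,
#    4732 member added to a local group. (Assumed list; tune to your detections.)
$xpath = "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4732)]]"
$template = @{
    '$schema'      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    resources      = @(
        @{
            type       = "Microsoft.Insights/dataCollectionRules"
            apiVersion = "2022-06-01"
            name       = $dcrName
            location   = $location
            kind       = "Windows"
            properties = @{
                # what to collect
                dataSources  = @{ windowsEventLogs = @(
                    @{ name = "securityEvents"; streams = @("Microsoft-SecurityEvent"); xPathQueries = @($xpath) }
                ) }
                # where to send it
                destinations = @{ logAnalytics = @( @{ name = "law"; workspaceResourceId = $workspace } ) }
                # which streams flow to which destination
                dataFlows    = @( @{ streams = @("Microsoft-SecurityEvent"); destinations = @("law") } )
            }
        },
        @{
            # The association binds the DCR to the VM; AMA then pulls its config from it.
            type       = "Microsoft.Insights/dataCollectionRuleAssociations"
            apiVersion = "2022-06-01"
            name       = "$($dcrName)-assoc"
            scope      = "Microsoft.Compute/virtualMachines/$vmName"
            dependsOn  = @("[resourceId('Microsoft.Insights/dataCollectionRules', '$dcrName')]")
            properties = @{ dataCollectionRuleId = "[resourceId('Microsoft.Insights/dataCollectionRules', '$dcrName')]" }
        }
    )
}
New-AzResourceGroupDeployment -ResourceGroupName $rg -Name "ama-dcr-$vmName" -TemplateObject $template | Out-Null

# 3. Verify the extension provisioned; events should appear in SecurityEvent
#    in the workspace within a few minutes.
(Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name "AzureMonitorWindowsAgent").ProvisioningState
```

The same DCR can be associated with many machines, so in practice you create it once per workspace and only step 1 and the association repeat per VM (or hand both to Azure Policy).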


Testing AMA Configuration with Security Alerts


Once a VM is instrumented, you can confirm that alerts flow end to end by simulating a malware detection with the EICAR test file:


  • Download the test file from eicar.org, or, if direct download is blocked, create a text file containing exactly the following 68-character string (plain ASCII, nothing else in the file):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Saving the file is enough; it does not need to be executed. Defender Antivirus quarantines it and Defender for Servers raises a security alert in Defender for Cloud, which confirms that endpoint protection is working on the VM and that alerts reach the portal (and Sentinel, if the Defender for Cloud connector is enabled there). Note that the alert comes from Defender for Servers' endpoint protection integration, not from the AMA; the AMA's role is carrying the event telemetry that Sentinel analytics rules query.
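As an added example (not from the original post), the following script creates the EICAR file on the VM and then polls Defender Antivirus for the detection. The file path is an assumption; the two-part string assembly and ASCII encoding are the points worth noting, since Out-File in Windows PowerShell 5.1 writes UTF-16 with a BOM, which does not match the signature.

```powershell
# Added example (not from the original post): drop an EICAR test file on an
# instrumented Windows VM and confirm Defender Antivirus caught it.
# Run in an elevated PowerShell session on the VM itself.
function New-EicarTestFile {
    param([string]$Path = "$env:TEMP\eicar.txt")   # assumed location
    # Assembled from two halves so this script is not itself flagged at rest.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    # Must be exactly the 68 ASCII bytes: WriteAllText with ASCII encoding, no BOM,
    # no trailing newline. Out-File / Set-Content defaults would break the match.
    [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    return $Path
}

function Test-EicarDetection {
    param([string]$Path, [int]$TimeoutSeconds = 60)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Real-time protection normally quarantines the file within seconds and
        # records it in the local detection history.
        $hit = Get-MpThreatDetection | Where-Object {
            ($_.Resources -match [regex]::Escape($Path)) -and
            ($_.InitialDetectionTime -gt (Get-Date).AddMinutes(-5))
        }
        if ($hit) {
            return $hit | Select-Object ThreatID, InitialDetectionTime, Resources, ProcessName
        }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    Write-Warning "No detection recorded; check real-time protection with Get-MpComputerStatus."
}

$file = New-EicarTestFile
Test-EicarDetection -Path $file
```

A local hit here proves the antivirus side; the Defender for Cloud alert and, if connected, the Sentinel incident typically follow within a few minutes and are the part to check next.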

By properly configuring Azure Monitor Agent (AMA), Data Collection Rules (DCRs), and security integrations, organizations can strengthen their cloud security posture and proactively detect potential threats across their Azure environments.


Defender for Cloud Alerting


Microsoft Defender for Cloud generates security alerts that can be monitored and managed through two primary portals:


  • Azure portal (Defender for Cloud blade) – Used for full configuration and management of Defender for Cloud.

In the Azure portal, within Defender for Cloud, you can review and manage security policies to ensure compliance and best practices. The three main policy types are:


  1. Microsoft Cloud Security Benchmark (MCSB) – Microsoft's recommended security best practices for cloud environments, assigned by default to every onboarded subscription.

  2. Regulatory Compliance Standards – Predefined frameworks such as the CIS benchmarks, NIST SP 800-53, PCI DSS, and other industry standards.

  3. Custom Standards – User-defined security policies tailored to specific organizational needs.


These policies define the recommendations Defender for Cloud assesses; with them organizations enforce security controls, track compliance, and improve their security posture.

  • The Security Admin role in Microsoft Defender for Cloud is responsible for managing security permissions and configurations. It includes all the permissions of the Security Reader role but with additional capabilities to:

    • Modify security policies

    • Manage alerts, including creating suppression rules

  • In contrast, the Owner role has full administrative control over all resources within a subscription, allowing complete management of security settings and other configurations.


  • Defender XDR Portal – Security incidents and alerts from Defender for Cloud may also appear in the Defender XDR portal, categorized under Detection Sources in the Incidents & Alerts section.


Additional Notes on Defender for Cloud Alerting


  • Email Notifications: Defender for Cloud can be configured to send email alerts, but the frequency depends on alert severity:

    • High-severity alerts: One email every 6 hours

    • Medium-severity alerts: One email every 12 hours

    • Low-severity alerts: One email every 24 hours

  • Workflow Automation: You can automate responses to security alerts, recommendations, and compliance changes using Logic Apps in Defender for Cloud.

    • Example: If you want an alert to trigger an email notification to a specific user, you must first configure the Logic App to handle the alerting workflow.


Azure Key Vault Security and Defender for Key Vault


Azure Key Vault Overview


Azure Key Vault enables applications and users to securely store and manage sensitive information, including keys, secrets, and certificates, collectively known as "objects."


Microsoft Defender for Key Vault


Defender for Key Vault enhances security by detecting and alerting on suspicious or potentially harmful access attempts. This built-in protection helps mitigate threats without requiring third-party security monitoring solutions.

When anomalous activity is detected, Defender for Key Vault generates security alerts and can optionally send email notifications to relevant team members.


Key Defender for Key Vault Alerts

Some critical security alerts generated by Defender for Key Vault include:


  • Suspicious Access Attempts:

    • Access from a suspicious IP address

    • Access from a Tor exit node (Microsoft suggests validating this alert by accessing the Key Vault through the Tor Browser)

    • Denied access from a suspicious IP

    • Unusual access from a non-Microsoft or external IP

  • Unusual Activity & Operations:

    • High volume of operations in a Key Vault

    • Suspicious policy changes and secret queries

    • Unusual operation patterns in a Key Vault

    • Unusual user or application access to a Key Vault

    • Unusual user-application pair accessing a Key Vault

  • Unauthorized Access Attempts:

    • Unusual access denied – A user accessing a high volume of Key Vaults was denied

    • Unusual user attempted access and was denied


Mitigating Unauthorized Access with the Key Vault Firewall

If you receive an alert about unauthorized access attempts or activity from suspicious IP addresses, you should enable the Azure Key Vault firewall to restrict unauthorized connections.


Key Vault Firewall Configuration


By default, new Key Vaults have the firewall disabled, meaning all applications and Azure services can send requests to them. However, this does not grant all users permission to access secrets, keys, or certificates—authentication via Microsoft Entra ID and proper access policies are still required.


When enabling the Key Vault Firewall, you can choose to:

  • Allow Trusted Azure Services to bypass the firewall. (Note: This does not include all Azure services.)

  • Manually add specific services' IP addresses to the firewall allowlist—ideal for services with static IPs or well-defined ranges.


Enabling the Key Vault firewall strengthens security by blocking unauthorized attempts while ensuring approved services and applications can continue to function.
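As an added example (not from the original post), the script below does what this section and the alert list above call for: it first reviews seven days of Key Vault callers from the vault's AuditEvent diagnostics, flags successful callers that fall outside the planned allowlist (the ones a deny-by-default firewall would break), and only then applies the firewall with the trusted-services bypass. The vault name, workspace ID, and CIDR ranges are assumptions; the cmdlets, the AzureDiagnostics columns, and the KQL function are real.

```powershell
# Added example (not from the original post): review who is calling a Key Vault,
# then turn on the firewall with deny-by-default and an explicit allowlist.
# Requires Az.KeyVault and Az.OperationalInsights, Connect-AzAccount already run,
# and a diagnostic setting sending the vault's AuditEvent logs to the workspace.
# All names and addresses below are placeholders.
$vaultName   = "kv-sc200-lab"
$workspaceId = "00000000-0000-0000-0000-000000000000"   # Log Analytics workspace ID (assumed)
$allowedCidr = @("203.0.113.0/24", "198.51.100.7/32")   # assumed corporate egress ranges

# 1. Seven days of callers, how many of their requests were denied, and whether
#    each caller is inside the planned allowlist. ipv4_is_in_any_range() does the
#    CIDR math in Kusto so nothing has to be parsed client-side.
$rangeList = ($allowedCidr | ForEach-Object { '"' + $_ + '"' }) -join ", "
$kql = @"
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where Resource =~ "$vaultName"
| summarize Requests = count(),
            Denied   = countif(ResultSignature in ("Forbidden", "Unauthorized")),
            Ops      = make_set(OperationName, 10)
      by CallerIPAddress
| extend InAllowlist = ipv4_is_in_any_range(CallerIPAddress, $rangeList)
| order by Requests desc
"@
$callers = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results
$callers | Format-Table CallerIPAddress, Requests, Denied, InAllowlist, Ops -AutoSize

# 2. Anything that succeeded from outside the allowlist will break once
#    DefaultAction is Deny (unless it is a trusted Azure service). Review these
#    first: extend $allowedCidr, move the workload onto a VNet rule, or accept it.
$wouldBreak = $callers | Where-Object {
    [string]$_.InAllowlist -ne "True" -and [int]$_.Denied -lt [int]$_.Requests
}
if ($wouldBreak) {
    Write-Warning "Successful callers outside the allowlist:"
    $wouldBreak | Format-Table CallerIPAddress, Requests, Ops -AutoSize
}

# 3. Apply the firewall. Bypass=AzureServices keeps the trusted-services list
#    working; every other caller must match an IP rule (or a VNet rule, not used here).
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -DefaultAction Deny `
    -Bypass AzureServices -IpAddressRange $allowedCidr

# 4. Confirm the effective rule set.
(Get-AzKeyVault -VaultName $vaultName).NetworkAcls |
    Format-List DefaultAction, Bypass, IpAddressRanges, VirtualNetworkResourceIds
```

Step 2 is the part people skip: the firewall is an allowlist, so a forgotten CI runner or a function app without a VNet integration stops working the moment DefaultAction flips to Deny, and the resulting "Forbidden" entries will themselves show up as Defender for Key Vault denied-access alerts.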


Azure Storage Explorer & Defender for Storage Security


Azure Storage Explorer


Azure Storage Explorer is a free, cross-platform GUI tool designed to manage Azure Storage resources, including:


  • Storage accounts

  • Blobs

  • Files

  • Queues

  • Tables


It simplifies operations like uploading, downloading, copying, moving, and deleting data across storage accounts.


Defender for Storage Overview


Microsoft Defender for Storage enhances security by continuously analyzing data plane and control plane telemetry from Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. It leverages:


  • Microsoft Threat Intelligence

  • Microsoft Defender Antivirus

  • Sensitive data discovery


Key Threat Detections in Defender for Storage


Defender for Storage monitors activity and alerts on potential threats, including:


  • Activity Monitoring – Tracks unauthorized or suspicious access attempts

  • Sensitive Data Threat Detection – Identifies threats targeting sensitive files

  • Malware Scanning – Detects malicious content within storage


Limitations of Defender for Storage


While Defender for Storage continuously monitors Blob Storage and Azure Files, it does not track activity for Queues and Tables. If monitoring a storage account, alerts will only apply to containers and file shares, not queues or tables.


Automating Responses to Security Threats


If you need to take action when a suspicious IP accesses a sensitive storage account, you can:


  1. Build a Logic App that performs the response (for example, tightening the storage account's network rules, rotating access keys, or opening a ticket), using the Defender for Cloud alert trigger so it receives the alert payload, including entities such as the caller IP.

  2. Create a workflow automation in Defender for Cloud (workflow automation is a Defender for Cloud feature, not a setting inside the Defender for Storage plan) scoped to the subscription and filtered to Defender for Storage alerts by name or severity.

  3. Point the automation at the Logic App so each matching alert invokes it.


This automation ensures near-real-time mitigation, helping protect your critical storage resources from unauthorized access.


Just-In-Time (JIT) VM Access


Microsoft Defender for Cloud provides Just-In-Time (JIT) VM access to restrict inbound traffic to your virtual machines, reducing the attack surface while still allowing secure, time-limited access when needed.


  • Requires Defender for Servers Plan 2 on the subscription

  • Adds "deny all inbound" rules for the protected management ports in the VM's Network Security Group (NSG) and, where used, Azure Firewall; an approved request inserts a higher-priority allow rule for the requester's source address, which is removed when the window expires

  • Protects management ports (typically RDP 3389, SSH 22, WinRM 5985/5986) from unauthorized access

  • The recommendation "Management ports of virtual machines should be protected with just-in-time network access control" lists VMs without JIT as unhealthy

  • Configured per VM; the policy is a Microsoft.Security/jitNetworkAccessPolicies resource in the VM's resource group, and users need read and initiate permissions on it to request access
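The JIT lifecycle with Az.Security, as an added example (not from the original post): define the policy (which ports, how long a window may be, which source addresses), request a window for one port from one address, then list the open requests. The subscription, resource group, VM, region, and admin address are assumptions; the cmdlets and the policy/request object shapes are the documented ones.

```powershell
# Added example (not from the original post): enable JIT on a VM with Az.Security,
# then request a time-boxed RDP window from one source address.
# Requires Defender for Servers Plan 2 on the subscription and Connect-AzAccount.
$sub      = "00000000-0000-0000-0000-000000000000"   # assumed subscription
$rg       = "rg-sc200-lab"                           # assumed resource group
$vmName   = "vm-win-01"                              # assumed VM
$location = "eastus"                                 # assumed region
$vmId     = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"
$adminIp  = "198.51.100.7"                           # assumed admin egress address

# 1. Policy: ports JIT governs, the longest window a request may ask for, and the
#    sources allowed to ask. Scoping allowedSourceAddressPrefix to a known range
#    instead of "*" means a stolen token alone cannot open the port from anywhere.
$policy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @($adminIp); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @($adminIp); maxRequestAccessDuration = "PT1H" },
        @{ number = 5985; protocol = "TCP"; allowedSourceAddressPrefix = @($adminIp); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($policy) | Out-Null

# 2. Request: open 3389 from the admin's address for one hour. endTimeUtc may
#    not exceed the policy's maxRequestAccessDuration for that port.
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
            allowedSourceAddressPrefix = @($adminIp)
        }
    )
}
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# 3. Audit: requests currently recorded against this policy and their status.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name "default").Requests |
    ForEach-Object { $_.VirtualMachines.Ports } |
    Select-Object Number, AllowedSourceAddressPrefix, EndTimeUtc, Status
```

While the request is active the NSG carries a temporary allow rule ahead of the JIT deny rule; when EndTimeUtc passes the rule is removed and the port is closed again without anyone having to remember to do it.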


Privileged Access Workstation (PAW)


A Privileged Access Workstation (PAW) is a hardened, dedicated device designed for high-security administrative tasks such as managing directory services, servers, or sensitive systems. PAWs minimize the attack surface by isolating privileged activities from daily-use environments, reducing the risk of credential theft and malware attacks. 


Cloud Security Posture Management (CSPM) Overview:


CSPM enhances cloud security by providing visibility, continuous assessment, and hardening guidance to improve the security posture of your Azure, AWS, and GCP resources. Microsoft Defender for Cloud continuously evaluates these resources against security benchmarks, issuing recommendations to remediate risks.

By default, the Microsoft Cloud Security Benchmark (MCSB) is assigned, and organizations can add other compliance standards as needed. CSPM covers IaaS and PaaS resources across the connected clouds, automating monitoring, risk detection, and remediation of misconfigurations.


CSPM Plans


1. Foundational CSPM (Free, Enabled by Default)


Automatically included when onboarding subscriptions or accounts to Defender for Cloud, offering:


  • Asset inventory & Secure Score analysis

  • Infrastructure as Code (IaC) security (ARM, Bicep, Terraform, CloudFormation)

  • Application security posture visibility

  • Basic remediation & automation

  • Data export & built-in reporting


2. Defender CSPM (Paid, Advanced Capabilities)


Enhances security posture management with AI-driven insights, risk prioritization, and deeper visibility, including:


  • Agentless vulnerability scanning

  • Data-aware security posture management

  • Governance & compliance management

  • Contextual risk analysis & attack path visualization

  • Integrated data insights & advanced remediation tools

  • Regulatory compliance monitoring & industry benchmarks


Azure DevOps Security in Defender for Cloud


Defender for Cloud's DevOps security applies DevSecOps principles by unifying security management at the code level across multicloud and multi-pipeline environments. It protects applications from code to cloud across Azure DevOps, GitHub, and GitLab, and security teams can correlate DevOps security findings (exposed secrets, vulnerable dependencies, insecure IaC templates) with cloud security insights to prioritize remediation.


Key Steps to Implement DevOps Security in Defender for Cloud


  1. Configure the Microsoft Security DevOps (MSDO) extension


  • Runs as a pipeline task (Azure DevOps extension or GitHub Action) that wraps open-source scanners for code, dependencies, containers, and IaC templates

  • Publishes the scan results to Defender for Cloud so repository and pipeline findings appear as recommendations


  2. Set up the connector with OAuth


  • In Environment settings, the Azure DevOps or GitHub connector is authorized through OAuth, establishing the trusted connection between the DevOps organization and Defender for Cloud


  3. Assign the right roles


  • Creating the connector requires Contributor on the Azure subscription and Security Admin in Defender for Cloud, plus Project Collection Administrator (Azure DevOps) or organization owner (GitHub) rights to authorize the app


Defender for Cloud: Protecting AWS and GCP Workloads


Microsoft Defender for Cloud extends security protections beyond Azure to cover hybrid environments, including on-premises, AWS, and Google Cloud (GCP). To enable protection for AWS or GCP workloads, a cloud connector must be deployed to establish integration.


Defender for Cloud in AWS


Extend Security with Cloud Security Posture Management (CSPM)


  • CSPM evaluates AWS resources against AWS-specific security recommendations.

  • Findings are reflected in Secure Score, helping to identify misconfigurations and security risks.


Use the Environment Settings Blade in Defender for Cloud


  • Adds AWS as an integrated environment, creating a cloud connector for agentless security assessment.


To onboard AWS accounts into Defender for Cloud, follow these steps:


  1. Deploy the AWS CloudFormation Template


  • The connector wizard generates a CloudFormation template; running it in the AWS account creates the IAM roles and trust relationship that let Defender for Cloud read the account's configuration and, for the workload plans, deploy Azure Arc and the required agents.


  2. Enable Microsoft Defender for Cloud Across the AWS Regions in Use


  • Ensures security monitoring covers every region where resources are deployed, not just the default region.


