Microsoft Defender for Cloud: Configuration Best Practices
Get the most from Microsoft Defender for Cloud with expert configuration, policy management, and alert handling best practices.
Microsoft Defender for Cloud is one of the most powerful tools in your Azure security arsenal, but many organisations barely scratch the surface of its capabilities. This guide covers the best practices we've learned from configuring Defender for Cloud across dozens of enterprise environments.
Understanding Defender for Cloud Plans
Defender for Cloud offers both free and paid capabilities. The free tier provides security recommendations based on the Azure Security Benchmark, while the paid plans (Defender for Servers, Defender for Containers, etc.) add threat detection and advanced features.
Our recommendation: Enable paid plans selectively based on your workload types. Not every subscription needs every plan. A typical enterprise might enable Defender for Servers for all production VMs and Azure Arc-enabled servers, Defender for Containers for AKS clusters and container registries, Defender for Key Vault for all key vaults containing secrets, Defender for Storage for storage accounts with sensitive data, and Defender for SQL for Azure SQL and SQL on VMs.
Configuring Security Policies
The default security policy is based on the Azure Security Benchmark, which is excellent but may not align perfectly with your organisation's requirements. We recommend creating custom initiatives that map to your specific compliance frameworks.
Policy Assignment Strategy
Assign policies at the management group level rather than individual subscriptions. This ensures consistent security posture across your environment and reduces administrative overhead.
Management Group (Root)
├── Security Initiative (Inherited)
├── Production Management Group
│   ├── Additional Production Controls
│   └── Production Subscriptions
└── Non-Production Management Group
    ├── Relaxed Development Controls
    └── Development Subscriptions
Handling Exemptions
Exemptions are inevitable, but they should be treated as technical debt. When creating exemptions, always set an expiration date and document the business justification. Assign an owner responsible for remediation, and review all exemptions quarterly to ensure they remain necessary.
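An added example (not from the original article) that checks exemption records against these rules: expiry set and not too far out, a documented justification, a named owner, and a quarterly review. It assumes the flattened JSON shape that `az policy exemption list -o json` returns and treats the `metadata.owner` and `metadata.lastReviewed` keys as a team convention, since metadata is free-form; the sample records are constructed.

```python
"""Audit Azure Policy exemptions against the hygiene rules above.
Records follow the flattened shape of `az policy exemption list -o json`; the
metadata keys `owner` and `lastReviewed` are a team convention assumed here."""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=365)  # anything longer is not a temporary exemption
REVIEW_EVERY = timedelta(days=90)   # quarterly review cadence

def parse_iso(value):
    """Azure returns timestamps like '2025-03-01T00:00:00Z', or null when unset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_exemption(ex, now):
    """Return the list of findings for one exemption; an empty list means compliant."""
    findings = []
    meta = ex.get("metadata") or {}
    expires = parse_iso(ex.get("expiresOn"))
    if expires is None:
        findings.append("no expiration date")
    elif expires <= now:
        findings.append("already expired: remove or consciously renew")
    elif expires - now > MAX_LIFETIME:
        findings.append("expires more than a year out")
    if not (ex.get("description") or "").strip():
        findings.append("no business justification in description")
    if not meta.get("owner"):
        findings.append("no remediation owner in metadata")
    reviewed = parse_iso(meta.get("lastReviewed"))
    if reviewed is None or now - reviewed > REVIEW_EVERY:
        findings.append("quarterly review overdue")
    return findings

def audit_all(exemptions, now):
    """Map exemption name to its findings so the report can be filed per owner."""
    return {ex["name"]: audit_exemption(ex, now) for ex in exemptions}

# Constructed sample: one well-managed exemption and one that is pure technical debt.
SAMPLE_NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)
SAMPLE_EXEMPTIONS = [
    {"name": "legacy-app-tls", "exemptionCategory": "Mitigated",
     "description": "Vendor app pinned to TLS 1.1 until patch ships, ticket SEC-1234",
     "expiresOn": "2024-12-31T00:00:00Z",
     "metadata": {"owner": "platform-team", "lastReviewed": "2024-09-15T00:00:00Z"}},
    {"name": "temp-waiver", "exemptionCategory": "Waiver",
     "description": "", "expiresOn": None, "metadata": {}},
]
if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_EXEMPTIONS, SAMPLE_NOW).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```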
Managing Security Recommendations
Defender for Cloud generates hundreds of recommendations, which can be overwhelming. Here's how to prioritise effectively:
Use Secure Score Wisely
Secure Score is useful for tracking overall progress, but don't optimise blindly for the number. Focus on recommendations that address actual risks in your environment, align with your compliance requirements, and can be implemented without breaking applications.
Governance Rules
Use governance rules to automatically assign owners and due dates to recommendations. This creates accountability and ensures recommendations don't languish indefinitely.
// Example governance rule configuration
Rule: "High Severity - 30 Day SLA"
Conditions:
  - Severity = High
  - Environment = Production
Actions:
  - Assign to: Security Team
  - Due date: 30 days
  - Grace period: 7 days
Alert Management
Defender for Cloud generates security alerts when it detects potential threats. The key is ensuring these alerts reach the right people quickly without causing alert fatigue.
Alert Routing
Configure workflow automation to route alerts appropriately. High severity alerts should trigger immediate notification to the security team via PagerDuty or phone. Medium severity alerts warrant an email notification or Slack/Teams message. Low severity alerts can be aggregated into a daily digest to avoid alert fatigue.
SIEM Integration
Forward all alerts to your SIEM for correlation with other security events. Use continuous export to stream alerts to Log Analytics or Event Hub for SIEM ingestion.
Suppression Rules
Create suppression rules carefully for known false positives. Document the reason for each suppression and review regularly. Never suppress an entire alert type; be specific about the conditions.
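The routing guidance from the Alert Routing section and the suppression guidance above, as an added example that is not part of the original article. Alert field names follow the SecurityAlert schema that continuous export delivers; the suppression rule shape (alert type, reason, expiry, field conditions) is a simplified model of Defender's rules and is an assumption, and all alert samples are constructed.

```python
"""Severity-based routing plus scoped suppression for Defender for Cloud alerts.
Alert fields follow the SecurityAlert schema that continuous export delivers;
the rule shape is a simplified model of Defender suppression rules."""
from collections import defaultdict
from datetime import datetime, timezone

# Severity to destination mapping from the routing guidance above.
ROUTES = {"High": "pager", "Medium": "chat", "Low": "digest", "Informational": "digest"}

class SuppressionRule:
    def __init__(self, alert_type, reason, expires_on, conditions):
        # An unconditioned rule would silence the whole alert type, so refuse it.
        if not conditions:
            raise ValueError(f"rule for {alert_type} must be scoped by conditions")
        if not reason.strip():
            raise ValueError(f"rule for {alert_type} needs a documented reason")
        self.alert_type, self.reason = alert_type, reason
        self.expires_on, self.conditions = expires_on, conditions

    def matches(self, alert, now):
        if now >= self.expires_on or alert["AlertType"] != self.alert_type:
            return False
        return all(self._check(alert, c) for c in self.conditions)

    @staticmethod
    def _check(alert, cond):
        value = str(alert.get(cond["field"], ""))
        return value == cond["equals"] if "equals" in cond else cond["contains"] in value

def route_alerts(alerts, rules, now):
    """Return {destination: [AlertName, ...]}; suppressed alerts stay auditable."""
    out = defaultdict(list)
    for alert in alerts:
        rule = next((r for r in rules if r.matches(alert, now)), None)
        dest = "suppressed" if rule else ROUTES.get(alert["AlertSeverity"], "chat")
        out[dest].append(alert["AlertName"])
    return dict(out)

def make_alert(name, severity, alert_type, entity):
    return {"AlertName": name, "AlertSeverity": severity, "AlertType": alert_type, "CompromisedEntity": entity}

# Constructed sample data: an authorised scanner host raises a known false positive.
NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)
RULES = [SuppressionRule("Example.PortScan", "Authorised vulnerability scanner, ticket SEC-42",
                         datetime(2025, 1, 1, tzinfo=timezone.utc),
                         [{"field": "CompromisedEntity", "contains": "vuln-scanner-"}])]
ALERTS = [make_alert("Port scan detected", "Low", "Example.PortScan", "vuln-scanner-01"),
          make_alert("Port scan detected", "Low", "Example.PortScan", "web-frontend-03"),
          make_alert("Suspicious login", "High", "Example.Login", "bastion-01")]
```

Running `route_alerts(ALERTS, RULES, NOW)` sends only the scanner's alert to the suppressed bucket; the same alert type from any other host still lands in the digest.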
Cloud Security Posture Management (CSPM)
Defender CSPM extends capabilities beyond basic recommendations with attack path analysis, cloud security graph, and agentless scanning.
Attack Path Analysis
Attack paths show how an attacker could potentially move through your environment to reach critical resources. Prioritise fixing issues that appear in multiple attack paths or paths to crown jewel resources.
Cloud Security Graph
The cloud security graph enables powerful queries across your environment, for example this Azure Resource Graph query:
// Find VMs that have a public IP and at least one unhealthy security assessment
Resources
| where type == "microsoft.compute/virtualmachines"
| extend vmId = tolower(id)
| join kind=inner (
    Resources
    | where type == "microsoft.network/networkinterfaces"
    | mv-expand ipconfig = properties.ipConfigurations
    | where isnotempty(ipconfig.properties.publicIPAddress.id)
    | extend vmId = tolower(tostring(properties.virtualMachine.id))
    | distinct vmId
) on vmId
| join kind=inner (
    SecurityResources
    | where type == "microsoft.security/assessments" and properties.status.code == "Unhealthy"
    | extend vmId = tolower(tostring(properties.resourceDetails.Id)), assessment = tostring(properties.displayName)
) on vmId
| project name, resourceGroup, assessment
Multi-Cloud and Hybrid
Defender for Cloud isn't Azure-only. Connect your AWS accounts, GCP projects, and on-premises servers for unified security management.
AWS Integration
Use the native AWS connector for CSPM capabilities across your AWS accounts. This provides security recommendations based on AWS best practices and maps findings to Azure Security Benchmark controls.
GCP Integration
Similar to AWS, the GCP connector enables visibility into your Google Cloud environment with recommendations mapped to common security standards.
On-Premises Servers
Use Azure Arc to bring on-premises and other cloud servers under Defender for Cloud protection. This provides consistent vulnerability assessment and threat detection across your entire estate.
Reporting and Compliance
Defender for Cloud includes built-in compliance dashboards for common frameworks including Azure Security Benchmark, CIS Controls, NIST 800-53, ISO 27001, PCI DSS, and SOC 2. Export compliance reports regularly for evidence collection, and automate weekly report generation and storage in a compliance evidence repository.
Cost Optimisation
Defender for Cloud costs can add up quickly. Optimise spending by only enabling plans for resource types you actually use, choosing P1 versus P2 plans based on actual needs, excluding non-production resources where appropriate, and regularly reviewing coverage to remove orphaned protections.
Summary
Microsoft Defender for Cloud is essential for maintaining security posture across your Azure and multi-cloud environments. The key to success is thoughtful configuration, effective prioritisation, and continuous improvement rather than trying to fix everything at once.
Focus on the fundamentals: enable appropriate plans for your workloads, assign clear ownership for recommendations, and ensure alerts reach the right people at the right time.