The Secure Score Trap

Secure Score is a useful starting point — it measures your security posture against Microsoft’s recommendations and gives a percentage that’s easy for leadership to latch onto. The problem is that it’s a compliance checklist, not a threat model. A subscription can have a 90% Secure Score and still have misconfigured network security groups, overprivileged managed identities, or unmonitored storage accounts full of sensitive data. Score gaming is easy; genuine security improvement takes more work.

Use Secure Score as a prioritization tool, not a goal. Filter recommendations by severity and impact. Focus on “High” severity findings first — these represent genuine attack vectors, not stylistic preferences. Pay particular attention to the Identity and Access recommendations: disabling legacy authentication protocols, enabling MFA for all users, and removing unused service principals are consistently high-impact, low-complexity wins that significantly reduce your real attack surface.

Workload Protections That Actually Matter

Defender for Cloud’s paid Workload Protection Plans extend protection to specific resource types: servers (via Defender for Servers), SQL databases, Kubernetes clusters, App Service, Storage accounts, Key Vault, and more. Defender for Servers is often the highest-value plan — it enables just-in-time VM access, adaptive application controls, file integrity monitoring, and integrates with Microsoft Defender for Endpoint for EDR capability on Azure VMs.

Defender for Storage is frequently overlooked but deserves attention. It monitors blob, file, and queue storage for anomalous access patterns — things like unusual geographic access, access from Tor exit nodes, or malware uploads detected via hash reputation. Defender for Key Vault detects unusual access patterns to your secrets, keys, and certificates and can alert on potentially compromised service principals trying to exfiltrate credentials.

Just-in-Time VM Access

Just-in-time (JIT) VM access is one of Defender for Cloud’s most practically useful features. Instead of leaving RDP (port 3389) or SSH (port 22) open to the internet or your entire corporate network, JIT locks down management ports and only opens them on-demand for a specific source IP and time window. The access request goes through Azure RBAC, creates an NSG rule, and automatically reverts after the time window expires. This dramatically reduces your exposure to brute-force and credential stuffing attacks.

Enabling JIT is straightforward from the Defender for Cloud portal or via the Azure CLI. For organizations managing many VMs, you can deploy JIT policy via Azure Policy to ensure all new VMs automatically get the protection. Note that JIT requires Defender for Servers Plan 2. The audit trail — who requested access, from where, and when — feeds into your SIEM via Azure Monitor, giving you a complete record of privileged management access.

# Enable JIT VM access via Azure CLI
# Requires Defender for Servers Plan 2

# Define JIT policy for a VM (RDP on 3389, SSH on 22)
$jitPolicy = @{
    "kind" = "Basic"
    "properties" = @{
        "virtualMachines" = @(
            @{
                "id" = "/subscriptions/SUB-ID/resourceGroups/RG-NAME/providers/Microsoft.Compute/virtualMachines/VM-NAME"
                "ports" = @(
                    @{ "number" = 3389; "protocol" = "TCP"; "allowedSourceAddressPrefix" = "*"; "maxRequestAccessDuration" = "PT3H" },
                    @{ "number" = 22;   "protocol" = "TCP"; "allowedSourceAddressPrefix" = "*"; "maxRequestAccessDuration" = "PT3H" }
                )
            }
        )
    }
}

# Apply via portal: Defender for Cloud > Workload protections > Just-in-time VM access > Configure

Connecting Defender to Microsoft Sentinel

Defender for Cloud’s alerts become significantly more powerful when correlated with other signals in Microsoft Sentinel. Enabling the Defender for Cloud data connector in Sentinel streams all alerts, security recommendations, and regulatory compliance assessments into Sentinel’s Log Analytics workspace. From there, Sentinel’s analytics rules can correlate a Defender alert with Azure AD sign-in anomalies, network flow data, and endpoint telemetry to surface attacks that span multiple signal types.

Sentinel’s playbooks (Azure Logic Apps) allow automated response to Defender alerts. A common workflow: when Defender detects a brute-force attack on a VM, a playbook automatically triggers JIT to revoke current access, posts a Teams notification to the security team, creates an incident in ServiceNow, and runs a diagnostic script on the VM to capture in-memory forensics. Building these automation chains transforms Defender from a passive alert system into an active response platform.

The post Microsoft Defender for Cloud: Moving Beyond the Dashboard appeared first on InfoTech Ninja.