
Microsoft Defender for Cloud: CSPM Setup Guide

5/15/2025 5 min
#Azure#Security#Defender for Cloud#CSPM#Compliance

There is a meaningful gap between "we have security tooling" and "we understand our security posture." The first is a checkbox on a vendor slide deck. The second requires continuous measurement, automated policy enforcement, and a feedback loop that tells you exactly where your exposure is growing before an auditor -- or an attacker -- finds it first. Microsoft Defender for Cloud with its CSPM (Cloud Security Posture Management) capabilities is how I bridge that gap for Azure environments at enterprise scale.

What Changed in 2025

Defender for Cloud has evolved significantly. The headline features that matter for day-to-day posture management:

  • Attack path analysis is now GA in the Defender CSPM plan. It maps how an attacker could traverse from an internet-facing resource to a high-value target, using the cloud security graph to correlate misconfigurations across compute, identity, and data layers.
  • Agentless scanning for VMs and container registries -- no Log Analytics agent required for vulnerability discovery. The agent-based approach still has its place for real-time threat detection, but agentless scanning dramatically reduces onboarding friction.
  • Secure Score expanded to 200+ recommendations across Azure, AWS, and GCP. The multi-cloud story is real now; we run assessments against AWS accounts from the same Defender for Cloud blade.
  • Regulatory compliance dashboards ship with built-in mappings for DORA, NIS2, PCI DSS 4.0, and ISO 27001:2022. You can run a dual NIS2 + DORA assessment from a single initiative.
  • Microsoft Copilot for Security integration provides natural-language queries against the security graph ("Show me all storage accounts with public blob access in production subscriptions").

Effort: 1-2 days for initial CSPM enablement, 4-8 hours for custom secure score policies
Cost: Defender CSPM: ~$15/server/month (Foundational CSPM is free), Defender for Servers P2: ~$15/server/month
Prerequisites: Azure subscription with Security Admin role, Log Analytics workspace, Microsoft Defender for Cloud enabled at subscription level

Why This Matters

Secure Score is the single number that tells you how exposed you are. Below 60% and you are operating in a high-risk posture -- most insurance underwriters and compliance auditors treat that threshold as a red flag.

Here is what actually happens when you deploy a fresh Azure Landing Zone without tuning: the initial Secure Score comes back around 34%. That is not because the Landing Zone is badly designed. It is because defaults are permissive -- storage accounts allow shared key access, NSGs are not attached to every subnet, diagnostic settings are not forwarded to a central workspace, and JIT VM access is not enabled. All of these are scored recommendations, and they add up fast.

After a focused CSPM remediation sprint on one client environment, we pushed the score from 34% to 87% in under a week. The remaining 13% were accepted risks with documented exceptions (legacy workloads that cannot support TLS 1.2, a third-party appliance that requires public IP).

Implementation: CSPM Configuration

Enable Defender Plans at Subscription Level

Start by enabling the plans that matter. Foundational CSPM is free and gives you Secure Score plus basic recommendations. The paid Defender CSPM plan adds attack path analysis, agentless scanning, and the cloud security graph.

# Enable Defender CSPM (paid plan with attack path analysis)
az security pricing create \
  --name CloudPosture \
  --tier Standard
 
# Enable Defender for Servers Plan 2 (full endpoint protection)
az security pricing create \
  --name VirtualMachines \
  --tier Standard \
  --subplan P2
 
# Enable Defender for Storage (malware scanning + sensitive data discovery)
az security pricing create \
  --name StorageAccounts \
  --tier Standard
 
# Verify all enabled plans
az security pricing list \
  --query "[?pricingTier=='Standard'].{Name:name, Tier:pricingTier, SubPlan:subPlan}" \
  -o table
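The verification step above only lists what is enabled; a drift check that compares the live plan list against the baseline the article prescribes (Defender CSPM, Servers P2, Storage) is more useful in a pipeline. The following is an added example, not code from the article: it reads the JSON form of `az security pricing list -o json` (here a constructed sample embedded inline, with one plan on the wrong subplan and one not enabled) and reports every gap.

```python
import json

# Constructed sample of `az security pricing list -o json` output (not real tenant data).
# pricingTier and subPlan are the same fields the article's --query expression reads.
SAMPLE_PRICING_JSON = """
[
  {"name": "CloudPosture",    "pricingTier": "Standard", "subPlan": null},
  {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P1"},
  {"name": "StorageAccounts", "pricingTier": "Free",     "subPlan": null},
  {"name": "KeyVaults",       "pricingTier": "Free",     "subPlan": null}
]
"""

# Baseline from the article: plan name -> required subplan (None = any Standard tier).
# Names are the az CLI plan identifiers used in the commands above.
REQUIRED_PLANS = {
    "CloudPosture": None,
    "VirtualMachines": "P2",
    "StorageAccounts": None,
}


def find_plan_gaps(pricing_json: str, required=REQUIRED_PLANS) -> list[str]:
    """Return one human-readable line per plan that deviates from the baseline."""
    plans = {p["name"]: p for p in json.loads(pricing_json)}
    gaps = []
    for name, subplan in required.items():
        plan = plans.get(name)
        if plan is None or plan.get("pricingTier") != "Standard":
            gaps.append(f"{name}: not enabled (expected tier Standard)")
        elif subplan and plan.get("subPlan") != subplan:
            gaps.append(f"{name}: subplan {plan.get('subPlan')} (expected {subplan})")
    return gaps


if __name__ == "__main__":
    # In practice: az security pricing list -o json > pricing.json, then load that file here.
    for gap in find_plan_gaps(SAMPLE_PRICING_JSON):
        print("GAP:", gap)
```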

Configure Auto-Provisioning for Log Analytics

Auto-provisioning ensures that the Log Analytics agent or Azure Monitor Agent is deployed to every VM automatically. Without this, new VMs are invisible to Defender for Cloud for the first few hours after deployment.

# Set the default Log Analytics workspace for auto-provisioning
az security auto-provisioning-setting update \
  --name default \
  --auto-provision on
 
# Configure workspace -- use a dedicated security workspace, not the default
az security workspace-setting create \
  --name default \
  --target-workspace "/subscriptions/a1b2c3d4-e5f6-7890-abcd-ef1234567890/resourceGroups/asc-alerts-rg/providers/Microsoft.OperationalInsights/workspaces/log-security-prod-westeurope"

Set Up Email Notifications for High-Severity Alerts

A Defender for Cloud alert that nobody sees is worse than no alert at all. Configure notification recipients for critical and high-severity findings.

# Configure security contact for alert notifications
az security contact create \
  --name "default" \
  --email "security-team@contoso.com" \
  --phone "+420123456789" \
  --alert-notifications on \
  --alerts-admins on

Create a Custom Secure Score Initiative

The built-in initiative covers broad security hygiene. For organization-specific controls -- say, enforcing specific tag schemas or requiring private endpoints on all PaaS services -- you need a custom initiative.

// Custom policy initiative for organization-specific CSPM controls
resource customInitiative 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'cspm-custom-org-controls'
  properties: {
    displayName: 'Organization CSPM Baseline Controls'
    description: 'Custom secure score controls beyond Microsoft defaults'
    policyType: 'Custom'
    metadata: {
      category: 'Security Center'
      // This metadata key registers the initiative with Secure Score
      securityCenter: {
        RemediationDescription: 'Apply organization baseline security controls'
        Severity: 'High'
      }
    }
    policyDefinitions: [
      {
        // Require private endpoints on all SQL servers
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576ebb'
        policyDefinitionReferenceId: 'sqlPrivateEndpoint'
      }
      {
        // Require TLS 1.2 on all storage accounts
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-abc7-2a9a5718de29'
        policyDefinitionReferenceId: 'storageTls12'
      }
      {
        // Deny public IP creation in production subscriptions
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
        policyDefinitionReferenceId: 'denyPublicIp'
      }
    ]
  }
}

Query Compliance Summary with Azure Resource Graph

This is the query I run weekly to get a snapshot of compliance state across all subscriptions. It is faster than waiting for the portal to render and gives you numbers you can paste directly into a status report.

# Azure Resource Graph query: compliance summary across subscriptions
az graph query -q "
  SecurityResources
  | where type == 'microsoft.security/assessments'
  | extend assessmentStatus = properties.status.code
  | summarize
      Healthy = countif(assessmentStatus == 'Healthy'),
      Unhealthy = countif(assessmentStatus == 'Unhealthy'),
      NotApplicable = countif(assessmentStatus == 'NotApplicable')
  | extend Total = Healthy + Unhealthy + NotApplicable
  | extend HealthPercentage = round(100.0 * Healthy / Total, 1)
" --first 5

Real-World Results

After enabling Defender CSPM on a Landing Zone deployment with 4 subscriptions and roughly 120 resources, here is the Secure Score breakdown I pulled directly from the CLI:

$ az security secure-score list --query "[0]" -o yaml
displayName: ASC score
currentScore: 43.5
maxScore: 50
percentageScore: 0.87
weight: 50

$ az security secure-score-controls list \
    --query "[?unhealthyResourceCount > 0].{Control:displayName, Score:currentScore, Max:maxScore, Unhealthy:unhealthyResourceCount}" \
    -o table

Control                                   Score    Max    Unhealthy
----------------------------------------  -------  -----  ---------
Enable MFA                                10       10     0
Apply system updates                       4        6     3
Remediate vulnerabilities                  3        6     8
Enable endpoint protection                 5        5     0
Encrypt data in transit                    4        4     0
Restrict unauthorized network access       5.5      6     2
Apply adaptive application control         2        4     6
Enable auditing and logging                5        5     0
Enable enhanced security features          5        5     0
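Turning that control table into a remediation order and a build gate is the part a team actually repeats every week. The following is an added example, not code from the article: it loads the JSON form of `az security secure-score-controls list -o json` (a constructed sample carrying the control names and numbers from the table above), ranks open controls by the secure score points they would return, and checks the tenant's `percentageScore` against the 60% threshold the article treats as a failed build. Ranking by points is a heuristic; controls that appear in an attack path still come first, and that information lives in the security graph, not in this output.

```python
import json

# Constructed sample of `az security secure-score-controls list -o json` output, with the
# control names and numbers from the table above (not real tenant output).
SAMPLE_CONTROLS_JSON = """
[
  {"displayName": "Enable MFA", "currentScore": 10, "maxScore": 10, "unhealthyResourceCount": 0},
  {"displayName": "Apply system updates", "currentScore": 4, "maxScore": 6, "unhealthyResourceCount": 3},
  {"displayName": "Remediate vulnerabilities", "currentScore": 3, "maxScore": 6, "unhealthyResourceCount": 8},
  {"displayName": "Enable endpoint protection", "currentScore": 5, "maxScore": 5, "unhealthyResourceCount": 0},
  {"displayName": "Encrypt data in transit", "currentScore": 4, "maxScore": 4, "unhealthyResourceCount": 0},
  {"displayName": "Restrict unauthorized network access", "currentScore": 5.5, "maxScore": 6, "unhealthyResourceCount": 2},
  {"displayName": "Apply adaptive application control", "currentScore": 2, "maxScore": 4, "unhealthyResourceCount": 6},
  {"displayName": "Enable auditing and logging", "currentScore": 5, "maxScore": 5, "unhealthyResourceCount": 0},
  {"displayName": "Enable enhanced security features", "currentScore": 5, "maxScore": 5, "unhealthyResourceCount": 0}
]
"""

SCORE_GATE = 0.60  # the article's "below 60% is a red flag" threshold


def remediation_plan(controls_json: str) -> list[tuple[str, float, int]]:
    """Open controls ordered by points to gain; ties go to the control with fewer unhealthy resources per point."""
    controls = json.loads(controls_json)
    open_items = [c for c in controls if c["currentScore"] < c["maxScore"]]

    def priority(c):
        gain = c["maxScore"] - c["currentScore"]
        per_resource = gain / max(c["unhealthyResourceCount"], 1)
        return (-gain, -per_resource)

    return [
        (c["displayName"], c["maxScore"] - c["currentScore"], c["unhealthyResourceCount"])
        for c in sorted(open_items, key=priority)
    ]


def score_gate(percentage_score: float, gate: float = SCORE_GATE) -> bool:
    """True when percentageScore from `az security secure-score list` is at or above the gate."""
    return percentage_score >= gate


if __name__ == "__main__":
    for name, gain, unhealthy in remediation_plan(SAMPLE_CONTROLS_JSON):
        print(f"{name:40s} +{gain:<4} points  {unhealthy} unhealthy resources")
    print("gate passed:", score_gate(0.87))  # 0.87 is the percentageScore shown above
```

Wire `score_gate` into the deployment pipeline as a hard stop so that a tenant below the threshold blocks production releases, as the takeaways below recommend.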

The paid CSPM plan vs. free Foundational tier comparison, based on actual invoices from one environment:

Feature                    Foundational (Free)   Defender CSPM ($15/server/mo)
-------------------------  --------------------  -----------------------------------
Secure Score               Yes                   Yes
Security recommendations   Basic subset          Full 200+ set
Attack path analysis       No                    Yes
Cloud security graph       No                    Yes
Agentless VM scanning      No                    Yes
Regulatory compliance      Limited               NIS2, DORA, PCI DSS 4.0, ISO 27001
Data-aware posture         No                    Sensitive data discovery

For 30 servers, the Defender CSPM plan costs roughly $450/month. The attack path analysis alone justified the spend -- it identified a chain from a public-facing App Service (with a known CVE in a dependency) through a managed identity with Contributor role on the production Key Vault. That is the kind of finding that a static policy check will never surface.

Key Takeaways

  • Start with Foundational CSPM (free) to get Secure Score and basic recommendations. Enable the paid plan when you need attack path analysis or regulatory compliance dashboards.
  • Secure Score below 60% is a red flag. Treat it like a failed build -- it should block production deployments until remediated.
  • Auto-provisioning is non-negotiable. Every VM that boots without the agent is a blind spot for hours or days.
  • Custom initiatives extend Secure Score to your organization's specific controls. Use them for tag governance, private endpoint enforcement, and network segmentation rules.
  • Query with Resource Graph, not the portal. The portal is great for exploration, but weekly reporting needs a repeatable, scriptable query.

For a broader view of how CSPM fits into NIS2 compliance requirements, see our NIS2 Azure compliance checklist -- CSPM evidence is one of the core technical controls that auditors look for. If you need help with security posture assessment or Defender for Cloud deployment, check out our cloud security consulting services.


About the author

Martin Rylko

Senior Cloud Architect & DevOps Engineer

14+ years in IT – from on-premises datacenters and Hyper-V clustering to cloud infrastructure on Microsoft Azure. I specialize in Landing Zones, IaC automation, Kubernetes and security compliance.


Frequently Asked Questions

How much does Microsoft Defender for Cloud CSPM cost?
Foundational CSPM (Secure Score, basic recommendations) is free for all Azure subscriptions. Defender CSPM plan costs approximately $5/server/month and adds attack path analysis, cloud security graph, agentless scanning, and governance rules. For most organizations, the paid CSPM plan is worth it once you manage 20+ servers or need regulatory compliance dashboards.

What is the difference between Secure Score and regulatory compliance score in Defender for Cloud?
Secure Score measures your overall security posture against Microsoft security best practices -- it is a single 0-100% number across all recommendations. Regulatory compliance score tracks adherence to specific frameworks (CIS, NIST 800-53, ISO 27001, PCI DSS) with mapped controls. A high Secure Score does not guarantee compliance, and compliance score can be high while missing critical non-mapped recommendations.

Does Defender for Cloud CSPM support multi-cloud environments (AWS, GCP)?
Yes. Defender CSPM can connect to AWS accounts and GCP projects via auto-provisioned connectors. It provides unified Secure Score, cross-cloud attack path analysis, and regulatory compliance tracking across all three clouds from a single Azure portal dashboard. AWS connector uses CloudFormation StackSets; GCP uses Workload Identity Federation.

How do I prioritize which Defender for Cloud recommendations to fix first?
Focus on recommendations that appear in attack paths first -- these are the ones an attacker could chain together for actual exploitation. Then address High severity recommendations that affect internet-facing resources. Use the governance rules feature to assign owners and deadlines. Ignore Low severity informational recommendations until you are above 80% Secure Score.
