
Chapter 13 of 21

Security and Compliance at Fundamentals Level: Defender for Cloud and Basic Concepts

Tie together identity, governance, and monitoring by seeing how Defender for Cloud and related concepts support secure, compliant Azure environments.


Big Picture: Security, Compliance, and AZ-900

Why This Module Matters

This module connects identity, governance, and monitoring to show how Azure stays secure and compliant, especially for AZ-900 exam scenarios.

Key Services In Scope

You will focus on Microsoft Defender for Cloud, Azure Policy, Microsoft Entra ID, and how they implement Zero Trust and defense in depth.

Exam-Relevant View

You do not need deep security engineering skills, but you must recognize what each service does, where responsibilities lie, and common patterns.

Current Terminology

Azure AD is now called Microsoft Entra ID, and Defender for Cloud is the main Azure-native security posture and threat protection platform.

Shared Responsibility Model Revisited: Now Focused on Security

Definition Refresher

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

What Microsoft Handles

Microsoft secures datacenters, physical hosts, core networking, and the platform for managed services, and maintains many platform-level compliance certifications.

What You Handle

You secure identities, data, OS and apps you manage, network configuration, and you meet your own regulatory and policy obligations.

By Service Model

In IaaS you manage most layers; in PaaS you manage identities, data, and apps; in SaaS you mainly manage identities and data usage.

What Is Microsoft Defender for Cloud?

High-Level Purpose

Defender for Cloud assesses your security posture, gives you a secure score, and offers prioritized recommendations and protection for your workloads.

Posture Management

It discovers resources across subscriptions, evaluates them against baselines and standards, and shows where configurations are weak.

Secure Score

Secure score summarizes how well you follow recommended security practices and helps you prioritize high-impact fixes.

Regulatory Mapping

Its regulatory compliance view maps technical checks to standards like ISO 27001 or PCI-DSS to support your compliance efforts.

Walkthrough: Reading Secure Score and Recommendations

Starting in Defender for Cloud

You open Defender for Cloud and see a secure score of 54%. This indicates many recommended security controls are not yet implemented.

Identity Recommendation

A key item: enable MFA for owner-level accounts. You drill down, identify affected users, and work with the Entra ID team to turn on MFA.

Data Protection Recommendation

Another item: encrypt Azure SQL databases with TDE. Defender lists unencrypted databases and offers guided or one-click remediation.

Showing Improvement

After remediation, secure score rises to 68%. You use this score and resolved items to show auditors that security posture is improving.

Azure Policy and Security Compliance: How They Fit Together

Azure Policy Definition

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects so resources stay compliant.

Turning Rules into Enforcement

Policy lets you encode rules like 'HTTPS only' or 'no public IPs' and then automatically audit or deny non-compliant resources.

Policy Building Blocks

You create policy definitions, assign them to scopes, and choose effects such as Deny, Audit, or DeployIfNotExists to control behavior.

Integration with Defender

Defender for Cloud uses many built-in policies under the hood and surfaces their results as secure score and recommendations.

Thought Exercise: Choosing Enforcement Levels

Consider this scenario and decide which Azure Policy effect you would choose and why.

Scenario: Your organization has a rule that all storage accounts containing customer data must block public access and require HTTPS.

You are rolling out a new policy across many subscriptions, and you are worried about accidentally breaking a critical legacy system.

  1. First phase (discovery)
     • Which effect would you use to understand current violations without blocking deployments?
     • Options to consider:
       • `Audit`
       • `Deny`
       • `DeployIfNotExists`
  2. Second phase (enforcement)
     • After a month, you have a list of non-compliant resources and a remediation plan.
     • Which effect would you now use on new deployments to prevent non-compliant storage accounts from being created?
  3. Third phase (automatic remediation)
     • You want new storage accounts to automatically have HTTPS-only and public access disabled, even if someone forgets to configure these settings.
     • Which effect could help enforce configuration at creation time?

Pause and answer:

  • Phase 1: I would choose ... because ...
  • Phase 2: I would choose ... because ...
  • Phase 3: I would choose ... because ...

Then compare your answers with the suggested reasoning:

  • Phase 1: `Audit` to see current problems without breaking anything.
  • Phase 2: `Deny` to block non-compliant new resources.
  • Phase 3: `DeployIfNotExists` to automatically add or fix needed settings.
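As an added example that is not part of the course material, here is a small Python model of how the three effects from the exercise behave when one rule is assigned in three phases. The rule dictionary follows the shape of an Azure Policy definition (`if`/`then`, `allOf`/`anyOf`, field aliases, and a parameterized `effect`); the two field aliases for HTTPS-only and blob public access are assumed from the Storage resource provider, the storage accounts are constructed sample data, and the evaluator is a simplified stand-in for the Azure Policy engine (it compares Python booleans where the real engine compares string values).

```python
"""Toy evaluator for an Azure Policy-style rule over storage accounts.

Added example, not code from the course page. It models the Audit, Deny and
DeployIfNotExists effects against constructed storage account records. The
field aliases Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly and
Microsoft.Storage/storageAccounts/allowBlobPublicAccess are assumed from the
Storage resource provider; the evaluator is a simplification of the real engine.
"""
import copy

# Policy definition in Azure Policy shape. 'effect' is a parameter so the same
# definition can be assigned as Audit (phase 1), Deny (phase 2) and
# DeployIfNotExists (phase 3) without rewriting the rule.
STORAGE_POLICY = {
    "parameters": {
        "effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny", "DeployIfNotExists"],
            "defaultValue": "Audit",
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"anyOf": [
                    {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                     "notEquals": True},
                    {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                     "notEquals": False},
                ]},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Desired settings that the DeployIfNotExists remediation applies.
REMEDIATION = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True,
    "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": False,
}

# Constructed sample resources (not real accounts): one compliant, one legacy
# account that violates both settings, one that only exposes public blobs,
# and a VM that the rule does not target at all.
RESOURCES = [
    {"name": "stcustomerdata01", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True,
     "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": False},
    {"name": "stlegacyapp", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False,
     "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": True},
    {"name": "stpublicweb", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True,
     "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": True},
    {"name": "vm-app01", "type": "Microsoft.Compute/virtualMachines"},
]


def matches(condition, resource):
    """True when the 'if' block fires, i.e. the resource is targeted and non-compliant."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    # A missing field yields None, which counts as non-compliant for notEquals.
    value = resource.get(condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    raise ValueError("unsupported condition: %r" % condition)


def evaluate(policy, resources, effect=None):
    """Apply the policy with the given effect; returns (name, outcome, resource) per item.

    Audit records non-compliant resources but allows them; Deny rejects them;
    DeployIfNotExists allows them and applies REMEDIATION. A resource for which
    the 'if' block is false is not flagged and is returned unchanged.
    """
    param = policy["parameters"]["effect"]
    effect = effect or param["defaultValue"]
    if effect not in param["allowedValues"]:
        raise ValueError("effect %r is not an allowed value" % effect)
    results = []
    for res in resources:
        res = copy.deepcopy(res)  # never mutate the caller's records
        if not matches(policy["policyRule"]["if"], res):
            results.append((res["name"], "compliant", res))
        elif effect == "Audit":
            results.append((res["name"], "non-compliant (allowed)", res))
        elif effect == "Deny":
            results.append((res["name"], "denied", None))
        else:  # DeployIfNotExists
            res.update(REMEDIATION)
            results.append((res["name"], "remediated", res))
    return results


if __name__ == "__main__":
    for phase in ("Audit", "Deny", "DeployIfNotExists"):
        print("== Phase:", phase)
        for name, outcome, _ in evaluate(STORAGE_POLICY, RESOURCES, phase):
            print("  %-18s %s" % (name, outcome))
```

Running the script prints the same four resources under each phase: in the Audit phase the two weak accounts are listed but nothing is blocked, in the Deny phase those same two requests are rejected, and in the DeployIfNotExists phase they are accepted with the HTTPS-only and public-access settings corrected. The VM is never flagged because the `type` condition in `allOf` fails, which is why a policy's first condition is usually the resource type.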

Zero Trust: Fundamentals-Level View for Azure

Zero Trust in One Line

Zero Trust means 'never trust, always verify'—every access request is treated as potentially risky, no matter where it comes from.

Verify Explicitly

Azure supports explicit verification with Microsoft Entra ID, MFA, and Conditional Access to check identity and context on every sign-in.

Least-Privilege with RBAC

Role-based access control gives users and apps only the permissions they need, mapped through roles on Azure resources.

Assume Breach and Monitor

Assuming breach means heavy use of monitoring and alerts. Defender for Cloud helps detect misconfigurations and suspicious activity.

Defense in Depth: Multiple Layers of Protection

Idea of Defense in Depth

Defense in depth uses multiple layers of security so that if one control fails, others still protect your environment.

Outer Layers

Physical security is handled by Microsoft; you design perimeter and network controls using firewalls, NSGs, and private networking.

Identity, Apps, and Data

Identity (Entra ID, RBAC, MFA), secure applications, and data protection (encryption, backups) form inner layers of protection.

Governance and Monitoring

Azure Policy, Defender for Cloud, and logging provide continuous governance and visibility across all layers.

Quiz 1: Shared Responsibility, Defender for Cloud, and Policy

Check your understanding of core relationships.

Which statement best describes how Microsoft Defender for Cloud and Azure Policy work together to support the shared responsibility model?

  A. Defender for Cloud replaces Azure Policy by automatically fixing all security issues without customer involvement.
  B. Azure Policy defines and evaluates rules for resource configuration, while Defender for Cloud uses many of those policies to surface secure score and security recommendations.
  C. Defender for Cloud is responsible for physical security of datacenters, while Azure Policy secures all customer data automatically.
  D. Azure Policy is only for cost management, while Defender for Cloud is only for identity and access management.

Answer: B) Azure Policy defines and evaluates rules for resource configuration, while Defender for Cloud uses many of those policies to surface secure score and security recommendations.

Azure Policy is the governance engine that defines and evaluates rules on resources. Microsoft Defender for Cloud builds on those policies to assess security posture, calculate secure score, and provide recommendations. It does not replace customer responsibilities or handle physical security.

Quiz 2: Zero Trust and Defense in Depth in Azure

Apply Zero Trust and defense-in-depth ideas to Azure scenarios.

You are hardening an Azure workload. Which combination of actions best reflects Zero Trust and defense in depth principles?

  A. Rely on the corporate VPN and open RDP to all VMs from the VPN subnet.
  B. Grant all developers Owner access to the subscription so they can fix security issues quickly.
  C. Enable MFA and Conditional Access in Microsoft Entra ID, use RBAC to give least-privilege roles, restrict inbound ports with NSGs, and require encryption at rest on databases.
  D. Disable all Azure Policy assignments to avoid blocking deployments, and depend solely on antivirus software inside VMs.

Answer: C) Enable MFA and Conditional Access in Microsoft Entra ID, use RBAC to give least-privilege roles, restrict inbound ports with NSGs, and require encryption at rest on databases.

Zero Trust emphasizes strong identity (MFA, Conditional Access) and least privilege (RBAC), while defense in depth adds multiple layers such as network restrictions (NSGs) and data encryption. The other options either weaken security or remove governance.

Key Term Flashcards: Security and Compliance Basics

Use these flashcards to reinforce the most exam-relevant definitions and relationships.

shared responsibility model
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Microsoft Defender for Cloud (high-level purpose)
Azure's cloud-native service that continuously assesses the security posture of your resources, provides a secure score, gives prioritized recommendations, and enables threat protection for supported workloads.
Azure Policy (definition)
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Microsoft Entra ID (definition)
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Zero Trust (fundamentals-level idea)
A security philosophy of 'never trust, always verify' that emphasizes explicit verification, least-privilege access, and assuming breach, implemented in Azure using Entra ID, MFA, Conditional Access, RBAC, and continuous monitoring.
Defense in depth (in Azure)
A strategy that uses multiple layers of security controls (physical, network, identity, application, data, governance/monitoring) so that if one layer fails, others still protect the environment.
Secure score (Defender for Cloud)
A metric in Microsoft Defender for Cloud that summarizes how well your environment follows recommended security practices and helps you prioritize remediation actions.
Regulatory compliance view (Defender for Cloud)
A dashboard in Defender for Cloud that maps technical security checks and policy results to specific controls in standards such as ISO 27001 or PCI-DSS, showing passed and failed requirements.
Policy effect: Audit vs Deny
Audit logs non-compliant resources without blocking them, useful for discovery. Deny blocks creation or update of non-compliant resources, enforcing compliance on new changes.

Apply It: Mini Scenario for AZ-900 Thinking

Imagine this exam-style scenario and mentally map each requirement to the right Azure concept.

Scenario: A healthcare startup is moving patient data to Azure. They must:

  • Prove to auditors that resources follow specific security standards
  • Ensure new resources cannot be created with public access to patient data
  • Continuously improve their security posture over time
  • Follow Zero Trust and defense in depth principles

Your tasks:

  1. Map each requirement
     • Prove to auditors that standards are followed → Which Azure feature/view helps most?
     • Block creation of non-compliant resources → Which service and policy effect?
     • Continuously improve security posture → Which Azure service and metric?
     • Follow Zero Trust and defense in depth → Which core practices?
  2. Check your mental answers
     • Auditors: Defender for Cloud regulatory compliance view (plus Azure Policy compliance data).
     • Block non-compliant: Azure Policy with `Deny` effect on rules like "no public access".
     • Continuous improvement: Microsoft Defender for Cloud using secure score and recommendations.
     • Zero Trust and defense in depth: MFA, Conditional Access, RBAC, NSGs/firewalls, encryption, logging, and monitoring.

As you continue through the Skarp course, look for these patterns in practice labs and mock exams. They will appear repeatedly in AZ-900-style questions.

Key Terms

Zero Trust
A security philosophy of never trust, always verify, emphasizing explicit verification, least privilege, and assuming breach.
Azure Policy
A governance service used to create, assign, and manage policies that enforce rules and effects over Azure resources to keep them compliant.
secure score
A metric in Microsoft Defender for Cloud that summarizes how well recommended security practices are implemented and guides remediation priorities.
policy effect
The behavior Azure Policy applies when a rule is evaluated, such as Audit, Deny, or DeployIfNotExists.
defense in depth
A strategy of using multiple layers of security controls so that if one layer fails, others still provide protection.
Microsoft Entra ID
Microsoft’s cloud-based identity and access management service used for authentication and authorization to Azure and many SaaS apps.
regulatory compliance view
A Defender for Cloud dashboard that maps technical checks and policy results to controls in standards like ISO 27001 or PCI-DSS.
shared responsibility model
A framework that defines how security and compliance responsibilities are divided between Microsoft as the cloud provider and you as the customer.
Microsoft Defender for Cloud
Azure's cloud-native service that assesses security posture, provides secure score and recommendations, and offers threat protection for supported workloads.
role-based access control (RBAC)
An Azure authorization system that manages access to resources through roles assigned to users, groups, and service principals.
