
Enabling Defender for Cloud - Initial Setup and Config

  • 1 day ago

Getting started with Defender for Cloud can feel overwhelming if you're doing it for the first time. There are multiple plans to enable, policies to configure, and settings to tune. This guide walks you through the initial setup process for Defender for Cloud in your Azure environment, covering everything from enabling the basic service to configuring your first foundational settings. By the end of this walkthrough, you'll have Defender for Cloud active and ready to start protecting your resources.


Prerequisites

  • An active Azure subscription with Owner or Security Admin permissions

  • At least one resource deployed in your Azure environment (VMs, storage accounts, or containers)

  • Access to the Azure Portal

  • Basic understanding of Azure resource groups and subscriptions


Step 1 – Navigate to Defender for Cloud

Log in to the Azure Portal and search for "Defender for Cloud" in the top search bar.

Click on the Defender for Cloud service to open the main dashboard. The first time you access this, you'll see an overview of your current security posture and recommendations.


Step 2 – Review Your Current Coverage

Before enabling any plans, take a moment to understand what you're working with.

In the left navigation menu, click on Environment settings. This view shows all your Azure subscriptions and which Defender plans are currently enabled.

By default, Foundational CSPM (Cloud Security Posture Management) is enabled for free on all Azure subscriptions. This gives you basic security recommendations but doesn't include the advanced threat protection features.


Step 3 – Enable Defender Plans at the Subscription Level

Select the subscription you want to protect from the Environment settings list.

You'll see a page showing all available Defender plans with toggle switches. The main plans include:

  • Servers

  • App Service

  • Databases

  • Storage

  • Containers

  • Key Vault

  • Resource Manager

  • DNS

For now, let's start with the foundational setup. Toggle on Servers and Storage as these are typically the most critical workloads.

Click Save at the top of the page.


Step 4 – Configure Auto-Provisioning

Auto-provisioning automatically deploys the necessary agents and extensions to your resources.


From the Defender for Cloud menu, go to Environment settings, select your subscription, then click on Settings & monitoring in the left pane.

You'll see a list of extensions and agents that can be automatically deployed:

  • Log Analytics agent / Azure Monitor agent

  • Vulnerability assessment

  • Guest configuration agent


Toggle on Log Analytics agent for Azure VMs (or Azure Monitor agent if you prefer the newer option).

Select the workspace configuration. You can either use a default workspace created by Defender for Cloud or select an existing Log Analytics workspace.

Recommendation: Use a centralized Log Analytics workspace if you already have one for logging and monitoring.

Click Continue and then Save.


Step 5 – Configure Email Notifications

It's important to know when security alerts fire in your environment.

Navigate to Environment settings, select your subscription, then click on Email notifications.

Enter the email addresses that should receive security alerts. You can add multiple addresses separated by commas.


Configure the notification settings:

  • Notify about alerts with the following severity: Select High or High and Medium

  • Include alerts from Microsoft Defender for Cloud: Toggle to On

  • Include alerts from Microsoft Defender plans: Toggle to On

Click Save.


Step 6 – Review Security Recommendations

Now that Defender for Cloud is enabled, let's see what it found.

Go back to the main Defender for Cloud overview page. You'll see your Secure Score displayed prominently.


Click on Recommendations in the left menu. This page shows all the security issues Defender for Cloud has identified in your environment.

Recommendations are grouped by severity: High, Medium, and Low. Click into a few to understand what they're suggesting and what impact remediating them would have on your Secure Score.

Don't worry about fixing everything right now. This is just your baseline.


Step 7 – Verify Agent Deployment

If you enabled auto-provisioning, agents should start deploying to your virtual machines automatically.

To verify this, go to one of your VMs in the Azure Portal. Click on Extensions + applications in the left menu.

You should see either the MicrosoftMonitoringAgent or AzureMonitorWindowsAgent (or the Linux equivalents) listed with a status of "Provisioning succeeded."

This process can take 10-15 minutes after enabling auto-provisioning, so don't panic if you don't see it immediately.
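
The plan toggles from Step 3 and the agent check from Step 7 can also be scripted, which makes the baseline repeatable across subscriptions. The script below is an added example, not part of the original walkthrough. It assumes Azure CLI with an authenticated session; the function names and the subscription, resource group and VM arguments are placeholders.

```bash
# Added example (not from the original post): Steps 3 and 7 with Azure CLI.
# Assumes `az login` has been run; function names are illustrative.

# Step 3 baseline: Servers and Storage, by their Azure CLI plan names.
BASELINE_PLANS="VirtualMachines StorageAccounts"

# Print the current tier (Free or Standard) of one plan.
# Usage: plan_tier SUBSCRIPTION PLAN
plan_tier() (
  az security pricing show --name "$2" --subscription "$1" \
    --query pricingTier -o tsv
)

# Turn on every baseline plan that is not yet Standard; print the plans changed.
# Usage: enable_baseline SUBSCRIPTION
enable_baseline() (
  sub="$1"; changed=""
  for plan in $BASELINE_PLANS; do
    if [ "$(plan_tier "$sub" "$plan")" != "Standard" ]; then
      az security pricing create --name "$plan" --tier Standard \
        --subscription "$sub" >/dev/null || exit 1
      changed="$changed $plan"
    fi
  done
  echo "${changed# }"
)

# Step 7: succeed only if a monitoring agent extension finished provisioning.
# The two Linux names are assumed to be the "Linux equivalents" the text means.
# Usage: agent_ready RESOURCE_GROUP VM_NAME
agent_ready() (
  tab=$(printf '\t')
  az vm extension list --resource-group "$1" --vm-name "$2" \
      --query "[].[name, provisioningState]" -o tsv |
  while IFS="$tab" read -r name state; do
    case "$name" in
      MicrosoftMonitoringAgent|AzureMonitorWindowsAgent|OmsAgentForLinux|AzureMonitorLinuxAgent)
        if [ "$state" = "Succeeded" ]; then echo "$name"; fi ;;
    esac
  done | grep -q .
)
```

Run enable_baseline once per subscription, then call agent_ready for each VM after the 10-15 minute provisioning window; a non-zero exit means no monitoring agent reported "Succeeded" yet.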


Troubleshooting

Agent deployment fails on virtual machines

Check that the VMs are running and have outbound internet connectivity. The agents need to communicate with Azure services. Verify that any Network Security Groups or Azure Firewall rules allow outbound traffic on port 443 to Azure service tags.


Not seeing any recommendations after enabling Defender for Cloud

Recommendations can take up to 24 hours to fully populate after initial enablement. The service needs time to assess your resources. If you're still not seeing recommendations after 24 hours, check that the agents are properly installed and reporting data.

Cost concerns after enabling multiple plans


Each Defender plan has different pricing models. Servers are typically charged per server per month, while Storage is charged per transaction. Go to Environment settings and click on the subscription to see the estimated monthly cost before enabling plans. You can selectively enable only the plans you need.


Can't enable Defender plans at subscription level

Verify you have the appropriate permissions. You need Owner, Contributor, or Security Admin role at the subscription level. If you're working in an enterprise environment, there may be Azure Policy restrictions preventing changes.


Hardening Considerations

Use Azure Policy to enforce Defender for Cloud enablement

Create a custom Azure Policy that requires specific Defender plans to be enabled on all subscriptions in your environment. This prevents accidental disablement and ensures consistent coverage across your Azure estate.
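
One way to express the detection half of such a policy is shown below, as an added example that is not part of the original post. It uses an auditIfNotExists rule, which flags a subscription whose plan has dropped off the Standard tier rather than re-enabling it. It assumes Azure CLI with an authenticated session; the "mdc-plan" name prefix and the function names are placeholders.

```bash
# Added example (not from the original post). Assumes `az login`; the
# definition name prefix and function names are illustrative placeholders.
POLICY_PREFIX="mdc-plan"

# Emit a rule that flags a subscription when Defender plan $1 is not Standard.
policy_rule() {
  cat <<EOF
{
  "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Security/pricings",
      "name": "$1",
      "existenceScope": "subscription",
      "existenceCondition": {
        "field": "Microsoft.Security/pricings/pricingTier",
        "equals": "Standard"
      }
    }
  }
}
EOF
}

# Create one definition per plan and assign it at subscription scope.
# Usage: audit_plans SUBSCRIPTION_ID PLAN [PLAN...]
audit_plans() (
  sub="$1"; shift
  for plan in "$@"; do
    name="$POLICY_PREFIX-$plan"
    rules=$(mktemp)
    policy_rule "$plan" > "$rules"
    az policy definition create --name "$name" --mode All \
      --rules "$rules" --subscription "$sub" >/dev/null || exit 1
    az policy assignment create --name "$name" --policy "$name" \
      --scope "/subscriptions/$sub" --subscription "$sub" >/dev/null || exit 1
    rm -f "$rules"
    echo "$name"
  done
)
```

For example, audit_plans with the plan names VirtualMachines and StorageAccounts covers the two plans enabled in Step 3; non-compliant subscriptions then show up in the Azure Policy compliance view.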


Implement a centralized Log Analytics workspace strategy

Rather than letting Defender for Cloud create individual workspaces per subscription, use a centralized hub workspace. This makes it easier to query data across your entire environment and reduces costs through data consolidation.


Configure continuous export

Set up continuous export to send Defender for Cloud alerts and recommendations to a Log Analytics workspace or Event Hub. This allows you to integrate with SIEM solutions and create custom alerting logic.

Navigate to Environment settings > Continuous export to configure this.

Enable Defender CSPM for advanced features

If your budget allows, enable Defender CSPM (the paid tier) to get access to attack path analysis, cloud security explorer, and agentless scanning. These features provide significantly more visibility than the free Foundational CSPM.


Create exemptions thoughtfully

As you work through recommendations, you'll find some that don't apply to your environment. Use the exemption feature sparingly and always document why a recommendation is being exempted. This creates an audit trail for compliance purposes.

