Defender for Cloud in 2026: What to Enable, Tune, and Skip
In this article
- What You Get for Free
- Which Defender Plans to Enable First
- What We Typically Find
- Secure Score as Signal, Not Target
- The Recommendations That Actually Matter
- Regulatory Compliance Dashboards
- Integration with Sentinel
- Estimating Cost Before You Enable
- Suppressions and Exemptions
- From Defender Findings to Compliance Evidence
- Where to Start

When we wrote about Defender for Cloud’s multi-cloud rebrand in 2021, the product was a single dashboard with a handful of plans and a Secure Score number. Five years later, it covers CSPM, workload protection, regulatory compliance, attack path analysis, and cloud-native application protection.
We work with enterprise security teams that have Defender for Cloud enabled but don’t know which plans are running, what they cost, or whether the recommendations they’re ignoring actually matter. This is a practical breakdown of what to turn on first, what to tune, and what to skip.
If you only do three things:
- Enable Defender for Key Vault across all subscriptions
- Enable Defender for Servers Plan 2 on production only
- Treat Secure Score as a trend indicator, not a target
What You Get for Free
The free tier is already active in every Azure subscription. It provides foundational CSPM: continuous assessment against the Microsoft Cloud Security Benchmark, a Secure Score, and basic recommendations. It catches misconfigured storage accounts, missing disk encryption, overly permissive NSGs, and similar baseline issues at no cost.
What you don’t get for free: workload protection (threat detection for VMs, storage, databases), attack path analysis, regulatory compliance dashboards beyond MCSB, and the Defender-for-X plans.
Which Defender Plans to Enable First
Every Defender plan bills per protected resource. Enabling everything across a large subscription set can produce a painful invoice. The order matters.
- Defender for Key Vault. Small cost, high-signal alerts: anomalous access patterns, unusual geographic access, suspicious enumeration. Key Vault holds your most sensitive material; protect it first.
- Defender for Servers Plan 2 on production. The largest expense and the most impactful. Over Plan 1 it adds agentless scanning, file integrity monitoring, and just-in-time VM access. Use Plan 1 (or nothing) on dev/test. Cost is per server per hour, so estimate before enabling.
- Defender for DNS. Monitors queries for C2 callbacks and DNS tunnelling, and produces alerts that are hard to get any other way. Microsoft stopped offering it as a standalone plan to new subscriptions in 2023 and folded the detections into Defender for Servers Plan 2, so if the toggle is missing from a subscription, that is why.
- Defender for Storage. Detects anomalous access, malware uploads, and connections from Tor exit nodes. The current plan bills per storage account, with a per-GB charge on top for on-upload malware scanning; the legacy (classic) plan bills per transaction. Either way, high-volume accounts can get expensive, so evaluate your storage profile first.
Skip or delay initially:
- Defender for Containers: requires runtime agents and image scanning. Skip if you don’t run AKS in production.
- Defender for App Service: less value if your web tier already sits behind a WAF whose logs are actually analysed.
- Defender for Databases: worth enabling for sensitive production databases, but Key Vault and Servers produce more actionable alerts per euro. Wave two.
- Defender CSPM (paid): attack path analysis and the cloud security graph. Valuable for mature teams, but the free CSPM is sufficient while you work through basic recommendation hygiene.
What We Typically Find

When we review Defender for Cloud in enterprise Azure estates, the same patterns come up repeatedly.
- Plans enabled without ownership. Someone turned on Defender for Servers across all subscriptions two years ago. Nobody knows whether the alerts are being reviewed, which team handles triage, or whether the cost is justified by the signal.
- Recommendations piling up. The initial cleanup happened during onboarding. The findings that accumulated since then sit in the portal untouched. Secure Score has drifted down and nobody noticed.
- Noisy findings mixed with real risk. A recommendation about diagnostic settings on a sandbox subscription sits in the same list as management ports open to the internet on a production VM. Without severity-based triage and environment-aware filtering, the important signals drown.
- Tool overlap with no single owner. Defender reports a storage account as non-compliant. Azure Policy reports the same account differently because it checks a different property. Sentinel has an alert from Defender for Storage about anomalous access. Three tools, three views, no single owner.
- Exemptions without documentation. Thirty exemptions exist across production subscriptions. Five have a valid business reason recorded. The rest say “waived” with no evidence, no owner, and no review date.
Secure Score as Signal, Not Target

Secure Score represents how many recommendations you have addressed, weighted by impact. Microsoft designed it as a prioritisation tool. Too many organisations treat it as a KPI.
Not every recommendation applies to every environment. Chasing 100% produces busywork, not security. A Secure Score of 70% with documented exemptions for the remaining 30% is a healthier posture than 95% achieved by disabling features to avoid findings.
Use Secure Score as a trend indicator. Set a floor (65-70%) and treat drops below it as incidents; if the score drops significantly week over week, investigate. Above the floor, prioritise by actual risk, not score impact.
The Recommendations That Actually Matter
After working through hundreds of subscriptions, these consistently surface real risk:
- MFA not enforced for all users. If this is open, nothing else matters yet.
- Storage accounts allowing unintended public access.
- Management ports open to the internet (RDP/SSH reachable from 0.0.0.0/0).
- Key Vault soft-delete and purge protection not enabled.
- Disk encryption not applied to VMs. Relevant under NIS2 and DORA.
- Subnets not associated with an NSG.
- SQL databases without transparent data encryption.
- Diagnostic settings not configured on critical resources.
- Just-in-time VM access not enabled (included in Servers Plan 2).
- Deprecated or unsupported OS versions.
Everything else is context-dependent. Triage by risk, not by list position in the portal.
The most dangerous finding is not the one with the highest severity label. It is the one on a production resource that nobody has looked at in six months.
Regulatory Compliance Dashboards
Defender for Cloud maps your posture against regulatory standards including CIS Benchmarks, ISO 27001, NIS2, and DORA. The dashboards are useful for audit preparation and for identifying gaps that Secure Score alone won’t surface (because Secure Score only tracks MCSB).
For Belgian and EU enterprises, add the NIS2 compliance dashboard. It won’t cover organisational measures or incident reporting processes (those are outside Azure’s scope), but it handles the technical control requirements.
Integration with Sentinel
Defender alerts flow into Microsoft Sentinel through the built-in Microsoft Defender for Cloud connector. Enable it, but be intentional: the connector only streams the alerts, and incident creation is governed by the Microsoft security incident-creation analytics rule, which takes a severity filter. High and medium severity alerts warrant automated incident creation. Low and informational alerts should be available for hunting in the SecurityAlert table but not generate incidents. Otherwise your SOC drowns in recommendation-grade noise.
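A way to check what that severity filter would actually do before you switch it on, as an added example (not code from the article): the script below routes a handful of alert rows shaped like the SecurityAlert columns Sentinel receives from the Defender for Cloud connector (ProductName is "Azure Security Center" for those alerts) and builds the body of the incident-creation rule. The alert rows and their names are constructed, and the rule property names (kind MicrosoftSecurityIncidentCreation, productFilter, severitiesFilter) are my reading of the SecurityInsights alertRules API; verify them against the REST reference before deploying.

```python
"""Preview what a severity-filtered incident-creation rule would do with Defender alerts.

Added example; not from the original article. Sample rows are constructed.
"""
from collections import Counter

SEVERITIES = ("High", "Medium", "Low", "Informational")
DEFENDER_PRODUCT = "Azure Security Center"  # ProductName on Defender for Cloud alerts in SecurityAlert

# Constructed rows mimicking SecurityAlert columns (names are illustrative, not real alert titles).
SAMPLE_ALERTS = [
    {"ProductName": DEFENDER_PRODUCT, "AlertSeverity": "High", "AlertName": "Suspicious authentication to Key Vault"},
    {"ProductName": DEFENDER_PRODUCT, "AlertSeverity": "Medium", "AlertName": "Access from a Tor exit node to a storage account"},
    {"ProductName": DEFENDER_PRODUCT, "AlertSeverity": "Low", "AlertName": "Unusual volume of resources accessed"},
    {"ProductName": DEFENDER_PRODUCT, "AlertSeverity": "Low", "AlertName": "Unusual volume of resources accessed"},
    {"ProductName": DEFENDER_PRODUCT, "AlertSeverity": "Informational", "AlertName": "Traffic from an IP on a block recommendation"},
    # Not a Defender for Cloud alert: the product filter must leave it alone.
    {"ProductName": "Azure Active Directory Identity Protection", "AlertSeverity": "High", "AlertName": "Anomalous token"},
]


def route(alert, incident_severities=("High", "Medium")):
    """'incident' if the rule would open one, 'hunting' if the alert stays queryable only,
    None if the alert is not from Defender for Cloud (another rule's business)."""
    if alert["ProductName"] != DEFENDER_PRODUCT:
        return None
    return "incident" if alert["AlertSeverity"] in incident_severities else "hunting"


def preview(alerts, incident_severities=("High", "Medium")):
    """Count per alert name how many rows would become incidents vs stay hunting-only.
    Run this over a week of exported SecurityAlert rows before enabling the rule."""
    counts = {"incident": Counter(), "hunting": Counter()}
    for alert in alerts:
        decision = route(alert, incident_severities)
        if decision:
            counts[decision][alert["AlertName"]] += 1
    return counts


def incident_creation_rule(display_name, incident_severities=("High", "Medium")):
    """Body of a Microsoft security incident-creation analytics rule scoped to
    Defender for Cloud alerts of the chosen severities (property names assumed, see lead-in)."""
    unknown = set(incident_severities) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    return {
        "kind": "MicrosoftSecurityIncidentCreation",
        "properties": {
            "displayName": display_name,
            "enabled": True,
            "productFilter": DEFENDER_PRODUCT,
            "severitiesFilter": list(incident_severities),
        },
    }


if __name__ == "__main__":
    result = preview(SAMPLE_ALERTS)
    for bucket in ("incident", "hunting"):
        for name, n in result[bucket].most_common():
            print(f"{bucket:8} {n:3}  {name}")
    print(incident_creation_rule("Defender for Cloud - High/Medium to incidents"))
```

The hunting bucket is the number to watch: if one low-severity alert name dominates it, that is the candidate for a scheduled hunting query rather than an incident rule.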
Estimating Cost Before You Enable
Before enabling any paid plan, run an inventory. Count your VMs by environment (prod vs. dev/test). Count Key Vaults, storage accounts (with transaction volume estimates), and databases. Use the pricing calculator before clicking “Enable.” Start with production subscriptions only.
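The plan ordering from "Which Defender Plans to Enable First" and the inventory step above, carried through as one added worked example (not code from the article): it reads resources shaped like `az resource list -o json` output (a constructed inventory here), classifies subscriptions as production or not through an assumed mapping, decides the plans in the order this article recommends, emits the matching `az security pricing create` commands, and estimates the Defender for Servers bill. The hourly rates are placeholders that you must replace with pricing-calculator figures, and the `monthly_transactions` value per storage account is an assumption (take it from the account's Transactions metric); the script flags accounts above a threshold for pricing instead of enabling Defender for Storage on them.

```python
"""Plan rollout and Servers cost estimate from an exported Azure inventory.

Added example; not from the original article. Inventory, subscription IDs and
rates below are constructed placeholders.
"""
from collections import defaultdict

HOURS_PER_MONTH = 730  # Azure's convention for monthly estimates

# Assumed: you already know which subscriptions are production. Unknown
# subscriptions are treated as production so the estimate errs high.
SUBSCRIPTION_ENV = {"sub-prod-01": "prod", "sub-dev-01": "dev"}

# Constructed inventory shaped like `az resource list -o json` entries.
# `monthly_transactions` is not an ARM field; it is an assumed figure from the
# storage account's Transactions metric.
INVENTORY = [
    {"id": "/subscriptions/sub-prod-01/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "type": "Microsoft.Compute/virtualMachines"},
    {"id": "/subscriptions/sub-prod-01/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-02",
     "type": "Microsoft.Compute/virtualMachines"},
    {"id": "/subscriptions/sub-prod-01/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-prod",
     "type": "Microsoft.KeyVault/vaults"},
    {"id": "/subscriptions/sub-prod-01/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprodlogs",
     "type": "Microsoft.Storage/storageAccounts", "monthly_transactions": 2_400_000_000},
    {"id": "/subscriptions/sub-dev-01/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-dev-01",
     "type": "Microsoft.Compute/virtualMachines"},
    {"id": "/subscriptions/sub-dev-01/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-dev",
     "type": "Microsoft.KeyVault/vaults"},
    {"id": "/subscriptions/sub-dev-01/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdevfiles",
     "type": "Microsoft.Storage/storageAccounts", "monthly_transactions": 50_000},
]

# PLACEHOLDER per-server hourly rates, NOT real prices: read them off the
# pricing calculator for your region and currency before trusting the total.
PLACEHOLDER_RATES = {"P1": 0.007, "P2": 0.02}


def subscription_of(resource):
    """Resource IDs start with /subscriptions/<id>/..."""
    return resource["id"].split("/")[2]


def summarize(inventory):
    """Per subscription: environment, VM count, vault count, storage transaction volumes."""
    summary = defaultdict(lambda: {"env": "prod", "vms": 0, "keyvaults": 0, "storage": []})
    for r in inventory:
        sub = subscription_of(r)
        entry = summary[sub]
        entry["env"] = SUBSCRIPTION_ENV.get(sub, "prod")
        kind = r["type"].lower()
        if kind == "microsoft.compute/virtualmachines":
            entry["vms"] += 1
        elif kind == "microsoft.keyvault/vaults":
            entry["keyvaults"] += 1
        elif kind == "microsoft.storage/storageaccounts":
            entry["storage"].append(r.get("monthly_transactions", 0))
    return dict(summary)


def rollout_plan(summary, storage_tx_threshold=1_000_000_000):
    """Plans per subscription in the article's order: Key Vault everywhere, Servers P2 on
    prod / P1 elsewhere, DNS, then Storage only where the volume is under the threshold."""
    plan = {}
    for sub, s in summary.items():
        decisions = [("KeyVaults", "standard", None),
                     ("VirtualMachines", "standard", "P2" if s["env"] == "prod" else "P1"),
                     ("Dns", "standard", None)]
        if s["storage"]:
            tier = "standard" if max(s["storage"]) <= storage_tx_threshold else "review"
            decisions.append(("StorageAccounts", tier, None))
        plan[sub] = decisions
    return plan


def estimate_server_cost(summary, rates=PLACEHOLDER_RATES):
    """Monthly Defender for Servers estimate: servers x hourly rate x 730 hours."""
    total = 0.0
    for s in summary.values():
        subplan = "P2" if s["env"] == "prod" else "P1"
        total += s["vms"] * rates[subplan] * HOURS_PER_MONTH
    return round(total, 2)


def az_commands(plan):
    """The az CLI calls that apply the plan; 'review' decisions become comments."""
    cmds = []
    for sub, decisions in plan.items():
        for name, tier, subplan in decisions:
            if tier == "review":
                cmds.append(f"# {sub}: {name} exceeds the transaction threshold; price it before enabling")
                continue
            cmd = f"az security pricing create --subscription {sub} --name {name} --tier {tier}"
            cmds.append(cmd + (f" --subplan {subplan}" if subplan else ""))
    return cmds


if __name__ == "__main__":
    summary = summarize(INVENTORY)
    print("\n".join(az_commands(rollout_plan(summary))))
    print(f"estimated Servers cost/month (placeholder rates): {estimate_server_cost(summary)}")
```

Pipe real data in with `az resource list -o json` and a subscription mapping from your CMDB; the Key Vault and Storage counts are printed for the calculator rather than priced here, because their billing units differ from the per-server-hour model.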
Suppressions and Exemptions
Not every recommendation applies to every resource. Defender for Cloud supports exemptions that suppress specific recommendations on specific resources; under the hood they are Azure Policy exemption resources, so they can be listed and reviewed outside the portal. Always use formal exemptions rather than ignoring recommendations informally. An exemption includes a reason, an owner, and an expiry date. An ignored recommendation is just a gap nobody tracks.
Document the reasoning. “Business requirement” is not a reason. “This storage account serves the public website; public blob access required by design, approved by security team on 2026-03-15, review date 2026-09-15” is a reason. Review active exemptions quarterly.
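The quarterly review described above, as an added example that is not code from the article: an audit over exported exemptions that flags exactly the failures listed under "What We Typically Find" (no reason, no owner, no expiry, review overdue). It expects the flattened JSON that `az policy exemption list -o json` returns for Microsoft.Authorization/policyExemptions resources; the `owner` and `reviewDate` keys under `metadata` are an assumed convention (record them however your process does, but record them), and the three sample exemptions are constructed.

```python
"""Audit Defender for Cloud exemptions for missing reason, owner, expiry and review date.

Added example; not from the original article. Sample exemptions are constructed.
"""
from datetime import date, datetime

# Descriptions that are not reasons. Extend to taste; the point is that a
# one-word waiver fails the audit.
NON_REASONS = {"", "waived", "waiver", "business requirement", "n/a", "accepted"}

SAMPLE_EXEMPTIONS = [
    {  # the well-documented case from the article
        "name": "stpublicweb-public-access",
        "description": "This storage account serves the public website; public blob access "
                       "required by design, approved by security team on 2026-03-15",
        "exemptionCategory": "Waiver",
        "expiresOn": "2026-09-15T00:00:00Z",
        "metadata": {"owner": "web-platform-team", "reviewDate": "2026-09-15"},
    },
    {  # the usual finding: "waived" and nothing else
        "name": "vm-legacy-rdp",
        "description": "waived",
        "exemptionCategory": "Waiver",
        "metadata": {},
    },
    {  # documented once, then forgotten
        "name": "sql-tde-sandbox",
        "description": "Sandbox SQL instance holds synthetic data only; approved 2025-01-10",
        "exemptionCategory": "Mitigated",
        "expiresOn": "2025-07-10",
        "metadata": {"owner": "data-team", "reviewDate": "2025-04-10"},
    },
]


def parse_date(value):
    """Accept 'YYYY-MM-DD' or an ISO timestamp such as '2026-09-15T00:00:00Z'; None if absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).date()


def audit_exemption(ex, today):
    """Problems with one exemption; an empty list means it passes."""
    issues = []
    description = (ex.get("description") or "").strip().lower()
    if description in NON_REASONS:
        issues.append("no documented reason")
    metadata = ex.get("metadata") or {}
    if not metadata.get("owner"):
        issues.append("no owner")
    expires = parse_date(ex.get("expiresOn"))
    if expires is None:
        issues.append("no expiry date")
    elif expires < today:
        issues.append(f"expired on {expires.isoformat()}")
    review = parse_date(metadata.get("reviewDate"))  # next review due; quarterly per the article
    if review is None:
        issues.append("no review date")
    elif review < today:
        issues.append(f"review overdue since {review.isoformat()}")
    return issues


def audit(exemptions, today=None):
    """Map exemption name -> list of issues, for every exemption in the export."""
    today = today or date.today()
    return {ex["name"]: audit_exemption(ex, today) for ex in exemptions}


def needs_attention(results):
    """Names of exemptions that fail at least one check."""
    return sorted(name for name, issues in results.items() if issues)


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_EXEMPTIONS).items():
        print(f"{name}: {'ok' if not issues else '; '.join(issues)}")
```

Run it against `az policy exemption list --disable-scope-strict-match -o json` for each production subscription and feed `needs_attention` into the quarterly review; an expired exemption is worse than a missing one, because the finding has silently come back while everyone believes it is still waived.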
From Defender Findings to Compliance Evidence

An exemption without a documented reason, an owner, and a review date is not an exemption. It is a gap nobody tracks.
Defender for Cloud tells you what is misconfigured. It does not tell you what that means for your compliance obligations, who owns the gap, or what proof you can show to an auditor.
What Defender gives you:
- findings and posture signals
- recommendation tracking and Secure Score
- regulatory compliance mapping (CIS, NIS2, ISO 27001)
What it does not give you:
- control ownership and remediation accountability
- auditor-ready evidence with review dates and attestations
- cross-framework interpretation (what does this Defender finding mean for CyFun control PR.AC-3?)
We built Governator to bridge that gap. It sits on top of Defender for Cloud (and Azure Policy, RBAC, Activity Log, cost data, WAF policies, and network security analysis) and maps findings to the CCB CyberFundamentals framework, NIS2 Directive Article 21 measures, and CIS controls. Each finding gets an owner, a remediation timeline, and an audit trail. Each control gets an interpretation layer that explains what Azure evidence exists, what is missing, and what remediation or attestation is needed.
Defender for Cloud is the data source. Governator is the operating model on top of it: auditor-ready evidence packs, board dashboards with audit readiness scores, and remediation workflows with accountability.
Where to Start
If you are new to Defender for Cloud or have it enabled but unmanaged:
- Review free-tier recommendations. Fix the top 10 highest-impact findings.
- Enable Defender for Key Vault across all subscriptions.
- Enable Defender for Servers Plan 2 on production subscriptions. Estimate cost first.
- Add the NIS2 or CIS compliance dashboard.
- Connect Defender alerts to Sentinel if you have a workspace running.
- Set up exemptions for recommendations you’ve intentionally accepted.
Everything after that is incremental. The goal is not to turn everything on; it is to turn on the right things and actually act on what they tell you.
In most Azure estates, the issue is not whether Defender for Cloud is enabled. The issue is whether it has been turned into an operating control with clear scope, ownership, and follow-through.
Related: Microsoft Sentinel in 2026 covers ingestion cost control. Cloud Security Is a Board Problem Now covers NIS2 and DORA context. Governator is our platform for turning Defender findings into CyFun/NIS2 compliance evidence with remediation tracking and audit readiness.
Need help with your Azure security posture?
We help enterprises design and tune Azure security controls: WAF policies, Sentinel ingestion, Defender for Cloud, identity governance, and NIS2/DORA readiness.