Skip to main content
This guide explains how to configure Defender for Cloud policies in Azure to monitor and enforce security compliance. Defender for Cloud allows you to assign various policies—such as the Azure Security Benchmark—and continuously assess your Azure resources against these standards.

Overview of the Azure Security Benchmark

The Azure Security Benchmark provides a comprehensive roadmap for implementing robust security controls. It aligns with multiple compliance frameworks and regulatory requirements including PCI DSS, HIPAA, and GDPR. Integrated directly with Microsoft Defender for Cloud, the benchmark evaluates your resource configurations and offers remediation recommendations based on periodic assessments.
By assigning the Azure Security Benchmark, you not only secure your environment but also receive targeted recommendations to improve your overall security posture.

How Defender for Cloud Works

Once the required policies are assigned, Defender for Cloud evaluates your Azure resources, checking them against the defined requirements. It then reports on compliance levels and provides clear remediation recommendations. Additional policy initiatives, including PCI or HIPAA, can be incorporated as needed to further tailor your security strategy.
The image shows a configuration interface for Azure Security Center policies, highlighting security controls, compliance frameworks, recommendations, and regular assessments. It includes a list of industry and regulatory standards with options to enable or disable them.
To see these policies in action, follow these steps in the Azure portal:
  1. Open the portal and navigate to Microsoft Defender for Cloud.
  2. Enter the environment settings where you enable security plans.
  3. Click on Edit settings to access the security policies view.
At this point, you might notice that the default initiative is not assigned yet. To deploy it, click on Assign policy to add the Microsoft Cloud Security Benchmark initiative.
The image shows a Microsoft Azure portal screen for assigning a security policy initiative called "Microsoft cloud security benchmark." It includes options for setting the scope, exclusions, and policy enforcement.
This initiative comprises 210 audit policies, out of which 12 are disabled by default. The comprehensive security recommendations you see for your environment are based on this evaluation.

Adding Additional Regulatory Standards

If you want to include additional standards such as PCI DSS, you can easily do so:
  1. Locate the PCI DSS standard in the list.
  2. Click the Add button next to it.
The image shows a Microsoft Azure portal page listing various regulatory compliance standards, each with an "Add" button next to it. The page is part of the Microsoft Defender for Cloud settings.
This action opens the policy assignment blade for the selected standard. Once added, the initiative will evaluate your Azure resources against its specific compliance criteria, highlighting any gaps and providing actionable remediation steps.
The following sections will delve deeper into the remediation recommendations generated by these policies and provide guidance on how to address compliance issues effectively.

Summary

By configuring Defender for Cloud policies, you create a proactive security environment for your Azure resources. Using initiatives like the Microsoft Cloud Security Benchmark, you receive continuous assessments and targeted recommendations, ensuring that your security posture meets industry best practices and regulatory requirements. For more information on Azure Security and compliance, visit Microsoft Defender for Cloud Documentation.

Watch Video