
5 Microsoft Defender for Cloud Settings You Should Enable Today

Defender for Cloud ships with sensible defaults, but a handful of non-default settings make a dramatic difference to your security posture. Here are the ones I enable on every engagement.


Microsoft Defender for Cloud (MDfC) is one of the most powerful — and most underutilised — tools in the Azure security arsenal. Most teams enable it, glance at the Secure Score, and move on.

These are the settings I check on every cloud security engagement, because they’re off by default but high-value.

1. Enable All Defender Plans on Critical Subscriptions

The free tier gives you posture management. The paid Defender plans (for Servers, Storage, SQL, Containers, etc.) add threat detection. Teams often enable the free tier, see the cost of paid plans, and stop there.

My recommendation: At minimum, enable Defender for Servers on anything facing the internet, and Defender for Storage on every storage account that holds sensitive data. The threat detection signals are worth the cost.

2. Turn On Agentless Scanning

Under Environment Settings → Defender Plans → Servers, you’ll find agentless scanning for vulnerabilities and secrets. It’s off by default.

Agentless scanning gives you vulnerability assessments and can detect secrets (like connection strings) embedded in VM disks — without installing an agent. For large fleets, this is transformative.

3. Configure Email Notifications for High Severity Alerts

Sounds basic. You’d be surprised how often it’s not set up.

Defender for Cloud → Environment Settings → Email notifications — ensure at least one subscription owner and a security contact receive high-severity alerts. If nobody is notified, the alert might as well not exist.
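The three settings above can be checked from the command line as well as in the portal. The script below is an added example (not code from the original post) that audits the JSON printed by `az security pricing list` and `az security contact list` against points 1 to 3: the Servers and Storage plans on the Standard tier, agentless scanning enabled on the Servers plan, and a security contact plus subscription owners receiving high-severity alerts. The sample output embedded in it is constructed rather than captured from a real tenant, and the `AgentlessVmScanning` extension name and the shape of the contact record are assumed from the Defender for Cloud REST API.

```python
"""Offline audit of Defender for Cloud plan and notification settings.

Added example. Feed it the JSON that `az security pricing list` and
`az security contact list` print; the sample documents below are
constructed, not captured from a real subscription.
"""
import json

# Plans the post calls out as the minimum, keyed by the pricing resource name
# the Azure CLI / REST API uses.
REQUIRED_PLANS = {
    "VirtualMachines": "Defender for Servers",
    "StorageAccounts": "Defender for Storage",
}
# Extension on the VirtualMachines plan that enables agentless scanning
# (extension name as used by the pricing API; assumed here).
AGENTLESS_EXTENSION = "AgentlessVmScanning"

# Constructed sample: Storage still on the free tier, agentless scanning off.
SAMPLE_PRICINGS = json.dumps({"value": [
    {"name": "VirtualMachines", "pricingTier": "Standard",
     "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "False"}]},
    {"name": "StorageAccounts", "pricingTier": "Free", "extensions": []},
    {"name": "SqlServers", "pricingTier": "Standard", "extensions": []},
]})

# Constructed sample: a security contact is set, but owners are not notified.
SAMPLE_CONTACTS = json.dumps([
    {"name": "default", "emails": "secops@example.com",
     "alertNotifications": {"state": "On", "minimalSeverity": "Medium"},
     "notificationsByRole": {"state": "Off", "roles": []}},
])


def _items(doc):
    """Accept both a bare JSON array and the {"value": [...]} wrapper."""
    return doc["value"] if isinstance(doc, dict) else doc


def audit_pricings(pricing_json: str) -> list:
    """Return human-readable findings for plans that do not meet the baseline."""
    findings = []
    plans = {p["name"]: p for p in _items(json.loads(pricing_json))}
    for name, label in REQUIRED_PLANS.items():
        plan = plans.get(name)
        if plan is None or plan.get("pricingTier") != "Standard":
            findings.append(f"{label} ({name}) is not on the Standard tier")
    vm = plans.get("VirtualMachines", {})
    enabled = {e["name"] for e in vm.get("extensions", [])
               if str(e.get("isEnabled")).lower() == "true"}
    if AGENTLESS_EXTENSION not in enabled:
        findings.append("Agentless scanning is off on Defender for Servers")
    return findings


def audit_contacts(contact_json: str) -> list:
    """Check that a named contact and subscription owners get high-severity alerts."""
    findings = []
    contacts = _items(json.loads(contact_json))
    # minimalSeverity is a floor: Medium or Low still includes High alerts.
    contact_gets_high = any(
        c.get("emails")
        and c.get("alertNotifications", {}).get("state") == "On"
        and c["alertNotifications"].get("minimalSeverity") in ("High", "Medium", "Low")
        for c in contacts)
    if not contact_gets_high:
        findings.append("No security contact email receives high-severity alerts")
    owner_notified = any(
        c.get("notificationsByRole", {}).get("state") == "On"
        and "Owner" in c["notificationsByRole"].get("roles", [])
        for c in contacts)
    if not owner_notified:
        findings.append("Subscription owners are not notified of alerts")
    return findings


if __name__ == "__main__":
    for finding in audit_pricings(SAMPLE_PRICINGS) + audit_contacts(SAMPLE_CONTACTS):
        print("FINDING:", finding)
```

In practice you would pipe the real CLI output in (`az security pricing list > pricings.json`, then load the file) and run the audit per subscription; on the constructed sample it reports three findings, one for each gap the post warns about.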

4. Connect Your Git Repositories (DevOps Security)

MDfC can connect to GitHub, Azure DevOps, and GitLab to surface security findings in your pipelines. This is a relatively new feature and most teams haven’t wired it up.

Under Environment Settings → DevOps Environments, you can connect your repos and get:

  • Secrets scanning across your codebase
  • IaC misconfigurations (Terraform, Bicep, ARM)
  • Dependency vulnerability alerts

Finding a hardcoded storage account key before it hits production is infinitely better than finding it after.
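The kind of finding the DevOps connector surfaces can also be caught locally before a commit ever reaches the pipeline. The script below is an added example, not code from the original post or from Defender for Cloud, that scans text for hardcoded storage account keys in the two forms they usually appear in IaC and app settings: inside a connection string (`AccountKey=...`) and as a bare key assignment. It relies on the fact that a storage account key is 64 random bytes base64-encoded, so 88 characters ending in `==`; the Terraform fragment it scans is constructed and the key in it is a placeholder.

```python
"""Pre-commit style check for hardcoded Azure storage account keys.

Added example. It flags literal keys only; references resolved at deploy
time (listKeys(), a resource attribute, a Key Vault reference) contain no
88-character literal and are therefore not reported.
"""
import re
import sys

# A storage account key is 64 bytes of base64: 86 characters plus "==".
_KEY_B64 = r"[A-Za-z0-9+/]{86}=="
PATTERNS = {
    "storage-connection-string": re.compile(r"AccountKey=(" + _KEY_B64 + r")"),
    "storage-key-assignment": re.compile(
        r"""(?i)(?:account[_-]?key|storage[_-]?key)\s*[:=]\s*["']?("""
        + _KEY_B64 + r""")["']?"""),
}

# Constructed placeholder, not a real key.
FAKE_KEY = "A" * 86 + "=="

# Constructed sample file: one leaked key, one safe deploy-time reference.
SAMPLE_FILE = f"""
resource "azurerm_function_app" "api" {{
  app_settings = {{
    "AzureWebJobsStorage" = "DefaultEndpointsProtocol=https;AccountName=contosologs;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
  }}
}}
# Safe: the key is resolved at deploy time and nothing is committed
storage_key = azurerm_storage_account.logs.primary_access_key
"""


def scan(text: str, path: str = "<stdin>") -> list:
    """Return one finding per line that contains a literal storage account key.

    The key itself is never echoed back; only a short preview is kept so the
    report can be pasted into a ticket without re-leaking the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                key = match.group(1)
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "preview": key[:4] + "..." + key[-2:],
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = []
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                results.extend(scan(fh.read(), p))
    else:
        results = scan(SAMPLE_FILE, "sample.tf")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['preview']})")
    sys.exit(1 if results else 0)
```

Run it with file paths as arguments from a pre-commit hook; a non-zero exit blocks the commit. Without arguments it scans the constructed sample and reports the connection-string leak on line 4 while leaving the `primary_access_key` reference alone.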

5. Export Alerts to Sentinel

If you’re running Microsoft Sentinel, connect it to MDfC via the continuous export feature. This routes all MDfC alerts and recommendations into Sentinel for correlation and automated response.

The combination of MDfC (posture + threats) and Sentinel (SIEM/SOAR) gives you a genuinely comprehensive picture. Running them in isolation wastes a lot of the value of both products.


This is part of an ongoing series on practical Microsoft cloud security. Subscribe via RSS or follow along on LinkedIn.

Written by Tom Clark

Senior Cloud Security & Platform Engineer