Using Secure Score and Inventory
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Module: Security Posture with Microsoft Defender for Cloud
Lesson: Mastering Secure Score and Inventory Management
Introduction: Why Security Posture Matters
In the modern landscape of cloud computing, the perimeter has effectively vanished. Organizations no longer manage a single physical data center with a locked door; instead, they operate across sprawling, multi-cloud, and hybrid environments. This complexity makes it incredibly difficult to maintain visibility into what assets exist, let alone whether they are configured securely. If you do not know what you own, you cannot protect it.
This is where the concept of "Security Posture" becomes critical. Security posture refers to the overall cybersecurity strength of an organization and its ability to anticipate, identify, and respond to threats. In Microsoft Defender for Cloud, this posture is measured through two primary lenses: the Secure Score and the Asset Inventory.
The Secure Score provides a quantifiable metric of your security health, turning abstract risk into a concrete, actionable number. The Asset Inventory provides the foundational visibility required to manage that score. Together, these tools allow security teams to move away from reactive "firefighting" and toward a proactive, continuous improvement model. In this lesson, we will explore how to use these tools effectively to harden your environment, reduce your attack surface, and report your progress to stakeholders.
Part 1: Understanding the Secure Score
The Secure Score is the backbone of your security posture in Microsoft Defender for Cloud. It is a measurement of your organization’s security position, with a higher number indicating a lower level of identified risk. When you enable Defender for Cloud, you are automatically presented with a score based on the security recommendations that are currently applicable to your environment.
How the Score is Calculated
The Secure Score is not just a random number; it is a weighted calculation. Not all security recommendations are created equal. For example, ensuring that a virtual machine has multi-factor authentication (MFA) enabled is generally considered more critical than a minor configuration change in a non-production storage bucket.
Defender for Cloud uses the Microsoft Cloud Security Benchmark (MCSB) as the default standard. This benchmark is a set of guidelines that reflect industry best practices for securing your cloud resources. When you implement a recommendation from the benchmark, your score increases. When you ignore a vulnerability, your score remains stagnant or drops as new threats are identified.
Callout: Secure Score vs. Compliance It is important to distinguish between Secure Score and regulatory compliance. Secure Score is about your internal security health and risk reduction. Compliance (such as ISO 27001 or PCI-DSS) is about meeting specific legal or industry-standard requirements. You might have a high Secure Score but still be non-compliant with a specific regulation, or vice versa. Always view Secure Score as your primary operational tool for daily security hygiene.
Navigating the Secure Score Dashboard
To view your score, navigate to the Defender for Cloud portal and select "Secure Score" from the left-hand menu. You will see a graphical representation of your score over time. This historical view is essential for demonstrating the effectiveness of your security team. If you implemented a new policy last month and your score trended upward, you have visual proof of your progress.
The dashboard breaks down your score by subscription and by specific security control. This allows you to identify which areas of your environment are "dragging down" your score. For instance, you might find that your Identity and Access Management (IAM) controls are strong, but your data protection settings for storage accounts are weak. This specific insight allows you to prioritize your work.
Part 2: Working with Recommendations
Recommendations are the actionable tasks that improve your Secure Score. They are organized by control categories like Compute, Networking, Data, and Identity. Each recommendation includes a description, the specific resources impacted, and the potential impact on your score.
Implementing Recommendations
When you click on a recommendation, you are taken to a detailed view that explains why the change is necessary. For example, a recommendation to "Enable MFA for accounts with owner permissions" will explain that unauthorized access to these accounts could lead to a full environment compromise.
Following the guidance provided within the portal is usually the most efficient path forward. You can often trigger a "Quick Fix" directly from the portal, which uses an Azure Resource Manager (ARM) template or a CLI script to apply the recommended setting automatically.
Tip: Prioritize by Impact When looking at a long list of recommendations, it is easy to become overwhelmed. Use the "Score Impact" column to sort your tasks. Always start with the high-impact recommendations that affect the most resources. Improving one high-impact control is often more valuable than fixing ten minor, low-impact issues.
Using Azure Policy to Enforce Security
While you can fix issues manually, the best practice is to use Azure Policy to prevent them from happening in the first place. Many recommendations in Defender for Cloud are backed by Azure Policy definitions. By assigning these policies to your subscriptions, you can prevent users from deploying resources that don't meet your security standards.
For example, if you have a recommendation to "Restrict access to storage accounts," you can create an Azure Policy that denies any request to create a storage account with public access enabled. This shifts the burden of security from "remediation" (fixing the problem) to "prevention" (stopping the problem before it starts).
Part 3: Mastering Asset Inventory
Before you can secure your environment, you must have a complete list of your assets. The Asset Inventory in Defender for Cloud is a powerful tool that provides a centralized view of your resources across Azure, AWS, and GCP.
Why Inventory is Essential
Many security breaches occur because of "shadow IT"—assets that were deployed by developers or departments without the security team's knowledge. If an asset isn't tracked, it isn't patched, monitored, or protected. The Asset Inventory solves this by pulling data from all connected environments into a single, queryable interface.
Using the Resource Graph Explorer
The true power of the Asset Inventory lies in its integration with Azure Resource Graph (ARG). You can write Kusto Query Language (KQL) queries to find exactly what you need.
For example, if you want to find all virtual machines that are currently missing a specific security agent, you can run a query like this:
securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = properties.resourceDetails.Id
| where properties.status.code == "Unhealthy"
| where properties.displayName == "System updates should be installed on your machines"
| project resourceId, properties.status.description
This query searches the security assessment database for any resource marked as "Unhealthy" regarding system updates. The output gives you a targeted list of machines that require your immediate attention.
Categorizing and Exporting Data
You can filter your inventory by resource type, subscription, location, or tag. Tags are particularly useful for organizational hygiene. If you tag your resources by "Environment: Production" or "Owner: Finance," you can quickly filter your inventory to see the security status of your most critical assets.
Exporting this data to Excel or Power BI is a common requirement for security reporting. By exporting the inventory, you can create custom dashboards for management that show the security posture of specific business units, which is often more useful than a single, global score.
Callout: Inventory vs. Configuration Management Think of Asset Inventory as your "Security Census." It tells you who is in the building (your resources) and their current health status. Configuration Management (like Terraform or Ansible) is the "Blueprint" that dictates how the building should be constructed. You need the census to ensure the building matches the blueprint.
Part 4: Best Practices and Industry Standards
To maximize the effectiveness of Defender for Cloud, you should align your operations with industry-standard practices. These strategies help prevent "alert fatigue" and ensure that your security efforts are actually reducing risk.
1. Adopt a "Shift Left" Mentality
Don't wait for a resource to be deployed before you check its security. Integrate security checks into your CI/CD pipelines. If a developer attempts to deploy an insecure infrastructure template, the pipeline should fail, providing them with immediate feedback on how to fix the configuration.
2. Leverage Regulatory Standards
Defender for Cloud allows you to add different regulatory standards to your dashboard. While the Microsoft Cloud Security Benchmark is a great starting point, you should enable standards relevant to your industry, such as NIST 800-53, HIPAA, or SOC2. This maps your security posture directly to compliance requirements.
3. Use Tags for Contextual Awareness
A raw list of 5,000 resources is useless. By implementing a robust tagging policy, you can group resources by business impact. When a high-severity alert appears for a resource tagged "Critical-Production," your team will know to prioritize it over a "Dev-Test" resource.
4. Continuous Monitoring
Security is not a project; it is a process. Set up automated email notifications or trigger Logic Apps when your Secure Score drops below a certain threshold. This ensures that you are notified immediately when a new vulnerability is introduced into your environment.
5. Common Pitfalls to Avoid
- Ignoring "Excluded" Resources: It is tempting to exclude a resource from recommendations because it is "too hard" to fix. This creates blind spots. Only exclude resources when you have a legitimate, documented business reason and a compensating control in place.
- Over-relying on Default Policies: While default policies are good, they may not fit every unique scenario. Customize your policies to match your actual operational needs.
- Neglecting Multi-Cloud: If you have AWS or GCP assets, ensure they are connected to Defender for Cloud. A secure Azure environment means nothing if your AWS S3 buckets are wide open to the public.
Part 5: Step-by-Step Implementation Guide
If you are starting from scratch, follow these steps to establish a solid security posture:
Step 1: Enable Defender for Cloud
- Log into the Azure Portal.
- Search for "Microsoft Defender for Cloud."
- Go to "Environment Settings" and select your subscription.
- Enable the "Enhanced Security Features" (this is required for advanced recommendations and regulatory compliance tracking).
Step 2: Review Your Initial Score
- Navigate to the "Secure Score" page.
- Review the top-contributing recommendations.
- Click on the "Recommendations" tab to see the list of issues ranked by impact.
Step 3: Implement Quick Fixes
- Select a recommendation with a high "Score Impact."
- Review the "Remediation Steps."
- Use the "Fix" button if available. If not, follow the manual steps provided in the documentation link.
- Verify the fix by refreshing the dashboard (this may take a few minutes as the scanner re-evaluates).
Step 4: Configure Alerts and Reporting
- Go to "Workbooks" in the Defender for Cloud menu.
- Select the "Secure Score Over Time" workbook.
- Pin this to your Azure Dashboard so it is the first thing you see when you log in.
- Set up an alert rule in Azure Monitor to notify your team if the "Secure Score" falls below a specific percentage.
Part 6: Advanced KQL Queries for Inventory
To truly master the Asset Inventory, you should become comfortable with KQL. Here are three practical queries you can use to maintain your posture.
Query 1: Find all unencrypted storage accounts
securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName == "Storage accounts should have secure transfer enabled"
| where properties.status.code == "Unhealthy"
| project resourceId, properties.status.description
Query 2: List all resources that are missing a "Department" tag
resources
| where tags.Department == ""
| project name, type, resourceGroup, location
Query 3: Identify VMs that have public IP addresses
resources
| where type == "microsoft.network/publicipaddresses"
| join kind=inner (
resources | where type == "microsoft.network/networkinterfaces"
) on $left.id == $right.properties.ipConfigurations.properties.publicIPAddress.id
| project name, resourceGroup, properties.ipAddress
Part 7: Comparison Table: Secure Score vs. Asset Inventory
| Feature | Secure Score | Asset Inventory |
|---|---|---|
| Primary Goal | Measure security health and risk | Provide visibility into resources |
| Data Type | Weighted numerical value | List of resources and metadata |
| Action | Fix recommendations to increase | Use for planning, auditing, and triage |
| Visibility | High-level (Executive/Manager) | Granular (Operational/Security Engineer) |
| Update Frequency | Near real-time | Real-time (event-driven) |
Part 8: Common Questions (FAQ)
Q: My Secure Score dropped suddenly. What happened? A: A drop in score usually means one of three things: (1) A new, high-impact recommendation was added to the Microsoft Cloud Security Benchmark, (2) A new resource was deployed that is not compliant with your policies, or (3) A previously compliant resource has drifted from its secure configuration. Check the "History" tab on the Secure Score page to see exactly when the drop occurred.
Q: Can I customize the Secure Score to ignore certain recommendations? A: Yes. You can "exempt" a recommendation for a specific resource or an entire subscription. However, you must provide a justification (e.g., "Mitigated by third-party tool," "Risk accepted," or "Not applicable"). These exemptions are audited, so ensure your justifications are clear for compliance purposes.
Q: Does Defender for Cloud work with non-Azure resources? A: Absolutely. Defender for Cloud is designed for multi-cloud environments. You must connect your AWS and GCP accounts using the "Environment Settings" page. Once connected, your AWS and GCP resources will appear in your Asset Inventory and will be evaluated against the relevant security benchmarks for those platforms.
Q: How long does it take for the Secure Score to update after I fix a problem? A: Defender for Cloud scans your resources continuously. While some changes reflect within minutes, others may take up to 24 hours to be fully assessed and reflected in your total score. If you have just completed a massive remediation, be patient.
Key Takeaways
- Visibility is the First Step: You cannot secure what you cannot see. Use the Asset Inventory to maintain a real-time, searchable list of every resource in your environment, regardless of whether it is in Azure, AWS, or GCP.
- Quantify Your Progress: The Secure Score is not just a metric; it is a communication tool. Use it to show leadership how your security initiatives are actively reducing risk over time.
- Prioritize Impact: Do not attempt to fix every single recommendation at once. Focus your efforts on the high-impact items that provide the most significant reduction in your attack surface.
- Prevent, Don't Just Remediate: Leverage Azure Policy to enforce security standards at the time of deployment. This is far more effective than trying to "fix" insecure resources after they are already live.
- Context is King: Use tagging to categorize your assets by business function, environment, and owner. This allows you to filter your inventory and prioritize alerts for the most critical systems.
- Continuous Improvement: Security is a cycle. Use the Secure Score dashboard to identify weaknesses, implement the recommended fixes, and then monitor the score to ensure those fixes remain in place.
- Don't Ignore the "Why": Every recommendation in Defender for Cloud comes with a "Why this is important" section. Read it. Understanding the underlying threat is what separates a box-checker from a truly skilled security professional.
By mastering these two components—the visibility provided by the Asset Inventory and the actionable guidance provided by the Secure Score—you can transform your cloud security from a chaotic, reactive mess into a disciplined, proactive operation. Take the time to explore the interface, run the KQL queries, and build the habit of checking your posture daily. Your environment will be significantly safer for the effort.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons