Understanding Defender for Cloud: Recommendations, Compliance & Threat Protection (AZ-500 Study Series)
- Shone Pious
- Dec 6
- 3 min read

In this blog:
2️⃣ Creating a Storage Account (to Trigger Defender Insights).
🔧 Recommendation 1: “Storage Accounts Should Use a Private Link Connection”.
🔧 Recommendation 2: “Storage Accounts Should Prevent Shared Key Access”.
🔧 Recommendation 3: “Storage Accounts Should Restrict Network Access Using Virtual Network Rules”.
Goal: Learn how Microsoft Defender for Cloud provides security recommendations, evaluates compliance, detects threats, and integrates with tools such as Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps.
1️⃣ Enabling Defender Plans (Free → Defender Capabilities)
Start by navigating to: Azure Portal → Defender for Cloud → Environment Settings → Your Subscription

Under your subscription, Foundational CSPM is enabled by default. This gives you:
Basic security recommendations
Secure Score
Limited regulatory compliance insights

For this lab, we don’t need to enable any paid Defender plans because we’re not using VMs — but Defender will still generate identity-level and subscription-level recommendations.
You can now view the recommendations generated for your subscription:

2️⃣ Creating a Storage Account (to Trigger Defender Insights)
We’ll create a Storage Account so Defender for Cloud can analyse it and produce real recommendations.
A full step-by-step setup guide is already available in my Azure environment setup post:
Use default settings:

Once deployed, wait 2–5 minutes for Defender to generate recommendations.
Next, create a container and upload any file (I used an image). Make sure Anonymous access level = Private.


Now go to: Defender for Cloud → Recommendations → Filter → Resource type = Storage Account
You should now see three recommendations:

We’ll go through each recommendation and remediate them — exactly what a SOC analyst or cloud security engineer would do.
🔧 Recommendation 1: “Storage Accounts Should Use a Private Link Connection”
Why this matters:
A Private Endpoint exposes your Storage Account only over your private Azure VNet. Traffic through it never touches the public internet, massively reducing your attack surface. Note that creating the endpoint does not by itself close the account's public endpoint; that is handled by Recommendation 3 below, and the two work together.

How to fix it
Go to Storage Account → Networking → Private Endpoint Connections

Private endpoint connections in our Storage Account.
Select + Private Endpoint.
Configure:
Name: privendpoint-storage-lab
Region: Same as the storage account (e.g., UK West)
Target sub-resource: blob
Virtual Network / Subnet: Select an existing VNet (or create a temporary one)
Review + Create
Once deployed, the Private Endpoint should show Approved, and your storage account receives a private IP.
Architecture overview:

To fully test connectivity, a VM inside the same VNet would normally be used. For this lab, we validated the private endpoint via the Azure settings.
⚠️ Note: Defender recommendations may take several hours to fully update.
🔧 Recommendation 2: “Storage Accounts Should Prevent Shared Key Access”
Why this matters:
Shared keys are static credentials: anyone who obtains one has full access to the account until it is rotated, with no per-user identity, MFA, or conditional access behind it. That is why they are considered less secure than identity-based authentication such as Microsoft Entra ID (formerly Azure AD) or managed identities, and why a leaked key can lead directly to unauthorized access to data.

Fix applied:
Go to your Storage Account → Settings → Configuration.
Find the option “Allow storage account key access”.
Toggle it Off.
Click Save.
We disabled shared key access, which forces all authentication to use:
Azure AD (Microsoft Entra ID) identities
Role-based Access Control (RBAC)
SAS tokens, but only user delegation SAS, which is signed with an Entra ID credential; account SAS and service SAS are signed with the account key and stop working once shared key access is off
This removes a major attack path: shared keys being leaked or misused.
Defender may still temporarily show the recommendation, but the configuration is active.

🔧 Recommendation 3: “Storage Accounts Should Restrict Network Access Using Virtual Network Rules”
Why this matters:
By default, storage accounts allow public network access — meaning anyone on the internet with valid credentials could connect. Restricting access to specific VNets or IPs significantly improves security.

How to fix it:
Storage Account → Networking → Public Network Access
Choose one of:
Disabled (the account is then reachable only through the private endpoint created in Recommendation 1), or
Selected networks, then add the allowed VNets or IP ranges (everything else is denied by default)
Save
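As an added example that is not part of the original post, a small offline posture check for the three recommendations above, keyed on the property names that `az storage account show` returns (`allowSharedKeyAccess`, `publicNetworkAccess`, `networkRuleSet`, `privateEndpointConnections`). The sample JSON is constructed, and the pass conditions are my reading of the portal settings described in this lab, not Defender's own evaluation logic.

```python
import json
# Constructed sample of `az storage account show` output, trimmed to the
# properties the three recommendations depend on; not a real account.
SAMPLE_ACCOUNT = json.loads("""{
  "name": "stlabexample",
  "allowSharedKeyAccess": null,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []},
  "privateEndpointConnections": []
}""")

def check_private_link(acct):
    """Rec 1: at least one private endpoint connection in Approved state."""
    conns = acct.get("privateEndpointConnections") or []
    return any((c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
               for c in conns)

def check_shared_key_disabled(acct):
    """Rec 2: allowSharedKeyAccess must be explicitly false (null means still allowed)."""
    return acct.get("allowSharedKeyAccess") is False

def check_network_restricted(acct):
    """Rec 3: public access Disabled, or Selected networks (Deny by default) with rules."""
    if acct.get("publicNetworkAccess") == "Disabled":
        return True
    rules = acct.get("networkRuleSet") or {}
    has_rules = bool(rules.get("virtualNetworkRules") or rules.get("ipRules"))
    return rules.get("defaultAction") == "Deny" and has_rules

def evaluate(acct):
    """Map each recommendation to True (compliant) or False (still open)."""
    return {
        "private_link": check_private_link(acct),
        "shared_key_disabled": check_shared_key_disabled(acct),
        "network_restricted": check_network_restricted(acct),
    }

def remediated(acct):
    """Copy of the account with the settings this lab applied through the portal."""
    fixed = json.loads(json.dumps(acct))  # deep copy; leave the sample untouched
    fixed["allowSharedKeyAccess"] = False
    fixed["publicNetworkAccess"] = "Disabled"
    fixed["networkRuleSet"]["defaultAction"] = "Deny"
    fixed["privateEndpointConnections"] = [{"name": "privendpoint-storage-lab",
        "privateLinkServiceConnectionState": {"status": "Approved"}}]
    return fixed

if __name__ == "__main__":
    for label, acct in (("before", SAMPLE_ACCOUNT), ("after", remediated(SAMPLE_ACCOUNT))):
        for rec, ok in evaluate(acct).items():
            print(f"[{label}] {'PASS' if ok else 'FAIL'} {rec}")
```

Point it at real output by replacing `SAMPLE_ACCOUNT` with the parsed result of `az storage account show --name <account> --resource-group <rg>`.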

✅ End of Defender CSPM Lab
In this lab, we explored how Defender for Cloud:
✔️ Identifies misconfigurations
✔️ Generates real-time security recommendations
✔️ Guides remediation aligned to frameworks like NIST, GDPR, and DPA
✔️ Integrates with other Defender products for threat detection
This aligns closely with the responsibilities of SOC analysts and cloud security engineers — improving cloud posture, protecting sensitive data, and ensuring compliance.