What are security policies, initiatives, and recommendations?

Microsoft Defender for Cloud applies security initiatives to your subscriptions. These initiatives contain one or more security policies. Each of those policies results in a security recommendation for improving your security posture. This page explains each of these ideas in detail.

What is a security policy?

An Azure Policy definition, created in Azure Policy, is a rule about specific security conditions that you want controlled. Built-in definitions include things like controlling what type of resources can be deployed or enforcing the use of tags on all resources. You can also create your own custom policy definitions.

To implement these policy definitions (whether built-in or custom), you'll need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. Policies can be disabled or enabled from Azure Policy.

There are different types of policies in Azure Policy. Defender for Cloud mainly uses 'Audit' policies that check specific conditions and configurations, then report on compliance. There are also 'Enforce' policies that can be used to apply secure settings.

What is a security initiative?

A security initiative is a collection of Azure Policy definitions, or rules, that are grouped together towards a specific goal or purpose. Security initiatives simplify management of your policies by grouping a set of policies together, logically, as a single item.

A security initiative defines the desired configuration of your workloads and helps ensure you're complying with the security requirements of your company or regulators.

Like security policies, Defender for Cloud initiatives are also created in Azure Policy. You can use Azure Policy to manage your policies, build initiatives, and assign initiatives to multiple subscriptions or for entire management groups.

The default initiative automatically assigned to every subscription in Microsoft Defender for Cloud is Microsoft cloud security benchmark. This benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. Learn more about Microsoft cloud security benchmark.

Defender for Cloud offers the following options for working with security initiatives and policies:

  • View and edit the built-in default initiative - When you enable Defender for Cloud, the initiative named 'Microsoft cloud security benchmark' is automatically assigned to all Defender for Cloud registered subscriptions. To customize this initiative, you can enable or disable individual policies within it by editing a policy's parameters. See the list of built-in security policies to understand the options available out-of-the-box.

  • Add your own custom initiatives - If you want to customize the security initiatives applied to your subscription, you can do so within Defender for Cloud. You'll then receive recommendations if your machines don't follow the policies you create. For instructions on building and assigning custom policies, see Using custom security initiatives and policies.

  • Add regulatory compliance standards as initiatives - Defender for Cloud's regulatory compliance dashboard shows the status of all the assessments within your environment in the context of a particular standard or regulation (such as Azure CIS, NIST SP 800-53 R4, SWIFT CSP CSCF-v2020). For more information, see Improve your regulatory compliance.

What is a security recommendation?

Using the policies, Defender for Cloud periodically analyzes the compliance status of your resources to identify potential security misconfigurations and weaknesses. It then provides you with recommendations on how to remediate those issues. Recommendations are the result of assessing your resources against the relevant policies and identifying resources that aren't meeting your defined requirements.

Defender for Cloud makes its security recommendations based on your chosen initiatives. When a policy from your initiative is compared against your resources and finds one or more that aren't compliant, it's presented as a recommendation in Defender for Cloud.

Recommendations are actions for you to take to secure and harden your resources. Each recommendation provides you with the following information:

  • A short description of the issue
  • The remediation steps to carry out in order to implement the recommendation
  • The affected resources

In practice, it works like this:

  1. Microsoft cloud security benchmark is an initiative that contains requirements.

    For example, Azure Storage accounts must restrict network access to reduce their attack surface.

  2. The initiative includes multiple policies, each with a requirement of a specific resource type. These policies enforce the requirements in the initiative.

    To continue the example, the storage requirement is enforced with the policy "Storage accounts should restrict network access using virtual network rules".

  3. Microsoft Defender for Cloud continually assesses your connected subscriptions. If it finds a resource that doesn't satisfy a policy, it displays a recommendation to fix that situation and harden the security of resources that aren't meeting your security requirements.

    So, for example, if an Azure Storage account on any of your protected subscriptions isn't protected with virtual network rules, you'll see the recommendation to harden those resources.

So, (1) an initiative includes (2) policies that generate (3) environment-specific recommendations.
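The three-step flow above can be modelled in a few lines. This is an added example, not Microsoft's code or the built-in policy definition: the condition format is loosely modelled on Azure Policy's `if` rules, and the initiative name, the second policy, the `httpsOnly` field and all resource records are constructed for illustration.

```python
# Added example: simplified model of initiative -> policies -> recommendations.
# Rules and resources are constructed; "audit" means report only, nothing is changed.
STORAGE = "Microsoft.Storage/storageAccounts"

def get_field(resource, path):
    """Resolve a dotted path; None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(resource, dict) or key not in resource:
            return None
        resource = resource[key]
    return resource

def matches(cond, resource):
    """Evaluate an allOf / anyOf / not / field-comparison condition tree."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    actual = get_field(resource, cond["field"])
    if "equals" in cond:
        return actual == cond["equals"]
    if "notEquals" in cond:
        return actual != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

INITIATIVE = {"name": "Example initiative", "policies": [  # "if" = non-compliant state
    {"name": "Storage accounts should restrict network access using virtual network rules",
     "type": STORAGE, "effect": "audit", "if": {"field": "networkAcls.defaultAction", "notEquals": "Deny"}},
    {"name": "Hypothetical: storage accounts should require HTTPS", "type": STORAGE,
     "effect": "audit", "if": {"not": {"field": "httpsOnly", "equals": True}}},
]}
RESOURCES = [  # constructed inventory; stlegacy has no networkAcls block at all
    {"name": "stlocked", "type": STORAGE, "networkAcls": {"defaultAction": "Deny"}, "httpsOnly": True},
    {"name": "stopen", "type": STORAGE, "networkAcls": {"defaultAction": "Allow"}, "httpsOnly": True},
    {"name": "stlegacy", "type": STORAGE, "httpsOnly": False},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines"},
]

def assess(initiative, resources):
    """One recommendation per policy that has at least one unhealthy resource."""
    recs = []
    for p in initiative["policies"]:
        scope = [r for r in resources if r["type"] == p["type"]]
        bad = [r["name"] for r in scope if matches(p["if"], r)]
        if bad:
            good = [r["name"] for r in scope if r["name"] not in bad]
            recs.append({"recommendation": p["name"], "unhealthy": bad, "healthy": good})
    return recs
```

In this model a storage account with no network rule block at all is reported as unhealthy rather than silently passing, and the virtual machine is never evaluated because neither policy targets its resource type.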

Security recommendation details

Security recommendations contain details that help you understand their significance and how to handle them.

Screenshot of the recommendation details page with labels for each element.

The recommendation details shown are:

  1. For supported recommendations, the top toolbar shows any or all of the following buttons:

  2. Severity indicator

  3. Freshness interval

  4. Count of exempted resources - If exemptions exist for a recommendation, this shows the number of resources that have been exempted with a link to view the specific resources.

  5. Mapping to MITRE ATT&CK® tactics and techniques - If a recommendation has defined tactics and techniques, select the icon for links to the relevant pages on MITRE's site. This applies only to Azure scored recommendations.

    Screenshot of the MITRE tactics mapping for a recommendation.

  6. Description - A short description of the security issue.

  7. When relevant, the details page also includes a table of related recommendations:

    The relationship types are:

    • Prerequisite - A recommendation that must be completed before the selected recommendation
    • Alternative - A different recommendation, which provides another way of achieving the goals of the selected recommendation
    • Dependent - A recommendation for which the selected recommendation is a prerequisite

    For each related recommendation, the number of unhealthy resources is shown in the "Affected resources" column.


    If a related recommendation is grayed out, its dependency isn't yet completed and so isn't available.

  8. Remediation steps - A description of the manual steps required to remediate the security issue on the affected resources. For recommendations with the Fix option, you can select View remediation logic before applying the suggested fix to your resources.

  9. Affected resources - Your resources are grouped into tabs:

    • Healthy resources – Relevant resources, which either aren't impacted or on which you've already remediated the issue.
    • Unhealthy resources – Resources that are still impacted by the identified issue.
    • Not applicable resources – Resources for which the recommendation can't give a definitive answer. The not applicable tab also includes reasons for each resource.

    Screenshot of resources for which the recommendation can't give a definitive answer.

  10. Action buttons to remediate the recommendation or trigger a logic app.

Viewing the relationship between a recommendation and a policy

As mentioned above, Defender for Cloud's built-in recommendations are based on the Microsoft cloud security benchmark. Almost every recommendation has an underlying policy that is derived from a requirement in the benchmark.

When you're reviewing the details of a recommendation, it's often helpful to be able to see the underlying policy. For every recommendation supported by a policy, use the View policy definition link from the recommendation details page to go directly to the Azure Policy entry for the relevant policy:

Link to Azure Policy page for the specific policy supporting a recommendation.

Use this link to view the policy definition and review the evaluation logic.

If you're reviewing the list of recommendations on our Security recommendations reference guide, you'll also see links to the policy definition pages:

Accessing the Azure Policy page for a specific policy directly from the Microsoft Defender for Cloud recommendations reference page.

Next steps

This page explained, at a high level, the basic concepts and relationships between policies, initiatives, and recommendations. For related information, see: