Protect your resources with Defender CSPM

Defender Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.

Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. Defender for Cloud shows you your security posture with the secure score. The secure score is an aggregated score of the security findings that tells you your current security situation. The higher the score, the lower the identified risk level.

When you enable Defender for Cloud, you automatically enable the Foundational CSPM capabilities. These capabilities are part of the free services offered by Defender for Cloud.

You have the ability to enable the Defender CSPM plan, which offers extra protections for your environments such as governance, regulatory compliance, cloud security explorer, attack path analysis and agentless scanning for machines.


Agentless scanning requires the Subscription Owner to enable the Defender CSPM plan. Anyone with a lower level of authorization can enable the Defender CSPM plan, but the agentless scanner won't be enabled by default due a lack of required permissions that are only available to the Subscription Owner. In addition, attack path analysis and security explorer won't populate with vulnerabilities because the agentless scanner is disabled.

For availability and to learn more about the features offered by each plan, see the Defender CSPM plan options.

You can learn more about Defender CSPM's pricing on the pricing page.


Enable the Defender CSPM plan

When you enable Defender for Cloud, you automatically receive the protections offered by the Foundational CSPM capabilities. In order to gain access to the other features provided by Defender CSPM, you need to enable the Defender CSPM plan on your subscription.

To enable the Defender CSPM plan on your subscription:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant Azure subscription, AWS account or GCP project.

  5. On the Defender plans page, toggle the Defender CSPM plan to On.

  6. Select Save.

Enable the components of the Defender CSPM plan

Once the Defender CSPM plan is enabled on your subscription, you have the ability to enable the individual components of the Defender CSPM plan:

  • Agentless scanning for machines: Scans your machines for installed software and vulnerabilities without relying on agents or impacting machine performance. You can disable the agentless scanner or add exclusion tags to your subscription.

  • Agentless discovery for Kubernetes: API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup. Required for Kubernetes inventory, identity and network exposure detection, risk hunting as part of the cloud security explorer. This extension is required for attack path analysis (Defender CSPM only).

  • Agentless container vulnerability assessments: Provides vulnerability management for images stored in your container registries.

  • Sensitive data discovery: Sensitive data discovery automatically discovers managed cloud data resources containing sensitive data at scale. This feature accesses your data, it is agentless, uses smart sampling scanning, and integrates with Microsoft Purview sensitive information types and labels.

  • Permissions management - Insights into Cloud Infrastructure Entitlement Management (CIEM). CIEM ensures appropriate and secure identities and access rights in cloud environments. It helps understand access permissions to cloud resources and associated risks. Setup and data collection may take up to 24 hours.

To enable the components of the Defender CSPM plan:

  1. On the Defender plans page, select Settings.

    Screenshot of the Defender plans page that shows where to select the settings option.

  2. Select On for each component to enable it.

  3. (Optional) For agentless scanning, select Edit configuration.

    Screenshot that shows where to select edit configuration.

    1. Enter a tag name and tag value for any machines to be excluded from scans.

    2. Select Apply.

  4. Select Continue.

For code to cloud contextualization capabilities and automated developer remediation workflows that come with your Defender CSPM plan at no additional cost, connect your DevOps environments to Defender for Cloud.

Next steps

Cloud Security Posture Management (CSPM)