Introduction

Enabling Microsoft Defender for Cloud isn't the same as governing with it. Contoso's security team discovered the difference when their Security Officer asked: "We pay for Defender for Cloud—why isn't it protecting us?" The answer: Defender for Cloud was generating 847 active recommendations, but none had an assigned owner, a remediation timeline, or progress tracking. The tool was enabled, but not configured to govern.

In this module, you configure security controls and deploy remediation at scale for an organization using Microsoft Defender for Cloud. You configure environment settings and security standards at the management group level. Then you assign custom standards that enforce internal requirements, and finally deploy security controls across subscriptions using Fix operations, policy remediation tasks, governance rules, and exemptions. Control implementation work focuses on deploying security configurations and establishing ownership—the Cloud and AI Security Engineer's role isn't SOC analysis or threat hunting.

By the end of this module, you know how to configure Defender for Cloud to generate accurate recommendations, deploy security controls at scale to remediate findings, and track remediation progress using secure score and governance reports.

Learning objectives

By the end of this module, you're able to:

  • Configure environment settings and security standards at the management group level in Microsoft Defender for Cloud.
  • Assign custom security standards that enforce internal organizational requirements.
  • Deploy security controls across subscriptions using Fix operations and policy remediation tasks.
  • Create and manage governance rules to assign ownership and remediation timelines.
  • Create and justify exemptions that document resources excluded from a control, using Waiver or Mitigated categories.
  • Measure and report remediation progress using secure score and governance reports.