Azure Security Baseline: Defender for Cloud and Sentinel

Apr 16, 2026

A landing zone without a security baseline is a liability. Pristine management group hierarchies and beautifully scoped RBAC models are ineffective if no system monitors for threats or misconfiguration drift. Your infrastructure is effectively unobserved.

In an enterprise environment, two services perform the bulk of the security work: Microsoft Defender for Cloud manages posture and workload protection, and Microsoft Sentinel ingests and correlates telemetry and orchestrates the response. This guide deploys both as code, establishes automated enrollment via policy, and configures the baseline alerting a modern SecOps team needs on day one.

By the end of this guide, you will:

  • Assign Defender for Cloud plans to a management group hierarchy via Azure Policy.
  • Deploy Microsoft Sentinel on a centralized Log Analytics Workspace.
  • Automate data connectors using the Codeless Connector Framework standard.
  • Configure Secure Score auditing and automated incident response.

This is Post 7 in the Azure Platform Engineering series.


Microsoft Defender for Cloud: The CSPM Layer

  graph TD
    subgraph Azure_Hierarchy [Management Group Hierarchy]
        LZ_MG[Landing Zones MG]
        Sub_A[Subscription A]
        Sub_B[Subscription B]
        LZ_MG --> Sub_A
        LZ_MG --> Sub_B
    end

    Policy[Azure Policy: Defender Initiative] -- Assigned To --> LZ_MG
    Policy -- Automates Enrollment --> Sub_A
    Policy -- Automates Enrollment --> Sub_B

    subgraph SecOps [Centralized Security Operations]
        Defender[Microsoft Defender for Cloud: CSPM]
        Sentinel[Microsoft Sentinel: SIEM/SOAR]
        LAW[Log Analytics Workspace]
    end

    Sub_A -- Alerts/Telemetry --> Defender
    Sub_B -- Alerts/Telemetry --> Defender
    Defender -- Security Incidents --> Sentinel
    Sentinel -- Logs Query --> LAW

    style SecOps fill:#fff9c4,stroke:#fbc02d,stroke-width:2px
    style Policy fill:#e8f5e9,stroke:#2e7d32

Notes:

  • Azure Policy ensures that every subscription (new or existing) is automatically enrolled in the security baseline.
  • Defender for Cloud provides continuous security posture management (CSPM) and workload protection.
  • Microsoft Sentinel aggregates alerts from Defender and other sources for unified threat detection and automated response.

Enabling Defender at Scale

Azure Policy is the only mechanism that guarantees coverage of subscriptions that do not exist yet. Assign the built-in initiative Microsoft cloud security benchmark (ID: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8), the default Defender for Cloud initiative, to your intermediate management group; every child subscription, including those vended in the future, inherits the assignment and starts producing recommendations and a Secure Score. Note the distinction: this initiative audits posture, it does not switch on paid Defender plans. Plan enablement at scale is a separate step, done either with the built-in DeployIfNotExists policies that configure each Defender plan or by deploying Microsoft.Security/pricings resources into every subscription from the vending pipeline.

Bicep: Policy Assignment

targetScope = 'managementGroup'

// Assign the Microsoft cloud security benchmark initiative at the intermediate
// management group so every child subscription inherits it. An audit-only
// initiative needs no identity; one is included here so the same assignment
// pattern works unchanged for DeployIfNotExists policies.
resource defenderAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = {
  name: 'enable-defender-baseline'
  location: 'eastus' // required whenever the assignment carries a managed identity
  identity: { type: 'SystemAssigned' }
  properties: {
    displayName: 'Enable Microsoft Defender for Cloud baseline'
    description: 'Microsoft cloud security benchmark: the default Defender for Cloud recommendation set'
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
    enforcementMode: 'Default'
  }
}

Workload Protection Plans

Enable specific plans (Servers, Storage, Key Vault) at the subscription scope. In 2026, the Risk-Based Secure Score 2.0 model weights these findings by asset criticality and internet exposure.
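The following Bicep is an added example, not code from the original post: it enables the Servers, Storage, Key Vault and CSPM plans for one subscription through Microsoft.Security/pricings. Deploy it at subscription scope from the vending pipeline (or wrap it in a DeployIfNotExists policy) so every landing zone receives identical plans. The malware-scanning cap of 5000 GB per account per month is an assumed value, not a recommendation from the post.

```bicep
// Added example (not from the original post): Defender for Cloud workload
// protection plans for a single subscription, deployed as code.
targetScope = 'subscription'

@description('Defender for Servers sub-plan. P2 adds agentless scanning and vulnerability assessment on top of P1.')
@allowed(['P1', 'P2'])
param serversSubPlan string = 'P2'

// Plan names are the fixed resource names of Microsoft.Security/pricings.
// Pricing updates within one subscription are chained with dependsOn so they
// apply serially; concurrent updates to the same subscription can conflict.
resource cspm 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'CloudPosture' // Defender CSPM: attack paths, risk-based recommendations
  properties: {
    pricingTier: 'Standard'
  }
}

resource servers 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: serversSubPlan
  }
  dependsOn: [cspm]
}

resource storage 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2' // current Storage plan; extensions are opt-in and billed separately
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True' // the API takes the string 'True'/'False', not a boolean
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000' // assumed cost cap, GB scanned per account per month
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
  dependsOn: [servers]
}

resource keyVault 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'KeyVaults'
  properties: {
    pricingTier: 'Standard'
  }
  dependsOn: [storage]
}

// Useful for a post-deployment check in the pipeline: every plan should
// report 'Standard' once the deployment completes.
output enabledPlans array = [
  { plan: cspm.name, tier: cspm.properties.pricingTier }
  { plan: servers.name, tier: servers.properties.pricingTier, subPlan: servers.properties.subPlan }
  { plan: storage.name, tier: storage.properties.pricingTier }
  { plan: keyVault.name, tier: keyVault.properties.pricingTier }
]
```

Deploy with `az deployment sub create --location <region> --template-file defender-plans.bicep` against each landing zone subscription. If you later run the "Configure Microsoft Defender" DeployIfNotExists policies against the same subscriptions, the two mechanisms converge on the same pricings resources, so there is no harm in using both.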

Agent auto-provisioning: Defender for Servers installs its monitoring agents through the subscription's auto-provisioning setting. The resource name is fixed to `default` (the API rejects any other name), and this API version governs the Log Analytics agent that Defender historically deployed. Agent requirements differ by plan and have changed over time, so confirm against the current Defender for Servers documentation before treating this setting as sufficient coverage:

targetScope = 'subscription'

// Subscription-wide auto-provisioning of the Defender for Cloud monitoring agent.
// Only the name 'default' is valid for this resource type.
resource amaProvision 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = {
  name: 'default'
  properties: {
    autoProvision: 'On' // 'On' installs the agent on every discovered VM; 'Off' leaves existing agents in place
  }
}

Note: As of April 2026, 1 unit of Defender Serverless coverage now accounts for 8 function or app service resources in the discovery plan.


Microsoft Sentinel: Centralized SIEM/SOAR

Hub Workspace Integration

Sentinel should live in the mgt-prod-logging subscription on the same workspace that receives diagnostic logs from the entire hierarchy. This prevents detection silos and lets analytics rules correlate lateral movement across subscriptions, which a per-subscription workspace model cannot do without cross-workspace queries.

Sentinel Log Tiers (2026): Optimize costs by routing data to the appropriate plan:

  • Analytics Logs (~$4.30/GB): Security alerts, sign-ins, audit events.
  • Basic Logs (~$0.50/GB): Verbose diagnostics.
  • Auxiliary Logs (~$0.19/GB): High-volume firewall “Allow” logs and DNS queries (up to 12-year retention).
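As an added example (not code from the original post), the Bicep below onboards Sentinel to the existing hub workspace and applies the tiering above to two tables: the Analytics-plan SecurityAlert table gets 90 days of interactive retention and a year in total, and a custom Auxiliary-plan table holds firewall "Allow" records. The table name FirewallAllow_CL and its columns are hypothetical, the workspace is assumed to exist in the target resource group, and the table API version that accepts the Auxiliary plan should be checked against current documentation before use.

```bicep
// Added example (not from the original post): Sentinel onboarding plus
// table-level log plans on the hub workspace.
param workspaceName string

// The hub workspace already exists (created in an earlier post of the series).
resource law 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}

// Sentinel is enabled on a workspace by creating its 'default' onboarding state.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2024-03-01' = {
  name: 'default'
  scope: law
  properties: {
    customerManagedKey: false
  }
}

// Analytics plan: the table every scheduled analytics rule queries.
// 90 days interactive (queryable at full speed), 365 days total retention.
resource securityAlert 'Microsoft.OperationalInsights/workspaces/tables@2023-09-01' = {
  parent: law
  name: 'SecurityAlert'
  properties: {
    plan: 'Analytics'
    retentionInDays: 90
    totalRetentionInDays: 365
  }
  dependsOn: [sentinel]
}

// Auxiliary plan: high-volume, low-value firewall "Allow" records, delivered
// through a Data Collection Rule. Auxiliary tables must be custom (_CL) and
// declare their schema up front; interactive retention is fixed, so only
// total retention is set. API version support for 'Auxiliary' is assumed.
resource fwAllow 'Microsoft.OperationalInsights/workspaces/tables@2023-09-01' = {
  parent: law
  name: 'FirewallAllow_CL' // hypothetical table name
  properties: {
    plan: 'Auxiliary'
    totalRetentionInDays: 365
    schema: {
      name: 'FirewallAllow_CL'
      columns: [
        { name: 'TimeGenerated', type: 'datetime' }
        { name: 'SourceIp', type: 'string' }
        { name: 'DestinationIp', type: 'string' }
        { name: 'DestinationPort', type: 'int' }
        { name: 'Protocol', type: 'string' }
        { name: 'RuleName', type: 'string' }
      ]
    }
  }
}

output sentinelWorkspaceId string = law.id
```

Keep the split in mind when writing detections: scheduled analytics rules can only query Analytics-plan tables, so anything you intend to alert on in near real time (sign-ins, audit events, Defender alerts) stays on Analytics, and the Auxiliary firewall data is reached through search jobs or summary rules during an investigation.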

Data Connectors as Code

Deploy data connectors as Bicep resources of type Microsoft.SecurityInsights/dataConnectors. Built-in sources such as Defender for Cloud are native connector kinds; for custom REST sources, build a Codeless Connector Framework (CCF) connector rather than pushing data with the legacy HTTP Data Collector API, which retires on September 14, 2026.

Bicep: Defender Connector

param workspaceName string

// The Sentinel-enabled hub workspace; connectors are extension resources on it.
resource sentinelWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}

// Defender for Cloud connector: streams Defender alerts into the SecurityAlert table.
// One connector per source subscription; guid() keeps the name stable across deployments.
resource defenderConnector 'Microsoft.SecurityInsights/dataConnectors@2024-09-01' = {
  name: guid(sentinelWorkspace.id, 'defender-connector', subscription().subscriptionId)
  kind: 'AzureSecurityCenter'
  scope: sentinelWorkspace
  properties: {
    subscriptionId: subscription().subscriptionId // the subscription whose alerts are forwarded
    dataTypes: { alerts: { state: 'Enabled' } }
  }
}

Security Baselines and Alerting

Secure Score Auditing

Track your posture trend with KQL in Azure Resource Graph: the `securityresources` table exposes the Secure Score of every subscription (`type == "microsoft.security/securescores"`) and the per-control scores (`microsoft.security/securescores/securescorecontrols`) in a single tenant-wide query, which is what a weekly posture report should be built on. Focus on the top five risk-based recommendations; in 2026 these often move the score more than dozens of low-risk findings.

Automated Response

Configure Sentinel automation rules to trigger Logic App playbooks for high-severity incidents. Before a rule can run a playbook, the Microsoft Sentinel service identity needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group; without it the rule deploys cleanly but the action fails at run time.

Operational Tip: Monitor the SentinelHealth table to confirm your data connectors stay connected without checking the portal by hand. The table is only populated after you enable auditing and health monitoring in the workspace's Sentinel settings, so do that as part of onboarding.
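The Bicep below is an added example, not code from the original post. It deploys the two pieces just described: an automation rule that runs a playbook on every newly created High-severity incident, and a scheduled analytics rule that turns data connector failures in SentinelHealth into incidents, so a silent connector outage is handled like any other incident. The workspace and the playbook are assumed to already exist; the playbook's resource ID is passed in, and the rule names are hypothetical.

```bicep
// Added example (not from the original post): automated response plus
// connector health detection, both as Sentinel resources on the hub workspace.
param workspaceName string

@description('Resource ID of an existing Logic App playbook (assumed to exist; not defined here).')
param playbookResourceId string

resource law 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}

// Automation rule: evaluated on incident creation, in ascending 'order'.
// Condition: severity equals High. Action: run the playbook.
resource highSevPlaybook 'Microsoft.SecurityInsights/automationRules@2024-03-01' = {
  name: guid(law.id, 'run-playbook-high-severity')
  scope: law
  properties: {
    displayName: 'Run containment playbook on High severity incidents'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentSeverity'
            operator: 'Equals'
            propertyValues: ['High']
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbookResourceId
          tenantId: tenant().tenantId
        }
      }
    ]
  }
}

// Scheduled analytics rule: any data connector that reported a Failure in the
// last hour raises a Medium alert. Alerts within 24h are grouped into one
// incident so a flapping connector does not open a new incident every hour.
resource connectorHealthRule 'Microsoft.SecurityInsights/alertRules@2024-03-01' = {
  name: guid(law.id, 'data-connector-failure')
  scope: law
  kind: 'Scheduled'
  properties: {
    displayName: 'Data connector reporting failures'
    description: 'A Sentinel data connector reported a failure in SentinelHealth within the last hour.'
    enabled: true
    severity: 'Medium'
    query: '''
SentinelHealth
| where TimeGenerated > ago(1h)
| where SentinelResourceType == "Data connector"
| where Status == "Failure"
| summarize Failures = count(), LastFailure = max(TimeGenerated) by SentinelResourceName, Reason
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT24H'
        matchingMethod: 'AnyAlert'
      }
    }
  }
}
```

Because the health rule raises a Medium incident, it will not match the High-severity automation rule above; that is deliberate, since a connector outage needs an engineer, not a containment playbook. If you want it paged, add a second automation rule scoped to this rule's title rather than raising its severity.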


Best Practices

  • Commitment Tiers: Once daily ingestion is predictable, move the workspace from pay-as-you-go to a Sentinel commitment tier. Automation rules and UEBA are not tier-gated, so the tier is purely a cost decision.
  • Auxiliary for Firewalls: Route high-volume firewall traffic logs to the Auxiliary plan to cut ingestion cost by roughly 95% against Analytics (by the figures above) while keeping the data for compliance. Reserve Analytics for the tables your scheduled analytics rules query, since Auxiliary and Basic tables cannot be used in those rules.
  • Managed Identity for Policy: An audit-only initiative such as the cloud security benchmark needs no identity, but every DeployIfNotExists or Modify policy that enables Defender plans does. Grant the assignment's managed identity the role named in the policy definition's roleDefinitionIds (typically Security Admin) at the management group scope, or remediation tasks for non-enrolled subscriptions will fail.

Next, move to Post 8: CI/CD for Azure Landing Zones. We will build the automated deployment pipelines that manage this security baseline.