Security Baseline: Defender for Cloud and Microsoft Sentinel in a Landing Zone

Apr 8, 2026

The compliance report lands in your inbox on a Tuesday morning. One finding: a production subscription had diagnostic logs disabled for 47 days. No one noticed because no one was watching. The subscription was vended six weeks ago, the app team started deploying workloads a week after that, and somewhere in between, the security coverage that was supposed to be automatic… wasn’t.

That gap — between “we have a landing zone” and “we have a landing zone with security built in” — is where incidents live.

The Azure Security Baseline closes that gap by wiring two services into a single Unified Security Operations Platform: Microsoft Defender for Cloud (MDC) for Cloud Security Posture Management (CSPM) and Microsoft Sentinel for Security Information and Event Management (SIEM). Deploy it once at the Management Group scope and every subscription your vending machine creates inherits it automatically.

1. Unified Security Operations Architecture

The design principle is Defense-in-Depth through Centralization: Defender protects individual workloads, Sentinel correlates those signals into actionable incidents.

[Diagram: Unified Security Operations Architecture (SIEM + XDR)]

2. Cloud Security Posture Management (CSPM)

MDC is your security scorecard. Assign the Microsoft Cloud Security Benchmark (MCSB, formerly the Azure Security Benchmark, ASB) at the Management Group scope and you get real-time visibility into your compliance against hundreds of standard controls — things like “MFA should be enabled on accounts with owner permissions.” The moment a new subscription lands in your Management Group, it’s already being measured.

[Diagram: Secure Score Tracking Flow]

  1. Compliance check against ASB controls (MDC)
  2. Calculate Secure Score (e.g., 85%)
  3. Drift detected [Azure Policy engine]
  4. Update Security Workbook dashboard
  5. Alert platform team

Bicep Implementation: Assigning the baseline at scale requires a Management Group-scoped policy assignment with a system-assigned managed identity for DINE remediation. Scope it to the Management Group root and every subscription beneath it inherits coverage — no per-subscription work required.

targetScope = 'managementGroup'

// Management Group-scoped assignment of the Microsoft cloud security benchmark initiative.
// Every subscription beneath this Management Group inherits it.
resource defenderInitiativeAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'defender-for-cloud-initiative'
  location: 'eastus' // required when the assignment carries a managed identity
  identity: {
    type: 'SystemAssigned' // used by deployIfNotExists (DINE) policies to remediate
  }
  properties: {
    // Built-in initiative ID of the Microsoft cloud security benchmark (MCSB, formerly ASB)
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
  }
}
// Remediation only succeeds once this identity holds, at this Management Group, the roles
// the initiative's DINE policies declare in their roleDefinitionIds.

3. Workload Protection Plans

Posture management tells you what’s misconfigured. Workload protection plans catch active threats. For servers and SQL, use Agentless Scanning — it gives you vulnerability and malware visibility without installing anything on the VM or fighting with agent update cycles. One less thing for your app teams to manage.

// Example: Enabling Defender for Servers P2
// Microsoft.Security/pricings is a subscription-level resource, so this file
// deploys at subscription scope (run it once per vended subscription).
targetScope = 'subscription'

resource defenderServers 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2' // Enables advanced JIT and EDR features
  }
}

4. Microsoft Sentinel: The Intelligence Layer

Sentinel sits on top of your central Log Analytics Workspace and uses Analytics Rules to scan logs for patterns — a surge in failed logins followed by a successful one from an unusual IP, for example. MDC feeds it alerts; Sentinel turns those alerts into incidents with context your security team can actually act on.
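The pattern named above (a burst of failed sign-ins followed by a success from an IP the account has not used before) written out as a Sentinel scheduled analytics rule query. This is an added example in KQL against the Entra ID SigninLogs table, not code from the original post; the thresholds, the one-hour lookback and the 14-day baseline window are assumptions to tune for your tenant.

```kusto
// Added example (not from the original post). Scheduled analytics rule query for
// Microsoft Sentinel over SigninLogs (Entra ID sign-in logs).
// Detects: many failed sign-ins for one account from one IP, then a successful
// sign-in from that same IP, where the IP does not appear in the account's
// recent successful-sign-in history. Windows and thresholds are assumptions.
let lookback = 1h;          // the rule runs hourly over this window (assumption)
let baseline = 14d;         // history used to decide whether an IP is "unusual" (assumption)
let failThreshold = 10;     // failures before the burst counts (assumption)
// IPs this account signed in from successfully before the lookback window.
let knownIps = SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(lookback))
    | where ResultType == "0"
    | summarize by UserPrincipalName, IPAddress;
// Bursts of failures per account and source IP inside the lookback window.
let failureBursts = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"       // any non-zero ResultType is a failed sign-in
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureCodes = make_set(ResultType, 10)
      by UserPrincipalName, IPAddress
    | where FailedCount >= failThreshold;
// Successful sign-ins in the same window.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName, Location;
failureBursts
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure                                // success came after the burst
| join kind=leftanti knownIps on UserPrincipalName, IPAddress  // drop IPs seen in the baseline
| project UserPrincipalName, IPAddress, Location, AppDisplayName,
          FailedCount, FirstFailure, LastFailure, SuccessTime, FailureCodes
| order by FailedCount desc
```

When saving this as a scheduled rule, map the Account entity to UserPrincipalName and the IP entity to IPAddress so the resulting incident carries both, and schedule it to run every hour with a one-hour lookup period to match the window in the query. If legacy authentication clients generate steady failure noise, raise failThreshold or filter on AuthenticationProtocol rather than lowering the baseline window.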

Automated Data Connectors

The Codeless Connector Framework (CCF) is the current standard for data ingestion. Automate your connectors via Bicep so every new subscription’s Activity and Defender logs stream to the SIEM automatically. If you don’t automate this, you’ll spend the next 18 months manually connecting subscriptions one by one.

param workspaceName string
// The Sentinel-enabled Log Analytics workspace the connector attaches to
resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}

resource activityConnector 'Microsoft.SecurityInsights/dataConnectors@2023-02-01-preview' = {
  name: guid('activity-log-connector')
  scope: workspace // data connectors are extension resources of the workspace
  kind: 'AzureActivity'
  properties: {
    subscriptionId: subscription().subscriptionId
  }
}

5. Security Posture Tracking with KQL

Query the SecurityResources table in your central hub to track Secure Score drift over time. When your score drops from 87% to 79% overnight, this is how you find out which subscription caused it — and which team to call.
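A query that answers the question in the paragraph above, as an added example rather than code from the original post. It runs in Azure Resource Graph, whose securityresources table is where Defender for Cloud publishes Secure Score data, scoped to your Management Group; the column names under properties follow the securescores and securescorecontrols record shapes, and the ranking by points lost is my own choice.

```kusto
// Added example (not from the original post). Azure Resource Graph query over the
// securityresources table populated by Defender for Cloud. For every subscription it
// lists the current Secure Score and the single control costing the most points, so a
// drop in the aggregate score can be traced to a subscription and a control.
securityresources
| where type == "microsoft.security/securescores"
| extend currentScore = todouble(properties.score.current),
         maxScore = todouble(properties.score.max)
// compute the percentage ourselves so the result does not depend on how the
// stored percentage field is scaled; guard against a zero max score
| extend scorePct = iff(maxScore > 0, round(100.0 * currentScore / maxScore, 1), 0.0)
| project subscriptionId, scorePct, currentScore, maxScore
| join kind=leftouter (
    securityresources
    | where type == "microsoft.security/securescores/securescorecontrols"
    | extend controlName = tostring(properties.displayName),
             unhealthyCount = toint(properties.unhealthyResourceCount),
             pointsLost = todouble(properties.score.max) - todouble(properties.score.current)
    | where pointsLost > 0
    | project subscriptionId, controlName, unhealthyCount, pointsLost
    // keep only the control with the largest gap per subscription
    | join kind=inner (
        securityresources
        | where type == "microsoft.security/securescores/securescorecontrols"
        | extend pointsLost = todouble(properties.score.max) - todouble(properties.score.current)
        | summarize maxLost = max(pointsLost) by subscriptionId
      ) on subscriptionId
    | where pointsLost == maxLost
    | project subscriptionId, worstControl = controlName, unhealthyResources = unhealthyCount, pointsLost
  ) on subscriptionId
| project subscriptionId, scorePct, currentScore, maxScore, worstControl, pointsLost, unhealthyResources
| order by scorePct asc   // the subscriptions dragging the aggregate down come first
```

Resource Graph returns the current state only, so drift over time comes from snapshots: run the query on a schedule (for example az graph query with the --management-groups option from a pipeline, or a Workbook), store the subscriptionId and scorePct columns, and diff consecutive snapshots. The identity running it needs Reader at the Management Group; a subscription missing from the output usually means it is not yet under that scope, which is itself a finding.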

Key Takeaways

  1. Unified is simpler: Manage MDC and Sentinel as a single platform. Two consoles fighting each other is how alerts get missed.
  2. Benchmark at the Management Group scope: One policy assignment gives you 100% coverage across every current and future subscription.
  3. Go agentless: Agentless scanning gives your team vulnerability visibility without adding anything to the app teams’ operational burden.
  4. Automate connector wiring: Every new subscription must automatically stream its logs to the SIEM. This is not optional — manual connector setup at 50 subscriptions is a full-time job.
