Microsoft Defender for CSPM is GA – Information about activation, billing and new pricing information

With Defender for Cloud Security Posture Management (CSPM), Microsoft has announced a new plan in the Defender for Cloud product family that focuses on a central view of the customer's security posture.

In this article I give an overview of the topics Defender for CSPM covers, how it is enabled, and how the pricing actually works, which holds some surprises if Defender for Servers is already in use.


Defender for CSPM overview

Cloud Security Posture Management is available by default in the Microsoft Defender space and was formerly known as Azure Security Center. Microsoft then announced Azure Defender as a threat protection solution side by side with Azure Security Center, and decided in 2021 to rename the whole solution under the new brand Defender for Cloud.

The free tier of Azure Security Center became the CSPM capabilities. It was always a free plan containing all the security recommendations in the Defender for Cloud area, which are based on Azure Policy in the backend. During this time the Defender for Cloud stack was enhanced with additional features such as Defender for Servers, Defender for DNS, etc.

The free CSPM tier grew with additional features and focused on multicloud capabilities to cover the security posture on AWS and GCP. Microsoft decided to integrate more functionality into the CSPM solution and announced Defender for CSPM, which contains additional extensions compared to the free tier; these are listed in the following table.

| Features | Foundational CSPM | Defender for CSPM | Cloud availability |
|---|---|---|---|
| Security recommendations to fix misconfigurations | Yes | Yes | Azure, AWS, GCP, on-premises |
| Asset inventory | Yes | Yes | Azure, AWS, GCP, on-premises |
| Secure score | Yes | Yes | Azure, AWS, GCP, on-premises |
| Data exporting | Yes | Yes | Azure, AWS, GCP, on-premises |
| Workflow automation | Yes | Yes | Azure, AWS, GCP, on-premises |
| Tools for remediation | Yes | Yes | Azure, AWS, GCP, on-premises |
| Microsoft Cloud Security Benchmark | Yes | Yes | Azure, AWS |
| Governance | | Yes | Azure, AWS, GCP, on-premises |
| Regulatory compliance | | Yes | Azure, AWS, GCP, on-premises |
| Cloud security explorer | | Yes | Azure, AWS |
| Attack path analysis | | Yes | Azure, AWS |
| Agentless scanning for machines | | Yes | Azure, AWS |
| Agentless discovery for Kubernetes | | Yes | Azure |
| Container registries vulnerability assessment, including registry scanning | | Yes | Azure |
| Data aware security posture | | Yes | Azure, AWS |
| EASM insights in network exposure | | Yes | Azure, AWS |

The table above summarizes each plan and its cloud availability.

Focused resources

Defender for CSPM is a multicloud plan that focuses on different resources and services. Currently, Defender for CSPM secures the following resources:

  • Virtual Machines (Azure VMs and VMs connected via Azure Arc)
  • Storage Accounts
  • SQL Managed Instances
  • SQL on Azure VMs
  • OSS DBs


Like all Defender for Cloud plans currently, Defender for CSPM is activated at the subscription level. In the Azure Portal, open Defender for Cloud and, in the Defender for Cloud blade, select “Environment settings” under “Management”. In that view, select the subscription on which Defender for CSPM should be activated.

After enablement, go to the “Settings” tab and enable the current features for your environment.
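The same subscription-level activation can be scripted for several subscriptions at once. The following is an added example, not part of the original article: it assumes a logged-in Azure CLI and that `CloudPosture` is the plan name the CLI uses for Defender for CSPM; the `DRY_RUN` switch and the function names are made up for this sketch.

```bash
#!/usr/bin/env bash
# Added example: report and enable Defender for CSPM per subscription.
# Assumption: "CloudPosture" is the CLI plan name for Defender for CSPM.
PLAN="CloudPosture"

# Print the current tier ("Free" or "Standard") of the plan for one subscription.
cspm_tier() {
  az security pricing show --name "$PLAN" --subscription "$1" \
    --query pricingTier --output tsv
}

# Process every subscription ID passed as an argument.
# DRY_RUN=1 (default) only reports; DRY_RUN=0 switches the plan to Standard.
# Prints one "<subscription> <result>" line per subscription.
enable_cspm() {
  local sub tier
  for sub in "$@"; do
    if ! tier="$(cspm_tier "$sub")"; then
      # No access, unknown subscription, or CLI not logged in.
      echo "$sub error"
      continue
    fi
    if [ "$tier" = "Standard" ]; then
      echo "$sub already-enabled"
    elif [ "${DRY_RUN:-1}" = "1" ]; then
      echo "$sub would-enable"
    elif az security pricing create --name "$PLAN" --tier Standard \
           --subscription "$sub" --output none; then
      echo "$sub enabled"
    else
      echo "$sub error"
    fi
  done
}

# Run only when subscription IDs are given on the command line.
if [ "$#" -gt 0 ]; then
  enable_cspm "$@"
fi
```

Because billing is per supported resource in each subscription, run it with the default dry run first and review the `would-enable` lines before setting `DRY_RUN=0`. The features on the “Settings” tab still need to be switched on afterwards.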


There was a long ongoing discussion at Microsoft about the planned pricing for Defender for CSPM. Defender for CSPM is billed at the subscription level per supported resource. Currently, the billable workloads are VMs, Storage Accounts, OSS DBs, and SQL PaaS & Servers on VMs. Microsoft released Defender for CSPM as a public preview at the end of March. With this announcement, the pricing of $15 per supported resource was published.

Pricing should start from 1st August 2023 and will be $5 per billable resource.

Microsoft has now responded to feedback and revised the original pricing for this plan. Supported resources will now cost only $5 instead of $15 previously and the planned discount when using overlapping plans (like Defender for Server P2, and more) has been withdrawn, making billing much simpler.


Defender for CSPM features
