November 26, 2025 (updated December 2, 2025)

NextGen Defender for Cloud: Phase 1 – public preview

The Next-Gen Microsoft Defender for Cloud (MDC), in its first phase, is integrated into the Defender XDR portal, delivering a unified, cloud-agnostic security platform that simplifies and strengthens cloud security operations across Azure, AWS, GCP, and other environments. It introduces enhanced visibility, improved performance, and scalability, along with new capabilities for Cloud Security Posture Management (CSPM) and threat protection.

The key enhancements

- Unified Security Experience: Cloud security is now seamlessly integrated into the Microsoft Defender portal, giving security teams a single, unified view across all workloads. This eliminates the need to switch between the Azure and Defender portals, enabling SOC teams to work more efficiently and achieve a complete security posture view across workloads.
- Enhanced Role-Based Access Control (RBAC): Security teams can now grant more granular access to security content, ensuring that only the relevant personas see the information they need. This allows users to access security insights without requiring direct permissions to the underlying resources, improving both operational security and compliance.
- Unified Scoping Capabilities: Cloud accounts can be segmented into logical groups, enabling better data pivoting, access control, and multi-tenant management.
- Integrated Exposure Management: Cloud security posture, recommendations, and attack paths are now part of a single exposure management experience.
- Cloud-Agnostic Architecture: Supports Azure, AWS, GCP, and other platforms, making it ideal for hybrid and multi-cloud organizations.
- Advanced Reporting & Visualization: Users can filter and export data to generate detailed reports, and leverage rich visualizations for attack paths, asset relationships, and security recommendations.
Use cases for people

| Person / Team | Use case |
|---|---|
| Cloud Security Admins | Monitor and manage security posture across cloud and code environments. Use the overview dashboard to identify top actions and track the organization's security status over time. |
| Security Operations Center (SOC) Teams | Investigate and respond to incidents using integrated cloud data, attack paths, and asset context. |
| Vulnerability Management Admins | View and manage cloud vulnerabilities alongside endpoint vulnerabilities in a unified Exposure Management experience. |
| Developers | Access security insights relevant to their cloud resources (e.g., APIs, containers) without requiring permissions in the Azure portal. |
| Managed Security Service Providers (MSSPs) | Use cloud scopes and RBAC to manage customer environments securely, with scoped access to posture, recommendations, and inventory. |
| Compliance & Risk Teams | Export filtered reports on security posture, vulnerabilities, and asset exposure for audits and risk assessments. |

Phase 1 features

This first milestone introduces foundational capabilities for consuming cloud security data at scale:

- A new Cloud Overview Dashboard with built-in over-time tracking and workload-specific pivots
- A Risk-Based Cloud Secure Score in Exposure Management
- Cloud Security recommendations in Exposure Management
- Cloud Attack Path visualizations integrated into Exposure Management
- Cloud Vulnerability Management alongside endpoint vulnerabilities
- A comprehensive Cloud Asset Inventory with full metadata, alerts, and posture insights
- A new Cloud Scopes experience integrated with Unified RBAC

Cloud Overview Dashboard

This new dashboard shows the following graphics:

- For Security posture: Cloud secure score; Security recommendations
- For Threat detection: Security alerts
- For Virtual machines, Data, Containers, AI, DevOps, CIEM, API: Asset summary and coverage; Insights; Risk level categories

Use filters like Last 7 days, Environment, and Scope for tailored views by time frame, cloud environment, and access scope.
[Image: A new Cloud Overview dashboard]

Risk-based Cloud Secure Score

The new cloud Secure Score model introduces asset risk factors and asset criticality into the calculation, making the score more accurate and enabling smarter prioritization of high-risk recommendations. You can also find this by going to Exposure Management > Recommendations > Cloud Assets tab.

[Image: New risk-based cloud secure score view with Security recommendations and attack paths]

Is it simple? The explanation of the Secure Score formula.

Cloud Security recommendations

Cloud security recommendations and attack paths can also be found under the Cloud initiative.

[Image: Cloud Security recommendations]

Cloud Attack paths

The new Attack Paths experience in the Defender portal helps security teams visualize how threats could move across cloud environments spanning Azure, AWS, and GCP. It uses Defender for Cloud’s proprietary algorithm to dynamically generate attack paths based on real-time exposure data, rather than static templates. At the core is the Attack Path Map, a graph-based view that highlights vulnerable nodes, entry points, and target assets. Users can drill into each path to see associated MITRE tactics, recommendations, and remediation status.

To access this experience, navigate to Exposure Management → Attack surface → Attack paths, where you’ll find an overview including:

- Attack paths over time
- Top 5 choke points
- Top 5 attack path scenarios
- Top targets
- Top entry points

[Image: Cloud Security recommendations]

Cloud Vulnerability Management

Microsoft Defender Vulnerability Management has a new home under “Exposure Management” and now supports both Cloud and Devices environments.
The Vulnerability Management experience moves as it is into Exposure Management, including the pages: overview (dashboard), vulnerabilities (weaknesses), remediation, inventories and baseline assessment.

To access the Vulnerability Management Dashboard, navigate to Exposure Management → Vulnerability Management → Overview → Cloud tab. This dashboard provides key insights including:

- Cloud vulnerabilities overview
- Top cloud CVEs
- Top cloud recommendations
- Recommendations by resource type
- Vulnerable resources insights

You can also explore cloud-specific vulnerabilities by going to: Vulnerability Management → Vulnerabilities → Cloud

[Image: New cloud asset vulnerability management overview]

[Image: List of vulnerabilities in Cloud assets]

[Image: CVE insights]

[Image: CVE Insights for exposed assets]

Cloud Asset Inventory

The new Assets experience in the Defender portal offers a unified, contextual view of cloud infrastructure across Azure, AWS, and GCP. It categorizes assets by workload, criticality, and coverage status, while integrating health data, device actions, and risk signals into a single interface. To view all cloud assets in your multi-cloud tenant, go to Assets → Cloud Infrastructure. For workload-specific insights, use the tabs for VMs, Data, Containers, AI, API, DevOps, Identity, and Serverless; each provides tailored visibility and data based on the selected workload.

You’ll also see advanced filtering, persistent scoping, and incident response workflows, helping security teams triage threats, assess posture, and drive remediation across complex multi-cloud environments.

[Image: A new Cloud Asset inventory]

Cloud scopes & Unified RBAC

The introduction of cloud scopes adds granular access control to Microsoft Defender for Cloud, allowing organizations to segment cloud environments by business unit, geography, or workload. Integrated with Defender Unified RBAC, cloud scopes enable precise role assignments and persistent filtering across dashboards, policies, and onboarding flows.
Whether managing Azure subscriptions, AWS accounts, or GCP projects, cloud scopes ensure users only see what’s relevant to them, enhancing both security and operational efficiency. Cloud Scopes enable teams to:

- Organize resources by business unit, geography, or workload
- Assign roles based on team responsibilities
- Set specific access permissions per group
- Avoid broad access to improve security and transparency
- Define roles with greater flexibility and control

More info about Cloud Scopes.

Unified RBAC roles are found as usual under Settings -> Defender XDR -> Roles and permissions:

[Image: Roles and permissions]

When you press number 1 in the picture above, you will see this permission selection.

Conclusion

This is the first phase of the Defender for Cloud transition to the Defender portal. This is a start. There is a lot more to come in the coming months. Wait and see.

Jussi Metso. The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.
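The post describes a risk-based Secure Score that weighs asset risk factors and asset criticality, and use cases where compliance and risk teams export filtered recommendation reports. The script below is an added example, not code from the post or from Microsoft: it prioritises a constructed CSV export of cloud recommendations by an illustrative weighting of risk level, asset criticality and internet exposure, and summarises the findings per cloud environment for an audit report. The column names, the sample rows and the weighting are assumptions chosen for the example; they are not the Defender for Cloud export format and not the product's Secure Score formula, which the post links to separately.

```python
"""Illustrative prioritisation of exported cloud security recommendations.

Added example for this post. The CSV columns, the sample rows and the
risk/criticality weighting are assumptions for illustration only; they are not
the Defender for Cloud export schema and not the product's Secure Score formula.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (assumed columns; the rows are made up).
SAMPLE_EXPORT = """\
recommendation,environment,resource_type,risk_level,asset_criticality,exposed_to_internet
Management ports should be closed,Azure,VM,High,Critical,true
Storage account should use private endpoints,Azure,Data,Medium,High,false
Container images should have vulnerability findings resolved,AWS,Containers,High,Medium,true
API endpoints should require authentication,GCP,API,Critical,High,true
Service account keys should be rotated,GCP,Identity,Low,Low,false
"""

# Assumed ordinal weights for the two factors the post says feed the score.
RISK_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CRITICALITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_export(text):
    """Parse a CSV export into a list of dict rows, normalising the boolean column."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["exposed_to_internet"] = row["exposed_to_internet"].strip().lower() == "true"
        rows.append(row)
    return rows


def priority_score(row):
    """Illustrative score: risk level x asset criticality, plus 2 if internet exposed.

    Hypothetical weighting for this example only, not the product's formula.
    """
    score = RISK_WEIGHT[row["risk_level"]] * CRITICALITY_WEIGHT[row["asset_criticality"]]
    if row["exposed_to_internet"]:
        score += 2
    return score


def prioritise(rows):
    """Return rows sorted highest priority first; ties keep the export order."""
    return sorted(rows, key=priority_score, reverse=True)


def summarise_by_environment(rows):
    """Count recommendations per environment and risk level for an audit report."""
    summary = defaultdict(Counter)
    for row in rows:
        summary[row["environment"]][row["risk_level"]] += 1
    return {env: dict(counts) for env, counts in summary.items()}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for rec in prioritise(recs):
        print(f"{priority_score(rec):>3}  {rec['environment']:<5} "
              f"{rec['risk_level']:<8} {rec['recommendation']}")
    print(summarise_by_environment(recs))
```

Running the script lists the sample recommendations with the internet-exposed, high-criticality items first, then prints the per-environment counts. Swap the constructed `SAMPLE_EXPORT` for a real export and adjust the column names and weights to whatever your export actually contains.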