Once again this month, I’m back with my recurring series focused on the evolution of Azure management and security services, with a special focus on hybrid and multicloud scenarios enabled by Azure Arc and enhanced by the use of Artificial Intelligence.
This monthly series aims to:
- Provide an overview of the most relevant updates released by Microsoft;
- Share operational tips and field-proven best practices to help architects and IT leaders manage complex and distributed environments more effectively;
- Follow the evolution towards a centralized, proactive, and AI-driven management model, in line with Microsoft’s vision of AI-powered Management.
The main areas addressed in this series, together with the corresponding tools and services, are described in this article.
Security posture across hybrid and multicloud infrastructures
Microsoft Defender for Cloud
Update to the CIEM recommendations logic
In the context of the retirement of Microsoft Entra Permissions Management, Microsoft Defender for Cloud is updating the logic behind CIEM recommendations across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), with the goal of improving accuracy and reducing noise in alerts. Among the key changes: the identification of inactive identities is now based on unused role assignments (rather than sign-in activity), the observation window is extended to 90 days (previously 45), and identities created within the last 90 days are not evaluated as inactive. Operationally, this update tends to make recommendations better aligned with actual risk, but it may also change the number and types of findings visible across multicloud tenants.
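To make the effect of the new criteria concrete, here is an added example (not Microsoft's code, and not an implementation of how Defender for Cloud evaluates identities internally) that applies the two rules described above, the previous 45-day sign-in criterion and the new 90-day unused-role-assignment criterion with a creation grace period, to a few constructed identities, so the change in findings becomes visible. Identity names, dates and the "no assignments means nothing to flag" rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class RoleAssignment:
    role: str
    last_used: Optional[date]   # None: the assignment was never observed in use

@dataclass
class Identity:
    name: str
    created: date
    last_sign_in: Optional[date]
    assignments: list = field(default_factory=list)

def inactive_by_sign_in(ident: Identity, today: date, window_days: int = 45) -> bool:
    """Previous criterion: no sign-in within the 45-day observation window."""
    cutoff = today - timedelta(days=window_days)
    return ident.last_sign_in is None or ident.last_sign_in < cutoff

def inactive_by_role_usage(ident: Identity, today: date, window_days: int = 90) -> bool:
    """Updated criterion: identities created inside the 90-day window are never flagged;
    otherwise the identity is inactive when none of its role assignments was used in the window."""
    cutoff = today - timedelta(days=window_days)
    if ident.created > cutoff:          # creation grace period
        return False
    if not ident.assignments:           # assumption: no entitlements, nothing unused to flag
        return False
    return all(a.last_used is None or a.last_used < cutoff for a in ident.assignments)

def compare(identities, today: date) -> dict:
    """Map identity name -> (finding under old logic, finding under new logic)."""
    return {i.name: (inactive_by_sign_in(i, today), inactive_by_role_usage(i, today))
            for i in identities}

# Constructed sample data: hypothetical identities, not taken from any real tenant.
TODAY = date(2025, 6, 30)
def days_ago(n: int) -> date: return TODAY - timedelta(days=n)

SAMPLE = [
    # Service principal: no sign-in for 60 days, but its role was exercised 20 days ago.
    Identity("svc-backup", days_ago(400), days_ago(60), [RoleAssignment("Storage Blob Data Contributor", days_ago(20))]),
    # Created 30 days ago and not yet used: inside the creation grace period.
    Identity("app-new", days_ago(30), None, [RoleAssignment("Reader", None)]),
    # Dormant for well over 90 days under both criteria.
    Identity("legacy-admin", days_ago(500), days_ago(200), [RoleAssignment("Owner", days_ago(120))]),
    # Actively used identity.
    Identity("user-daily", days_ago(300), days_ago(2), [RoleAssignment("Contributor", days_ago(1))]),
]

if __name__ == "__main__":
    for name, (old, new) in compare(SAMPLE, TODAY).items():
        print(f"{name:13} old(45d sign-in)={old!s:5} new(90d role use)={new}")
```

Running it shows two of the four sample identities dropping out of the "inactive" set under the new logic, which is the kind of shift in finding counts to expect when reviewing dashboards after the rollout.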
AWS CloudTrail ingestion (preview)
In preview, ingestion of AWS CloudTrail management events into Microsoft Defender for Cloud is now available. By enabling collection, Defender for Cloud enriches Cloud Infrastructure Entitlement Management (CIEM) analytics by including observed activity (management events) alongside the entitlement signals already available (for example, Access Advisor data). This additional usage context helps make security recommendations in Amazon Web Services (AWS) more accurate, improving the identification of unused permissions, dormant identities, and potential privilege escalation paths. The feature supports both individual AWS accounts and AWS Organizations with centralized logging, simplifying adoption in multi-account organizations.
Microsoft Security Private Link (preview)
Microsoft Defender for Cloud introduces Microsoft Security Private Link in preview, with the goal of enabling private connectivity between the security platform and protected workloads. The integration is implemented by creating private endpoints within the Virtual Network, so that traffic to Defender services remains on Microsoft’s backbone network, avoiding exposure on the public Internet and reducing the attack surface associated with public endpoints. At this stage, private endpoint support is available for the Defender for Containers plan, making it particularly interesting for Kubernetes clusters in “network-restricted” environments with controlled egress requirements.
Integration with Endor Labs
The integration between Microsoft Defender for Cloud and Endor Labs is now generally available (GA). This enhancement strengthens vulnerability analysis by introducing a reachability-based Software Composition Analysis (SCA) approach, which highlights vulnerabilities that could actually be exploitable along the “from code to runtime” path. In practice, the integration helps teams prioritize remediation more effectively, distinguishing what is merely “present” in libraries or dependencies from what is truly reachable and exploitable in running applications—reducing operational overhead and improving triage quality.
Cloud posture management adds serverless protection for Azure and AWS (preview)
Microsoft Defender for Cloud is extending, in preview, the capabilities of the Defender Cloud Security Posture Management (CSPM) plan to serverless workloads in Azure and Amazon Web Services (AWS), both in the Azure portal and in the Defender portal. This capability introduces automatic discovery and security posture assessment for components such as Azure Functions, Azure Web Apps, and AWS Lambda, providing centralized inventory and recommendations for misconfigurations, vulnerabilities, and insecure dependencies. This is a significant step for modern event-driven and microservices scenarios, where the traditional perimeter is more blurred and governance requires continuous visibility and consistent controls even for non-server-based resources.
Conclusions
This month’s updates focus on Microsoft Defender for Cloud and confirm a very clear direction: improving signal quality, expanding multicloud coverage, and reducing operational friction—especially in hybrid and distributed environments. The update to CIEM (Cloud Infrastructure Entitlement Management) recommendations logic goes exactly in this direction, making the identification of inactive identities and unused permissions more reliable thanks to a broader observation window and criteria that better reflect real usage. On the AWS side, ingestion of CloudTrail management events (preview) adds valuable context to refine analytics and more accurately identify escalation paths and unnecessary privileges, while the introduction of Microsoft Security Private Link (preview) opens up interesting scenarios for those who must operate in “network-restricted” environments with strict egress requirements and a need to minimize public exposure. Finally, the Endor Labs integration reaching GA and the extension of CSPM to serverless workloads (preview) highlight the evolution toward an increasingly “code-to-cloud” security posture—better able to prioritize remediation and to ensure visibility and governance even in modern event-driven models.