6.5 Regulatory Compliance and Multicloud Posture

Key Takeaways

  • The Defender for Cloud regulatory compliance dashboard maps continuous assessments to frameworks like ISO 27001, PCI DSS, and NIST.
  • Assessment against the MCSB baseline is free (Foundational CSPM); adding further regulatory standards to the compliance dashboard requires the paid Defender CSPM plan.
  • Controls that cannot be automatically assessed appear greyed out and require manual attestation.
  • Defender for Cloud connects AWS accounts and GCP projects agentlessly, extending posture and compliance views across Azure, AWS, and GCP.
Last updated: June 2026

The Regulatory Compliance Dashboard

Defender for Cloud includes a regulatory compliance dashboard built on its continuous assessment of cloud resources. Microsoft frames it as providing insight into compliance with the standards that matter to your organization. The key SC-900 phrase is compliance posture, not legal certification: Defender for Cloud helps you monitor and track controls, findings, and progress against assigned standards — it does not issue a certificate.

Because the same assessment engine feeds both security recommendations and compliance, a resource that fails an MCSB control can appear in recommendations and contribute to a framework's compliance view. The dashboard typically shows:

  • Compliance status for each assigned framework, with passing vs failing controls.
  • A compliance percentage / score per standard and visual progress over time.
  • Frameworks that require attention, and the ability to filter recommendations by framework.
  • Framework-specific recommendations and remediation progress.
Compliance term | Meaning in Defender for Cloud
Assigned standard | A benchmark or regulatory framework applied to a scope
Control | A requirement or expected condition within a standard
Compliance posture | Current assessment state against assigned standards
Framework-specific recommendation | A remediation item tied to a compliance control
Greyed-out control | A control Defender for Cloud cannot automatically assess
Compliance dashboard | The view for tracking progress and attention areas

Built-in Standards, MCSB, and the Paid-Plan Boundary

The Microsoft Cloud Security Benchmark (MCSB) is the default standard, assigned automatically for Azure when Defender for Cloud is enabled, and it can extend to AWS and GCP. On top of MCSB you can add regulatory frameworks such as ISO/IEC 27001, PCI DSS, NIST SP 800-53, SOC 2, CIS benchmarks, and others. You do not need to memorize the full list for SC-900 — only that Defender for Cloud assesses resources against these standards across connected clouds.

An important and frequently tested nuance: the regulatory compliance dashboard (with frameworks beyond the free baseline) is a capability of the paid Defender CSPM plan. The MCSB policy runs under free Foundational CSPM, but the broader, multi-framework compliance dashboard belongs to Defender CSPM. If a question contrasts free vs paid, place the regulatory compliance dashboard on the paid side.

Multicloud Posture and Assessment Limits

Multicloud is central to the story. Defender for Cloud connects Amazon Web Services (AWS) accounts and Google Cloud Platform (GCP) projects using agentless methods, then assesses those workloads against industry standards and reports posture. Secure score and compliance views can display posture by environment — Azure, AWS, and GCP — so a single pane covers all three.

There are limits to automation. Microsoft notes that if a compliance control cannot be automatically assessed, Defender for Cloud cannot decide whether a resource complies; that control appears greyed out and must be addressed through manual attestation or external evidence. This is a useful caution for exam wording: Defender for Cloud provides compliance monitoring and insight, but it does not automatically prove every requirement.
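The dashboard behaviour described above (a compliance percentage per standard, a per-environment split across Azure, AWS and GCP, and greyed-out controls that are not automatically assessable) is easy to misread until you see how the roll-up works. The script below is an added example written for this page, not Microsoft code and not output from a real tenant: the records are constructed, the field names are an assumption loosely modelled on the assessment rows Defender for Cloud exposes, and the scoring rule (manual controls are left out of the denominator, any failing resource fails its control) is stated as an assumption in the comments.

```python
"""Roll up per-resource compliance assessments into per-standard and
per-environment compliance percentages, Defender for Cloud style.

Added example for this page; the data below is constructed, the record
shape is an assumption, and the scoring rule is stated explicitly.
"""
from collections import defaultdict

# Constructed sample assessments (not real tenant output). The state
# vocabulary (Passed, Failed, Skipped, Unsupported) follows the Defender for
# Cloud API; everything else is invented for illustration.
SAMPLE_ASSESSMENTS = [
    # Technical control satisfied on both clouds.
    {"standard": "PCI-DSS", "control": "1.2.1", "environment": "azure", "resource": "nsg-web", "state": "Passed"},
    {"standard": "PCI-DSS", "control": "1.2.1", "environment": "aws", "resource": "sg-0a1b", "state": "Passed"},
    # One failing AWS bucket fails the whole control at standard level.
    {"standard": "PCI-DSS", "control": "3.5.1", "environment": "azure", "resource": "st-logs", "state": "Passed"},
    {"standard": "PCI-DSS", "control": "3.5.1", "environment": "aws", "resource": "bkt-cardlogs", "state": "Failed"},
    # Organisational control the tool cannot evaluate: shown greyed out.
    {"standard": "PCI-DSS", "control": "12.6.1", "environment": "azure", "resource": "-", "state": "Unsupported"},
    {"standard": "ISO-27001", "control": "A.8.20", "environment": "gcp", "resource": "fw-prod", "state": "Passed"},
    {"standard": "ISO-27001", "control": "A.8.24", "environment": "gcp", "resource": "kms-prod", "state": "Failed"},
    {"standard": "ISO-27001", "control": "A.8.15", "environment": "aws", "resource": "trail-prod", "state": "Passed"},
    {"standard": "ISO-27001", "control": "A.6.3", "environment": "azure", "resource": "-", "state": "Unsupported"},
    {"standard": "ISO-27001", "control": "A.8.9", "environment": "azure", "resource": "vm-old", "state": "Skipped"},
]

# Precedence when collapsing resource states into a control state.
SEVERITY = {"Failed": 3, "Passed": 2, "Unsupported": 1, "Skipped": 0}
BUCKET = {"Passed": "passed", "Failed": "failed", "Unsupported": "manual", "Skipped": "skipped"}


def control_state(states):
    """Any failing resource fails the control; a control is Unsupported
    (greyed out) only when nothing under it could be assessed."""
    return max(states, key=lambda s: SEVERITY.get(s, -1))


def roll_up(records, group_by=("standard",)):
    """Return {group_key: {passed, failed, manual, skipped, percent}}.

    group_key is a tuple of the requested record fields, so
    group_by=("standard", "environment") gives the per-cloud view.
    Assumption: the percentage counts only automatically assessable
    controls, so manual (greyed-out) ones neither raise nor lower it.
    """
    per_control = defaultdict(list)
    for r in records:
        key = tuple(r[k] for k in group_by)
        per_control[(key, r["control"])].append(r["state"])

    summary = defaultdict(lambda: {"passed": 0, "failed": 0, "manual": 0, "skipped": 0})
    for (key, _control), states in per_control.items():
        summary[key][BUCKET[control_state(states)]] += 1

    for s in summary.values():
        assessable = s["passed"] + s["failed"]
        s["percent"] = round(100 * s["passed"] / assessable, 1) if assessable else None
    return dict(summary)


def attestation_queue(records):
    """Sorted (standard, control) pairs that need manual attestation."""
    by_standard = roll_up.__wrapped__ if False else None  # placeholder never used
    pending = set()
    for r in records:
        if r["state"] == "Unsupported":
            pending.add((r["standard"], r["control"]))
    return sorted(pending)


if __name__ == "__main__":
    for key, s in roll_up(SAMPLE_ASSESSMENTS).items():
        print(key[0], s)
    for key, s in roll_up(SAMPLE_ASSESSMENTS, ("standard", "environment")).items():
        print(key, s["percent"])
    print("needs attestation:", attestation_queue(SAMPLE_ASSESSMENTS))
```

Two things worth noticing in the output: PCI-DSS scores 50% at standard level because the one failing AWS bucket fails control 3.5.1 everywhere, yet the Azure slice of the same standard scores 100%, which is exactly the per-environment split the dashboard gives you; and the ISO-27001 Azure slice has no percentage at all, because its only controls there are greyed out or skipped, so the tool has nothing to measure and those items go straight to the attestation queue.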

Finally, separate Defender for Cloud compliance from Microsoft Purview Compliance Manager. Defender for Cloud assesses cloud resource posture against security standards; Compliance Manager (part of Microsoft Purview) manages assessments, improvement actions, and compliance score for organizational and data compliance. If the scenario says cloud resources, Azure/AWS/GCP, recommendations, or MCSB, choose Defender for Cloud; if it says data classification, retention, eDiscovery, audit, or Compliance Manager, choose Purview.

  • The regulatory compliance dashboard maps assessments to frameworks (ISO 27001, PCI DSS, NIST, and more).
  • MCSB is the free default; the multi-framework compliance dashboard is a Defender CSPM (paid) feature.
  • Multicloud posture spans connected Azure, AWS, and GCP.
  • Non-assessable controls are greyed out and need manual attestation.

Connecting AWS and GCP

Defender for Cloud onboards other clouds through connectors: an AWS connector (linking AWS accounts) and a GCP connector (linking GCP projects). The connectors read configuration and posture through the providers' own APIs without deploying anything onto the workloads, so Defender for Cloud can deliver CSPM insight across all three clouds; when the relevant Defender plans are enabled, workload protection (CWPP) extends there too, although some workload plans, such as Defender for Servers, still place an agent on the protected machines. After onboarding, AWS and GCP resources appear in the asset inventory, contribute to secure score, and are measured against standards, including a cloud-appropriate version of MCSB, in the regulatory compliance dashboard.

This unified, cross-cloud view is the heart of why Defender for Cloud is a multicloud CNAPP and not an Azure-only tool.

For SC-900 you should be able to answer 'which service gives one compliance and posture view across Azure, AWS, and GCP?' with Defender for Cloud, and to recognize that the connectors are the mechanism that makes multicloud assessment possible.

Compliance Posture Is Not Certification

A subtle but tested point: the regulatory compliance dashboard reports how your resources measure against a framework's controls — it does not grant or replace a formal audit or certification. Defender for Cloud automates the technical control checks it can evaluate, but many framework controls are organizational or procedural (policies, training, physical security) that no tool can verify automatically. Those appear as greyed-out or manual controls requiring attestation.

So the honest exam framing is: Defender for Cloud helps you monitor and improve compliance posture and prepare for audits, while the actual certification comes from an accredited auditor.

Concept | What it means here
Automated control | Defender for Cloud can technically assess and report pass/fail
Manual / greyed-out control | Requires human attestation or external evidence
Compliance posture | Current measured state against assigned frameworks
Certification | A formal attestation issued by an auditor, not by the tool

Defender for Cloud vs Purview, One More Time

Because both products use the word compliance, keep the scope test handy. Defender for Cloud answers compliance questions about cloud resources and infrastructure (Azure/AWS/GCP, MCSB, recommendations, greyed-out controls). Microsoft Purview Compliance Manager answers compliance questions about the organization and its data (assessments, improvement actions, compliance score, and templates spanning Microsoft 365 and other services).

If the prompt centers on cloud subscriptions and resource hardening, it is Defender for Cloud; if it centers on data, records, eDiscovery, audit, or organizational improvement actions, it is Purview.

Test Your Knowledge

Which Microsoft service best fits monitoring regulatory compliance posture for connected Azure, AWS, and GCP cloud resources?

Test Your Knowledge

What does it mean when a compliance control appears greyed out in the Defender for Cloud regulatory compliance dashboard?

Test Your Knowledge

Which clue most strongly points to Defender for Cloud rather than Microsoft Purview Compliance Manager?
