{"id":470,"date":"2026-04-14T04:17:14","date_gmt":"2026-04-14T04:17:14","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-defender-external-attack-surface-management-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/"},"modified":"2026-04-14T04:17:14","modified_gmt":"2026-04-14T04:17:14","slug":"azure-defender-external-attack-surface-management-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-defender-external-attack-surface-management-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/","title":{"rendered":"Azure Defender External Attack Surface Management Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Management and Governance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Management and Governance<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Defender External Attack Surface Management is an Azure-integrated security service that helps you discover, inventory, and monitor your organization\u2019s internet-facing assets\u2014domains, subdomains, IP addresses, certificates, cloud-hosted endpoints, and associated technologies\u2014so you can reduce exposure before attackers exploit it.<\/p>\n\n\n\n<p>In simple terms: it continuously finds \u201cwhat you have on the public internet,\u201d highlights risky exposures (like forgotten subdomains, misconfigured services, or unexpected open ports), and helps you prioritize what to fix.<\/p>\n\n\n\n<p>Technically, Defender External Attack Surface Management (often abbreviated as Defender EASM in Microsoft materials) performs continuous external discovery based on \u201cseeds\u201d you provide (for example, your corporate domains). 
It correlates discovered infrastructure, services, and signals into an asset inventory and exposure insights. This supports governance and operational security by keeping your external footprint accurate and actionable\u2014even as teams deploy new apps and services.<\/p>\n\n\n\n<p>The problem it solves is <strong>external asset sprawl<\/strong>: organizations frequently lose track of what is publicly reachable due to cloud migration, DevOps velocity, acquisitions, shadow IT, and third-party hosting. Attackers don\u2019t need internal access if they can find one forgotten endpoint. Defender External Attack Surface Management helps you find and reduce these externally visible risks systematically.<\/p>\n\n\n\n<blockquote>\n<p>Naming\/status note (verify in official docs): Microsoft markets the product as <strong>Microsoft Defender External Attack Surface Management<\/strong>. You may also see \u201cDefender EASM\u201d as shorthand, and historical references connected to RiskIQ (Microsoft acquired RiskIQ). In Azure, it is billed and managed through Azure constructs, but the service itself operates as a Microsoft Defender SaaS offering.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Defender External Attack Surface Management?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose (what it\u2019s for)<\/h3>\n\n\n\n<p>Defender External Attack Surface Management is designed to help organizations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Discover<\/strong> internet-facing assets that are associated with the organization (known and unknown).<\/li>\n<li><strong>Inventory and classify<\/strong> assets so teams can assign ownership and track lifecycle.<\/li>\n<li><strong>Identify exposures<\/strong> and changes that increase risk.<\/li>\n<li><strong>Prioritize remediation<\/strong> by focusing on the most relevant, high-risk external findings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (high-level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>External asset discovery starting from seeds (for example, domains).<\/li>\n<li>Asset inventory with enrichment (such as technologies, hosting signals, certificates\u2014exact enrichment varies; verify in docs).<\/li>\n<li>Exposure insights (for example, potentially risky configurations or newly exposed services\u2014verify exact detection catalog in docs).<\/li>\n<li>Continuous monitoring and change tracking.<\/li>\n<li>Workflows to support triage, ownership, and remediation (exact workflow features depend on current portal experience; verify in docs).<\/li>\n<li>APIs and integrations for automation (verify current API endpoints and supported integrations).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<p>While Microsoft may use specific product UI terms that evolve, the service typically maps to these components:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>What it represents<\/th>\n<th>Why it matters<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Workspace \/ Instance<\/td>\n<td>The logical container where discovery, inventory, and insights are managed<\/td>\n<td>Separates environments (prod vs. 
corp), business units, or subsidiaries<\/td>\n<\/tr>\n<tr>\n<td>Seeds<\/td>\n<td>Starting points such as domains, IP ranges, ASNs, certificates (seed types vary; verify)<\/td>\n<td>Determines what the service looks for<\/td>\n<\/tr>\n<tr>\n<td>Discovery engine<\/td>\n<td>Continuous mapping\/correlation across public signals<\/td>\n<td>Finds unknown assets and relationships<\/td>\n<\/tr>\n<tr>\n<td>Inventory<\/td>\n<td>The resulting set of discovered assets and metadata<\/td>\n<td>Forms the source of truth for external footprint<\/td>\n<\/tr>\n<tr>\n<td>Insights \/ Exposures<\/td>\n<td>Findings about risk, misconfigurations, or suspicious changes<\/td>\n<td>Helps you prioritize actions<\/td>\n<\/tr>\n<tr>\n<td>Integrations \/ Export<\/td>\n<td>APIs or connectors to SIEM\/SOAR\/ticketing<\/td>\n<td>Operationalizes findings<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SaaS security management and governance service<\/strong> integrated with Azure for provisioning and billing.<\/li>\n<li>Works primarily against <strong>public internet-reachable assets<\/strong> rather than internal private resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: global\/regional and tenant\/subscription considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender External Attack Surface Management is typically managed at the <strong>Microsoft Entra ID (Azure AD) tenant<\/strong> level for identity, with <strong>Azure subscription<\/strong> used for billing and resource provisioning.<\/li>\n<li>Many SaaS security services operate with a <strong>global control plane<\/strong> and region-dependent data processing\/storage.<br\/>\n<strong>Verify in official docs<\/strong> for: data residency, regional availability, and where data is stored\/processed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Azure 
ecosystem<\/h3>\n\n\n\n<p>Defender External Attack Surface Management complements Azure and Microsoft security operations by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Providing an <strong>external perimeter view<\/strong> to augment internal posture tools like <strong>Microsoft Defender for Cloud<\/strong> (cloud security posture management) and <strong>Microsoft Defender XDR<\/strong> (incident and endpoint\/email\/identity protection).<\/li>\n<li>Feeding external asset context into governance and operational processes (tagging, ownership, remediation SLAs).<\/li>\n<li>Supporting SIEM workflows (often via <strong>Microsoft Sentinel<\/strong> integration patterns\u2014verify the specific connector availability).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Defender External Attack Surface Management?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce breach likelihood<\/strong> by eliminating unknown\/forgotten internet-facing services.<\/li>\n<li><strong>Improve M&amp;A and subsidiary governance<\/strong> by rapidly mapping new external footprints.<\/li>\n<li><strong>Protect brand and customer trust<\/strong> by catching accidental exposures early.<\/li>\n<li><strong>Support audit readiness<\/strong> by maintaining an authoritative inventory of external assets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>External assets change frequently: DNS, certificates, cloud endpoints, CDN configs, and ephemeral infrastructure.<\/li>\n<li>Traditional CMDBs and internal asset inventories rarely capture <strong>public internet exposure<\/strong> accurately.<\/li>\n<li>Defender External Attack Surface Management provides continuous discovery and correlation to help keep pace.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps define 
<strong>ownership<\/strong> and remediation workflow: \u201cWho owns this domain\/subdomain\/service?\u201d<\/li>\n<li>Enables <strong>change tracking<\/strong>: what became exposed recently?<\/li>\n<li>Creates an operational rhythm: discovery \u2192 classification \u2192 remediation \u2192 verification.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Supports better alignment with controls that require asset inventory and vulnerability management processes (exact mapping depends on your compliance framework).<\/li>\n<li>Helps identify externally visible services that may violate policy (for example, unexpected admin panels or outdated TLS configs\u2014verify supported detections).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designed to scale across large enterprises with many domains and distributed teams.<\/li>\n<li>Continuous discovery reduces manual scanning overhead and \u201cone-time snapshot\u201d gaps.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Defender External Attack Surface Management when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuous <strong>internet-facing asset discovery<\/strong> and monitoring.<\/li>\n<li>A centralized inventory to support security governance.<\/li>\n<li>Operational workflows to reduce external exposure across many teams.<\/li>\n<li>Integration with the broader Microsoft security ecosystem.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Consider alternatives (or complementary tools) when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You only need <strong>internal<\/strong> vulnerability scanning or endpoint coverage (look at Defender Vulnerability Management and Defender for Cloud capabilities).<\/li>\n<li>Your entire environment is private\/internal and not internet reachable (EASM focuses on external exposure).<\/li>\n<li>You require a specialized niche function not covered by the service (for example, deep web content monitoring, brand protection beyond asset inventory\u2014verify scope).<\/li>\n<li>You cannot accommodate SaaS-based processing due to strict sovereignty requirements (verify data residency options).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Defender External Attack Surface Management used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<p>Commonly adopted in industries with high external exposure and strict risk tolerance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services and fintech<\/li>\n<li>Healthcare<\/li>\n<li>Retail\/e-commerce<\/li>\n<li>Government and regulated public sector (subject to data residency\/sovereignty constraints\u2014verify)<\/li>\n<li>Technology\/SaaS providers<\/li>\n<li>Telecommunications<\/li>\n<li>Manufacturing (especially with IoT\/OT-facing portals and vendor access)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security operations (SOC), detection engineering, and incident response<\/li>\n<li>Vulnerability management teams<\/li>\n<li>Governance, risk, and compliance (GRC)<\/li>\n<li>Platform engineering and SRE<\/li>\n<li>Cloud center of excellence (CCoE)<\/li>\n<li>IT operations and network\/security engineering<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public web apps and APIs<\/li>\n<li>Multi-cloud and hybrid deployments (Azure + non-Azure)<\/li>\n<li>SaaS platforms with custom domains and many tenant endpoints<\/li>\n<li>CDN\/WAF fronted services<\/li>\n<li>Legacy public services during migration projects<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices and API gateways exposed to the internet<\/li>\n<li>Multi-tenant architectures with per-customer subdomains<\/li>\n<li>Acquired companies with 
separate DNS and hosting<\/li>\n<li>Distributed marketing\/campaign domains managed by third parties<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central security team runs the platform; app teams remediate.<\/li>\n<li>Security + IT jointly manage domain ownership and certificate lifecycle.<\/li>\n<li>M&amp;A teams use it during due diligence and post-merger integration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> primary usage. Continuous monitoring and governance are most valuable for real internet exposure.<\/li>\n<li><strong>Dev\/test:<\/strong> useful when dev\/test environments are internet-accessible (common), especially to prevent \u201ctemporary\u201d endpoints from becoming permanent liabilities.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are practical, realistic use cases showing where Defender External Attack Surface Management fits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Unknown subdomain discovery (shadow IT)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams spin up services under subdomains without central visibility.<\/li>\n<li><strong>Why this service fits:<\/strong> It discovers and correlates subdomains and associated endpoints starting from trusted seeds.<\/li>\n<li><strong>Example:<\/strong> Security adds <code>example.com<\/code> as a seed and finds <code>staging-api.example.com<\/code> pointing to a cloud service with no WAF.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) M&amp;A external footprint mapping<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> After acquiring a company, you don\u2019t know what internet-facing assets they operate.<\/li>\n<li><strong>Why this service fits:<\/strong> Rapid discovery from the acquired company\u2019s domains and public infrastructure signals.<\/li>\n<li><strong>Example:<\/strong> Add <code>acquiredco.com<\/code> seeds; discover legacy portals and exposed services that were never formally documented.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) External inventory for governance and ownership<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> No single source of truth for public assets; ownership is unclear.<\/li>\n<li><strong>Why this service fits:<\/strong> Central inventory supports classification and ownership assignment (workflow details vary; verify).<\/li>\n<li><strong>Example:<\/strong> Inventory shows dozens of domains registered to different teams; you standardize ownership tags and set remediation SLAs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Detect accidental exposure due to DNS changes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A DNS record 
change unintentionally exposes an internal admin service publicly.<\/li>\n<li><strong>Why this service fits:<\/strong> Continuous monitoring can highlight newly reachable endpoints and changes.<\/li>\n<li><strong>Example:<\/strong> A record change points <code>admin.example.com<\/code> to a public load balancer; the service flags the newly exposed surface for investigation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Certificate-based discovery and hygiene<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Certificates reveal hidden subdomains and services; expired\/weak certificates are operational and security risks.<\/li>\n<li><strong>Why this service fits:<\/strong> Uses certificate intelligence signals to discover and track external assets (verify exact certificate features).<\/li>\n<li><strong>Example:<\/strong> Certificate transparency logs show <code>vpn-old.example.com<\/code>; inventory finds it still resolves and is reachable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Cloud migration and footprint control<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> During migration, old endpoints remain live and unpatched.<\/li>\n<li><strong>Why this service fits:<\/strong> Helps find orphaned endpoints across cloud providers and hosting environments.<\/li>\n<li><strong>Example:<\/strong> Migration to Azure leaves old IPs reachable in another cloud; EASM inventory highlights them for decommissioning.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Third-party hosted marketing domains<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Marketing uses third-party providers; domains drift and security policies aren\u2019t enforced.<\/li>\n<li><strong>Why this service fits:<\/strong> Visibility into externally hosted assets tied to your domain namespace.<\/li>\n<li><strong>Example:<\/strong> <code>promo.example.com<\/code> is hosted on a third-party platform with 
insecure configuration; the service helps you track and govern it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Attack surface monitoring for incident response<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> During an incident, you need fast confirmation of exposed entry points.<\/li>\n<li><strong>Why this service fits:<\/strong> Maintains current external inventory, reducing time-to-context.<\/li>\n<li><strong>Example:<\/strong> SOC suspects DNS hijacking; EASM helps compare known assets and recent changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Validate decommissioning and exposure reduction<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You \u201cturned off\u201d a service but aren\u2019t sure it\u2019s no longer reachable.<\/li>\n<li><strong>Why this service fits:<\/strong> Continuous discovery and monitoring helps confirm that endpoints are removed.<\/li>\n<li><strong>Example:<\/strong> After shutting down a legacy app, the inventory still shows the endpoint responding\u2014indicating incomplete decommissioning.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Security program metrics and reporting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Leadership wants measurable exposure reduction and accountability.<\/li>\n<li><strong>Why this service fits:<\/strong> Inventory and insights provide measurable counts and trends (exact reporting varies; verify).<\/li>\n<li><strong>Example:<\/strong> Monthly report: number of externally exposed assets, newly discovered assets, and remediation SLA compliance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Preparation for penetration testing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Pen testers miss assets because the asset list is incomplete.<\/li>\n<li><strong>Why this service fits:<\/strong> Provides a more complete view of the external 
scope.<\/li>\n<li><strong>Example:<\/strong> Provide the discovered inventory to the pentest vendor to define test boundaries accurately.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Domain and IP range governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> IP ranges and ASNs associated with your org aren\u2019t consistently tracked.<\/li>\n<li><strong>Why this service fits:<\/strong> Supports discovery based on network ownership signals (verify supported seed types).<\/li>\n<li><strong>Example:<\/strong> Security monitors all assets associated with corporate ASNs and flags new exposed services.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>Features evolve. The items below reflect common, documented capabilities of external attack surface management platforms and how Microsoft positions Defender External Attack Surface Management. <strong>Verify exact feature names and availability in current official documentation<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Seed-based discovery<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Starts discovery from known identifiers (for example, domains) and expands to related assets.<\/li>\n<li><strong>Why it matters:<\/strong> You need an anchor to define what belongs to your organization.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster onboarding and fewer false positives than open-ended internet scanning.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Discovery accuracy depends on seed quality and ownership signals; acquisitions and shared hosting can complicate attribution.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Continuous external asset inventory<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Builds and maintains an inventory of internet-facing assets and their metadata.<\/li>\n<li><strong>Why it 
matters:<\/strong> Asset inventory is foundational for governance and risk management.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduces reliance on stale spreadsheets and ad-hoc recon scripts.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Not a CMDB replacement; it focuses on <em>external<\/em> visibility, not internal assets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Enrichment and fingerprinting (technology\/service context)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Adds context such as DNS data, certificate signals, observed services, and technology indicators (exact enrichment varies; verify).<\/li>\n<li><strong>Why it matters:<\/strong> Prioritization requires context: \u201cIs this a production service? What tech is it?\u201d<\/li>\n<li><strong>Practical benefit:<\/strong> Better triage and routing to the right team.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Fingerprinting can be probabilistic; treat as a lead, not absolute truth.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Exposure and risk insights<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Highlights exposures or conditions that may increase risk (catalog varies; verify).<\/li>\n<li><strong>Why it matters:<\/strong> Inventory alone doesn\u2019t tell you what to fix first.<\/li>\n<li><strong>Practical benefit:<\/strong> Drives a remediation backlog prioritized by exposure.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> \u201cExposure\u201d is not always a confirmed vulnerability; validate before action.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Change tracking<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Surfaces changes over time, like new assets, DNS shifts, or service changes (verify exact change types).<\/li>\n<li><strong>Why it matters:<\/strong> Many incidents start with change\u2014new endpoint, new port, new 
provider.<\/li>\n<li><strong>Practical benefit:<\/strong> Enables \u201cwhat changed?\u201d investigations and proactive alerts.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Change detection timing depends on scan cadence and data sources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Asset classification and ownership workflows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Helps you classify assets (for example, production vs test) and associate ownership (exact UX varies; verify).<\/li>\n<li><strong>Why it matters:<\/strong> Findings must route to owners; otherwise, nothing gets fixed.<\/li>\n<li><strong>Practical benefit:<\/strong> Supports operational accountability.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Ownership still requires organizational process; tooling can\u2019t solve accountability alone.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Integrations and APIs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables export\/automation with SIEM\/SOAR\/ticketing and custom tooling (verify supported integrations and API docs).<\/li>\n<li><strong>Why it matters:<\/strong> Security teams need to operationalize alerts and inventory in existing workflows.<\/li>\n<li><strong>Practical benefit:<\/strong> Automated ticket creation and enrichment of incidents with asset context.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> API rate limits, permission models, and connector availability vary\u2014verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Role-based access control (RBAC) via Microsoft Entra ID<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Controls who can view, manage, and administer EASM resources.<\/li>\n<li><strong>Why it matters:<\/strong> Inventory and exposure data can be sensitive.<\/li>\n<li><strong>Practical benefit:<\/strong> Least privilege and auditable 
access.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Role names and scope boundaries can change; confirm in your tenant\u2019s role list.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Multi-workspace separation (organizational boundaries)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports separation by business unit, environment, or geography (verify constraints).<\/li>\n<li><strong>Why it matters:<\/strong> Large enterprises need boundaries and delegated administration.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduces noise; aligns with governance structure.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Requires careful seed and scope planning to avoid duplication.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>At a high level, Defender External Attack Surface Management works like this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You provision an EASM resource\/workspace in Azure and authenticate via Microsoft Entra ID.<\/li>\n<li>You provide \u201cseeds\u201d representing assets you know belong to you (like domains).<\/li>\n<li>The service performs continuous external discovery using public internet signals and scanning\/observation techniques (implementation details are proprietary; verify in docs).<\/li>\n<li>Discovered assets and metadata are stored in the service\u2019s inventory.<\/li>\n<li>The service derives exposure insights and changes over time.<\/li>\n<li>You review in the portal and operationalize via alerts\/integrations\/APIs.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Data flow vs control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control flow:<\/strong> Admins configure workspaces, seeds, roles, and export\/integration settings.<\/li>\n<li><strong>Data flow:<\/strong> Public discovery signals 
\u2192 correlation\/enrichment \u2192 inventory \u2192 insights \u2192 export.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related Microsoft services (common patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Microsoft Defender for Cloud:<\/strong> Complements internal cloud posture with external footprint visibility.<\/li>\n<li><strong>Microsoft Sentinel:<\/strong> Common place to operationalize signals and create incidents (verify if there is a dedicated connector for Defender External Attack Surface Management; if not, use API-based ingestion patterns).<\/li>\n<li><strong>Microsoft Defender XDR:<\/strong> Exposure context can support investigations, though direct integration specifics should be verified.<\/li>\n<li><strong>ITSM\/ticketing:<\/strong> Export findings to ServiceNow\/Jira via automation (typically through APIs or Logic Apps; verify supported connectors).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Entra ID (identity, SSO, RBAC)<\/li>\n<li>Azure subscription (resource provisioning and billing)<\/li>\n<li>Optional: Log Analytics workspace, Microsoft Sentinel, Logic Apps for automation (integration-dependent)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users authenticate via Microsoft Entra ID.<\/li>\n<li>Access is controlled by RBAC roles assigned at the appropriate scope (tenant\/workspace\/subscription depending on implementation).<\/li>\n<li>API access typically uses Entra ID OAuth2 tokens (verify supported auth flows for the EASM API).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender External Attack Surface Management observes <strong>publicly reachable<\/strong> endpoints.<\/li>\n<li>You do not typically deploy agents or VMs for discovery; it is 
SaaS-driven.<\/li>\n<li>If you integrate\/export data, network egress from your environment may be relevant (for example, Logic Apps calling APIs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Track:\n<ul>\n<li>Who changed seeds\/scope<\/li>\n<li>Who exported data \/ created integrations<\/li>\n<li>Discovery changes and exposure trends<\/li>\n<\/ul>\n<\/li>\n<li>Use:\n<ul>\n<li>Azure Activity Log for Azure resource changes (where applicable)<\/li>\n<li>Service audit logs (where available) and Entra sign-in logs<\/li>\n<li>SIEM ingestion for high-value alerts and change events (integration-dependent)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[\"Security Analyst \/ Admin\"] --&gt;|Entra ID login| P[\"Azure Portal\"]\n  P --&gt; EASM[\"Defender External Attack Surface Management Workspace\"]\n  S[\"Domains \/ IPs \/ Other Seeds\"] --&gt;|Seeds provided by you| EASM\n  EASM --&gt;|Continuous discovery| I[(\"External Asset Inventory\")]\n  I --&gt; X[\"Exposure Insights &amp; Changes\"]\n  X --&gt; U\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Org[\"Organization (People &amp; Process)\"]\n    SOC[\"SOC \/ SecOps\"]\n    VM[\"Vuln Mgmt\"]\n    IT[\"IT Ops \/ Platform\"]\n    GRC[\"GRC \/ Audit\"]\n  end\n\n  subgraph Azure[\"Azure\"]\n    Portal[\"Azure Portal\"]\n    Entra[\"Microsoft Entra ID\"]\n    Sub[\"Azure Subscription (Billing\/Resource)\"]\n    Sentinel[\"Microsoft Sentinel (optional)\"]\n    LA[\"Logic Apps \/ Automation (optional)\"]\n  end\n\n  subgraph Defender[\"Microsoft Defender Security Suite\"]\n    EASM[\"Defender External Attack Surface Management\"]\n    MDOther[\"Other Defender products (contextual)\"]\n  end\n\n  subgraph Internet[\"Public Internet\"]\n    Assets[\"Domains, Subdomains, IPs, Web Apps, APIs, Certs\"]\n    ThirdParty[\"3rd-party hosting\/CDN\/SaaS\"]\n  end\n\n  SOC --&gt; Portal\n  VM --&gt; Portal\n  IT --&gt; Portal\n  GRC --&gt; Portal\n\n  Portal --&gt;|SSO\/RBAC| Entra\n  Portal --&gt;|Provision\/Manage| EASM\n  EASM --&gt;|Billed through| Sub\n\n  EASM --&gt;|Discovers\/Monitors| Assets\n  Assets --- ThirdParty\n\n  EASM --&gt;|Findings\/Changes| LA\n  LA --&gt;|Tickets\/ChatOps| IT\n  LA --&gt;|Ingest events| Sentinel\n  Sentinel --&gt; SOC\n\n  EASM --&gt;|Context| MDOther\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription\/tenant requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Microsoft Entra ID tenant.<\/li>\n<li>An Azure subscription for provisioning and billing of Defender External Attack Surface Management.<\/li>\n<li>Ability to create the Defender External Attack Surface Management resource in Azure (availability varies; verify in your tenant).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You typically need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure permissions to create resources (for example, <strong>Contributor<\/strong> on a resource group) and register resource providers if required.<\/li>\n<li>Appropriate Defender External Attack Surface Management roles in Entra\/within the service (role names can vary).<\/li>\n<\/ul>\n\n\n\n<p><strong>Verify in official docs<\/strong> for the current built-in roles and least-privilege guidance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A valid Azure billing account\/subscription capable of purchasing the service.<\/li>\n<li>Some organizations require an Azure Marketplace purchase flow or security product enablement. 
<strong>Verify<\/strong> how your tenant enables the plan.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools (optional but useful)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web browser access to Azure portal.<\/li>\n<li>(Optional) Azure CLI for identity troubleshooting and general Azure administration:<\/li>\n<li>Install: https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n<li>(Optional) Access to Microsoft Sentinel \/ Log Analytics if you plan to integrate.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Since it\u2019s SaaS-like, availability may be presented as \u201csupported markets\u201d rather than classic Azure regions.<br\/>\n<strong>Verify current availability and data residency<\/strong> in official documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Expect limits around:\n&#8211; Number of workspaces\/instances\n&#8211; Number of seeds\n&#8211; API rate limits\n&#8211; Data retention in the service<br\/>\n<strong>Verify<\/strong> the current limits in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (optional)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Sentinel (if you want SIEM ingestion)<\/li>\n<li>Logic Apps \/ Power Automate (if you want automated ticket creation)<\/li>\n<li>ITSM tooling (ServiceNow\/Jira) for operational workflows<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing model (what you pay for)<\/h3>\n\n\n\n<p>Pricing for Defender External Attack Surface Management is <strong>usage-based<\/strong> and can vary by agreement, region\/market, and how Microsoft defines billable units. 
In many external attack surface management offerings (including Microsoft\u2019s), pricing commonly depends on factors like:\n&#8211; Number of <strong>managed assets<\/strong> (or a similar billable asset concept)\n&#8211; Service tier\/edition (if applicable)\n&#8211; Additional capabilities or retention (if offered)<\/p>\n\n\n\n<p>Because pricing models can change and may be contract-specific, <strong>do not rely on static numbers<\/strong> in third-party blogs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing sources (start here)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure pricing page (verify current URL and SKU details):<br\/>\n  https:\/\/azure.microsoft.com\/pricing\/<br\/>\n  Search for <strong>\u201cDefender External Attack Surface Management\u201d<\/strong>.<\/li>\n<li>Azure Pricing Calculator:<br\/>\n  https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>If you cannot find the pricing page easily, go to the official documentation landing page and follow the \u201cPricing\u201d link (when present). Always validate with your Microsoft account team for enterprise agreements.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions to plan for<\/h3>\n\n\n\n<p>When estimating cost, identify:\n&#8211; <strong>What counts as an asset<\/strong> in billing terms (domain? hostname? IP? endpoint?) 
\u2014 <strong>verify<\/strong>.\n&#8211; Whether \u201cdiscovered but unconfirmed\u201d assets are billed differently than \u201cmanaged\u201d assets \u2014 <strong>verify<\/strong>.\n&#8211; Whether multiple workspaces duplicate billing for the same asset \u2014 <strong>verify<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Broad seed scope (large domains, many subsidiaries)<\/li>\n<li>High asset sprawl (many subdomains, ephemeral endpoints)<\/li>\n<li>Many workspaces with overlapping scope<\/li>\n<li>Long retention periods if retention affects cost (verify)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational cost<\/strong>: triage and remediation capacity. The tool will surface work; teams must be staffed to act.<\/li>\n<li><strong>SIEM ingestion<\/strong>: if you export findings into Microsoft Sentinel, you\u2019ll pay for data ingestion and retention based on your Sentinel\/Log Analytics pricing.<\/li>\n<li><strong>Automation runs<\/strong>: Logic Apps executions, connectors, and ticketing integration costs.<\/li>\n<li><strong>Third-party remediation<\/strong>: if findings require vendor action (CDN\/WAF provider, marketing platform).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The service primarily observes public endpoints; there isn\u2019t typical Azure VNet data transfer for discovery.<\/li>\n<li>Exporting data to your SIEM or storage may create data transfer and ingestion costs depending on destination.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (practical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <strong>high-confidence seeds<\/strong> (core corporate domains) before adding broad IP ranges.<\/li>\n<li>Use <strong>separate workspaces<\/strong> only when 
separation is required (org boundaries), not as a default.<\/li>\n<li>Establish an <strong>asset lifecycle process<\/strong>: decommission old assets so they don\u2019t remain in scope.<\/li>\n<li>Tune export\/integration to avoid sending noisy, low-value events to SIEM.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (non-numeric)<\/h3>\n\n\n\n<p>A starter approach that tends to keep cost low:\n&#8211; 1 workspace\n&#8211; 1\u20133 primary domains as seeds\n&#8211; Limited additional seeds (only after validating results)\n&#8211; Minimal exports (portal-based triage initially)<\/p>\n\n\n\n<p>The cost will depend on how many billable assets are discovered and classified as in-scope. <strong>Use the official pricing page and calculator<\/strong> for your scenario.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations (non-numeric)<\/h3>\n\n\n\n<p>In enterprise production:\n&#8211; Multiple subsidiaries\/domains and large subdomain volumes\n&#8211; Dedicated SIEM ingestion of change\/exposure signals\n&#8211; Automation workflows for ticketing and enrichment\n&#8211; Governance overhead (ownership, SLAs, reporting)<\/p>\n\n\n\n<p>Plan for both the service charges and the downstream operations\/tooling costs.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab is designed to be executable for most Azure tenants, low-risk (no production changes), and focused on core value: onboarding, discovery, and triage.<\/p>\n\n\n\n<blockquote>\n<p>Note: The portal UI and exact labels change over time. 
If a button\/term differs, follow the closest equivalent in the current Defender External Attack Surface Management documentation.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Provision Defender External Attack Surface Management in Azure, configure seed-based discovery for a domain you control, review discovered assets, and set up a basic triage workflow.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Create an EASM workspace\/resource in Azure.\n2. Configure seeds (a domain you own\/control).\n3. Run\/confirm discovery and review inventory.\n4. Tag\/classify at least a few assets for ownership\/priority.\n5. (Optional) Export or integrate findings (only if your environment supports it).\n6. Validate and clean up.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Prepare a safe seed (domain you control)<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Ensure you only scan assets you are authorized to manage.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Pick a domain you own\/control for the lab (for example, a sandbox domain or a delegated subdomain).<\/li>\n<li>If you don\u2019t have a domain:\n   &#8211; Use an internal test domain you own publicly (not a private DNS zone).\n   &#8211; Do not use third-party domains or targets you are not authorized to assess.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have 1 domain seed ready (for example, <code>example.net<\/code>).<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Confirm you can access the domain\u2019s DNS management or you have written authorization to manage it.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a resource group (Azure)<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Keep the lab isolated for cleanup and governance.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Azure portal, open <strong>Resource groups<\/strong>.<\/li>\n<li>Select 
<strong>Create<\/strong>.<\/li>\n<li>Choose:\n   &#8211; Subscription: your lab subscription\n   &#8211; Resource group: <code>rg-easm-lab<\/code>\n   &#8211; Region: choose your preferred region (resource group metadata region; SaaS may still be global)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Resource group created.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Navigate to <code>rg-easm-lab<\/code> and confirm it exists.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Provision Defender External Attack Surface Management<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Create the EASM workspace\/instance.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Azure portal, search for <strong>Defender External Attack Surface Management<\/strong>.\n   &#8211; If you do not see it, try searching <strong>External Attack Surface Management<\/strong> or <strong>EASM<\/strong>.<\/li>\n<li>Select <strong>Create<\/strong> (or equivalent).<\/li>\n<li>Provide:\n   &#8211; Subscription: your lab subscription\n   &#8211; Resource group: <code>rg-easm-lab<\/code>\n   &#8211; Name\/workspace name: <code>easm-lab-&lt;unique&gt;<\/code>\n   &#8211; Other options shown (if any): review and keep defaults for lab unless required<\/li>\n<li>Review pricing\/billing prompts and confirm.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Workspace\/resource is deployed and accessible.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Open the created Defender External Attack Surface Management resource and confirm you can access its dashboard\/landing page.<\/p>\n\n\n\n<p><strong>Common errors and fixes:<\/strong>\n&#8211; <strong>Resource\/provider not available:<\/strong> Your tenant may not have the service enabled or available in your market.<br\/>\n  Fix: Verify availability in official docs and confirm your subscription eligibility.\n&#8211; <strong>Insufficient permissions:<\/strong> You may need 
Contributor or a specific security admin role.<br\/>\n  Fix: Ask for least-privilege access required by the service documentation.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Configure access (RBAC) for a second user (recommended)<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Validate that RBAC works and practice least privilege.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Identify a second test user (or a separate admin account) in your Entra tenant.<\/li>\n<li>In Azure portal, go to the EASM resource \u2192 <strong>Access control (IAM)<\/strong>.<\/li>\n<li>Assign a <strong>read-only<\/strong> role if available (for example, \u201cReader\u201d at resource scope) and, if the service has its own internal roles, assign a viewer role there too.<br\/>\n<strong>Verify role names in docs<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Second user can view but not modify.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Sign in as the second user and confirm view access without admin actions.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Add seeds (domain) and start discovery<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Provide a seed and trigger discovery.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the EASM workspace UI, locate the section for <strong>Seeds<\/strong>, <strong>Discovery<\/strong>, or <strong>Scope management<\/strong> (naming varies).<\/li>\n<li>Add your domain seed (for example, <code>example.net<\/code>).<\/li>\n<li>Save\/apply and start discovery if there is a manual trigger; otherwise, discovery begins automatically.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The service accepts the seed and begins discovery.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; The seed appears in the seed list with a status (for example, \u201cActive\u201d, \u201cProcessing\u201d, or similar).\n&#8211; After some time, 
inventory begins populating (timing varies).<\/p>\n\n\n\n<p><strong>Common errors and fixes:<\/strong>\n&#8211; <strong>Domain ownership validation required:<\/strong> Some services require proof of control (DNS TXT record or similar).<br\/>\n  Fix: Follow the portal instructions. If present, add the required DNS record and retry.\n&#8211; <strong>No assets discovered:<\/strong> This can happen for small domains or if discovery needs more time.<br\/>\n  Fix: Wait longer; verify the domain is publicly resolvable; add an additional seed you control (like a known subdomain).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Review the inventory and filter for actionable assets<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Turn raw discovery into a usable inventory view.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <strong>Inventory<\/strong> (or equivalent).<\/li>\n<li>Use filters to answer:\n   &#8211; What hostnames\/subdomains were found?\n   &#8211; Which assets appear newly discovered?\n   &#8211; Which are currently reachable?<\/li>\n<li>Pick 3\u20135 assets and open their detail pages.<\/li>\n<li>Record:\n   &#8211; DNS records\n   &#8211; Any associated IPs\n   &#8211; Observed services\/ports (if shown)\n   &#8211; Certificate details (if shown)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can see a list of discovered assets and details for each.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Inventory count is &gt; 0 and asset detail pages show metadata.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Classify and assign ownership (basic triage)<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Make findings operational by adding classification\/ownership metadata (if supported).<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>For a few assets, set:\n   &#8211; Environment classification (prod\/dev\/test) if available\n   &#8211; Owner\/team field if 
available\n   &#8211; Tags such as <code>lab<\/code>, <code>owned-by-platform<\/code>, <code>internet-facing<\/code><\/li>\n<li>Create a simple triage list:\n   &#8211; <strong>Keep<\/strong> (known, expected, protected)\n   &#8211; <strong>Investigate<\/strong> (unknown, unexpected)\n   &#8211; <strong>Remove<\/strong> (orphaned, should be decommissioned)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Assets are organized and ready for remediation workflow.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Filters based on tags\/ownership\/classification work (if supported).\n&#8211; You can export a view\/report if the UI provides it.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Review exposures\/insights and choose one safe action<\/h3>\n\n\n\n<p><strong>Goal:<\/strong> Learn how to interpret exposures without making risky changes.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <strong>Insights<\/strong>, <strong>Exposures<\/strong>, or <strong>Recommendations<\/strong> (naming varies).<\/li>\n<li>Select one finding that is safe to validate (for example, an outdated DNS record or an unused subdomain).<\/li>\n<li>Validate using non-invasive checks:\n   &#8211; Confirm DNS resolution with <code>nslookup<\/code>\/<code>dig<\/code>\n   &#8211; Confirm HTTP response headers with <code>curl -I<\/code><\/li>\n<\/ol>\n\n\n\n<p>Example commands:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># DNS check\nnslookup subdomain.example.net\n\n# HTTP header check (non-invasive)\ncurl -I https:\/\/subdomain.example.net\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You confirm whether the asset is real, reachable, and expected.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; The DNS and HTTP results match the inventory details.<\/p>\n\n\n\n<p><strong>Common errors and fixes:<\/strong>\n&#8211; <strong>403\/401 responses:<\/strong> Not necessarily a problem; it may indicate access 
control is working.\n&#8211; <strong>Timeouts:<\/strong> Could mean the endpoint is down or filtered; inventory may lag\u2014recheck later.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9 (Optional): Integrate with Microsoft Sentinel or ticketing<\/h3>\n\n\n\n<p>Only do this if you already have Microsoft Sentinel or an ITSM tool and you understand ingestion cost implications.<\/p>\n\n\n\n<p>Two common patterns:\n1. <strong>Native connector<\/strong> (if available): use the Defender External Attack Surface Management data connector in Sentinel.<br\/>\n2. <strong>API-based export<\/strong>: scheduled Logic App pulls findings via API and writes to Log Analytics\/custom table.<\/p>\n\n\n\n<p>Because connector availability and API endpoints can change, <strong>verify the current integration guidance<\/strong> in official docs before implementing.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Findings can be routed into your SOC workflow.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Sentinel receives events\/incidents, or\n&#8211; Your ticketing tool receives created issues.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] EASM resource\/workspace exists in <code>rg-easm-lab<\/code><\/li>\n<li>[ ] At least one domain seed is active<\/li>\n<li>[ ] Inventory shows discovered assets<\/li>\n<li>[ ] You validated at least one asset with DNS\/HTTP checks<\/li>\n<li>[ ] RBAC: second user can view (read-only) if configured<\/li>\n<li>[ ] (Optional) Export\/integration is functioning<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Issue<\/th>\n<th>Likely cause<\/th>\n<th>Fix<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Service not visible in Azure 
portal<\/td>\n<td>Not enabled\/available for your tenant\/market<\/td>\n<td>Verify official availability docs; check subscription eligibility<\/td>\n<\/tr>\n<tr>\n<td>Cannot create resource<\/td>\n<td>Permissions or policy restrictions<\/td>\n<td>Ask for Contributor on RG; check Azure Policy denies<\/td>\n<\/tr>\n<tr>\n<td>Seed added but nothing discovered<\/td>\n<td>Small footprint, time delay, validation pending<\/td>\n<td>Wait; verify DNS; add another authorized seed<\/td>\n<\/tr>\n<tr>\n<td>Inventory shows assets you don\u2019t recognize<\/td>\n<td>Attribution\/correlation ambiguity<\/td>\n<td>Validate ownership, tag as \u201cinvestigate,\u201d refine seeds\/scope<\/td>\n<\/tr>\n<tr>\n<td>Too much noise<\/td>\n<td>Seeds too broad, no classification process<\/td>\n<td>Start small, define ownership\/tags, create triage rules<\/td>\n<\/tr>\n<tr>\n<td>Export to SIEM too costly\/noisy<\/td>\n<td>Over-ingestion<\/td>\n<td>Export only high-value changes\/insights; aggregate and deduplicate<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing cost and monitoring:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Remove or disable seeds in the workspace (if your organization requires data retention policies, follow them).<\/li>\n<li>Delete the EASM resource\/workspace from the resource group:\n   &#8211; Azure portal \u2192 <code>rg-easm-lab<\/code> \u2192 select the EASM resource \u2192 <strong>Delete<\/strong><\/li>\n<li>Delete the resource group:\n   &#8211; Resource groups \u2192 <code>rg-easm-lab<\/code> \u2192 <strong>Delete resource group<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> All lab resources are removed, stopping further billing for this lab instance.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Start with scope design:<\/strong> Decide if you need one workspace or multiple (by subsidiary, environment, or geography).<\/li>\n<li><strong>Minimize overlap:<\/strong> Avoid multiple workspaces scanning the same domains unless separation is a compliance requirement.<\/li>\n<li><strong>Integrate thoughtfully:<\/strong> Plan how findings become tickets\/incidents; otherwise, insights remain unused.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce <strong>least privilege<\/strong>: separate admin roles (seed management) from viewer roles (inventory consumers).<\/li>\n<li>Use <strong>Privileged Identity Management (PIM)<\/strong> for just-in-time admin access where possible.<\/li>\n<li>Limit who can create\/export integrations to prevent data leakage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Begin with <strong>narrow seeds<\/strong>, expand gradually.<\/li>\n<li>Track <strong>asset counts<\/strong> over time; sudden spikes may indicate scope creep or discovery drift.<\/li>\n<li>Be intentional about <strong>SIEM export volume<\/strong> (filtering, deduplication, severity thresholds).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices (operational efficiency)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish a weekly cadence:\n<ul>\n<li>Review newly discovered assets<\/li>\n<li>Review notable changes<\/li>\n<li>Triage top exposures<\/li>\n<\/ul>\n<\/li>\n<li>Maintain a backlog with SLAs and ownership.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use documented processes for seed changes (change management).<\/li>\n<li>Maintain a small set of \u201cgolden seeds\u201d 
and require approvals for adding broad IP ranges.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define an \u201casset owner\u201d model:\n<ul>\n<li>Platform team owns shared domains and edge services<\/li>\n<li>App teams own application subdomains<\/li>\n<\/ul>\n<\/li>\n<li>Create standard tags:\n<ul>\n<li><code>env:prod|dev|test<\/code><\/li>\n<li><code>owner:&lt;team&gt;<\/code><\/li>\n<li><code>criticality:high|medium|low<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Define response playbooks:\n<ul>\n<li>New unknown asset discovered<\/li>\n<li>New service exposure detected<\/li>\n<li>Ownership unknown (routing workflow)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Workspace naming: <code>easm-&lt;org&gt;-&lt;region\/market&gt;-&lt;purpose&gt;<\/code> (even if SaaS\/global, naming helps governance).<\/li>\n<li>Resource group: <code>rg-sec-easm-&lt;org&gt;-&lt;env&gt;<\/code>.<\/li>\n<li>Tags: <code>CostCenter<\/code>, <code>Owner<\/code>, <code>Environment<\/code>, <code>DataClassification<\/code>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication typically uses <strong>Microsoft Entra ID<\/strong>.<\/li>\n<li>Authorization uses RBAC at the Azure resource level and\/or within the service (verify exact role model).<\/li>\n<li>Treat EASM data as sensitive: it reveals your external footprint and potential weak points.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS security services generally encrypt data at rest and in transit; <strong>verify<\/strong> specific compliance and encryption statements in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The service observes internet assets; ensure your security team understands that:\n<ul>\n<li>Discovery is about <em>publicly reachable<\/em> endpoints.<\/li>\n<li>Some organizations need legal approval or explicit internal policy for external scanning\u2014align with policy.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you build automation (Logic Apps\/API clients):\n<ul>\n<li>Use <strong>Managed Identities<\/strong> where possible<\/li>\n<li>Store secrets in <strong>Azure Key Vault<\/strong><\/li>\n<li>Rotate secrets and restrict scopes<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use:\n<ul>\n<li>Entra ID sign-in logs (who accessed)<\/li>\n<li>Azure Activity Log (who changed the Azure resource)<\/li>\n<li>Service audit logs if available (verify)<\/li>\n<\/ul>\n<\/li>\n<li>Export high-value events to Sentinel if you have compliance requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validate:\n<ul>\n<li>Data residency and processing regions<\/li>\n<li>Retention defaults and how to configure retention<\/li>\n<li>Whether inventory data may be considered sensitive under your compliance rules<\/li>\n<\/ul>\n<br\/>\n<strong>Verify in official docs and with your compliance team.<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Giving too many users admin rights to seeds\/scope.<\/li>\n<li>Not validating ownership before acting on a \u201cdiscovered asset.\u201d<\/li>\n<li>Exporting all findings to SIEM without filtering (creates noise and cost).<\/li>\n<li>Treating probabilistic fingerprinting as certainty.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with a pilot workspace and a small set of seeds.<\/li>\n<li>Use PIM for privileged roles.<\/li>\n<li>Create an internal runbook for:\n<ul>\n<li>Adding\/removing seeds<\/li>\n<li>Ownership assignment<\/li>\n<li>Remediation verification<\/li>\n<li>Incident response usage<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because this is a SaaS service that evolves over time, validate current constraints in official docs. Common limitations\/gotchas to plan for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attribution ambiguity:<\/strong> Internet signals can misattribute assets (shared hosting, CDNs, third-party services). 
Always validate.<\/li>\n<li><strong>Discovery timing:<\/strong> New assets may take time to appear; don\u2019t assume \u201cnot found\u201d means \u201cdoesn\u2019t exist.\u201d<\/li>\n<li><strong>Seed quality matters:<\/strong> Overly broad seeds can create noise; overly narrow seeds can miss assets.<\/li>\n<li><strong>Overlapping scope:<\/strong> Multiple teams scanning the same domains can create duplication and governance confusion.<\/li>\n<li><strong>Export\/integration cost:<\/strong> SIEM ingestion can dwarf service costs if you export everything.<\/li>\n<li><strong>Data residency constraints:<\/strong> Some organizations cannot use services without explicit residency guarantees\u2014verify.<\/li>\n<li><strong>RBAC complexity:<\/strong> There may be both Azure RBAC and service-level roles; misconfiguration can cause unexpected access.<\/li>\n<li><strong>Operational overload:<\/strong> Discovery is easy; remediation capacity is hard. Without a process, you get \u201calert fatigue.\u201d<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Defender External Attack Surface Management sits at the intersection of security, Management and Governance, and external-facing asset inventory. 
Here are realistic alternatives\/complements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Defender External Attack Surface Management (Azure)<\/strong><\/td>\n<td>Continuous external discovery and exposure governance integrated with Microsoft security ecosystem<\/td>\n<td>External asset inventory, change tracking, governance workflows, Microsoft integrations<\/td>\n<td>SaaS scope; attribution ambiguity; costs depend on asset counts; integrations vary<\/td>\n<td>You need enterprise-grade external attack surface visibility with Microsoft-aligned operations<\/td>\n<\/tr>\n<tr>\n<td><strong>Microsoft Defender for Cloud<\/strong><\/td>\n<td>Cloud security posture and workload protection for Azure (and some multicloud)<\/td>\n<td>Strong Azure-native CSPM\/CWPP, policy, posture management<\/td>\n<td>Not focused on discovering unknown <em>external<\/em> assets across the internet<\/td>\n<td>You primarily need cloud posture and protection of known cloud resources<\/td>\n<\/tr>\n<tr>\n<td><strong>Microsoft Defender Vulnerability Management<\/strong><\/td>\n<td>Endpoint and software vulnerability management<\/td>\n<td>Deep endpoint visibility, patch\/vuln workflows<\/td>\n<td>Not an external asset discovery platform<\/td>\n<td>You need device\/app vulnerability management rather than internet footprint discovery<\/td>\n<\/tr>\n<tr>\n<td><strong>Microsoft Sentinel (SIEM)<\/strong><\/td>\n<td>Central SIEM\/SOAR analytics and response<\/td>\n<td>Correlation, detection engineering, automation<\/td>\n<td>Needs data sources; not an EASM discovery engine<\/td>\n<td>You already have signals and need analytics\/response at scale<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Security Hub + Amazon Inspector<\/strong><\/td>\n<td>AWS-centric 
posture\/vulnerability management<\/td>\n<td>Strong AWS integration<\/td>\n<td>Doesn\u2019t discover unknown external assets broadly<\/td>\n<td>Your footprint is mostly AWS and you want AWS-native posture tools<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Security Command Center<\/strong><\/td>\n<td>GCP-centric security management<\/td>\n<td>Strong GCP integration<\/td>\n<td>Same limitation: mostly known cloud resources<\/td>\n<td>Your footprint is mostly GCP<\/td>\n<\/tr>\n<tr>\n<td><strong>Palo Alto Cortex Xpanse \/ Mandiant ASM \/ Tenable ASM \/ Censys ASM<\/strong><\/td>\n<td>External attack surface management across vendors<\/td>\n<td>Mature ASM features; strong external intelligence in some tools<\/td>\n<td>Separate vendor ecosystem; integration overhead; cost<\/td>\n<td>You want a best-of-breed ASM or you\u2019re not standardized on Microsoft<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed recon (OWASP Amass, subfinder, Nmap, custom)<\/strong><\/td>\n<td>Small teams, research, bespoke workflows<\/td>\n<td>Flexible, low tooling cost<\/td>\n<td>High engineering\/maintenance cost; no enterprise governance<\/td>\n<td>You need a custom pipeline and can maintain it, or you\u2019re experimenting<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example (regulated financial organization)<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA bank has multiple brands, thousands of subdomains, and frequent changes due to DevOps and third-party marketing vendors. 
The SOC repeatedly encounters incidents tied to forgotten endpoints.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One primary Defender External Attack Surface Management workspace per major subsidiary (to align with governance).<\/li>\n<li>Seeds: corporate domains + controlled subdomains; carefully curated to reduce overlap.<\/li>\n<li>Weekly operational workflow:\n<ul class=\"wp-block-list\">\n<li>Newly discovered assets triaged and assigned<\/li>\n<li>Exposures reviewed and prioritized<\/li>\n<\/ul>\n<\/li>\n<li>Integration:\n<ul class=\"wp-block-list\">\n<li>High-severity changes and key exposure insights forwarded to Microsoft Sentinel<\/li>\n<li>Ticketing integration for remediation tasks (via automation)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Why this service was chosen:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Existing Microsoft security stack and Entra ID governance.<\/li>\n<li>Need for continuous external inventory with enterprise RBAC.<\/li>\n<li>Desire to reduce incident response time by having current asset context.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fewer unknown\/forgotten endpoints.<\/li>\n<li>Faster routing to asset owners.<\/li>\n<li>Improved audit posture for asset inventory requirements.<\/li>\n<li>Reduced mean time to identify external entry points during incidents.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example (SaaS company)<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA SaaS startup runs on Azure with rapid releases. Engineers create temporary subdomains and preview environments. 
The security lead worries about accidental exposure.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single workspace.<\/li>\n<li>Seeds: primary domain and a dedicated sandbox subdomain (for preview envs).<\/li>\n<li>Lightweight process:\n<ul class=\"wp-block-list\">\n<li>Daily\/weekly review of newly discovered assets<\/li>\n<li>Tag \u201cpreview\u201d vs \u201cprod\u201d<\/li>\n<li>Decommission unknown\/unneeded endpoints immediately<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Why this service was chosen:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Low operational overhead compared to custom recon tooling.<\/li>\n<li>Integrated billing and access via Azure.<\/li>\n<li>Quick visibility into what\u2019s exposed as the startup scales.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fewer lingering preview endpoints.<\/li>\n<li>Better control of DNS sprawl.<\/li>\n<li>A simple, repeatable asset governance process.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Defender External Attack Surface Management the same as Defender for Cloud?<\/strong><br\/>\nNo. Defender for Cloud focuses on cloud resource security posture and protection. Defender External Attack Surface Management focuses on <strong>discovering and governing internet-facing assets<\/strong>, including unknown ones.<\/p>\n\n\n\n<p>2) <strong>Do I need to install agents?<\/strong><br\/>\nTypically no. EASM is generally SaaS-driven and based on external discovery. <strong>Verify<\/strong> whether any optional agents\/connectors exist for specific scenarios.<\/p>\n\n\n\n<p>3) <strong>Can it discover assets outside Azure (AWS\/GCP\/on-prem hosting)?<\/strong><br\/>\nExternal ASM tools can often discover assets regardless of hosting because discovery is based on public internet signals. 
<strong>Verify<\/strong> the exact supported discovery scope in official docs.<\/p>\n\n\n\n<p>4) <strong>Does it perform vulnerability scanning?<\/strong><br\/>\nIt surfaces exposures and risk insights; whether it performs deep vulnerability scanning like a dedicated scanner depends on product capabilities. <strong>Verify<\/strong> the detection catalog and whether it includes vulnerability checks.<\/p>\n\n\n\n<p>5) <strong>How do I prove ownership of a domain?<\/strong><br\/>\nSome workflows require DNS-based validation (for example, adding a TXT record). If prompted, follow the portal steps. <strong>Verify<\/strong> current requirements.<\/p>\n\n\n\n<p>6) <strong>Will it find everything?<\/strong><br\/>\nNo tool finds everything. Discovery depends on seeds, public signals, scan cadence, and attribution confidence.<\/p>\n\n\n\n<p>7) <strong>How do I avoid false positives (assets that aren\u2019t ours)?<\/strong><br\/>\nStart with high-confidence seeds, validate ownership signals, and use classification\/ownership tagging. Treat discovery as leads that require confirmation.<\/p>\n\n\n\n<p>8) <strong>Can I separate subsidiaries or environments?<\/strong><br\/>\nTypically yes, via multiple workspaces or scope segmentation\u2014but it increases complexity. Design scopes carefully to avoid overlap.<\/p>\n\n\n\n<p>9) <strong>Can I export inventory to a CMDB?<\/strong><br\/>\nOften via API or export mechanisms (verify). Many teams export a curated subset rather than the entire raw inventory.<\/p>\n\n\n\n<p>10) <strong>Does it integrate with Microsoft Sentinel?<\/strong><br\/>\nThere may be a native connector or API-based patterns. <strong>Verify current integration options<\/strong> in official docs and Sentinel connector listings.<\/p>\n\n\n\n<p>11) <strong>How quickly does it detect changes?<\/strong><br\/>\nDepends on scan cadence and data sources. Some changes appear quickly; others may lag. 
Verify the product\u2019s documented cadence\/SLAs.<\/p>\n\n\n\n<p>12) <strong>What\u2019s the biggest operational mistake teams make?<\/strong><br\/>\nTurning on broad discovery without an ownership and remediation workflow, creating noise and unresolved findings.<\/p>\n\n\n\n<p>13) <strong>Is the service global? Where is my data stored?<\/strong><br\/>\nMany Defender services are SaaS with global operation, but data residency varies. <strong>Verify data location and compliance statements<\/strong> in official documentation.<\/p>\n\n\n\n<p>14) <strong>Does it replace penetration testing?<\/strong><br\/>\nNo. It helps define scope, find unknown assets, and reduce exposure continuously. Pen testing remains necessary for deep validation.<\/p>\n\n\n\n<p>15) <strong>How do I start safely?<\/strong><br\/>\nCreate one workspace, add 1\u20133 domains you control, review inventory, and build a triage workflow before expanding scope.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Defender External Attack Surface Management<\/h2>\n\n\n\n<p>Use official sources first because names, UI, APIs, and pricing can change.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Microsoft Learn: Defender External Attack Surface Management<\/td>\n<td>Canonical feature descriptions, onboarding, RBAC, and operational guidance. Start here. https:\/\/learn.microsoft.com\/ (search for the service name)<\/td>\n<\/tr>\n<tr>\n<td>Official pricing page<\/td>\n<td>Azure Pricing \u2013 Defender External Attack Surface Management (verify exact page)<\/td>\n<td>Explains billing dimensions and any tiers. https:\/\/azure.microsoft.com\/pricing\/<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>Azure Pricing Calculator<\/td>\n<td>Model scenarios and estimate cost drivers. 
https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\n<\/tr>\n<tr>\n<td>Official security documentation hub<\/td>\n<td>Microsoft Defender documentation<\/td>\n<td>Shows how EASM fits into the Defender family. https:\/\/learn.microsoft.com\/microsoft-365\/security\/<\/td>\n<\/tr>\n<tr>\n<td>SIEM documentation<\/td>\n<td>Microsoft Sentinel documentation<\/td>\n<td>Integration patterns, connectors, ingestion cost planning. https:\/\/learn.microsoft.com\/azure\/sentinel\/<\/td>\n<\/tr>\n<tr>\n<td>Identity\/RBAC<\/td>\n<td>Microsoft Entra documentation<\/td>\n<td>RBAC, PIM, audit logs, access governance. https:\/\/learn.microsoft.com\/entra\/<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Azure Architecture Center<\/td>\n<td>Broader security architecture patterns (even if EASM-specific diagrams are limited). https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\n<\/tr>\n<tr>\n<td>Product updates<\/td>\n<td>Azure Updates \/ Microsoft Security blog (verify relevant feed)<\/td>\n<td>Tracks new features, GA announcements, and changes. https:\/\/azure.microsoft.com\/updates\/ and https:\/\/www.microsoft.com\/security\/blog\/<\/td>\n<\/tr>\n<tr>\n<td>API documentation<\/td>\n<td>Defender External Attack Surface Management API docs (verify)<\/td>\n<td>Automate exports, integrate with ticketing\/SIEM, build workflows. Start from Microsoft Learn search.<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Microsoft Tech Community (security)<\/td>\n<td>Practical deployment stories and Q&amp;A; validate against official docs. https:\/\/techcommunity.microsoft.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The following training providers are listed as requested. 
Details such as course availability and delivery modes can change\u2014verify on their websites.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, cloud engineers, platform teams<\/td>\n<td>Azure operations, DevOps practices, security fundamentals<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Students, early-career engineers, DevOps practitioners<\/td>\n<td>SCM\/DevOps foundations, cloud &amp; automation<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud ops teams, SREs, operations engineers<\/td>\n<td>Cloud operations, monitoring, governance practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers, platform teams<\/td>\n<td>SRE practices, incident response, reliability engineering<\/td>\n<td>Check website<\/td>\n<td>https:\/\/sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops\/SRE teams exploring AIOps<\/td>\n<td>AIOps concepts, automation, operational analytics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>The following trainer-related sites are listed as requested. 
Treat them as training resource platforms unless you have verified individual trainer credentials directly.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Students, engineers seeking practical guidance<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training services (verify course list)<\/td>\n<td>DevOps engineers, cloud practitioners<\/td>\n<td>https:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps support\/training (verify scope)<\/td>\n<td>Teams needing short-term expertise<\/td>\n<td>https:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and learning resources (verify scope)<\/td>\n<td>Ops\/DevOps teams<\/td>\n<td>https:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>The following consulting companies are listed as requested. 
Descriptions are intentionally neutral and based on typical consulting service patterns\u2014verify exact offerings with each company.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify portfolio)<\/td>\n<td>Cloud governance, security operations, automation<\/td>\n<td>EASM onboarding program; Sentinel integration planning; remediation workflow design<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>Implementation accelerators, ops maturity<\/td>\n<td>EASM pilot + process design; RBAC\/PIM alignment; cost\/ingestion optimization<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting services (verify scope)<\/td>\n<td>DevOps\/SRE process, tooling integration<\/td>\n<td>Build automation for exporting EASM insights; integrate with ticketing; operational dashboards<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<p>To get the most value from Defender External Attack Surface Management, you should understand:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS fundamentals (A\/AAAA\/CNAME\/TXT, delegation, TTLs)<\/li>\n<li>TLS\/certificates basics (issuance, expiration, certificate transparency concepts)<\/li>\n<li>Web and API basics (HTTP headers, common server technologies)<\/li>\n<li>Azure fundamentals:\n<ul class=\"wp-block-list\">\n<li>Subscriptions, resource groups, RBAC<\/li>\n<li>Azure Policy basics (to understand governance context)<\/li>\n<\/ul>\n<\/li>\n<li>Security fundamentals:\n<ul class=\"wp-block-list\">\n<li>Attack surface concepts<\/li>\n<li>Exposure vs vulnerability vs risk<\/li>\n<li>Incident response basics<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Sentinel engineering:\n<ul class=\"wp-block-list\">\n<li>Data connectors, analytics rules, automation rules<\/li>\n<li>Cost management and ingestion optimization<\/li>\n<\/ul>\n<\/li>\n<li>Microsoft Defender for Cloud for internal posture and cloud workload protection<\/li>\n<li>Vulnerability management and remediation programs<\/li>\n<li>Threat modeling and secure SDLC<\/li>\n<li>Advanced asset management and CMDB integration practices<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Engineer (SecOps \/ Detection \/ Security tooling)<\/li>\n<li>Vulnerability Management Analyst\/Engineer<\/li>\n<li>Cloud Security Architect<\/li>\n<li>SOC Analyst (Tier 2\/3) for investigations<\/li>\n<li>Platform\/SRE leads for ownership and remediation workflows<\/li>\n<li>GRC professionals for asset inventory evidence (with support from engineering)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>There is not always a standalone certification specifically for Defender External Attack Surface Management. 
A practical path is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure fundamentals (AZ-900)<\/li>\n<li>Azure security (for example, AZ-500) and Microsoft security certifications relevant to Defender\/Sentinel (verify current certification lineup on Microsoft Learn)<\/li>\n<li>Sentinel-focused learning paths (Microsoft Learn)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build an \u201cexternal asset ownership\u201d model for your organization (tags + process).<\/li>\n<li>Create a weekly \u201cnew asset\/change report\u201d and review it with platform\/app teams.<\/li>\n<li>Implement a controlled export of high-severity exposures to Sentinel and measure alert quality.<\/li>\n<li>Build a simple ticketing automation workflow (Logic Apps) for new unknown assets (verify API\/export method).<\/li>\n<li>Run an M&amp;A simulation: onboard a new domain set and produce a 30-day exposure reduction plan.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack Surface:<\/strong> All points where an attacker can attempt to enter or extract data from a system.<\/li>\n<li><strong>External Attack Surface:<\/strong> The subset of your attack surface that is reachable or observable from the public internet.<\/li>\n<li><strong>Asset:<\/strong> An internet-relevant entity such as a domain, subdomain, IP, endpoint, certificate, or hosted service (definition varies by product).<\/li>\n<li><strong>Seed:<\/strong> A known starting identifier (like a domain) used to begin discovery of related assets.<\/li>\n<li><strong>Discovery:<\/strong> The process of finding assets and relationships using public signals and scanning\/observation.<\/li>\n<li><strong>Inventory:<\/strong> The managed list of discovered assets and metadata maintained by the service.<\/li>\n<li><strong>Exposure:<\/strong> A risky condition that increases the chance of compromise (not always a confirmed vulnerability).<\/li>\n<li><strong>RBAC (Role-Based Access Control):<\/strong> Permissions system that assigns roles to identities at specific scopes.<\/li>\n<li><strong>Microsoft Entra ID:<\/strong> Microsoft\u2019s identity service (formerly Azure Active Directory).<\/li>\n<li><strong>SIEM:<\/strong> Security Information and Event Management (for example, Microsoft Sentinel).<\/li>\n<li><strong>SOAR:<\/strong> Security Orchestration, Automation and Response (automation workflows tied to security signals).<\/li>\n<li><strong>Change Tracking:<\/strong> Monitoring and recording changes over time (new assets, DNS changes, etc.).<\/li>\n<li><strong>Attribution:<\/strong> The process of determining whether a discovered asset belongs to your organization.<\/li>\n<li><strong>CMDB:<\/strong> Configuration Management Database\u2014an internal system of record for IT assets and services.<\/li>\n<li><strong>PIM:<\/strong> Privileged Identity Management\u2014just-in-time privileged access controls in 
Entra.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Defender External Attack Surface Management (Azure) is a Management and Governance-aligned security service that continuously discovers and monitors your organization\u2019s internet-facing assets, turning unknown external footprint into an actionable inventory with exposure insights and change visibility.<\/p>\n\n\n\n<p>It matters because external asset sprawl is a common root cause of breaches: forgotten subdomains, orphaned services, and ungoverned third-party hosting create easy entry points. Defender External Attack Surface Management helps you reduce this risk by continuously mapping what\u2019s exposed and enabling operational workflows for ownership and remediation.<\/p>\n\n\n\n<p>Cost is driven by how the service defines and counts billable assets and by downstream integrations (especially SIEM ingestion). Security success depends on strong RBAC, careful scope\/seeds, and a practical triage\/remediation process.<\/p>\n\n\n\n<p>Use it when you need continuous external visibility and governance integrated with Azure and Microsoft security operations. 
Next, deepen your implementation by validating pricing\/limits in official docs, defining ownership workflows, and (optionally) integrating high-value signals into Microsoft Sentinel for operational response.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Management and Governance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,33],"tags":[],"class_list":["post-470","post","type-post","status-publish","format-standard","hentry","category-azure","category-management-and-governance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=470"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/470\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}