Exclude a storage account from Microsoft Defender for Storage protections
Caution
Excluding resources from advanced threat protection is not recommended and leaves your cloud workload exposed.
When you enable Microsoft Defender for Storage on a subscription, all existing Azure Storage accounts will be protected and any storage resources added to that subscription in the future will also be automatically protected.
If you need to exempt a specific Azure Storage account from this Defender plan, use the instructions on this page.
Tip
We recommend enabling Microsoft Defender for Resource Manager for any accounts with unprotected Azure Storage resources. Defender for Resource Manager automatically monitors your organization's resource management operations, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients.
Exclude a specific storage account
To exclude specific storage accounts from Microsoft Defender for Storage when the plan is enabled on a subscription:
Use PowerShell to exclude an Azure Storage account
If you don't have the Azure Az PowerShell module installed, install it using the instructions from the Azure PowerShell documentation.
1. Using an authenticated account, connect to Azure with the Connect-AzAccount cmdlet, as explained in Sign in with Azure PowerShell.
2. Define the AzDefenderPlanAutoEnable tag on the storage account with the Update-AzTag cmdlet (replace <resourceId> with the resource ID of the relevant storage account):
   Update-AzTag -ResourceId <resourceId> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge
   If you skip this stage, your untagged resources will continue receiving daily updates from the subscription-level enablement policy. That policy will enable Defender for Storage again on the account.
Tip
Learn more about tags in Use tags to organize your Azure resources and management hierarchy.
3. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using the same resource ID):
   Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
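The three steps above combined into one script, with a verification pass at the end. This is an added example, not code from the Microsoft documentation; it assumes the Az.Resources and Az.Security modules are installed, that you have already run Connect-AzAccount against the right subscription, and that $ResourceId is replaced with the storage account's real resource ID (the one shown in the comment is a placeholder).

```powershell
# Added example (not from the Microsoft Learn page): exclude one storage account
# from Defender for Storage and verify that both halves of the exclusion took effect.
# Assumes Az.Resources and Az.Security are installed and Connect-AzAccount has run.
param(
    [Parameter(Mandatory = $true)]
    # Placeholder shape: /subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
    [string]$ResourceId
)

$tagName  = 'AzDefenderPlanAutoEnable'
$tagValue = 'off'

# Step 2 of the procedure: tag the account so the subscription-level policy stops
# re-enabling the plan. -Operation Merge keeps existing tags and only adds/overwrites this one.
Update-AzTag -ResourceId $ResourceId -Tag @{ $tagName = $tagValue } -Operation Merge | Out-Null

# Step 3 of the procedure: disable the plan on this specific account.
Disable-AzSecurityAdvancedThreatProtection -ResourceId $ResourceId | Out-Null

# Verification: the tag and the disabled state must both be present. A tag without
# the disable leaves the plan running; a disable without the tag is undone by the
# next daily policy run.
$tags = (Get-AzTag -ResourceId $ResourceId).Properties.TagsProperty
$atp  = Get-AzSecurityAdvancedThreatProtection -ResourceId $ResourceId

# Indexing a hashtable with a missing key yields $null, so this is safe when untagged.
$tagOk = ($tags[$tagName] -eq $tagValue)
$atpOk = -not [bool]$atp.IsEnabled

[pscustomobject]@{
    ResourceId     = $ResourceId
    TagPresent     = $tagOk
    PlanDisabled   = $atpOk
    ExclusionValid = ($tagOk -and $atpOk)
}
```

Run it as `.\Exclude-StorageAccount.ps1 -ResourceId <resourceId>`; an `ExclusionValid` of `False` means one of the two steps did not apply and the account will either still be protected or be re-protected by the daily policy run.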
Exclude an Azure Databricks Storage account
Exclude an active Databricks workspace
Microsoft Defender for Storage can exclude specific active Databricks workspace storage accounts, when the plan is already enabled on a subscription.
To exclude an active Databricks workspace:
1. Sign in to the Azure portal.
2. Navigate to Azure Databricks > Your Databricks workspace > Tags.
3. In the Name field, enter AzDefenderPlanAutoEnable.
4. In the Value field, enter off.
5. Select Apply.
6. Navigate to Microsoft Defender for Cloud > Environment settings > Your subscription.
7. Toggle the Defender for Storage plan to Off.
8. Select Save.
9. Toggle the Defender for Storage plan to On.
10. Select Save.
The tags will be inherited by the Storage account of the Databricks workspace and prevent Defender for Storage from turning on.
Note
Tags can't be added directly to the Databricks Storage account, or its Managed Resource Group.
Prevent auto-enabling on a new Databricks workspace storage account
When you create a new Databricks workspace, you can add a tag that prevents Microsoft Defender for Storage from enabling automatically on the workspace's storage account.
To prevent auto-enabling on a new Databricks workspace storage account:
1. Follow these steps to create a new Azure Databricks workspace.
2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.
3. Enter the value off.
4. Continue following the instructions to create your new Azure Databricks workspace.
The storage account of the Databricks workspace will inherit the tag from the workspace, which will prevent Defender for Storage from turning on automatically.
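Because exclusions can be created in three ways on this page (a tagged storage account, a tag inherited from an existing Databricks workspace, or a tag set at workspace creation), a defender wants an inventory of which storage accounts in a subscription are actually outside the plan. The audit below is an added example, not part of the Microsoft documentation; it assumes the Az.Storage and Az.Security modules are installed and that Connect-AzAccount (and Set-AzContext, if needed) has selected the subscription to review. It reads the tag directly on each storage account, so inherited Databricks tags are covered as well.

```powershell
# Added example (not from the Microsoft Learn page): list every storage account in
# the current subscription and classify its Defender for Storage exclusion state.
# Assumes Az.Storage and Az.Security are installed and a subscription context is set.
$tagName = 'AzDefenderPlanAutoEnable'

$report = foreach ($sa in Get-AzStorageAccount) {
    # Per-account plan state; IsEnabled is the property the cmdlet returns.
    $atp = Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id

    # $sa.Tags may be $null on an untagged account; indexing a missing key yields $null.
    $optOut      = [bool]($sa.Tags -and $sa.Tags[$tagName] -eq 'off')
    $planEnabled = [bool]$atp.IsEnabled

    # A tagged account whose plan is still on is only half excluded; an untagged
    # account with the plan off will be re-enabled by the daily subscription policy.
    $status = if ($optOut -and -not $planEnabled) { 'Excluded' }
              elseif ($optOut)                    { 'Tagged but plan still on' }
              elseif (-not $planEnabled)          { 'Plan off, will auto-enable' }
              else                                { 'Protected' }

    [pscustomobject]@{
        StorageAccount = $sa.StorageAccountName
        ResourceGroup  = $sa.ResourceGroupName
        OptOutTag      = $optOut
        PlanEnabled    = $planEnabled
        Status         = $status
    }
}

# Show only accounts that are not fully protected, so each one can be reviewed
# against the reason it was excluded.
$report | Where-Object Status -ne 'Protected' | Format-Table -AutoSize
```

Drop the final `Where-Object` filter to see the full inventory, or pipe `$report` to `Export-Csv` to keep a dated record of which accounts were excluded and why.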