Exclude a storage account from Microsoft Defender for Storage protections

Caution

Excluding resources from advanced threat protection is not recommended and leaves your cloud workload exposed.

When you enable Microsoft Defender for Storage on a subscription, all existing Azure Storage accounts will be protected and any storage resources added to that subscription in the future will also be automatically protected.

If you need to exempt a specific Azure Storage account from this Defender plan, use the instructions on this page.

Tip

We recommend enabling Microsoft Defender for Resource Manager for any accounts with unprotected Azure Storage resources. Defender for Resource Manager automatically monitors your organization's resource management operations, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients.

Exclude a specific storage account

To exclude specific storage accounts from Microsoft Defender for Storage when the plan is enabled on a subscription:

Use PowerShell to exclude an Azure Storage account

  1. If you don't have the Azure Az PowerShell module installed, install it using the instructions from the Azure PowerShell documentation.

  2. Using an authenticated account, connect to Azure with the Connect-AzAccount cmdlet, as explained in Sign in with Azure PowerShell.

  3. Define the AzDefenderPlanAutoEnable tag on the storage account with the Update-AzTag cmdlet (replace the ResourceId with the resource ID of the relevant storage account):

    Update-AzTag -ResourceId <resourceId> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge


    If you skip this step, the untagged account continues to receive the daily update from the subscription-level enablement policy, and that policy will turn Defender for Storage back on for the account.

  4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using the same resource ID):

    Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>


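The four steps above, combined into one script that also reads the tag and the protection state back so the exclusion can be verified and recorded. This is an added example, not code from the original page; it assumes the Az.Accounts, Az.Resources, Az.Storage and Az.Security modules are installed, that the three parameters are placeholders you replace, and that Get-AzSecurityAdvancedThreatProtection returns an object with an IsEnabled property.

```powershell
# Added example (not from the original page): exclude one storage account from
# Defender for Storage with the Az PowerShell module, then verify both the tag
# and the protection state so the change can be audited later.
# Assumptions: Az.Accounts, Az.Resources, Az.Storage and Az.Security are
# installed; the three parameters are placeholders for your own values.

param(
    [Parameter(Mandatory)] [string] $SubscriptionId,      # placeholder
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder
    [Parameter(Mandatory)] [string] $StorageAccountName   # placeholder
)

# Step 2: sign in interactively and select the subscription that holds the account.
Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Resolve the resource ID instead of typing it by hand.
$resourceId = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName `
                                    -Name $StorageAccountName).Id

# Step 3: tag the account so the subscription-level enablement policy skips it.
# -Operation Merge keeps every other tag the account already carries.
Update-AzTag -ResourceId $resourceId `
             -Tag @{ "AzDefenderPlanAutoEnable" = "off" } `
             -Operation Merge | Out-Null

# Step 4: turn the plan off for this account.
Disable-AzSecurityAdvancedThreatProtection -ResourceId $resourceId | Out-Null

# Verification: read the tag and the protection state back from Azure.
$tags = (Get-AzTag -ResourceId $resourceId).Properties.TagsProperty
$atp  = Get-AzSecurityAdvancedThreatProtection -ResourceId $resourceId   # assumed to expose IsEnabled

[pscustomobject]@{
    StorageAccount           = $StorageAccountName
    AzDefenderPlanAutoEnable = $tags["AzDefenderPlanAutoEnable"]
    DefenderForStorage       = if ($atp.IsEnabled) { "Enabled" } else { "Disabled" }
}
```

Run it as `.\Exclude-StorageAccount.ps1 -SubscriptionId ... -ResourceGroupName ... -StorageAccountName ...`. The final object is the record to keep: if it shows the tag present and the plan disabled, the exclusion will survive the daily policy run; if the tag is missing, the account will be re-enabled, which is why the tag is written before the plan is disabled.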

Exclude an Azure Databricks Storage account

Exclude an active Databricks workspace

Microsoft Defender for Storage can exclude the storage account of a specific active Databricks workspace when the plan is already enabled on the subscription.

To exclude an active Databricks workspace:

  1. Sign in to the Azure portal.

  2. Navigate to Azure Databricks > Your Databricks workspace > Tags.

  3. In the Name field, enter AzDefenderPlanAutoEnable.

  4. In the Value field, enter off.

  5. Select Apply.

    Screenshot showing the location, and how to apply the tag to your Azure Databricks account.

  6. Navigate to Microsoft Defender for Cloud > Environment settings > Your subscription.

  7. Toggle the Defender for Storage plan to Off.

    Screenshot showing how to switch the Defender for Storage plan to off.

  8. Select Save.

  9. Toggle the Defender for Storage plan to On.

  10. Select Save.

The tag is inherited by the storage account of the Databricks workspace and prevents Defender for Storage from being turned on for that account.

Note

Tags can't be added directly to the Databricks Storage account, or its Managed Resource Group.

Prevent auto-enabling on a new Databricks workspace storage account

When you create a new Databricks workspace, you can add a tag that prevents Microsoft Defender for Storage from being enabled automatically on the workspace's storage account.

To prevent auto-enabling on a new Databricks workspace storage account:

  1. Follow these steps to create a new Azure Databricks workspace.

  2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.

  3. Enter the value off.

    Screenshot that shows how to create a tag in the Databricks workspace.

  4. Continue following the instructions to create your new Azure Databricks workspace.

The storage account of the Databricks workspace inherits the workspace tag, which prevents Defender for Storage from turning on automatically for that account.
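Because both Databricks procedures above rely on a tag that is set on the workspace rather than on the storage account, and the PowerShell procedure relies on the same tag set directly, a reviewer needs a way to see which resources in a subscription are actually excluded and whether their real protection state matches the tag. The following added audit script is not from the original page; it assumes you are already signed in with the right subscription selected, that Az.Resources and Az.Security are installed, and that Get-AzSecurityAdvancedThreatProtection returns an object with an IsEnabled property.

```powershell
# Added example (not from the original page): list every Databricks workspace
# tagged for exclusion, then inventory all storage accounts in the current
# subscription and compare the AzDefenderPlanAutoEnable tag (intent) with the
# actual Defender for Storage state, flagging drift between the two.
# Assumptions: already signed in (Connect-AzAccount) with the subscription
# selected; Az.Resources and Az.Security installed.

$tagName  = "AzDefenderPlanAutoEnable"
$tagValue = "off"

# Databricks workspaces carrying the exclusion tag. The tag lives on the
# workspace because it cannot be set on the managed storage account directly.
$excludedWorkspaces = Get-AzResource -ResourceType "Microsoft.Databricks/workspaces" `
                                      -TagName $tagName -TagValue $tagValue
foreach ($ws in $excludedWorkspaces) {
    Write-Host "Databricks workspace tagged for exclusion: $($ws.Name) (resource group $($ws.ResourceGroupName))"
}

# Every storage account in the subscription, with its tag and its real state.
$report = foreach ($sa in Get-AzResource -ResourceType "Microsoft.Storage/storageAccounts") {
    $tag = if ($sa.Tags) { $sa.Tags[$tagName] } else { $null }

    try {
        # Assumed to expose IsEnabled; $null means the state could not be read.
        $enabled = (Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.ResourceId).IsEnabled
    }
    catch {
        $enabled = $null
    }

    # Classify so a reviewer can spot drift between the tag and the plan state.
    $status = if ($null -eq $enabled) {
                  "Unknown (state not readable; check permissions)"
              }
              elseif ($tag -eq $tagValue -and -not $enabled) {
                  "Excluded (tagged and disabled)"
              }
              elseif ($tag -eq $tagValue -and $enabled) {
                  "Tagged but still enabled (run Disable-AzSecurityAdvancedThreatProtection)"
              }
              elseif ($tag -ne $tagValue -and -not $enabled) {
                  "Disabled without tag (subscription policy will re-enable it)"
              }
              else {
                  "Protected"
              }

    [pscustomobject]@{
        StorageAccount = $sa.Name
        ResourceGroup  = $sa.ResourceGroupName
        Tag            = $tag
        Enabled        = $enabled
        Status         = $status
    }
}

$report | Sort-Object Status, StorageAccount | Format-Table -AutoSize
```

The two "drift" rows are the ones worth acting on: an account that is tagged but still enabled has only completed half of the procedure, and an account that is disabled without the tag is not a deliberate exclusion and will be re-enabled by the subscription-level policy on its next run. Storage accounts belonging to an excluded Databricks workspace appear in the report under the workspace's managed resource group, with the inherited tag.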
