Enable and configure Microsoft Defender for Storage

Microsoft Defender for Storage is an Azure-native solution offering an advanced layer of intelligence for threat detection and mitigation in storage accounts, powered by Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery. With protection for Azure Blob Storage, Azure Files, and Azure Data Lake Storage services, it provides a comprehensive alert suite, near real-time Malware Scanning (add-on), and sensitive data threat detection (no extra cost), allowing quick detection, triage, and response to potential security threats with contextual information.

With Microsoft Defender for Storage, organizations can customize their protection and enforce consistent security policies by enabling it on subscriptions and storage accounts with granular control and flexibility.

Learn more about Microsoft Defender for Storage capabilities and security threats and alerts.

Tip

If you're currently using Microsoft Defender for Storage classic, consider upgrading to the new plan, which offers several benefits over the classic plan. Learn more about migrating to the new plan.

Availability

Release state: General Availability (GA)

Feature availability:
  • Activity monitoring (security alerts): General Availability (GA)
  • Malware Scanning: General Availability (GA)
  • Sensitive data threat detection (Sensitive Data Discovery): General Availability (GA)

Pricing: Visit the pricing page to learn more.

Supported storage types:
  • Blob Storage (Standard/Premium StorageV2, including Data Lake Gen2): Activity monitoring, Malware Scanning, Sensitive Data Discovery
  • Azure Files (over REST API and SMB): Activity monitoring

Required roles and permissions: For Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions. To enable Activity Monitoring, you need 'Security Admin' permissions. Read more about the required permissions.

Clouds:
  • Commercial clouds*
  • Azure Government (only activity monitoring support on the classic plan)
  • Microsoft Azure operated by 21Vianet
  • Connected AWS accounts

* Azure DNS Zone is not supported for Malware Scanning and sensitive data threat detection.

Prerequisites for Malware Scanning

Permissions

To enable and configure Malware Scanning, you must have Owner roles (such as Subscription Owner or Storage Account Owner) or specific roles with the necessary data actions. Learn more about the required permissions.

Event Grid resource provider

The Event Grid resource provider must be registered so that the Event Grid System Topic used to detect upload triggers can be created. Follow these steps to verify Event Grid is registered on your subscription.

Diagram showing how to register Event Grid as a resource provider.

You must have permission to the /register/action operation for the resource provider. This permission is included in the Contributor and Owner roles.

Set up Microsoft Defender for Storage

To enable and configure Microsoft Defender for Storage to ensure maximum protection and cost optimization, the following configuration options are available:

  • Enable/disable Microsoft Defender for Storage.

  • Enable/disable the Malware Scanning or sensitive data threat detection configurable features.

  • Set a monthly cap on Malware Scanning per storage account to control costs (the default is 5,000 GB per storage account per month).

  • Configure additional methods for saving malware scanning results and logging.

    Tip

    The Malware Scanning feature has advanced configurations to help security teams support different workflows and requirements.

  • Override subscription-level settings to configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level.

You can enable and configure Microsoft Defender for Storage from the Azure portal, with built-in Azure policies, programmatically using IaC templates (Bicep and ARM), or directly with the REST API.

Note

To prevent migrating back to the legacy classic plan, make sure to disable the old Defender for Storage policies. Look for and disable policies named Configure Azure Defender for Storage to be enabled, Azure Defender for Storage should be enabled, or Configure Microsoft Defender for Storage to be enabled (per-storage account plan).

We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts in the subscription will be protected, including future ones.

There are several ways to enable Defender for Storage on subscriptions:

Tip

You can override or set custom configuration settings for specific storage accounts within protected subscriptions.

Azure portal

To enable Defender for Storage at the subscription level using the Azure portal:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Select the subscription for which you want to enable Defender for Storage.

    Screenshot showing how to select a subscription in Defender for Cloud.

  4. On the Defender plans page, locate Storage in the list and select On and Save.

    If you currently have Defender for Storage enabled with per-transaction pricing, select the New pricing plan available link and confirm the pricing change.

    Screenshot showing how to enable Defender for Storage in Defender for Cloud.

Microsoft Defender for Storage is now enabled for this subscription, which is fully protected, including on-upload malware scanning and sensitive data threat detection.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection, you can select Settings and change the status of the relevant feature to Off.

If you want to change the malware scanning size cap per storage account per month, change the settings in Edit configuration.

Screenshot showing where to enable Malware Scanning and Sensitive data threat protection.

If you want to disable the plan, toggle the status button to Off for the Storage plan on the Defender plans page.

Enable and configure at scale with an Azure built-in policy

To enable and configure Defender for Storage at scale with an Azure built-in policy to ensure that consistent security policies are applied across all existing and new storage accounts within the subscriptions, follow these steps:

  1. Sign in to the Azure portal and navigate to the Policy dashboard.
  2. In the Policy dashboard, select Definitions from the left-side menu.
  3. In the "Security Center" category, search for and then select Configure Microsoft Defender for Storage to be enabled. This policy enables all Defender for Storage capabilities: Activity Monitoring, Malware Scanning, and Sensitive Data Threat Detection. You can also get it from the list of built-in policy definitions. If you want to enable a policy without the configurable features, use Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only).
  4. Choose the policy and review it.
  5. Select Assign and edit the policy details. You can fine-tune, edit, and add custom rules to the policy.
  6. Once you have completed reviewing, select Review + create.
  7. Select Create to assign the policy.

Enable and configure with IaC templates

Bicep template

To enable and configure Microsoft Defender for Storage at the subscription level using Bicep, make sure your target scope is set to subscription, and add the following to your Bicep template:

resource StorageAccounts 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}

To modify the monthly cap for malware scanning per storage account, simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, change the isEnabled value to False under the corresponding extension (OnUploadMalwareScanning or SensitiveDataDiscovery).

To disable the entire Defender for Storage plan, set the pricingTier property value to Free and remove the subPlan and extensions properties. Learn more about the Bicep template AzAPI reference.

ARM template

To enable and configure Microsoft Defender for Storage at the subscription level using an ARM template, add this JSON snippet to the resources section of your ARM template:

{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2023-01-01",
    "name": "StorageAccounts",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "DefenderForStorageV2",
        "extensions": [
            {
                "name": "OnUploadMalwareScanning",
                "isEnabled": "True",
                "additionalExtensionProperties": {
                    "CapGBPerMonthPerStorageAccount": "5000"
                }
            },
            {
                "name": "SensitiveDataDiscovery",
                "isEnabled": "True"
            }
        ]
    }
}

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, change the isEnabled value to False under the corresponding extension (OnUploadMalwareScanning or SensitiveDataDiscovery).

To disable the entire Defender plan, set the pricingTier property value to Free and remove the subPlan and extensions properties.

Learn more in the ARM template reference.

Enable and configure with REST API

To enable and configure Microsoft Defender for Storage at the subscription level using REST API, create a PUT request with this endpoint (replace the subscriptionId in the endpoint URL with your own Azure subscription ID):

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2023-01-01

And add the following request body:

{
    "properties": {
        "extensions": [
            {
                "name": "OnUploadMalwareScanning",
                "isEnabled": "True",
                "additionalExtensionProperties": {
                    "CapGBPerMonthPerStorageAccount": "5000"
                }
            },
            {
                "name": "SensitiveDataDiscovery",
                "isEnabled": "True"
            }
        ],
        "subPlan": "DefenderForStorageV2",
        "pricingTier": "Standard"
    }
}

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, change the isEnabled value to False under the corresponding extension (OnUploadMalwareScanning or SensitiveDataDiscovery).

To disable the entire Defender plan, set the pricingTier property value to Free and remove the subPlan and extensions properties.

Learn more about updating Defender plans with the REST API in HTTP, Java, Go, and JavaScript.

Override Defender for Storage subscription-level settings

Defender for Storage settings on each storage account are inherited from the subscription-level settings. Use Override Defender for Storage subscription-level settings to configure settings that differ from those configured at the subscription level.

The override setting is usually used for the following scenarios:

  1. Enable the malware scanning or the data sensitivity threat detection features.

  2. Configure custom settings for Malware Scanning.

  3. Disable Microsoft Defender for Storage on specific storage accounts.

Note

We recommend that you enable Defender for Storage on the entire subscription to protect all existing and future storage accounts in it. However, there are some cases where you would want to exclude specific storage accounts from Defender protection. If you've decided to exclude, follow the steps below to use the override setting and then disable the relevant storage account. If you are using the Defender for Storage (classic), you can also exclude storage accounts.

Azure portal

To override the subscription-level settings for a specific storage account using the Azure portal:

  1. Sign in to the Azure portal.

  2. Navigate to the storage account for which you want to configure custom settings.

  3. In the storage account menu, in the Security + networking section, select Microsoft Defender for Cloud.

  4. Select Settings in Microsoft Defender for Storage.

  5. Set the status of Override Defender for Storage subscription-level settings (under Advanced settings) to On. This ensures that the settings are saved only for this storage account and are not overridden by the subscription settings.

  6. Configure the settings you want to change:

    1. To enable malware scanning or sensitive data threat detection, set the status to On.

    2. To modify the settings of malware scanning:

      1. Switch the "On-upload malware scanning" to On if it’s not already enabled.

      2. To adjust the monthly threshold for malware scanning in your storage accounts, you can modify the parameter called "Set limit of GB scanned per month" to your desired value. This parameter determines the maximum amount of data that can be scanned for malware each month, specifically for each storage account. If you wish to allow unlimited scanning, you can uncheck this parameter. By default, the limit is set at 5,000 GB.

    Learn more about malware scanning settings.

  7. To disable Defender for Storage on this storage account, set the status of Microsoft Defender for Storage to Off.

    Screenshot showing where to turn off Defender for Storage in the Azure portal.

  8. Select Save.

REST API

To override the subscription-level settings for a specific storage account using the REST API:

  1. Create a PUT request with this endpoint. Replace the subscriptionId, resourceGroupName, and accountName in the endpoint URL with your own Azure subscription ID, resource group, and storage account name.

    Request URL:

    PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview

    Request Body:

    {
        "properties": {
            "isEnabled": true,
            "malwareScanning": {
                "onUpload": {
                    "isEnabled": true,
                    "capGBPerMonth": 5000
                }
            },
            "sensitiveDataDiscovery": {
                "isEnabled": true
            },
            "overrideSubscriptionLevelSettings": true
        }
    }

    1. To enable malware scanning or sensitive data threat detection, set the value of isEnabled to true under the relevant feature.

    2. To modify the settings of malware scanning, edit the relevant fields under "onUpload" and make sure the value of isEnabled is true. If you wish to permit unlimited scanning, assign the value -1 to the capGBPerMonth parameter.

      Learn more about malware scanning settings.

    3. To disable Defender for Storage on this storage account, use the following request body:

    {
        "properties": {
            "isEnabled": false,
            "overrideSubscriptionLevelSettings": true
        }
    }

  2. Make sure you add the parameter overrideSubscriptionLevelSettings and set its value to true. This ensures that the settings are saved only for this storage account and are not overridden by the subscription settings.
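As an added example that is not part of Microsoft's documentation, the following Python builds the request bodies for the two PUT endpoints quoted on this page (the subscription-level pricings call under "Enable and configure with REST API" and the per-account override above) from the rules the page states, and audits a GET response from the pricings endpoint so that drift (plan off, still on a classic sub-plan, a feature switched off) shows up in review. The function names are my own, and sending the requests with a bearer token is left to the caller.

```python
# Added example (not from Microsoft's documentation). Property names and the
# disable/unlimited rules are the ones stated on this page; the function names
# are assumptions of this example, and no HTTP call is made here.


def subscription_pricing_body(enabled=True, malware_scanning=True,
                              sensitive_data=True, cap_gb=5000):
    """Body for the subscription-level pricings PUT. Disabling the plan means
    pricingTier 'Free' with subPlan/extensions removed; cap_gb=-1 is unlimited."""
    if not enabled:
        return {"properties": {"pricingTier": "Free"}}
    # This API carries isEnabled and the cap as strings ("True", "5000").
    return {"properties": {
        "pricingTier": "Standard",
        "subPlan": "DefenderForStorageV2",
        "extensions": [
            {"name": "OnUploadMalwareScanning",
             "isEnabled": str(malware_scanning),
             "additionalExtensionProperties": {
                 "CapGBPerMonthPerStorageAccount": str(cap_gb)}},
            {"name": "SensitiveDataDiscovery", "isEnabled": str(sensitive_data)},
        ]}}


def account_override_body(enabled=True, malware_scanning=True,
                          sensitive_data=True, cap_gb=5000):
    """Body for the per-account DefenderForStorageSettings PUT. The override
    flag must be true or the subscription settings win; this API uses real
    booleans and integers rather than strings."""
    props = {"isEnabled": enabled, "overrideSubscriptionLevelSettings": True}
    if enabled:
        props["malwareScanning"] = {"onUpload": {"isEnabled": malware_scanning,
                                                 "capGBPerMonth": cap_gb}}
        props["sensitiveDataDiscovery"] = {"isEnabled": sensitive_data}
    return {"properties": props}


def audit_pricing(response):
    """Return findings for a GET of the pricings endpoint: plan not enabled,
    not on the DefenderForStorageV2 plan, or a configurable feature off."""
    props = response.get("properties", {})
    findings = []
    if props.get("pricingTier") != "Standard":
        findings.append("plan is not enabled (pricingTier != Standard)")
    elif props.get("subPlan") != "DefenderForStorageV2":
        findings.append("not on the new plan (subPlan != DefenderForStorageV2)")
    ext = {e["name"]: e for e in props.get("extensions", [])}
    for name in ("OnUploadMalwareScanning", "SensitiveDataDiscovery"):
        if str(ext.get(name, {}).get("isEnabled", "False")).lower() != "true":
            findings.append(f"{name} is off")
    return findings
```

Feeding the body you are about to PUT through audit_pricing before sending it is a cheap guard against accidentally shipping the classic plan or a disabled extension.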