Ask Sawal

Discussion Forum

Jonard Feferman




Posted Questions




Posted Answers



Answer


Microsoft Defender for Storage is an Azure-native solution offering an advanced layer of intelligence for threat detection and mitigation in storage accounts, powered by Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery. With protection for Azure Blob Storage, Azure Files, and Azure Data Lake Storage services, it provides a comprehensive alert suite, near real-time Malware Scanning (add-on), and sensitive data threat detection (no extra cost), allowing quick detection, triage, and response to potential security threats with contextual information.

With Microsoft Defender for Storage, organizations can customize their protection and enforce consistent security policies by enabling it on subscriptions and storage accounts with granular control and flexibility.

Learn more about Microsoft Defender for Storage capabilities and security threats and alerts.

* Azure DNS Zone is not supported for Malware Scanning and sensitive data threat detection.

Malware Scanning supports storage accounts with “Networking” > “Public network access” enabled, either from all networks or from selected virtual networks. Malware Scanning is not supported for storage accounts with “Public network access” set to disabled.

[Screenshot showing where to configure Public network access.]

To enable and configure Malware Scanning, you must have Owner roles (such as Subscription Owner or Storage Account Owner) or specific roles with the necessary data actions. Learn more about the required permissions.

The Event Grid resource provider must be registered to be able to create the Event Grid System Topic used to detect upload triggers. Follow these steps to verify Event Grid is registered on your subscription.

[Diagram showing how to register Event Grid as a resource provider.]

You must have permission to the /register/action operation for the resource provider. This permission is included in the Contributor and Owner roles.

To enable and configure Microsoft Defender for Storage to ensure maximum protection and cost optimization, the following configuration options are available:

You can enable and configure Microsoft Defender for Storage from the Azure portal, built-in Azure policies, programmatically using IaC templates (Bicep and ARM) or directly with REST API.

We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts in the subscription will be protected, including future ones.

There are several ways to enable Defender for Storage on subscriptions:

To enable Defender for Storage at the subscription level using the Azure portal:

Microsoft Defender for Storage is now enabled for this subscription, and is fully protected, including on-upload malware scanning and sensitive data threat detection.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection, you can select Settings and change the status of the relevant feature to Off.

If you want to change the malware scanning size cap per storage account per month for malware, change the settings in Edit configuration.

[Screenshot showing where to enable Malware Scanning and Sensitive data threat protection.]

If you want to disable the plan, toggle the status button to Off for the Storage plan on the Defender plans page.

To enable and configure Defender for Storage at scale with an Azure built-in policy to ensure that consistent security policies are applied across all existing and new storage accounts within the subscriptions, follow these steps:

To enable and configure Microsoft Defender for Storage at the subscription level using Bicep, make sure your target scope is set to subscription, and add the following to your Bicep template:

To modify the monthly cap for malware scanning per storage account, simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to False under Sensitive data discovery.

To disable the entire Defender for Storage plan, set the pricingTier property value to Free and remove the subPlan and extensions properties. Learn more about the Bicep template AzAPI reference.

To enable and configure Microsoft Defender for Storage at the subscription level using an ARM template, add this JSON snippet to the resources section of your ARM template:

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to False under Sensitive data discovery.

To disable the entire Defender plan, set the pricingTier property value to Free and remove the subPlan and extensions properties.

Learn more in the ARM template reference.

To enable and configure Microsoft Defender for Storage at the subscription level using REST API, create a PUT request with this endpoint (replace the subscriptionId in the endpoint URL with your own Azure subscription ID):

And add the following request body:

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to False under Sensitive data discovery.

To disable the entire Defender plan, set the pricingTier property value to Free and remove the subPlan and extensions properties.

Learn more about updating Defender plans with the REST API in HTTP, Java, Go and JavaScript.

You can enable and configure Microsoft Defender for Storage on specific storage accounts in several ways:

The steps below include instructions on how to set up logging and an Event Grid for the Malware Scanning.

To enable and configure Microsoft Defender for Storage for a specific account using the Azure portal:

[Screenshot showing where to enable On-upload malware scanning and Sensitive data threat detection for a specific storage account.]

Microsoft Defender for Storage is now enabled on this storage account.

If you want to disable Defender for Storage on the storage account or disable one of the features (On-upload malware scanning or Sensitive data threat detection), select Settings, edit the settings, and select Save.

To enable and configure Microsoft Defender for Storage at the storage account level using an ARM template, add this JSON snippet to the resources section of your ARM template:

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the capGBPerMonth parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to false under the malwareScanning or sensitiveDataDiscovery properties sections.

To disable the entire Defender plan for the storage account, set the isEnabled property value to false and remove the malwareScanning and sensitiveDataDiscovery sections from the properties.

To enable and configure Microsoft Defender for Storage at the storage account level using Bicep, add the following to your Bicep template:

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the capGBPerMonth parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to false under the malwareScanning or sensitiveDataDiscovery properties sections.

To disable the entire Defender plan for the storage account, set the isEnabled property value to false and remove the malwareScanning and sensitiveDataDiscovery sections from the properties.

Learn more about the Bicep template AzAPI reference.

To enable and configure Microsoft Defender for Storage at the storage account level using REST API, create a PUT request with this endpoint. Replace the subscriptionId, resourceGroupName, and accountName in the endpoint URL with your own Azure subscription ID, resource group and storage account names accordingly.

And add the following request body:

To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the capGBPerMonth parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to false under the malwareScanning or sensitiveDataDiscovery properties sections.

To disable the entire Defender plan for the storage account, set the isEnabled property value to false and remove the malwareScanning and sensitiveDataDiscovery sections from the properties.

Learn more about updating Defender plans with the REST API in HTTP, Java, Go and JavaScript.

For each storage account enabled with Malware Scanning, you can define a Log Analytics workspace destination to store every scan result in a centralized log repository that is easy to query.

[Screenshot showing where to configure a Log Analytics destination for scan logs.]

This configuration can be performed using REST API as well:

Request URL:

Request Body:

For each storage account enabled with Malware Scanning, you can configure it to send every scan result using an Event Grid event for automation purposes.

[Screenshot showing where to enable an Event Grid destination for scan logs.]

This configuration can be performed using REST API as well:

Request URL:

Request Body:

Defender for Storage settings on each storage account are inherited by the subscription-level settings. Use Override Defender for Storage subscription-level settings to configure settings that are different from the settings that are configured on the subscription-level.

The override setting is usually used for the following scenarios:

To override Defender for Storage subscription-level settings to configure settings that are different from the settings that are configured on the subscription-level using the Azure portal:


Answer is posted for the following question.

How to disable azure defender?
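
The storage-account-level rules in the answer above (what turning a feature off, setting the cap to -1, and disabling the plan look like in the request body), written as a check over settings bodies. This is an added example, not part of the posted answer or of Microsoft's documentation; the `onUpload` nesting is an assumption about the body layout, and the sample bodies are constructed.

```python
import copy

UNLIMITED_CAP = -1  # value the answer gives for unlimited scanning

def audit_settings(body):
    """Return findings for one storage-account-level settings body."""
    props = body.get("properties", {})
    if not props.get("isEnabled", False):
        return ["plan-disabled"]
    findings = []
    # Assumption: on-upload options sit under malwareScanning.onUpload.
    on_upload = props.get("malwareScanning", {}).get("onUpload", {})
    if not on_upload.get("isEnabled", False):
        findings.append("malware-scanning-off")
    elif on_upload.get("capGBPerMonth") == UNLIMITED_CAP:
        findings.append("scan-cap-unlimited")
    if not props.get("sensitiveDataDiscovery", {}).get("isEnabled", False):
        findings.append("sensitive-data-detection-off")
    return findings

def to_disabled(body):
    """Apply the disable step from the answer: isEnabled false and the
    malwareScanning / sensitiveDataDiscovery sections removed."""
    out = copy.deepcopy(body)
    props = out.setdefault("properties", {})
    props["isEnabled"] = False
    props.pop("malwareScanning", None)
    props.pop("sensitiveDataDiscovery", None)
    return out

# Constructed sample bodies (not taken from a real tenant).
FULL = {"properties": {
    "isEnabled": True,
    "malwareScanning": {"onUpload": {"isEnabled": True, "capGBPerMonth": 5000}},
    "sensitiveDataDiscovery": {"isEnabled": True}}}
PARTIAL = {"properties": {
    "isEnabled": True,
    "malwareScanning": {"onUpload": {"isEnabled": True, "capGBPerMonth": -1}},
    "sensitiveDataDiscovery": {"isEnabled": False}}}

if __name__ == "__main__":
    for name, body in (("full", FULL), ("partial", PARTIAL),
                       ("disabled", to_disabled(FULL))):
        print(name, audit_settings(body))
```

Running the same check over exported settings before and after a template change shows whether a deployment switched off a feature or the whole plan unintentionally.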

Answer


Sago is an edible starch that is made from the pith of an array of tropical palm trees. It's a staple food in parts of the tropics. Tapioca pearls, on the other hand, are made with tapioca or the starch from cassava, a root crop.


Answer is posted for the following question.

What is sago in bubble tea?

Answer


Can I drive from Russia to Ukraine? Yes, the driving distance between Russia to Ukraine is 851 km · Which airlines fly from Moscow Sheremetyevo Airport to


Answer is posted for the following question.

How far is russia from the ukraine?

