Impossible to enable Defender for Storage Malware scanning

PP 20 Reputation points
2023-05-16T15:33:43.44+00:00

I would like to enable Azure Defender Malware scanning on my (StorageV2) Storage Account.

I upgraded my subscription's MS Defender for Cloud plan.

However, any attempt on enabling Malware scanning or Sensitive data discovery fails.

  1. While enabling on the subscription level (Subscription -> MS Defender for Cloud -> Cloud Workload Protection (CWP) -> Storage) I receive an error
    sub level
  2. While enabling it on the Storage Account level I receive a different error
    User's image

Let me add, that I'm testing this functionality on Visual Studio Proffesional subscription.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,841 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,241 questions
0 comments No comments
{count} vote

5 answers

Sort by: Most helpful
  1. PP 20 Reputation points
    2023-05-17T09:16:08.8633333+00:00

    I resolved this issue myself. Thanks @Mohammed Altamash Khan for some initial hints.

    The entire problem comes from the fact, that being an owner of the subscriptions does not give you the full rights.

    I came up with a custom role defined like this:

    
    {
      "properties": {
        "roleName": "Custome role for EventGrid",
        "description": "",
        "assignableScopes": ["/subscriptions/<my_subscription_guid>"],
        "permissions": [
          {
            "actions": ["Microsoft.EventGrid/eventSubscriptions/write"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
    

    After the role was created, I went to PIM (Privileged Identity Management) for my subscription and created a new role assignment to my account.

    Enabling malware scanning was possible from the Storage Account level (subscription settings override), but not from the entire subscription level. However, this resolves my issue enough.

    3 people found this answer helpful.

  2. Mohammed Altamash Khan 2,086 Reputation points
    2023-05-16T17:58:08.7+00:00

    Hi PP

    Solution: Its an RBAC issue, you need to assign the client id the appropriate role.

    If i write the solution, it would be hard to explain bcoz im not sure about your experty in azure neither what access you have.

    To assign the role, you need to be OWNER of the subscription.

    Maybe we can connect on teams and i can show how to resolve that access issue.

    Regards

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  3. KarishmaTiwari-MSFT 18,667 Reputation points Microsoft Employee
    2023-05-17T17:35:43.8033333+00:00

    @PP I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.
    User's image

    Issue: Customer was unable to enable Defender for Storage Malware scanning for Azure Storage account

    Cause: Being the owner of the subscriptions does not provide full rights to achieve that.

    Solution: Customer came up with a custom role defined like this:

    {
      "properties": {
        "roleName": "Custome role for EventGrid",
        "description": "",
        "assignableScopes": ["/subscriptions/<my_subscription_guid>"],
        "permissions": [
          {
            "actions": ["Microsoft.EventGrid/eventSubscriptions/write"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
    

    After the role was created, the customer went to PIM (Privileged Identity Management) for their subscription and created a new role assignment for their account.

    Enabling malware scanning was possible from the Storage Account level (subscription settings override), but not from the entire subscription level. However, this resolved their issue.

    0 comments No comments

  4. Shiva Sadayan 41 Reputation points
    2023-07-28T15:22:24.2466667+00:00

    Hi All,

    I see similar issues, created gen purpose V2, registered event grid, and created a custom topic, and when I try to enable on-upload get Could not enable on-upload malware scanning: Client 'c44b---' with objectId '9c5ec047-' does not have permissions 'Microsoft.EventGrid/eventSubscriptions/write' on scope '/subscriptions/edfbe/resourceGroups/mal/providers/Microsoft.Storage/storageAccounts/xxx'

    Thanks

    0 comments No comments

  5. Ron Michael Zettlemoyer 1 Reputation point
    2024-01-10T20:51:21.62+00:00

    FWIW you can also use the built in "EventGrid EventSubscription Contributor" role instead of creating a new custom role.

    0 comments No comments