Impossible to enable Defender for Storage Malware scanning

PP 20 Reputation points
2023-05-16T15:33:43.44+00:00

I would like to enable Azure Defender Malware scanning on my (StorageV2) Storage Account.

I upgraded my subscription's MS Defender for Cloud plan.

However, any attempt on enabling Malware scanning or Sensitive data discovery fails.

  1. While enabling on the subscription level (Subscription -> MS Defender for Cloud -> Cloud Workload Protection (CWP) -> Storage) I receive an error
  2. While enabling it on the Storage Account level I receive a different error

Let me add that I'm testing this functionality on a Visual Studio Professional subscription.


5 answers

  1. PP 20 Reputation points
    2023-05-17T09:16:08.8633333+00:00

    I resolved this issue myself. Thanks @Mohammed Altamash Khan for some initial hints.

    The entire problem comes from the fact that being an owner of the subscriptions does not give you full rights.

    I came up with a custom role defined like this:

    
    {
      "properties": {
        "roleName": "Custome role for EventGrid",
        "description": "",
        "assignableScopes": ["/subscriptions/<my_subscription_guid>"],
        "permissions": [
          {
            "actions": ["Microsoft.EventGrid/eventSubscriptions/write"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
    

    After the role was created, I went to PIM (Privileged Identity Management) for my subscription and created a new role assignment to my account.

    Enabling malware scanning was possible from the Storage Account level (subscription settings override), but not from the entire subscription level. However, this resolves my issue enough.

    3 people found this answer helpful.
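As an added illustration (not code from the question author, from Microsoft, or from the Azure RBAC service), the following Python models the documented Azure RBAC evaluation rules, Actions minus NotActions with `*` wildcards and scope inheritance, so the custom role JSON above can be sanity-checked offline against the `Microsoft.EventGrid/eventSubscriptions/write` action that the later error message in this thread names. The Reader definition (`*/read`) is Azure's real built-in one; the storage account scope is constructed from the page's placeholder subscription id; the evaluator is a simplification that ignores deny assignments, data actions and PIM activation state (an eligible-but-not-activated PIM assignment grants nothing at evaluation time).

```python
"""Offline sanity check: does a set of role assignments grant an RBAC action
on a scope? Added example that models Azure's documented Actions/NotActions
wildcard and scope-inheritance rules; it is not Azure's own evaluator."""
import json
import re
from typing import Dict, List

# The custom role from the answer above, verbatim (subscription GUID is the
# page's placeholder).
CUSTOM_ROLE_JSON = """{
  "properties": {
    "roleName": "Custome role for EventGrid",
    "description": "",
    "assignableScopes": ["/subscriptions/<my_subscription_guid>"],
    "permissions": [
      {
        "actions": ["Microsoft.EventGrid/eventSubscriptions/write"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}"""

# Azure's built-in Reader role, reduced to its control-plane actions.
READER_ROLE = {"roleName": "Reader", "actions": ["*/read"], "notActions": [],
               "assignableScopes": ["/"]}

# The action Defender for Storage needs when it wires up its Event Grid
# subscription, and a constructed storage-account scope under the placeholder
# subscription (resource group and account name borrowed from the thread).
ACTION = "Microsoft.EventGrid/eventSubscriptions/write"
SUB_SCOPE = "/subscriptions/<my_subscription_guid>"
SA_SCOPE = SUB_SCOPE + "/resourceGroups/mal/providers/Microsoft.Storage/storageAccounts/xxx"


def parse_role_definition(text: str) -> Dict:
    """Load a role-definition JSON document and flatten its permission blocks."""
    props = json.loads(text)["properties"]
    actions: List[str] = []
    not_actions: List[str] = []
    for perm in props["permissions"]:
        actions += perm.get("actions", [])
        not_actions += perm.get("notActions", [])
    return {"roleName": props["roleName"], "actions": actions,
            "notActions": not_actions, "assignableScopes": props["assignableScopes"]}


def action_matches(pattern: str, action: str) -> bool:
    """RBAC action patterns: '*' matches any run of characters, '/' included;
    the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_permits(role: Dict, action: str) -> bool:
    """Effective permission = any Actions match and no NotActions match."""
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not denied


def scope_covers(parent: str, child: str) -> bool:
    """An assignment applies at its own scope and every scope beneath it."""
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")


def assignment_is_valid(role: Dict, scope: str) -> bool:
    """Azure rejects an assignment whose scope is outside assignableScopes."""
    return any(scope_covers(s, scope) for s in role["assignableScopes"])


def check_access(assignments: List[Dict], action: str, scope: str) -> Dict:
    """Return which assignments (if any) grant `action` on `scope`; each
    assignment is {"role": <definition>, "scope": <assignment scope>}."""
    granting = [a["role"]["roleName"] for a in assignments
                if assignment_is_valid(a["role"], a["scope"])
                and scope_covers(a["scope"], scope)
                and role_permits(a["role"], action)]
    return {"allowed": bool(granting), "grantedBy": granting}


if __name__ == "__main__":
    custom = parse_role_definition(CUSTOM_ROLE_JSON)
    before = [{"role": READER_ROLE, "scope": SUB_SCOPE}]
    after = before + [{"role": custom, "scope": SUB_SCOPE}]
    for label, assigns in (("Reader only", before), ("Reader + custom role", after)):
        print(label, "->", check_access(assigns, ACTION, SA_SCOPE))
```

Running the script shows the diagnosis a practitioner wants before touching PIM: with Reader alone the action is refused (which is the shape of the "does not have permissions ... on scope" error quoted later in the thread), and adding the custom role at subscription scope grants it on every storage account below. The assignableScopes check is the reason a role created for one subscription cannot simply be assigned in another.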

  2. Mohammed Altamash Khan 2,086 Reputation points
    2023-05-16T17:58:08.7+00:00

    Hi PP

    Solution: It's an RBAC issue; you need to assign the client ID the appropriate role.

    If I write the solution, it would be hard to explain because I'm not sure about your expertise in Azure, nor what access you have.

    To assign the role, you need to be OWNER of the subscription.

    Maybe we can connect on Teams and I can show you how to resolve that access issue.

    Regards

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  3. KarishmaTiwari-MSFT 18,657 Reputation points Microsoft Employee
    2023-05-17T17:35:43.8033333+00:00

    @PP I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: Customer was unable to enable Defender for Storage Malware scanning for Azure Storage account

    Cause: Being the owner of the subscriptions does not provide full rights to achieve that.

    Solution: Customer came up with a custom role defined like this:

    {
      "properties": {
        "roleName": "Custome role for EventGrid",
        "description": "",
        "assignableScopes": ["/subscriptions/<my_subscription_guid>"],
        "permissions": [
          {
            "actions": ["Microsoft.EventGrid/eventSubscriptions/write"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
    

    After the role was created, the customer went to PIM (Privileged Identity Management) for their subscription and created a new role assignment for their account.

    Enabling malware scanning was possible from the Storage Account level (subscription settings override), but not from the entire subscription level. However, this resolved their issue.


  4. Shiva Sadayan 41 Reputation points
    2023-07-28T15:22:24.2466667+00:00

    Hi All,

    I see similar issues. I created a gen purpose V2 account, registered Event Grid, and created a custom topic, and when I try to enable on-upload scanning I get: Could not enable on-upload malware scanning: Client 'c44b---' with objectId '9c5ec047-' does not have permissions 'Microsoft.EventGrid/eventSubscriptions/write' on scope '/subscriptions/edfbe/resourceGroups/mal/providers/Microsoft.Storage/storageAccounts/xxx'

    Thanks


  5. Ron Michael Zettlemoyer 1 Reputation point
    2024-01-10T20:51:21.62+00:00

    FWIW, you can also use the built-in "EventGrid EventSubscription Contributor" role instead of creating a new custom role.
