Edit

Share via

Enable Microsoft Defender for Storage (classic)

This article explains how to enable and configure Microsoft Defender for Storage (classic) on your subscriptions using various templates such as PowerShell, REST API, and others.

Note

Defender for Storage (classic) is unavailable for new subscriptions as of February 5, 2025.

You can also upgrade to the new Microsoft Defender for Storage plan and use advanced security capabilities, including malware scanning and sensitive data threat detection. Benefit from a predictable and granular pricing structure that charges per storage account, with extra costs for high-volume transactions. This new pricing plan also encompasses all new security features and detections.

Note

If you use Defender for Storage (classic) with per-transaction or per-storage account pricing, you need to migrate to the new Defender for Storage plan to access these features and pricing. Learn about migrating to the new Defender for Storage plan.

Microsoft Defender for Storage is an Azure-native security intelligence layer that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Defender Threat Intelligence data to provide contextual security alerts. These alerts include steps to mitigate detected threats and prevent future attacks.

Microsoft Defender for Storage continuously analyzes transactions of Azure Blob Storage, Azure Data Lake Storage, and Azure Files services. When potentially malicious activities are detected, security alerts generate. Microsoft Defender for Cloud shows alerts with details of suspicious activity, appropriate investigation steps, remediation actions, and security recommendations.

Analyzed telemetry of Azure Blob Storage includes operation types like Get Blob, Put Blob, Get Container ACL, List Blobs, and Get Blob Properties. Examples of analyzed Azure Files operation types include Get File, Create File, List Files, Get File Properties, and Put Range.

Defender for Storage classic doesn’t access Storage account data and has no impact on its performance.

Learn more about the benefits, features, and limitations of Defender for Storage. You can also learn more about Defender for Storage in the Defender for Storage episode of the Defender for Cloud in the Field video series.

Availability

Aspect Details
Release state: General availability (GA)
Pricing: Microsoft Defender for Storage is billed as shown in the pricing details and in the Defender plans in the Azure portal
Protected storage types: Blob Storage (Standard/Premium StorageV2, Block Blobs)
Azure Files (over REST API and SMB)
Azure Data Lake Storage Gen2 (Standard/Premium accounts with hierarchical namespaces enabled)
Clouds: Commercial clouds
Azure Government (Only for per-transaction plan)
Microsoft Azure operated by 21Vianet
Connected AWS accounts

Set up per-transaction pricing for a storage account

You can configure Microsoft Defender for Storage with per-transaction pricing on your accounts in several ways:

ARM template

To enable Microsoft Defender for Storage for a specific storage account with per-transaction pricing using an ARM template, use the prepared Azure template.

If you want to disable Defender for Storage on the account:

  1. Sign in to the Azure portal.
  2. Navigate to your storage account.
  3. In the Security + networking section of the Storage account menu, select Microsoft Defender for Cloud.
  4. Select Disable.

PowerShell

To enable Microsoft Defender for Storage for a specific storage account with per-transaction pricing using PowerShell:

  1. If you don't have it already, install the Azure Az PowerShell module.

  2. Use the Connect-AzAccount cmdlet to sign in to your Azure account. Learn more about signing in to Azure with Azure PowerShell.

  3. Enable Microsoft Defender for Storage for the desired storage account with the Enable-AzSecurityAdvancedThreatProtection cmdlet:

    Enable-AzSecurityAdvancedThreatProtection -ResourceId "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/"

    Replace <subscriptionId>, <resource-group>, and <storage-account> with the values for your environment.

If you want to disable per-transaction pricing for a specific storage account, use the Disable-AzSecurityAdvancedThreatProtection cmdlet:

Disable-AzSecurityAdvancedThreatProtection -ResourceId "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/"

Learn more about the using PowerShell with Microsoft Defender for Cloud.

Azure CLI

To enable Microsoft Defender for Storage for a specific storage account with per-transaction pricing using Azure CLI:

  1. If you don't have it already, install the Azure CLI.

  2. Use the az login command to sign in to your Azure account. Learn more about signing in to Azure with Azure CLI.

  3. Enable Microsoft Defender for Storage for your subscription with the az security atp storage update command:

    az security atp storage update \
--resource-group <resource-group> \
--storage-account <storage-account> \
--is-enabled true

Tip

You can use the az security atp storage show command to see if Defender for Storage is enabled on an account.

To disable Microsoft Defender for Storage (classic) for your subscription, use the az security atp storage update command:

az security atp storage update \
--resource-group <resource-group> \
--storage-account <storage-account> \
--is-enabled false

Learn more about the az security atp storage command.

Exclude a storage account from a protected subscription in the per-transaction plan

When a subscription has Microsoft Defender for Storage enabled, all current and future Azure Storage accounts in that subscription are protected. You can exclude specific storage accounts from Defender for Storage protections using the Azure portal, PowerShell, or the Azure CLI.

We recommend that you enable Defender for Storage on the entire subscription to protect all existing and future storage accounts in it. However, there are some cases where people want to exclude specific storage accounts from Defender protection.

Exclusion of storage accounts from protected subscriptions requires you to:

  1. Add a tag to block inheriting the subscription enablement.
  2. Disable Defender for Storage (classic).

Note

Consider upgrading to the new Defender for Storage plan if you have storage accounts you would like to exclude from the Defender for Storage classic plan. Not only will you save on costs for transaction-heavy accounts, but you'll also gain access to enhanced security features. Learn more about the benefits of migrating to the new plan.

Excluded storage accounts in the Defender for Storage classic are not automatically excluded when you migrate to the new plan.

Exclude an Azure Storage account protection on a subscription with per-transaction pricing

To exclude an Azure Storage account from Microsoft Defender for Storage (classic), you can use:

Use PowerShell to exclude an Azure Storage account

  1. If you don't have the Azure Az PowerShell module installed, install it using the instructions from the Azure PowerShell documentation.

  2. Using an authenticated account, connect to Azure with the Connect-AzAccount cmdlet, as explained in Sign in with Azure PowerShell.

  3. Define the AzDefenderPlanAutoEnable tag on the storage account with the Update-AzTag cmdlet (replace the ResourceId with the resource ID of the relevant storage account):

    Update-AzTag -ResourceId <resourceID> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge

    If you skip this stage, your untagged resources continue receiving daily updates from the subscription level enablement policy. That policy enables Defender for Storage again on the account. Learn more about tags in Use tags to organize your Azure resources and management hierarchy.

  4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using the same resource ID):

    Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>

    Learn more about this cmdlet.

Use Azure CLI to exclude an Azure Storage account

  1. If you don't have Azure CLI installed, install it using the instructions from the Azure CLI documentation.

  2. Using an authenticated account, connect to Azure with the login command as explained in Sign in with Azure CLI and enter your account credentials when prompted:

    az login

  3. Define the AzDefenderPlanAutoEnable tag on the storage account with the tag update command (replace the ResourceId with the resource ID of the relevant storage account):

    az tag update --resource-id MyResourceId --operation merge --tags AzDefenderPlanAutoEnable=off

    If you skip this stage, your untagged resources continue receiving daily updates from the subscription level enablement policy. That policy enables Defender for Storage again on the account.

    Tip

    Learn more about tags in az tag.

  4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the security atp storage command (using the same resource ID):

    az security atp storage update --resource-group MyResourceGroup  --storage-account MyStorageAccount --is-enabled false

    Learn more about this command.

Exclude an Azure Databricks Storage account

Exclude an active Databricks workspace

Microsoft Defender for Storage can exclude specific active Databricks workspace storage accounts, when the plan is already enabled on a subscription.

To exclude an active Databricks workspace:

  1. Sign in to the Azure portal.

  2. Navigate to Azure Databricks > Your Databricks workspace > Tags.

  3. In the Name field, enter AzDefenderPlanAutoEnable.

  4. In the Value field, enter off and then select Apply.

    Screenshot showing the location, and how to apply the tag to your Azure Databricks account.

  5. Navigate to Microsoft Defender for Cloud > Environment settings > Your subscription.

  6. Turn the Defender for Storage plan to Off and select Save.

    Screenshot showing how to switch the Defender for Storage plan to off.

  7. Re-enable Defender for Storage (classic) using one of the supported methods (you can’t enable Defender for Storage classic from the Azure portal).

The tags are inherited by the Storage account of the Databricks workspace and prevent Defender for Storage from turning on.

Note

Tags can't be added directly to the Databricks Storage account, or its Managed Resource Group.

Prevent autoenabling on a new Databricks workspace storage account

When you create a new Databricks workspace, you have the ability to add a tag that prevents your Microsoft Defender for Storage account from enabling automatically.

To prevent auto-enabling on a new Databricks workspace storage account:

  1. Follow these steps to create a new Azure Databricks workspace.

  2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.

  3. Enter the value off.

    Screenshot that shows how to create a tag in the Databricks workspace.

  4. Continue following the instructions to create your new Azure Databricks workspace.

The Microsoft Defender for Storage account inherits the tag of the Databricks workspace, which prevents Defender for Storage from turning on automatically.

Disable Microsoft Defender for Storage (classic)

Disable per-transaction pricing for a subscription

Terraform template

To disable Microsoft Defender for Storage (classic) at the subscription level with per-transaction pricing using a Terraform template, add this code snippet to your template with your subscription ID as the parent_id value:

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Security/pricings@2022-03-01"
  name = "StorageAccounts"
  parent_id = "<subscriptionId>"
  body = jsonencode({
    properties = {
      pricingTier = "Free"
    }
  })
}

Learn more about the ARM template AzAPI reference.

Bicep template

To disable Microsoft Defender for Storage (classic) at the subscription level with per-transaction pricing using Bicep, add the following to your Bicep template:

resource symbolicname 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Free'
  }
}

Learn more about the Bicep template AzAPI reference.

ARM template

To disable Microsoft Defender for Storage (classic) at the subscription level with per-transaction pricing using an ARM template, add this JSON snippet to the resources section of your ARM template:

{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2022-03-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Free",
  }
}

Learn more about the ARM template AzAPI reference.

PowerShell

To disable Microsoft Defender for Storage (classic) at the subscription level with per-transaction pricing using PowerShell:

  1. If you don't have it already, install the Azure Az PowerShell module.

  2. Use the Connect-AzAccount cmdlet to sign in to your Azure account. Learn more about signing in to Azure with Azure PowerShell. Disable Microsoft Defender for Storage for your subscription with the Set-AzSecurityPricing cmdlet:

    Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Free"

Azure CLI

To disable Microsoft Defender for Storage at the subscription level with per-transaction pricing using Azure CLI:

  1. If you don't have it already, install the Azure CLI.

  2. Use the az login command to sign in to your Azure account. Learn more about signing in to Azure with Azure CLI.

  3. Use these commands to set the subscription ID and name:

    az account set --subscription "<subscriptionId or name>"

    Replace <subscriptionId> with your subscription ID.

  4. Disable Microsoft Defender for Storage for your subscription with the az security pricing create command:

    az security pricing create -n StorageAccounts --tier "free"

Tip

You can use the az security pricing show command to see all of the Defender for Cloud plans that are enabled for the subscription.

To disable the plan, set the -tier property value to free.

Learn more about the az security pricing create command.

REST API

To enable Microsoft Defender for Storage at the subscription level with per-transaction pricing using the Microsoft Defender for Cloud REST API, create a PUT request with this endpoint and body:

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2022-03-01

{
"properties": {
    "pricingTier": "Standard",
    "subPlan": "PerTransaction"
    }
}

Replace {subscriptionId} with your subscription ID.

To disable the plan, set the -pricingTier property value to Free and remove the subPlan parameter.

Learn more about the updating Defender plans with the REST API in HTTP, Java, Go and JavaScript.

Next steps