Exclude a storage account from a protected subscription in the per-transaction plan

When you enable Microsoft Defender for Storage on a subscription for the per-transaction pricing, all current and future Azure Storage accounts in that subscription are protected. You can exclude specific storage accounts from the Defender for Storage protections using the Azure portal, PowerShell, or the Azure CLI.

We don't recommend that you exclude storage accounts from Defender for Storage because attackers can use any opening in order to compromise your environment. If you want to optimize your Azure costs and remove storage accounts that you feel are low risk from Defender for Storage, you can use the Price Estimation Workbook in the Azure portal to evaluate the cost savings.

Exclude an Azure Storage account protection on a subscription with per-transaction pricing

To exclude an Azure Storage account from Microsoft Defender for Storage:

PowerShell

Use PowerShell to exclude an Azure Storage account

1. If you don't have the Azure Az PowerShell module installed, install it using the instructions from the Azure PowerShell documentation.

2. Using an authenticated account, connect to Azure with the Connect-AzAccount cmdlet, as explained in Sign in with Azure PowerShell.

3. Define the AzDefenderPlanAutoEnable tag on the storage account with the Update-AzTag cmdlet (replace the ResourceId with the resource ID of the relevant storage account):

   Update-AzTag -ResourceId <resourceID> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge 
   

   If you skip this stage, your untagged resources will continue receiving daily updates from the subscription level enablement policy. That policy will enable Defender for Storage again on the account.

   Tip

   Learn more about tags in Use tags to organize your Azure resources and management hierarchy.

4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using the same resource ID):

   Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId> 
   

   Learn more about this cmdlet.

Azure CLI

Use Azure CLI to exclude an Azure Storage account

1. If you don't have Azure CLI installed, install it using the instructions from the Azure CLI documentation.

2. Using an authenticated account, connect to Azure with the login command as explained in Sign in with Azure CLI and enter your account credentials when prompted:

   az login
   

3. Define the AzDefenderPlanAutoEnable tag on the storage account with the tag update command (replace the ResourceId with the resource ID of the relevant storage account):

   az tag update --resource-id MyResourceId --operation merge --tags AzDefenderPlanAutoEnable=off
   

   If you skip this stage, your untagged resources will continue receiving daily updates from the subscription level enablement policy. That policy will enable Defender for Storage again on the account.

   Tip

   Learn more about tags in az tag.

4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the security atp storage command (using the same resource ID):

   az security atp storage update --resource-group MyResourceGroup  --storage-account MyStorageAccount --is-enabled false 
   

   Learn more about this command.

Azure portal

Use the Azure portal to exclude an Azure Storage account

1. Define the AzDefenderPlanAutoEnable tag on the storage account:

   1. From the Azure portal, open the storage account and select the Tags page.
   2. Enter the tag name AzDefenderPlanAutoEnable and set the value to off.
   3. Select Apply.

   

2. Verify that the tag has been added successfully. It should look similar to this:

   

3. Disable and then enable the Microsoft Defender for Storage on the subscription:

   1. From the Azure portal, open Microsoft Defender for Cloud.
   2. Open Environment settings > select the relevant subscription > Defender plans > toggle the Defender for Storage plan off > select Save > turn it back on > select Save.

   

Exclude an Azure Databricks Storage account

Exclude an active Databricks workspace

Microsoft Defender for Storage can exclude specific active Databricks workspace storage accounts, when the plan is already enabled on a subscription.

To exclude an active Databricks workspace:

1. Sign in to the Azure portal.

2. Navigate to Azure Databricks > Your Databricks workspace > Tags.

3. In the Name field, enter AzDefenderPlanAutoEnable.

4. In the Value field, enter off.

5. Select Apply.

   

6. Navigate to Microsoft Defender for Cloud > Environment settings > Your subscription.

7. Toggle the Defender for Storage plan to Off.

   

8. Select Save.

9. Toggle the Defender for Storage plan to On.

10. Select Save.

The tags will be inherited by the Storage account of the Databricks workspace and prevent Defender for Storage from turning on.

Note

Tags can't be added directly to the Databricks Storage account, or its Managed Resource Group.

Prevent auto-enabling on a new Databricks workspace storage account

When you create a new Databricks workspace, you have the ability to add a tag that will prevent your Microsoft Defender for Storage account from enabling automatically.

To prevent auto-enabling on a new Databricks workspace storage account:

1. Follow these steps to create a new Azure Databricks workspace.

2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.

3. Enter the value off.

   

4. Continue following the instructions to create your new Azure Databricks workspace.

The Microsoft Defender for Storage account will inherit the tag of the Databricks workspace, which will prevent Defender for Storage from turning on automatically.

Next steps

• Explore the Microsoft Defender for Storage – Price Estimation Dashboard