Exclude a storage account from a protected subscription in the per-transaction plan
When you enable Microsoft Defender for Storage on a subscription for the per-transaction pricing, all current and future Azure Storage accounts in that subscription are protected. You can exclude specific storage accounts from the Defender for Storage protections using the Azure portal, PowerShell, or the Azure CLI.
We don't recommend that you exclude storage accounts from Defender for Storage, because attackers can use any gap in coverage to compromise your environment. If you want to optimize your Azure costs and remove storage accounts that you consider low risk from Defender for Storage, you can use the Price Estimation Workbook in the Azure portal to evaluate the cost savings first.
Exclude an Azure Storage account protection on a subscription with per-transaction pricing
To exclude an Azure Storage account from Microsoft Defender for Storage:
Use PowerShell to exclude an Azure Storage account
1. If you don't have the Azure Az PowerShell module installed, install it using the instructions from the Azure PowerShell documentation.
2. Using an authenticated account, connect to Azure with the Connect-AzAccount cmdlet, as explained in Sign in with Azure PowerShell.
3. Define the AzDefenderPlanAutoEnable tag on the storage account with the Update-AzTag cmdlet (replace <resourceId> with the resource ID of the relevant storage account):

   Update-AzTag -ResourceId <resourceId> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge

   If you skip this stage, your untagged resources will continue receiving daily updates from the subscription-level enablement policy. That policy will enable Defender for Storage again on the account.

   Tip
   Learn more about tags in Use tags to organize your Azure resources and management hierarchy.
4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using the same resource ID):

   Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
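As an added example (not from the Microsoft documentation), the two PowerShell steps above wrapped in a hypothetical helper that verifies the tag was applied before disabling the plan and reports the resulting state; the function name is an assumption, the cmdlets are the ones named on this page plus their Get- counterparts.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Security

# Hypothetical helper (not from the Microsoft docs): exclude one storage
# account from the per-transaction Defender for Storage plan and verify it.
function Set-DefenderStorageExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Full ARM resource ID of the storage account, e.g.
        # /subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
        [Parameter(Mandatory)]
        [string]$ResourceId
    )

    # Step 1: opt the account out of the subscription-level auto-enable policy.
    # -Operation Merge keeps any tags the account already carries.
    if ($PSCmdlet.ShouldProcess($ResourceId, 'Tag AzDefenderPlanAutoEnable=off')) {
        Update-AzTag -ResourceId $ResourceId `
            -Tag @{ 'AzDefenderPlanAutoEnable' = 'off' } -Operation Merge | Out-Null
    }

    # Confirm the tag landed; without it the daily policy run re-enables the plan,
    # so disabling now would only buy a temporary exclusion.
    $tags = (Get-AzTag -ResourceId $ResourceId).Properties.TagsProperty
    if ($tags['AzDefenderPlanAutoEnable'] -ne 'off') {
        throw "Tag AzDefenderPlanAutoEnable was not applied to $ResourceId; not disabling the plan."
    }

    # Step 2: turn the plan off for this account only.
    if ($PSCmdlet.ShouldProcess($ResourceId, 'Disable Defender for Storage')) {
        Disable-AzSecurityAdvancedThreatProtection -ResourceId $ResourceId | Out-Null
    }

    # Report the resulting state so the exclusion can be recorded and audited.
    $state = Get-AzSecurityAdvancedThreatProtection -ResourceId $ResourceId
    [pscustomobject]@{
        ResourceId      = $ResourceId
        AutoEnableTag   = $tags['AzDefenderPlanAutoEnable']
        DefenderEnabled = $state.IsEnabled
    }
}

# Usage (after Connect-AzAccount); -WhatIf previews both changes without applying them:
# Set-DefenderStorageExclusion -ResourceId '/subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>' -WhatIf
```

Keep the returned object with your change record: the tag value and DefenderEnabled together show whether the exclusion is complete and will survive the next policy evaluation.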
Exclude an Azure Databricks Storage account
Exclude an active Databricks workspace
Microsoft Defender for Storage can exclude specific active Databricks workspace storage accounts, when the plan is already enabled on a subscription.
To exclude an active Databricks workspace:
1. Sign in to the Azure portal.
2. Navigate to Azure Databricks > Your Databricks workspace > Tags.
3. In the Name field, enter AzDefenderPlanAutoEnable.
4. In the Value field, enter off.
5. Select Apply.
6. Navigate to Microsoft Defender for Cloud > Environment settings > Your subscription.
7. Toggle the Defender for Storage plan to Off.
8. Select Save.
9. Toggle the Defender for Storage plan to On.
10. Select Save.
The tag is inherited by the storage account of the Databricks workspace and prevents Defender for Storage from turning on for that account.
Note
Tags can't be added directly to the Databricks Storage account, or its Managed Resource Group.
Prevent auto-enabling on a new Databricks workspace storage account
When you create a new Databricks workspace, you can add a tag that prevents Microsoft Defender for Storage from enabling automatically on the workspace's storage account.
To prevent auto-enabling on a new Databricks workspace storage account:
1. Follow these steps to create a new Azure Databricks workspace.
2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.
3. Enter the value off.
4. Continue following the instructions to create your new Azure Databricks workspace.
The storage account of the Databricks workspace will inherit the tag from the workspace, which will prevent Defender for Storage from turning on automatically.