Exclude a storage account from a protected subscription in the per-transaction plan

When you enable Microsoft Defender for Storage on a subscription with per-transaction pricing, all current and future Azure Storage accounts in that subscription are protected. You can exclude specific storage accounts from Defender for Storage protection using the Azure portal, PowerShell, or the Azure CLI.

We don't recommend excluding storage accounts from Defender for Storage, because attackers can use any opening to compromise your environment. If you want to optimize your Azure costs and remove storage accounts that you consider low risk from Defender for Storage, you can use the Price Estimation Workbook in the Azure portal to evaluate the cost savings.

Exclude an Azure Storage account from protection on a subscription with per-transaction pricing

To exclude an Azure Storage account from Microsoft Defender for Storage:

Use PowerShell to exclude an Azure Storage account

  1. If you don't have the Azure Az PowerShell module installed, install it using the instructions from the Azure PowerShell documentation.

  2. Using an authenticated account, connect to Azure with the Connect-AzAccount cmdlet, as explained in Sign in with Azure PowerShell.

  3. Define the AzDefenderPlanAutoEnable tag on the storage account with the Update-AzTag cmdlet (replace <resourceId> with the resource ID of the relevant storage account):

    Update-AzTag -ResourceId <resourceId> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge

    If you skip this step, your untagged resources will continue receiving daily updates from the subscription-level enablement policy. That policy will enable Defender for Storage again on the account.

  4. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet (using the same resource ID):

    Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId> 

    Learn more about this cmdlet.
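The tag-then-disable order from steps 3 and 4, followed by an audit of which storage accounts in the subscription are actually excluded, as an added example that is not part of the original page or Microsoft's own code. The function names are hypothetical, and the script assumes the Az.Resources, Az.Storage and Az.Security modules and an existing Connect-AzAccount session.

```powershell
# Added example. Function names are hypothetical; run after Connect-AzAccount.
$TagName = 'AzDefenderPlanAutoEnable'

function Get-AutoEnableTagValue {
    param($Tags)
    if (-not $Tags) { return $null }
    # Azure tag names are case-insensitive, so match the key with -eq.
    foreach ($key in $Tags.Keys) {
        if ($key -eq $TagName) { return $Tags[$key] }
    }
    return $null
}

function Set-DefenderStorageExclusion {
    param([Parameter(Mandatory)][string]$ResourceId)
    # Step 3 first: without the tag, the subscription-level policy re-enables the plan.
    Update-AzTag -ResourceId $ResourceId -Tag @{ $TagName = 'off' } -Operation Merge | Out-Null
    # Step 4: disable Defender for Storage on this account.
    Disable-AzSecurityAdvancedThreatProtection -ResourceId $ResourceId | Out-Null
}

function Get-DefenderStorageExclusionState {
    # One row per storage account in the current subscription.
    foreach ($account in Get-AzStorageAccount) {
        $tagValue = Get-AutoEnableTagValue -Tags $account.Tags
        $atp      = Get-AzSecurityAdvancedThreatProtection -ResourceId $account.Id
        # The page gives the value as lowercase "off", so compare it exactly.
        $tagged   = ($tagValue -ceq 'off')

        if ($tagged -and -not $atp.IsEnabled) { $status = 'Excluded' }
        elseif ($tagged)                      { $status = 'Tagged, still protected (step 4 missing)' }
        elseif (-not $atp.IsEnabled)          { $status = 'Disabled, untagged (policy will re-enable)' }
        else                                  { $status = 'Protected' }

        [pscustomobject]@{
            Account         = $account.StorageAccountName
            ResourceGroup   = $account.ResourceGroupName
            TagValue        = $tagValue
            DefenderEnabled = $atp.IsEnabled
            Status          = $status
        }
    }
}

# '<resourceId>' is a placeholder for the storage account's resource ID.
# Set-DefenderStorageExclusion -ResourceId '<resourceId>'
Get-DefenderStorageExclusionState | Sort-Object Status | Format-Table -AutoSize
```

Rows with the status "Excluded" are the accounts that no longer receive Defender for Storage protection, which makes the output a reviewable inventory of exclusions.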

Exclude an Azure Databricks Storage account

Exclude an active Databricks workspace

Microsoft Defender for Storage can exclude the storage accounts of specific active Databricks workspaces when the plan is already enabled on a subscription.

To exclude an active Databricks workspace:

  1. Sign in to the Azure portal.

  2. Navigate to Azure Databricks > Your Databricks workspace > Tags.

  3. In the Name field, enter AzDefenderPlanAutoEnable.

  4. In the Value field, enter off.

  5. Select Apply.


  6. Navigate to Microsoft Defender for Cloud > Environment settings > Your subscription.

  7. Toggle the Defender for Storage plan to Off.


  8. Select Save.

  9. Toggle the Defender for Storage plan to On.

  10. Select Save.

The tags will be inherited by the Storage account of the Databricks workspace and prevent Defender for Storage from turning on.


Tags can't be added directly to the Databricks Storage account, or its Managed Resource Group.

Prevent auto-enabling on a new Databricks workspace storage account

When you create a new Databricks workspace, you can add a tag that prevents Microsoft Defender for Storage from being enabled automatically on the workspace's storage account.

To prevent auto-enabling on a new Databricks workspace storage account:

  1. Follow these steps to create a new Azure Databricks workspace.

  2. In the Tags tab, enter a tag named AzDefenderPlanAutoEnable.

  3. Enter the value off.


  4. Continue following the instructions to create your new Azure Databricks workspace.

The storage account of the Databricks workspace will inherit the tag of the workspace, which will prevent Defender for Storage from turning on automatically.
