Enable and configure at scale with an Azure built-in policy
Enabling Defender for Storage via a policy is recommended because it facilitates enablement at scale and ensures that a consistent security policy is applied across all existing and future storage accounts within the defined scope (such as entire management groups). This keeps the storage accounts protected with Defender for Storage according to the organization's defined configuration.
You can always configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).
Azure built-in policy
To enable and configure Defender for Storage at scale with an Azure built-in policy, follow these steps:
Sign in to the Azure portal and navigate to the Policy dashboard.
In the Policy dashboard, select Definitions from the left-side menu.
In the “Security Center” category, search for and then select Configure Microsoft Defender for Storage to be enabled. This policy enables all Defender for Storage capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. You can also get it here: List of built-in policy definitions. If you want to enable a policy without the configurable features, use Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only).
Select the policy and review it.
Select Assign and edit the policy details. You can fine-tune, edit, and add custom rules to the policy.
Once you have completed reviewing, select Review + create.
Select Create to assign the policy.
Malware Scanning can be configured to send scanning results to the following:
Event Grid custom topic - for near-real time automatic response based on every scanning result. Learn more how to configure malware scanning to send scanning events to an Event Grid custom topic.
Log Analytics workspace - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to configure malware scanning to send scanning results to a Log Analytics workspace.
Learn more on how to set up response for malware scanning results.