Required permissions for enabling Defender for Storage and its features
This article lists the permissions required to enable Defender for Storage and its features.
Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption.
Activity monitoring: Detects suspicious activities in storage accounts by analyzing data plane and control plane activities and using Microsoft Threat Intelligence, behavioral modeling, and machine-learning.
Malware Scanning: Scans all uploaded blobs in near-real time using Microsoft Defender Antivirus to protect storage accounts from malicious content.
Sensitive data threat detection: Prioritizes security alerts based on data sensitivity discovered by the Sensitive Data Discovery Engine, detects exposure events and suspicious activities, enhancing protection against data breaches.
Depending on the scenario, you need different levels of permissions to enable Defender for Storage and its features. You can enable and configure Defender for Storage at the subscription level or at the storage account level. You can also use built-in Azure policies to enable Defender for Storage and enforce its enablement on a desired scope.
The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles.
| Capability | Subscription level | Storage account level |
|---|---|---|
| Activity monitoring | Security Admin or Pricings/read, Pricings/write | Security Admin or Microsoft.Security/defenderforstoragesettings/read, Microsoft.Security/defenderforstoragesettings/write |
| Malware scanning | Subscription Owner or action set 1 | Storage Account Owner or action set 2 |
| Sensitive data threat detection | Subscription Owner or action set 1 | Storage Account Owner or action set 2 |
Note
Activity monitoring is always enabled when you enable Defender for Storage.
The action sets are collections of Azure resource provider operations that you can use to create custom roles. The action sets for enabling Defender for Storage and its features are:
Action set 1: Subscription level enablement and configuration
- Microsoft.Security/pricings/write
- Microsoft.Security/pricings/read
- Microsoft.Security/pricings/SecurityOperators/read
- Microsoft.Security/pricings/SecurityOperators/write
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
Action set 2: Storage account level enablement and configuration
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/read
- Microsoft.Security/defenderforstoragesettings/read
- Microsoft.Security/defenderforstoragesettings/write
- Microsoft.EventGrid/eventSubscriptions/read
- Microsoft.EventGrid/eventSubscriptions/write
- Microsoft.EventGrid/eventSubscriptions/delete
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for