Enable Microsoft Defender for Storage

Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

Microsoft Defender for Storage continuously analyzes the transactions of Azure Blob Storage, Azure Data Lake Storage, and Azure Files services. When potentially malicious activities are detected, security alerts are generated. Alerts are shown in Microsoft Defender for Cloud with the details of the suspicious activity, appropriate investigation steps, remediation actions, and security recommendations.

Analyzed transactions of Azure Blob Storage include operation types such as Get Blob, Put Blob, Get Container ACL, List Blobs, and Get Blob Properties. Examples of analyzed Azure Files operation types include Get File, Create File, List Files, Get File Properties, and Put Range.

Defender for Storage doesn't access the Storage account data, doesn't require you to enable access logs, and has no impact on Storage performance.

Note

A new pricing plan is now available for Microsoft Defender for Cloud that charges you according to the number of storage accounts that you protect (per-storage account).

In the legacy pricing, the cost increases with the number of analyzed transactions in the storage account (per-transaction). The new per-storage account pricing fixes the cost per storage account, but accounts with an exceptionally high transaction volume incur an overage charge.

For details about Defender for Storage pricing, see Microsoft Defender for Cloud pricing page.

Learn more about the benefits, features, and limitations of Defender for Storage. You can also learn more about Defender for Storage in the Defender for Storage episode of the Defender for Cloud in the Field video series.

Availability

Release state: General availability (GA)
Pricing: Microsoft Defender for Storage is billed as shown on the pricing page and in the Defender plans page in the Azure portal
Protected storage types: Blob Storage (Standard/Premium StorageV2, Block Blobs); Azure Files (over REST API and SMB); Azure Data Lake Storage Gen2 (Standard/Premium accounts with hierarchical namespaces enabled)
Clouds: Commercial clouds; Azure Government (per-transaction plan only); Azure China 21Vianet; Connected AWS accounts

Set up Microsoft Defender for Storage

Note

You can only enable per-storage account pricing at the subscription level.

With per-storage account pricing, you configure Defender for Storage at the subscription level, which protects all existing and new storage accounts in that subscription.

You can configure Microsoft Defender for Storage on your subscriptions in several ways:

Azure portal

To enable Microsoft Defender for Storage at the subscription level with per-storage account pricing using the Azure portal:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Select the subscription for which you want to enable Defender for Storage.

    Screenshot showing how to select a subscription in Defender for Cloud.

  4. On the Defender plans page, enable Defender for Storage per-storage account pricing with one of the following options:

    • Choose the Enable all button to enable Microsoft Defender for Cloud in the subscription.

    • To enable Microsoft Defender for Storage, locate Storage in the list and toggle the On button. Then choose Save.

      If you currently have Defender for Storage enabled with per-transaction pricing, select the New pricing plan available link and confirm the pricing change.

      Screenshot showing how to enable Defender for Storage in Defender for Cloud.

Microsoft Defender for Storage is now enabled for all storage accounts in this subscription.

To disable the plan, toggle the Off button for Defender for Storage on the Defender plans page.

Enable per-storage account pricing programmatically

Bicep template

To enable Microsoft Defender for Storage at the subscription level with per-storage account pricing using Bicep, add the following to your Bicep template:

resource symbolicname 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'PerStorageAccount'
  }
}

To disable the plan, set the pricingTier property value to Free and remove the subPlan property.

Learn more about the Bicep template AzAPI reference.

ARM template

To enable Microsoft Defender for Storage at the subscription level with per-storage account pricing using an ARM template, add this JSON snippet to the resources section of your ARM template:

{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2022-03-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "PerStorageAccount"
  }
}

To disable the plan, set the pricingTier property value to Free and remove the subPlan property.

Learn more about the ARM template AzAPI reference.

Terraform template

To enable Microsoft Defender for Storage at the subscription level with per-storage account pricing using a Terraform template, add this code snippet to your template with your subscription ID as the parent_id value:

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Security/pricings@2022-03-01"
  name = "StorageAccounts"
  parent_id = "<subscriptionId>"
  body = jsonencode({
    properties = {
      pricingTier = "Standard"
      subPlan = "PerStorageAccount"
    }
  })
}

To disable the plan, set the pricingTier property value to Free and remove the subPlan property.

Learn more about the Terraform template AzAPI reference.

REST API

To enable Microsoft Defender for Storage at the subscription level with per-storage account pricing using the Microsoft Defender for Cloud REST API, create a PUT request with this endpoint and body:

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2022-03-01

{
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "PerStorageAccount"
  }
}

Replace {subscriptionId} with your subscription ID.

Tip

You can use the Get and List API requests to see all of the Defender for Cloud plans that are enabled for the subscription.

To disable the plan, set the pricingTier property value to Free and remove the subPlan property.

Learn more about updating Defender plans with the REST API in HTTP, Java, Go, and JavaScript.
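As an added example (not Microsoft's code), the following Python builds the PUT endpoint and bodies described in the REST API section and audits a Get/List pricings response to report whether a subscription is on per-storage account, legacy per-transaction, or no Defender for Storage plan. The response shape (a "value" array of resources with "name" and "properties") is an assumption; only the pricingTier and subPlan fields come from the page, and the sample response is constructed.

```python
"""Added example (not Microsoft's code): build the Defender for Storage pricing
request described above and classify the plan state returned by the Get/List
pricings API. Runs offline against a constructed response."""

API_VERSION = "2022-03-01"
PLAN_NAME = "StorageAccounts"


def pricing_url(subscription_id: str) -> str:
    """PUT/GET endpoint for the StorageAccounts pricing of a subscription."""
    return (
        "https://management.azure.com/subscriptions/"
        f"{subscription_id}/providers/Microsoft.Security/pricings/"
        f"{PLAN_NAME}?api-version={API_VERSION}"
    )


def pricing_body(enable: bool) -> dict:
    """Enable: Standard + PerStorageAccount. Disable: Free with no subPlan."""
    if enable:
        return {"properties": {"pricingTier": "Standard", "subPlan": "PerStorageAccount"}}
    return {"properties": {"pricingTier": "Free"}}


def classify_plan(pricing: dict) -> str:
    """Map one pricing resource to a plan state. pricingTier/subPlan are the
    fields named on the page; a Standard tier without the PerStorageAccount
    subPlan is treated as the legacy per-transaction plan (assumption)."""
    props = pricing.get("properties", {})
    if props.get("pricingTier") != "Standard":
        return "disabled"
    if props.get("subPlan") == "PerStorageAccount":
        return "per-storage-account"
    return "per-transaction"


def audit_subscription(list_response: dict) -> dict:
    """Return {planName: state} for every plan in a List pricings response."""
    return {p["name"]: classify_plan(p) for p in list_response.get("value", [])}


# Constructed sample List response (shape assumed, not captured from Azure).
SAMPLE_LIST = {"value": [
    {"name": "StorageAccounts",
     "properties": {"pricingTier": "Standard", "subPlan": "PerStorageAccount"}},
    {"name": "VirtualMachines", "properties": {"pricingTier": "Free"}},
]}

if __name__ == "__main__":
    print(pricing_url("<subscriptionId>"))
    print(audit_subscription(SAMPLE_LIST))
```

Feeding the real List response into audit_subscription gives a quick check that the migration to per-storage account pricing actually took effect (allow up to 24 hours, as the FAQ notes).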

FAQ - Microsoft Defender for Storage pricing

Can I switch from an existing per-transaction pricing to per-storage account pricing?

Yes, you can migrate to per-storage account pricing in the Azure portal or using any of the other supported enablement methods. To migrate to per-storage account pricing, enable per-storage account pricing at the subscription level.

Can I return to per-transaction pricing after switching to per-storage account pricing?

Yes, you can enable per-transaction pricing to migrate back from per-storage account pricing using all enablement methods except for the Azure portal.

Will you continue supporting per-transaction pricing?

Yes, you can enable per-transaction pricing from all the enablement methods, except for the Azure portal.

Can I exclude specific storage accounts from protections in per-storage account pricing?

No, you can only enable per-storage account pricing for each subscription. All storage accounts in the subscription are protected.

How long does it take for per-storage account pricing to be enabled?

When you enable Microsoft Defender for Storage at the subscription level for per-storage account or per-transaction pricing, it takes up to 24 hours for the plan to be enabled.

Is there any difference in the feature set of per-storage account pricing compared to the legacy per-transaction pricing?

No. Both per-storage account and per-transaction pricing include the same features. The only difference is the pricing.

How can I estimate the cost for each pricing?

To estimate the cost according to each pricing for your environment, we created a pricing estimation workbook and a PowerShell script that you can run in your environment.

Next steps