Enable and configure with PowerShell

We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts currently in the subscription are protected. Storage accounts that are created after enabling Defender for Storage on the subscription level are protected within 24 hours of creation.

Tip

You can always configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).

Before working with PowerShell, perform the following steps:

1. If you don't have it already, install the Azure Az PowerShell module.

2. Use the Connect-AzAccount cmdlet to sign in to your Azure account. Learn more about signing in to Azure with Azure PowerShell.

3. Use these commands to register your subscription to the Microsoft Defender for Cloud Resource Provider:

   Set-AzContext -Subscription <subscriptionId>
   Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'
   

   Replace <subscriptionId> with your subscription ID.

Enable on a subscription

Enable Microsoft Defender for Storage at the subscription level with per-transaction pricing using Set-AzSecurityPricing cmdlet:

Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard" -SubPlan "DefenderForStorageV2" -Extension '[
    {
        "name": "OnUploadMalwareScanning",
            "isEnabled": "True",
        "additionalExtensionProperties": {
            "CapGBPerMonthPerStorageAccount": "6000"
        }
    },
    {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
    }]'

If no extension properties are provided for the cmdlet, both malware scanning and sensitive data discovery are enabled by default. The default monthly threshold per storage account for malware scanning is 5,000 GB.

To modify the monthly threshold for on-upload malware scanning in your storage accounts, adjust the CapGBPerMonthPerStorageAccount property to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

If you want to turn off the on-upload malware scanning or sensitive data threat detection features, you can change the isEnabled value to False on the OnUploadMalwareScanning or SensitiveDataDiscovery extension properties respectively. To disable the entire Defender plan, set the -PricingTier property value to Free and remove the -SubPlan and extension properties.

Tip

You can use the GetAzSecurityPricing cmdlet to see all of the Defender for Cloud plans that are enabled for the subscription.

Refer to the Azure PowerShell reference for details on the Set-AzSecurityPricing cmdlet.

Enable on a storage account

Enable and configure Microsoft Defender for Storage at the storage account level using the Update-AzSecurityDefenderForStorage cmdlet. In this example, replace the <SubscriptionId>, <ResourceGroupName>, and <StorageAccountName> with your own Azure subscription ID, resource group, and storage account names:

Update-AzSecurityDefenderForStorage -ResourceId "/subscriptions/<SubscriptionId>/resourcegroups/<ResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>" -IsEnabled -OverrideSubscriptionLevelSetting -OnUploadIsEnabled -OnUploadCapGbPerMonth 7000 -SensitiveDataDiscoveryIsEnabled

Note

With Defender for Storage enabled at the subscription level, the -OverrideSubscriptionLevelSetting parameter is necessary to override the settings at the subscription level. If the override parameter is not used, the extensions will be set according to the subscription level settings, regardless of the parameter values supplied in the cmdlet.

To modify the monthly threshold for malware scanning the storage account, adjust the -OnUploadCapGBPerMonth parameter to your preferred value. This parameter sets a cap on the maximum data to be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

The malware scan results can be sent to the Event Grid by supplying the Event Grid topic resource ID in the parameter -MalwareScanningScanResultsEventGridTopicResourceId "<resourceId>".

If you want to turn off the on-upload malware scanning or sensitive data threat detection features for the storage account, set -OnUploadIsEnabled:$false or -SensitiveDataDiscoveryIsEnabled:$false respectively.

To disable the entire Defender plan for the storage account, set IsEnabled:$false, -OnUploadIsEnabled:$false, and -SensitiveDataDiscoveryIsEnabled:$false.

Tip

You can use the Get-AzSecurityDefenderForStorage cmdlet to see the Defender for Storage settings for a storage account.

Refer to the Azure PowerShell reference for details on the Update-AzSecurityDefenderForStorage cmdlet.

Learn more about using PowerShell with Microsoft Defender for Cloud.

Tip

Malware Scanning can be configured to send scanning results to the following:
Event Grid custom topic - for near-real time automatic response based on every scanning result. Learn more how to configure malware scanning to send scanning events to an Event Grid custom topic.
Log Analytics workspace - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to configure malware scanning to send scanning results to a Log Analytics workspace.

Learn more on how to set up responses for malware scanning results.

Next steps

• Learn how to enable and Configure the Defender for Storage plan at scale with an Azure built-in policy.