Enable and configure with Infrastructure as Code templates
We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts currently in the subscription will be protected. Storage accounts that are created after enabling Defender for Storage on the subscription level will be protected up to 24 hours after creation.
Tip
You can always configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).
Terraform template
To enable and configure Microsoft Defender for Storage at the subscription level using Terraform, you can use the following code snippet:
resource "azurerm_security_center_subscription_pricing" "DefenderForStorage" {
tier = "Standard"
resource_type = "StorageAccounts"
subplan = "DefenderForStorageV2"
extension {
name = "OnUploadMalwareScanning"
additional_extension_properties = {
CapGBPerMonthPerStorageAccount = "5000"
}
}
extension {
name = "SensitiveDataDiscovery"
}
}
Modifying the monthly cap for malware scanning:
To modify the monthly cap for malware scanning per storage account, adjust the CapGBPerMonthPerStorageAccount
parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value "-1". The default limit is set at 5,000 GB.
Disabling features:
If you want to turn off the on-upload malware scanning or sensitive data threat detection features, you can remove the corresponding extension block from the Terraform code.
Disabling the entire Defender for Storage plan:
To disable the entire Defender for Storage plan, set the tier
property value to "Free" and remove the subPlan
and extension
properties.
Learn more about the azurerm_security_center_subscription_pricing
resource by referring to the azurerm_security_center_subscription_pricing documentation. Additionally, you can find comprehensive details on the Terraform provider for Azure in the Terraform AzureRM Provider documentation.
Bicep template
To enable and configure Microsoft Defender for Storage at the subscription level using Bicep, make sure your target scope is set to subscription, and add the following to your Bicep template:
resource StorageAccounts 'Microsoft.Security/pricings@2023-01-01' = {
name: 'StorageAccounts'
properties: {
pricingTier: 'Standard'
subPlan: 'DefenderForStorageV2'
extensions: [
{
name: 'OnUploadMalwareScanning'
isEnabled: 'True'
additionalExtensionProperties: {
CapGBPerMonthPerStorageAccount: '5000'
}
}
{
name: 'SensitiveDataDiscovery'
isEnabled: 'True'
}
]
}
}
Modifying the monthly cap for malware scanning:
To modify the monthly cap for malware scanning per storage account, adjust the CapGBPerMonthPerStorageAccount
parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.
Disabling features:
If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled
value to False under sensitive data discovery.
Disabling the entire Defender for Storage plan:
To disable the entire Defender for Storage plan, set the pricingTier
property value to Free and remove the subPlan
and extensions
properties.
Learn more about the Bicep template in the Microsoft security/pricings documentation.
Azure Resource Manager template
To enable and configure Microsoft Defender for Storage at the subscription level using an ARM (Azure Resource Manager) template, add this JSON snippet to the resources section of your ARM template:
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2023-01-01",
"name": "StorageAccounts",
"properties": {
"pricingTier": "Standard",
"subPlan": "DefenderForStorageV2",
"extensions": [
{
"name": "OnUploadMalwareScanning",
"isEnabled": "True",
"additionalExtensionProperties": {
"CapGBPerMonthPerStorageAccount": "5000"
}
},
{
"name": "SensitiveDataDiscovery",
"isEnabled": "True"
}
]
}
}
Modifying the monthly cap for malware scanning:
To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the CapGBPerMonthPerStorageAccount
parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.
Disabling features:
If you want to turn off the on-upload malware scanning or sensitive data threat detection features, you can change the isEnabled
value to False under sensitive data discovery.
Disabling the entire Defender for Storage plan:
To disable the entire Defender plan, set the pricingTier
property value to Free and remove the subPlan
and extension
properties.
Learn more about the ARM template in the Microsoft.Security/Pricings documentation.
Next steps
Learn more about the Microsoft.Security/DefenderForStorageSettings API documentation.