Enable and configure with Infrastructure as Code templates

We recommend that you enable Defender for Storage at the subscription level. Doing so ensures that all storage accounts currently in the subscription are protected. Storage accounts created after Defender for Storage is enabled at the subscription level are protected within 24 hours of creation.

Tip

You can always configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).

Terraform template

To enable and configure Microsoft Defender for Storage at the subscription level using Terraform, you can use the following code snippet:

resource "azurerm_security_center_subscription_pricing" "DefenderForStorage" {
  tier          = "Standard"            # "Free" turns the plan off
  resource_type = "StorageAccounts"
  subplan       = "DefenderForStorageV2"

  # On-upload malware scanning, with a monthly per-storage-account cap in GB
  extension {
    name = "OnUploadMalwareScanning"
    additional_extension_properties = {
      CapGBPerMonthPerStorageAccount = "5000"
    }
  }

  # Sensitive data threat detection
  extension {
    name = "SensitiveDataDiscovery"
  }
}

Modifying the monthly cap for malware scanning:

To modify the monthly cap for malware scanning per storage account, adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

Disabling features:

If you want to turn off on-upload malware scanning or sensitive data threat detection, remove the corresponding extension block (OnUploadMalwareScanning or SensitiveDataDiscovery) from the Terraform code.

Disabling the entire Defender for Storage plan:

To disable the entire Defender for Storage plan, set the tier argument to "Free" and remove the subplan argument and the extension blocks.

Learn more about the azurerm_security_center_subscription_pricing resource by referring to the azurerm_security_center_subscription_pricing documentation. Additionally, you can find comprehensive details on the Terraform provider for Azure in the Terraform AzureRM Provider documentation.

Bicep template

To enable and configure Microsoft Defender for Storage at the subscription level using Bicep, make sure your target scope is set to subscription, and add the following to your Bicep template:

resource StorageAccounts 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}

Modifying the monthly cap for malware scanning:

To modify the monthly cap for malware scanning per storage account, adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

Disabling features:

If you want to turn off on-upload malware scanning or sensitive data threat detection, change the isEnabled value to 'False' in the corresponding extension entry (OnUploadMalwareScanning or SensitiveDataDiscovery).

Disabling the entire Defender for Storage plan:

To disable the entire Defender for Storage plan, set the pricingTier property value to Free and remove the subPlan and extensions properties.

Learn more about the Bicep template in the Microsoft security/pricings documentation.

Azure Resource Manager template

To enable and configure Microsoft Defender for Storage at the subscription level using an Azure Resource Manager (ARM) template, add this JSON snippet to the resources section of your ARM template:

{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2023-01-01",
    "name": "StorageAccounts",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "DefenderForStorageV2",
        "extensions": [
            {
                "name": "OnUploadMalwareScanning",
                "isEnabled": "True",
                "additionalExtensionProperties": {
                    "CapGBPerMonthPerStorageAccount": "5000"
                }
            },
            {
                "name": "SensitiveDataDiscovery",
                "isEnabled": "True"
            }
        ]
    }
}

Modifying the monthly cap for malware scanning:

To modify the monthly threshold for malware scanning in your storage accounts, adjust the CapGBPerMonthPerStorageAccount parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.

Disabling features:

If you want to turn off on-upload malware scanning or sensitive data threat detection, change the isEnabled value to "False" in the corresponding extension entry (OnUploadMalwareScanning or SensitiveDataDiscovery).

Disabling the entire Defender for Storage plan:

To disable the entire Defender for Storage plan, set the pricingTier property value to Free and remove the subPlan and extensions properties.

Learn more about the ARM template in the Microsoft.Security/Pricings documentation.
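As an added example (not part of the Microsoft documentation and not a Microsoft tool), the following Python script checks a Microsoft.Security/pricings resource taken from an ARM template against the settings this page recommends, and applies the three edits described above (changing the malware scanning cap, turning one extension off, disabling the whole plan) so that their effect can be verified in a pre-deployment review or CI step. The resource is the JSON snippet from this page embedded as constructed sample input; the function names and the min_cap_gb policy threshold are assumptions of this example, not part of the Azure API.

```python
"""Policy check for the Defender for Storage pricing resource in an ARM template.

Added example, not from the Microsoft documentation. The API stores isEnabled
as the strings "True"/"False", and the cap as a string where "-1" means
unlimited; both are handled below.
"""
from copy import deepcopy

# Constructed sample input: the subscription-level resource shown on this page.
ARM_PRICING_RESOURCE = {
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2023-01-01",
    "name": "StorageAccounts",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "DefenderForStorageV2",
        "extensions": [
            {"name": "OnUploadMalwareScanning", "isEnabled": "True",
             "additionalExtensionProperties": {"CapGBPerMonthPerStorageAccount": "5000"}},
            {"name": "SensitiveDataDiscovery", "isEnabled": "True"},
        ],
    },
}

REQUIRED_EXTENSIONS = ("OnUploadMalwareScanning", "SensitiveDataDiscovery")
DEFAULT_CAP_GB = 5000  # the default cap stated on this page


def _extensions(resource):
    """Map extension name -> extension object."""
    return {e["name"]: e for e in resource.get("properties", {}).get("extensions", [])}


def extension_enabled(resource, name):
    """True only if the named extension is present and isEnabled is the string 'True'."""
    ext = _extensions(resource).get(name)
    return ext is not None and str(ext.get("isEnabled", "False")).lower() == "true"


def malware_scan_cap_gb(resource):
    """Monthly cap in GB: None if scanning is off, -1 if unlimited."""
    if not extension_enabled(resource, "OnUploadMalwareScanning"):
        return None
    props = _extensions(resource)["OnUploadMalwareScanning"].get("additionalExtensionProperties", {})
    return int(props.get("CapGBPerMonthPerStorageAccount", str(DEFAULT_CAP_GB)))


def check_pricing_resource(resource, min_cap_gb=DEFAULT_CAP_GB):
    """Return a list of findings; an empty list means the resource passes the policy.

    min_cap_gb is an assumed organisational threshold, not an Azure setting.
    """
    findings = []
    if resource.get("type") != "Microsoft.Security/pricings" or resource.get("name") != "StorageAccounts":
        return ["not a StorageAccounts pricing resource"]
    props = resource.get("properties", {})
    if props.get("pricingTier") != "Standard":
        return ["plan is not enabled (pricingTier != Standard)"]  # nothing else applies on Free
    if props.get("subPlan") != "DefenderForStorageV2":
        findings.append("subPlan is not DefenderForStorageV2")
    for name in REQUIRED_EXTENSIONS:
        if not extension_enabled(resource, name):
            findings.append(f"extension {name} is not enabled")
    cap = malware_scan_cap_gb(resource)
    if cap is not None and cap != -1 and cap < min_cap_gb:
        findings.append(f"malware scanning cap {cap} GB is below the required {min_cap_gb} GB")
    return findings


def set_malware_scan_cap(resource, cap_gb):
    """The 'Modifying the monthly cap' edit; pass -1 for unlimited scanning."""
    out = deepcopy(resource)
    for ext in out["properties"].get("extensions", []):
        if ext["name"] == "OnUploadMalwareScanning":
            ext.setdefault("additionalExtensionProperties", {})["CapGBPerMonthPerStorageAccount"] = str(cap_gb)
    return out


def disable_extension(resource, name):
    """The 'Disabling features' edit: set isEnabled to 'False' on one extension."""
    out = deepcopy(resource)
    for ext in out["properties"].get("extensions", []):
        if ext["name"] == name:
            ext["isEnabled"] = "False"
    return out


def disable_plan(resource):
    """The 'Disabling the entire plan' edit: Free tier, no subPlan or extensions."""
    out = deepcopy(resource)
    out["properties"] = {"pricingTier": "Free"}
    return out


if __name__ == "__main__":
    print("baseline:", check_pricing_resource(ARM_PRICING_RESOURCE) or "OK")
    print("unlimited cap:", check_pricing_resource(set_malware_scan_cap(ARM_PRICING_RESOURCE, -1)) or "OK")
    print("low cap:", check_pricing_resource(set_malware_scan_cap(ARM_PRICING_RESOURCE, 100)))
    print("one extension off:", check_pricing_resource(disable_extension(ARM_PRICING_RESOURCE, "SensitiveDataDiscovery")))
    print("plan disabled:", check_pricing_resource(disable_plan(ARM_PRICING_RESOURCE)))
```

The same check can be run over a Bicep build output (bicep build emits the equivalent ARM JSON), so one policy covers both template styles; the Terraform block has to be checked from its plan output instead, since the attribute names differ.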

Next step

Learn more about the Microsoft.Security/DefenderForStorageSettings API documentation.