Enable and configure with PowerShell
We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts currently in the subscription are protected. Storage accounts that are created after enabling Defender for Storage on the subscription level are protected within 24 hours of creation.
Tip
You can always configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).
Before working with PowerShell, perform the following steps:
If you don't have it already, install the Azure Az PowerShell module.
Use the
Connect-AzAccount
 cmdlet to sign in to your Azure account. Learn more about signing in to Azure with Azure PowerShell.Use these commands to register your subscription to the Microsoft Defender for Cloud Resource Provider:
Set-AzContext -Subscription <subscriptionId> Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'
Replace
<subscriptionId>
with your subscription ID.
Enable Microsoft Defender for Storage at the subscription level with per-transaction pricing using Set-AzSecurityPricing
cmdlet:
Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard" -SubPlan "DefenderForStorageV2" -Extension '[
{
"name": "OnUploadMalwareScanning",
"isEnabled": "True",
"additionalExtensionProperties": {
"CapGBPerMonthPerStorageAccount": "6000"
}
},
{
"name": "SensitiveDataDiscovery",
"isEnabled": "True"
}]'
If no extension properties are provided for the cmdlet, both malware scanning and sensitive data discovery are enabled by default. The default monthly threshold per storage account for malware scanning is 5,000 GB.
To modify the monthly threshold for on-upload malware scanning in your storage accounts, adjust the CapGBPerMonthPerStorageAccount
property to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB.
If you want to turn off the on-upload malware scanning or sensitive data threat detection features, you can change the isEnabled
value to False
on the OnUploadMalwareScanning
or SensitiveDataDiscovery
extension properties respectively. To disable the entire Defender plan, set the -PricingTier
property value to Free
and remove the -SubPlan
and extension properties.
Tip
You can use the GetAzSecurityPricing cmdlet to see all of the Defender for Cloud plans that are enabled for the subscription.
Refer to the Azure PowerShell reference for details on the Set-AzSecurityPricing cmdlet.
Learn more about using PowerShell with Microsoft Defender for Cloud.
Tip
Malware scanning can be configured to send scanning results to the following:
Event Grid custom topic - for near-real time automatic response based on every scanning result. Learn more how to configure malware scanning to send scanning events to an Event Grid custom topic.
Log Analytics workspace - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to configure malware scanning to send scanning results to a Log Analytics workspace.
Learn more on how to set up responses for malware scanning results.