Deploy Microsoft Defender for Storage

Microsoft Defender for Storage is an Azure-native solution that adds a layer of threat intelligence for detecting and mitigating threats against storage accounts. It draws on Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery, and it protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage. The service provides a comprehensive alert suite, near real-time malware scanning (as a paid add-on), and sensitive data threat detection (at no extra cost). Alerts carry enough detail to detect, assess, and respond to a potential threat quickly, which limits the impact on your data and workloads from malicious file uploads, sensitive data exfiltration, and data corruption.

With Microsoft Defender for Storage, organizations can customize their protection and enforce consistent security policies by enabling it on subscriptions and storage accounts with granular control and flexibility.

Tip

If you're currently using Microsoft Defender for Storage classic, consider migrating to the new plan, which offers several benefits over the classic plan.

Check out the Defender for Cloud pricing page to learn about pricing and regional availability.

Prerequisites

Before you enable Microsoft Defender for Storage, ensure you have the necessary permissions and prerequisites in place. For more information, see Prerequisites for Microsoft Defender for Storage.

Set up and configure Microsoft Defender for Storage

To enable and configure Microsoft Defender for Storage for maximum protection at a controlled cost, the following configuration options are available:

  • Enable or disable Microsoft Defender for Storage at the subscription level and at the individual storage account level.
  • Enable or disable the configurable features: malware scanning and sensitive data threat detection.
  • Set a monthly cap ("capping") on the volume of data scanned for malware per storage account to control costs (the default is 5,000 GB per month).
  • Configure how to respond to malware scanning results.
  • Configure where malware scanning results are logged.

Tip

The malware scanning feature has advanced configurations to help security teams support different workflows and requirements.

There are several ways to enable and configure Defender for Storage, including the Azure portal, Azure Policy, infrastructure-as-code templates, and the REST API.

We recommend enabling Defender for Storage through Azure Policy. This method scales well and ensures that a consistent security configuration is applied to all existing and future storage accounts within the defined scope, such as an entire management group, so that every storage account in scope stays protected according to the organization's defined configuration.

Note

To prevent migrating back to the legacy classic plan, disable the old Defender for Storage policies. Look for and disable the policies named Configure Azure Defender for Storage to be enabled, Azure Defender for Storage should be enabled, and Configure Microsoft Defender for Storage to be enabled (per-storage account plan), as well as any deny policies that block disabling the classic plan.
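The following is an added example, not Microsoft's own tooling or code from this page. It shows the REST API route for the configuration options listed above (plan enablement, malware scanning, the monthly cap, sensitive data threat detection, and the Event Grid destination for scan results) by building the request bodies for the subscription-level `pricings/StorageAccounts` resource and the storage-account-level `defenderForStorageSettings/current` resource, and it classifies a subscription's current plan so you can check that it is on the new plan rather than the classic one before touching the policies mentioned in the note. The API versions, the helper names, and the sample responses are assumptions of this example; verify the versions against the REST reference before use.

```python
"""Build and validate Defender for Storage enablement payloads (added example)."""
import json
import re
import urllib.request

# Assumed API versions; confirm against the Microsoft.Security REST reference.
PRICINGS_API_VERSION = "2023-01-01"
SETTINGS_API_VERSION = "2022-12-01-preview"
DEFAULT_CAP_GB = 5000                 # documented default monthly malware-scanning cap
NEW_PLAN = "DefenderForStorageV2"     # subPlan value of the new (non-classic) plan
ARM = "https://management.azure.com"
EVENT_GRID_TOPIC_RE = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.eventgrid/topics/[^/]+$", re.I)


def _check_cap(cap_gb):
    """The cap is GB scanned per month; reject zero, negatives, floats and bools."""
    if isinstance(cap_gb, bool) or not isinstance(cap_gb, int) or cap_gb <= 0:
        raise ValueError("cap_gb must be a positive integer number of GB per month")


def subscription_plan_payload(malware_scanning=True, sensitive_data=True, cap_gb=DEFAULT_CAP_GB):
    """PUT body for /subscriptions/{sub}/providers/Microsoft.Security/pricings/StorageAccounts."""
    _check_cap(cap_gb)
    malware_ext = {"name": "OnUploadMalwareScanning", "isEnabled": "True" if malware_scanning else "False"}
    if malware_scanning:
        malware_ext["additionalExtensionProperties"] = {"CapGBPerMonth": str(cap_gb)}
    return {"properties": {
        "pricingTier": "Standard",
        "subPlan": NEW_PLAN,
        "extensions": [
            malware_ext,
            {"name": "SensitiveDataDiscovery", "isEnabled": "True" if sensitive_data else "False"},
        ],
    }}


def storage_account_settings_payload(enabled=True, malware_scanning=True, cap_gb=DEFAULT_CAP_GB,
                                     sensitive_data=True, event_grid_topic_id=None,
                                     override_subscription=True):
    """PUT body for {storageAccountId}/providers/Microsoft.Security/defenderForStorageSettings/current."""
    _check_cap(cap_gb)
    malware = {"onUpload": {"isEnabled": malware_scanning, "capGBPerMonth": cap_gb}}
    if event_grid_topic_id is not None:
        # Scan results can be published to a custom Event Grid topic for automated response.
        if not EVENT_GRID_TOPIC_RE.match(event_grid_topic_id):
            raise ValueError("event_grid_topic_id must be an Event Grid topic resource ID")
        malware["scanResultsEventGridTopicResourceId"] = event_grid_topic_id
    return {"properties": {
        "isEnabled": enabled,
        "malwareScanning": malware,
        "sensitiveDataDiscovery": {"isEnabled": sensitive_data},
        "overrideSubscriptionLevelSettings": override_subscription,
    }}


def pricing_url(subscription_id):
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security/"
            f"pricings/StorageAccounts?api-version={PRICINGS_API_VERSION}")


def settings_url(storage_account_id):
    return (f"{ARM}{storage_account_id}/providers/Microsoft.Security/"
            f"defenderForStorageSettings/current?api-version={SETTINGS_API_VERSION}")


def plan_status(pricing_response):
    """Classify a GET pricings/StorageAccounts response as 'new', 'classic' or 'off'."""
    props = pricing_response.get("properties", {})
    if props.get("pricingTier") != "Standard":
        return "off"
    return "new" if props.get("subPlan") == NEW_PLAN else "classic"


def put(url, body, bearer_token):
    """Send a PUT with an ARM access token (network call; not used by the offline checks)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real tenant).
SAMPLE_CLASSIC = {"properties": {"pricingTier": "Standard", "subPlan": "PerTransaction"}}
SAMPLE_NEW = {"properties": {"pricingTier": "Standard", "subPlan": NEW_PLAN}}
SAMPLE_OFF = {"properties": {"pricingTier": "Free"}}

if __name__ == "__main__":
    for name, sample in (("classic", SAMPLE_CLASSIC), ("new", SAMPLE_NEW), ("off", SAMPLE_OFF)):
        print(name, "->", plan_status(sample))
    print(json.dumps(subscription_plan_payload(cap_gb=1000), indent=2))
```

Run `plan_status` on the real GET response first: a subscription that still reports a classic `subPlan` (or no `subPlan`) is the case the note above warns about, and the old policies must be disabled before the new plan is applied, or policy remediation will switch it back.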

Next steps