I would like to enable Azure Defender Malware scanning on my (StorageV2) Storage Account. I upgraded my subscription's MS Defender for Cloud plan. However, any attempt on enabling Malware scanning or Sensitive data discovery fails. While enabling on the subscription level (Subscription -> MS Defender for Cloud -> Cloud Workload Protection (CWP) -> Storage) I receive an error While enabling it on the Storage Account level I receive a different error Let me add, that I'm testing this functionality on Visual Studio Proffesional subscription.

The suggested solution here requires Azure Entra P1 or similar to create custom roles. Further the build in roles for EventGrid Contributor (etc. ) that one could use to avoid custom roles were not available to me in the list of built in roles in Entra. My solution to this was to navigate to Event Grid and create a new system topic for the storage account at hand. After deployment, with no further actions in the new resource, i could go back and successfully activate Malware Scanning . https://portal.azure.com/#view/Microsoft_Azure_EventGrid/SystemTopicCreateBlade After this I had a new event subscription in my previously created Event Grid

Impossible to enable Defender for Storage Malware scanning

PP 20

I would like to enable Azure Defender Malware scanning on my (StorageV2) Storage Account.

I upgraded my subscription's MS Defender for Cloud plan.

However, any attempt on enabling Malware scanning or Sensitive data discovery fails.

While enabling on the subscription level (Subscription -> MS Defender for Cloud -> Cloud Workload Protection (CWP) -> Storage) I receive an error
While enabling it on the Storage Account level I receive a different error

Let me add, that I'm testing this functionality on Visual Studio Proffesional subscription.

6 answers

Bobby 0 Reputation points

2025-02-26T14:10:02.32+00:00

The suggested solution here requires Azure Entra P1 or similar to create custom roles. Further the build in roles for EventGrid Contributor (etc. ) that one could use to avoid custom roles were not available to me in the list of built in roles in Entra.

My solution to this was to navigate to Event Grid and create a new system topic for the storage account at hand. After deployment, with no further actions in the new resource, i could go back and successfully activate Malware Scanning .

https://portal.azure.com/#view/Microsoft_Azure_EventGrid/SystemTopicCreateBlade

After this I had a new event subscription in my previously created Event Grid
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Impossible to enable Defender for Storage Malware scanning

6 answers

Your answer