Enable and configure at scale with an Azure built-in policy

We recommend enabling Defender for Storage via a policy. This method facilitates enablement at scale and ensures a consistent security policy is applied across all existing and future storage accounts within the defined scope, such as entire management groups. This keeps the storage accounts protected with Defender for Storage according to the organization's defined configuration.

Tip

You can always configure specific storage accounts with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings).

Azure built-in policy

To enable and configure Defender for Storage at scale with an Azure built-in policy, follow these steps:

  1. Sign in to the Azure portal and navigate to the Policy dashboard.

  2. In the Policy dashboard, select Definitions from the left-side menu.

  3. In the "Security Center" category, search for and then select Configure Microsoft Defender for Storage to be enabled. This policy enables all Defender for Storage capabilities: Activity monitoring, Malware scanning, and Sensitive data threat detection. You can also get it here: List of built-in policy definitions. If you want to enable a policy without the configurable features, use Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only).

    Screenshot that shows where to select policy definitions.

  4. Select the policy and review it.

  5. Select Assign and edit the policy details. You can fine-tune, edit, and add custom rules to the policy.

    Screenshot that shows where to assign the policy.

  6. Once you completed reviewing, select Review + create.

  7. Select Create to assign the policy.

Tip

Malware scanning can be configured to send scanning results to the following:
Event Grid custom topic - for near-real time automatic response based on every scanning result. Learn more how to configure malware scanning to send scanning events to an Event Grid custom topic.
Log Analytics workspace - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to configure malware scanning to send scanning results to a Log Analytics workspace.

Learn more on how to set up response for malware scanning results.

Next steps

Learn how to enable and configure Microsoft Defender for Storage with IaC templates.