Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,183 questions
Setting defender settings for storage account via bicep does not work
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 8%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Sabine Seljeseth
0
Reputation points
I have included the following in my bicep in order to use Microsoft defender for cloud for my storage account (see code below). The pipeline that deploys the resources in azure goes through without issues and Microsoft defender for cloud gets enabled. The issue is that it does not seem to turn on malware scanning and sensitive data discovery which is also set in the bicep file. Has anyone experienced the same?
resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {
name: 'current'
scope: storageaccountname
properties: {
isEnabled: true
malwareScanning: {
onUpload: {
isEnabled: true
capGBPerMonth: 100
}
}
sensitiveDataDiscovery: {
isEnabled: true
}
overrideSubscriptionLevelSettings: true
}
}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 2%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Hari Babu Vattepally 80 Reputation points Microsoft Vendor2024-10-18T14:22:21.4+00:00 Thank you for contacting us on Microsoft Q&A Forum. Happy to help!
We see that the Bicep configuration for enabling Microsoft Defender for Storage is set up correctly. We would suggest you follow steps from the below document for advanced settings.
We also see that there are certain limitations on supporting features and services.
Here are some limitations of Unsupported features and services.
Unsupported features and services
- Unsupported storage accounts: Legacy v1 storage accounts aren't supported by malware scanning.
- Unsupported service: Azure Files isn't supported by malware scanning.
- Unsupported client: Blobs uploaded with Network File System (NFS) 3.0 protocol will not be scanned for malware upon upload.
- Unsupported regions: Jio India West, Korea South, South Africa West.
- Regions that are supported by Defender for Storage but not by malware scanning. Learn more about availability for Defender for Storage.
- Unsupported blob types: Append and Page blobs aren't supported for Malware Scanning.
- Unsupported encryption: Client-side encrypted blobs aren't supported as they can't be decrypted before scanning by the service. However, data encrypted at rest by Customer Managed Key (CMK) is supported.
- Unsupported index tag results: Index tag scan result isn't supported in storage accounts with Hierarchical namespace enabled (Azure Data Lake Storage Gen2).
- Event Grid: Event Grid topics that don't have public network access enabled (i.e. private endpoint connections) are not supported by malware scanning in Defender for Storage.
Here we have Advance configurations for Malware Scanning: https://zcusa.951200.xyz/en-us/azure/defender-for-cloud/advanced-configurations-for-malware-scanning
Hope this helps!
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sign in to comment
Sign in to answer