Deploying Defender for Storage with Azure Policy
Hello everyone!
Protecting your data in Azure matters because threats can come from anywhere. Defender for Storage can protect you against malicious file uploads, sensitive data exfiltration and data corruption. Storage accounts can grow very large over time and often hold important application or company data, so use Defender for Storage to protect these company assets. The configuration is straightforward, and I'm going to show you how to configure it with Azure Policy.
Prerequisites
- Azure subscription with credits
- Owner rights on the subscription (fewer rights are also possible, but the setup will take more time)
- Storage account setup with some data
Configure Defender for Storage
- When you have met the prerequisites, start by going to the Azure portal. Search at the top for the word Policy and click on it.

- Now go to the Assignments tab to search for the correct policy.

- Click on Assignments and then on Assign Policy.

- Now you are in the assignment tab of Azure Policy. Click on the Policy definition field and search for Defender for Storage. Click on the latest version at the top; this version has the correct parameters set up.

- Now that the correct policy is selected, check that the scope at the top is correct. I will run this at subscription level, but it is also possible to run it at management group level to cover multiple subscriptions. Now click on Next.

- The next tab does not need any configuration; this is the case for some of the policies in Azure. We will show the exact parameters configured later on. Click on Next.

- This step asks you to create a remediation task. It is important that storage accounts get Defender for Storage activated, and this policy can ensure that it is active on all of the storage accounts in your subscriptions.

- Here you can define the non-compliance message for resources that are not compliant. This is useful when working with a team of cloud engineers who have not secured their resources: they will see this message on their storage accounts. Click on Next.

- Here you see an overview of the settings you configured. Check that everything is in place correctly, then click on Create.

- When your policy assignment is created, you will see it in the list of assignments. When your list is very long, you will need to search for it.

Checking the compliance
When the Azure Policy assignment is configured, you can check whether everything is set up correctly. At first the policy needs time to evaluate and remediate the resources in your subscriptions. Here you can see an overview of your non-compliant resources. As you can see, my storage account was not ready yet.

You can also click on it to check which resources are not compliant. Now you see my resources; I only have one storage account for this setup. It will be remediated eventually. This could take some time if you have multiple storage accounts.

Remediation of resources
After some time the remediation takes place and your resources will have Defender for Storage activated. Here are some screenshots of the remediated resources.


Parameters explained
All Azure policies have settings configured to take action and to check compliance. These are the parameters of the Defender for Storage policy in Azure at the time of writing; they may be outdated by the time you read this post.
As you can see, the following parameters are active.

Sensitive Data Threat Detection Enabled: This checks your storage accounts for sensitive data and ensures that data is protected.
Malware Scanning Enabled: This uses Microsoft Defender Antivirus to scan your storage accounts for malware, which helps keep your data safe. You do not want malware corrupting your data, and Microsoft actively scans this data to prevent corruption.
Cap GB Per Month per Storage Account: Your Defender for Storage plan is capped at 5000 GB per month per storage account, because the scanned data volume can get very large and raise your Azure running costs significantly. This can be changed by clicking on Edit Assignment.
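For readers who prefer to script the portal steps above (assignment, remediation task, compliance check) with the same three parameters, here is an added Az PowerShell example; it is not from the original post. It assumes the built-in definition's display name starts with "Configure Microsoft Defender for Storage to be enabled", that the assignment's managed identity lives in westeurope, and that the parameter names in `$params` match the built-in definition (confirm them against `$def` before running).

```powershell
# Added example (not from the original post): Az PowerShell equivalent of the portal walkthrough.
# Assumptions: display-name pattern, identity region and the three parameter names below.
param(
    [string]$SubscriptionId = '<your-subscription-id>',   # placeholder, replace before use
    [string]$AssignmentName = 'enable-defender-for-storage'
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"   # subscription level, as in the post

# 1. Find the built-in DeployIfNotExists definition (the "latest version" chosen in the portal).
#    Older Az.Resources exposes DisplayName under .Properties, newer versions at top level.
$pattern = 'Configure Microsoft Defender for Storage to be enabled*'   # assumed display name
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.DisplayName -like $pattern -or $_.Properties.DisplayName -like $pattern } |
    Select-Object -First 1
if (-not $def) { throw 'Built-in Defender for Storage policy not found; check the display name.' }

# 2. The three parameters described in the post (names assumed; verify against $def).
$params = @{
    isSensitiveDataDiscoveryEnabled = $true   # Sensitive Data Threat Detection Enabled
    isMalwareScanningEnabled        = $true   # Malware Scanning Enabled
    capGBPerMonthPerStorageAccount  = 5000    # Cap GB Per Month per Storage Account
}

# 3. Assign with a system-assigned identity; DeployIfNotExists cannot remediate without one.
$assignment = New-AzPolicyAssignment -Name $AssignmentName `
    -DisplayName 'Enable Defender for Storage on all storage accounts' `
    -Scope $scope -PolicyDefinition $def -PolicyParameterObject $params `
    -IdentityType SystemAssigned -Location 'westeurope' `
    -NonComplianceMessage @{ Message = 'Defender for Storage must be enabled on this storage account.' }

# 4. The portal grants the identity the roles the definition requests; do it explicitly here
#    by reading roleDefinitionIds from the definition instead of guessing a role name.
$rule = if ($def.PolicyRule) { $def.PolicyRule } else { $def.Properties.PolicyRule }
foreach ($roleId in $rule.then.details.roleDefinitionIds) {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId ($roleId.Split('/')[-1]) -Scope $scope | Out-Null
}

# 5. Start the remediation task rather than waiting for the next evaluation cycle.
Start-AzPolicyRemediation -Name "$AssignmentName-remediation" `
    -PolicyAssignmentId $assignment.PolicyAssignmentId -Scope $scope | Out-Null

# 6. Compliance check: storage accounts that are still non-compliant with this assignment.
Get-AzPolicyState -SubscriptionId $SubscriptionId `
    -Filter "PolicyAssignmentName eq '$AssignmentName' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Evaluation and remediation are asynchronous, so step 6 may still list the account for a while after step 5, exactly as the screenshots in the post show.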
Final Thoughts
Working with Azure Policy is easy, and securing your data in the Azure environment is important. This can also be used on FSLogix profiles, but be aware of the high monthly costs. Some industries need to be compliant, and Defender for Storage can help you get compliant. This service monitors threats on all your storage accounts, which can save a lot of time. So please check out this feature in the Azure portal. Feel free to comment on this post if you have any questions.
Resources
Understand scope in Azure Policy – Azure Policy | Microsoft Learn