Enable and configure Defender for Storage at scale by using an Azure built-in policy

Enable Microsoft Defender for Storage through an Azure built-in policy. A policy assignment enables the service at scale and applies one consistent security configuration to every existing and future storage account within the assigned scope, such as an entire management group, so all of those accounts stay protected with Defender for Storage according to your organization's defined configuration.

Tip

You can always configure specific storage accounts with custom settings that differ from the settings configured at the subscription level. That is, you can override subscription-level settings.

Azure built-in policy

To enable and configure Defender for Storage at scale by using an Azure built-in policy, follow these steps:

  1. Sign in to the Azure portal and go to the Policy dashboard.

  2. On the left menu, select Definitions.

  3. In the Security Center category, search for and then select Configure Microsoft Defender for Storage to be enabled.

    This policy enables all Defender for Storage capabilities: activity monitoring, malware scanning, and sensitive-data threat detection. The same definition appears in the List of built-in policy definitions. If you want to enable only activity monitoring, without the configurable features, use Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) instead.

    Screenshot that shows where to select policy definitions.

  4. Select the policy and review it.

  5. Select Assign. You can fine-tune, edit, and add custom rules to the policy.

    Screenshot that shows where to assign a policy.

  6. After you finish reviewing the policy details, select Review + create.

  7. Select Create to assign the policy.
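The same assignment can be scripted for repeatable rollouts. The following Azure CLI script is an added example, not code from this page or from Microsoft; it resolves the built-in definition by its display name (so no definition GUID is hard-coded), assigns it at management-group scope, creates a remediation task, and summarizes compliance. Two points the portal steps hide: the definition uses the DeployIfNotExists effect, so the assignment needs a managed identity holding the roles the definition lists, and without a remediation task the policy only acts on storage accounts that are created or changed after the assignment. The management-group name, assignment name, identity region, and the default Contributor role are placeholders and assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the Microsoft Learn page: assign the built-in
# "Configure Microsoft Defender for Storage to be enabled" policy at
# management-group scope with the Azure CLI, remediate storage accounts that
# already exist, and summarize compliance afterwards.
#
# Assumptions (placeholders, not values from the page): MG_NAME,
# ASSIGNMENT_NAME, IDENTITY_LOCATION, and the role granted to the
# assignment's managed identity.
set -eu

MG_NAME="${MG_NAME:-mg-placeholder}"
ASSIGNMENT_NAME="${ASSIGNMENT_NAME:-defender-for-storage}"
IDENTITY_LOCATION="${IDENTITY_LOCATION:-eastus}"
DISPLAY_NAME="Configure Microsoft Defender for Storage to be enabled"
MG_SCOPE="/providers/Microsoft.Management/managementGroups/${MG_NAME}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each az command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Resolve the built-in definition by display name so no GUID is hard-coded.
# Set DEFINITION_NAME to skip the lookup (required in DRY_RUN mode).
definition_name() {
  if [ -n "${DEFINITION_NAME:-}" ]; then
    printf '%s\n' "$DEFINITION_NAME"
  else
    az policy definition list \
      --query "[?displayName=='${DISPLAY_NAME}'].name | [0]" -o tsv
  fi
}

# The definition is DeployIfNotExists, so the assignment needs a managed
# identity holding the roles the definition lists; read them, don't guess.
definition_roles() {
  az policy definition show --name "$1" \
    --query "policyRule.then.details.roleDefinitionIds" -o tsv
}

# Assign at management-group scope with a system-assigned identity. The role
# argument defaults to Contributor as an assumption; pass a role returned by
# definition_roles for a least-privilege grant.
assign_policy() {
  role="${1:-Contributor}"
  def="$(definition_name)"
  run az policy assignment create \
    --name "$ASSIGNMENT_NAME" \
    --display-name "$DISPLAY_NAME" \
    --policy "$def" \
    --scope "$MG_SCOPE" \
    --mi-system-assigned \
    --location "$IDENTITY_LOCATION" \
    --role "$role" \
    --identity-scope "$MG_SCOPE"
}

# DeployIfNotExists only acts on new or changed resources by itself; a
# remediation task applies the policy to storage accounts that already exist.
remediate_existing() {
  run az policy remediation create \
    --name "${ASSIGNMENT_NAME}-remediation" \
    --management-group "$MG_NAME" \
    --policy-assignment "$ASSIGNMENT_NAME"
}

# Compliance summary for this assignment: non-compliant resources here are
# storage accounts that Defender for Storage is not yet protecting.
compliance_summary() {
  run az policy state summarize \
    --management-group "$MG_NAME" \
    --policy-assignment "$ASSIGNMENT_NAME" \
    -o table
}

main() {
  assign_policy "$@"
  remediate_existing
  compliance_summary
}

# Usage: MG_NAME=my-mg ./enable-defender-storage.sh apply [role]
# Dry run: DRY_RUN=1 DEFINITION_NAME=<name> MG_NAME=my-mg ./enable-defender-storage.sh apply
if [ "${1:-}" = "apply" ]; then shift; main "$@"; fi
```

Run it with DRY_RUN=1 first to review the exact commands, then without it against a test management group before widening the scope. Remediation tasks at management-group scope can touch many subscriptions at once, so check the compliance summary after each stage rather than assuming the rollout completed.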

Tip

You can configure malware scanning to send scanning results to:

Learn more on how to set up a response for malware scanning results.