Microsoft Defender for Storage gives you threat detection for Blob, File, and Data Lake storage, catching malware uploads, suspicious access patterns, and data exfiltration. If it's off, those attacks go unnoticed. Turn it on at the subscription level with a single Azure CLI command or a built-in Azure Policy.
Azure Storage accounts are one of the most heavily targeted resources in the cloud. They hold backups, customer uploads, application data, logs, and sometimes secrets that should never have been written there in the first place. Microsoft Defender for Storage is the layer that watches those accounts for malicious activity, and this Lensix check flags any subscription where it isn't switched on.
This post covers what the check looks at, why an unmonitored storage account is a real liability, and exactly how to enable Defender for Storage without breaking anything or running up a surprise bill.
What this check detects
The defender_storage check inspects the Microsoft Defender for Cloud pricing configuration for each Azure subscription. Specifically, it looks at the StorageAccounts plan and confirms whether the tier is set to Standard (enabled) or Free (disabled).
When the plan is set to Free, you get the baseline Defender for Cloud recommendations but none of the active threat detection for storage. That means no alerts when someone uploads a malicious file, no detection of anomalous access from unusual locations, and no warning when a principal suddenly starts enumerating and downloading containers.
Note: Defender for Storage is a subscription-level plan. Enabling it on the subscription covers every existing and newly created storage account in that subscription (individual accounts can still be excluded, or enabled on their own via the account-level setting), which is why this check operates at the subscription scope rather than inspecting each storage account.
Why it matters
Without Defender for Storage, a compromised storage account looks exactly like a healthy one. There's no behavioral baseline and nothing watching for the patterns that usually precede a breach. Here are the scenarios it's built to catch.
Malware distribution through blob storage
Attackers love storage accounts that serve files to end users or back a public website. Upload a malicious payload to a container that's later downloaded by victims, and you've turned someone else's infrastructure into a malware host. Defender for Storage scans blobs as they are uploaded (and on demand) with Microsoft Defender Antivirus engines, and hash reputation analysis flags uploads whose hashes match known malware; either path raises an alert on the storage account.
Data exfiltration
A leaked SAS token or an over-permissioned service principal can be used to bulk-download data. Defender flags unusual extraction volumes, access from Tor exit nodes, and downloads from IP addresses that have never touched the account before.
Reconnaissance and access anomalies
Before stealing data, attackers map what's there. Defender detects unusual enumeration of containers and blobs, access using anonymous methods on accounts that normally require authentication, and permission changes that widen exposure.
Warning: Compliance frameworks including PCI DSS, SOC 2, and ISO 27001 expect threat monitoring on systems that store sensitive data. An auditor who finds storage accounts with no detection coverage will treat it as a gap, regardless of whether an incident occurred.
The business impact is straightforward: a storage breach without detection is a breach you find out about from a customer, a researcher, or a ransom note rather than from your own tooling. The detection lag is where the damage compounds.
How to fix it
You can enable Defender for Storage from the portal, the CLI, or infrastructure as code. The recommended plan today is the newer Defender for Storage plan (sub-plan DefenderForStorageV2), which adds on-upload malware scanning and sensitive data threat detection and is billed per storage account per month. It replaces the classic plan, whose default pricing was per transaction.
Option 1: Azure CLI
Set the Defender for Storage plan to Standard for the subscription:
az security pricing create \
  --name StorageAccounts \
  --tier Standard \
  --subscription "<subscription-id>"
To enable the newer sub-plan with malware scanning and sensitive data threat detection, pass the --subplan and --extensions parameters (the REST API exposes the same fields, and is the route to take if your CLI version predates them):
az security pricing create \
  --name StorageAccounts \
  --tier Standard \
  --subplan DefenderForStorageV2 \
  --extensions name=OnUploadMalwareScanning isEnabled=True \
  --extensions name=SensitiveDataDiscovery isEnabled=True \
  --subscription "<subscription-id>"
Confirm it took effect:
az security pricing show \
  --name StorageAccounts \
  --query "{name:name, tier:pricingTier, subplan:subPlan}" \
  --output table
Warning: The newer plan bills a flat monthly rate per storage account, with an overage charge for accounts with very high transaction volumes, and on-upload malware scanning adds a per-GB charge for the data it scans. Accounts that ingest large volumes of uploads can generate meaningful cost. Review your upload volumes and set a monthly scanning cap per storage account before enabling malware scanning broadly.
Option 2: Azure Portal
- Open Microsoft Defender for Cloud in the portal.
- Go to Environment settings and select your subscription.
- On the Defender plans page, find the Storage row.
- Toggle the plan to On.
- Click Settings next to the plan to enable On-upload malware scanning and Sensitive data threat detection, then set a monthly scanning cap if you want one.
- Click Save.
Option 3: Terraform
If you manage Azure with Terraform, enable the plan declaratively so it stays enabled (the subplan argument and the extension blocks need a recent azurerm provider):

resource "azurerm_security_center_subscription_pricing" "storage" {
  tier          = "Standard"
  resource_type = "StorageAccounts"
  subplan       = "DefenderForStorageV2"

  # On-upload malware scanning, capped per storage account per month
  # so a burst of uploads cannot produce an unbounded scanning bill.
  extension {
    name = "OnUploadMalwareScanning"
    additional_extension_properties = {
      CapGBPerMonthPerStorageAccount = "5000"
    }
  }

  # Sensitive data threat detection (no extra properties required).
  extension {
    name = "SensitiveDataDiscovery"
  }
}
Tip: The CapGBPerMonthPerStorageAccount property is your safety valve against runaway scanning costs. Set it to a value that matches your expected upload volume so a sudden spike in uploads can't blow up the bill.
How to prevent it from happening again
Enabling the plan once isn't enough. New subscriptions get created, plans get toggled off during cost reviews, and Terraform state drifts. Make the desired state enforceable.
Use the built-in Azure Policy
Azure ships a policy that configures Defender for Storage automatically. Assign it at the management group level so every subscription underneath inherits it:
# Assign the built-in policy that enables Defender for Storage
az policy assignment create \
  --name "enable-defender-storage" \
  --display-name "Configure Microsoft Defender for Storage" \
  --policy "cfdc5972-75b3-4418-8155-edab9c0d8e26" \
  --scope "/providers/Microsoft.Management/managementGroups/<mg-id>" \
  --location "eastus" \
  --mi-system-assigned \
  --role "Owner"
This is a DeployIfNotExists policy. It fires when a subscription in scope is created or updated, but subscriptions that already exist, or that later drift back to the free tier, only show up as non-compliant until you run a remediation task (az policy remediation create) against the assignment. Run one right after assignment to bring existing subscriptions into line, and re-run it whenever the compliance view shows drift.
Note: DeployIfNotExists policies need a managed identity with permissions to make the change. The --mi-system-assigned and --role flags above handle that. Owner is broader than this policy needs; the policy definition lists the role definitions it requires, and you can grant only those. Without the right role assignment, the policy will report non-compliance but never fix it.
Gate it in CI/CD
If your subscriptions are provisioned through pipelines, add a check that fails the build when the Defender for Storage plan is anything other than Standard. Note that this checks the tier only, so a subscription still on the classic sub-plan passes; compare subPlan as well if you require malware scanning:

tier=$(az security pricing show --name StorageAccounts --query pricingTier -o tsv)
if [ "$tier" != "Standard" ]; then
  echo "Defender for Storage is not enabled. Failing pipeline."
  exit 1
fi
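The following script is an added example, not Lensix's own code and not taken from Microsoft's documentation. It ties the CLI enablement from Option 1 and the pipeline gate above into one audit that walks every subscription the signed-in identity can see, checks tier, sub-plan and the on-upload malware scanning flag together, and can remediate through the REST API so the scanning cap is set in the same call. It assumes Azure CLI with a logged-in identity that can read and write Microsoft.Security/pricings, and the pricings API version 2023-01-01 (the version that carries the extensions field); the decision logic and the request-body builder run without any Azure access.

```shell
#!/usr/bin/env bash
# Added example (not Lensix's code): audit Defender for Storage across all
# subscriptions and optionally remediate via the REST API with a scanning cap.
# Assumptions: az CLI is logged in with rights on Microsoft.Security/pricings,
# and api-version 2023-01-01 is available for the pricings resource.

EXPECTED_SUBPLAN="DefenderForStorageV2"
CAP_GB_PER_MONTH="${CAP_GB_PER_MONTH:-5000}"   # safety valve for scanning cost

# Pure decision function: tier, sub-plan and malware-scanning flag in, verdict out.
# Prints the reason and returns 0 only when the full plan is enabled.
defender_storage_status() {
  tier="$1"; subplan="$2"; malware="$3"
  if [ "$tier" != "Standard" ]; then
    echo "plan tier is '${tier}' (expected Standard)"; return 1
  fi
  if [ "$subplan" != "$EXPECTED_SUBPLAN" ]; then
    echo "subplan is '${subplan}' (classic plan; expected ${EXPECTED_SUBPLAN})"; return 1
  fi
  case "$malware" in
    True|true) echo "compliant"; return 0 ;;
    *) echo "on-upload malware scanning is '${malware}' (expected True)"; return 1 ;;
  esac
}

# Builds the PUT body for the pricings resource. Kept separate from the network
# call so it can be inspected offline. $1 is the per-account monthly cap in GB.
plan_body() {
  printf '{"properties":{"pricingTier":"Standard","subPlan":"%s","extensions":[{"name":"OnUploadMalwareScanning","isEnabled":"True","additionalExtensionProperties":{"CapGBPerMonthPerStorageAccount":"%s"}},{"name":"SensitiveDataDiscovery","isEnabled":"True"}]}}' \
    "$EXPECTED_SUBPLAN" "$1"
}

# Reads tier, sub-plan and the malware flag in one call. to_string() turns
# nulls into the literal "null" so the three fields keep their positions.
query_plan() {
  az security pricing show --name StorageAccounts --subscription "$1" \
    --query "join(' ', [pricingTier, to_string(subPlan), to_string(extensions[?name=='OnUploadMalwareScanning'].isEnabled | [0])])" \
    --output tsv
}

# Enables the full plan on one subscription through the REST API.
enable_plan() {
  az rest --method put \
    --url "https://management.azure.com/subscriptions/$1/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2023-01-01" \
    --body "$(plan_body "$CAP_GB_PER_MONTH")" >/dev/null
}

# Walks every enabled subscription; with --fix, remediates instead of failing.
scan() {
  fix="$1"; failed=0
  for sub in $(az account list --query "[?state=='Enabled'].id" --output tsv); do
    set -- $(query_plan "$sub")          # three whitespace-separated fields
    if reason=$(defender_storage_status "$1" "$2" "$3"); then
      echo "OK    $sub"
    elif [ "$fix" = "--fix" ]; then
      echo "FIX   $sub: $reason"; enable_plan "$sub"
    else
      echo "FAIL  $sub: $reason"; failed=1
    fi
  done
  return "$failed"
}

# No Azure calls are made unless a flag is given, so the pure functions can be
# sourced and tested. Usage: ./defender_storage_audit.sh --audit | --fix
case "${1:-}" in
  --audit) scan ;;
  --fix)   scan --fix ;;
esac
```

In a pipeline, run it with --audit and let the non-zero exit status fail the build; reserve --fix for a scheduled job running under an identity that is allowed to change pricing plans, and set CAP_GB_PER_MONTH to match the expected upload volume before letting it loose on production subscriptions.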
Keep Lensix watching
Policy enforcement covers the subscriptions you know about. Continuous monitoring covers the ones you don't, including subscriptions created outside your IaC workflow. The defender_storage check runs on every scan and surfaces any subscription that slips through, so you find the gap before an attacker does.
Best practices
- Enable at the management group level. Configuring each subscription by hand guarantees you'll eventually miss one. Inheritance from a management group covers new subscriptions automatically.
- Turn on malware scanning for accounts that accept uploads. Any storage account that ingests files from users or external systems is a malware vector. On-upload scanning is the most direct mitigation.
- Set scanning caps before going broad. Protect the budget with per-account monthly limits so a misbehaving client or a load test doesn't generate an unexpected invoice.
- Route alerts to a real destination. Connect Defender for Cloud alerts to your SIEM, Microsoft Sentinel, or a notification workflow. Detection that nobody sees is the same as no detection.
- Pair detection with prevention. Defender tells you when something is wrong. Disabling public blob access, requiring Entra ID authentication, and rotating SAS tokens reduce the chances it has anything to alert on.
Tip: Defender for Storage works best alongside the other Defender plans. If you're enabling it, take the same pass through Defender for Servers, Key Vault, and Containers in the same subscription so your detection coverage is consistent rather than patchy.
Defender for Storage is a low-effort, high-leverage control. One subscription-level setting buys you malware scanning, exfiltration detection, and access anomaly alerts across every storage account you own. The only real decision is managing the cost, and the per-account caps make that manageable. Enable it, enforce it with policy, and let Lensix confirm it stays that way.