How to deploy Microsoft Defender for a storage account with bicep

Question

How to deploy Microsoft Defender for a storage account with bicep

Christopher Solum-Faeste 30

I'm trying to use bicep to enable Microsoft Defender for Cloud for a storage account in Azure. However, the defender is enabled but the "On-upload malware scanning" is not enabled even though I set the property to "true" in the bicep file.

I have been using the template from https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-infrastructure-as-code-enablement?tabs=enable-storage-account#bicep-template---storage-account

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' ...
resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {
  name: 'current'
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: 5000
      }
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    overrideSubscriptionLevelSettings: true
  }
}

Anybody that stumble upon this issue before and have a solution?

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Stanislav Zhelyazkov 29,481 MVP Volunteer Moderator

Hi,

This is the correct method. How have you identified that is not applied? Did you also enabled the Defender for Storage plan on the subscription where the storage account is located?

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Christopher Solum-Faeste 30 Reputation points

2024-04-03T14:29:56.9066667+00:00

I have checked in Azure:

I have also tried to upload a file to the storage and it wont trigger the malware scanning.

Everything looks as expected(as far as I know) except that the on-upload is not enabled.

Is there another template that needs to be used as well to get it all up and running except the one I posted before?

Stanislav Zhelyazkov 29,481 MVP Volunteer Moderator

I would try to enable the Defender for Storage plan as well. I think it is required that the plan is enabled on the subscription even if malware is not configured on subscription:

targetScope = 'subscription'

resource storageAccountsPricing 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: 5000
        }
      }
    ]
  }
}

Christopher Solum-Faeste 30 Reputation points

2024-04-08T12:11:26.4866667+00:00

I tried to enable both on subscription level and the storage settings with the bicep script and It now say its enabled. However, it doesn´t seem to trigger a scan when uploading to the storage account deployed through the bicep. But the defender scan does trigger when I create a storage account manually in Azure Portal and upload a file to it.
Stanislav Zhelyazkov 29,481 Reputation points MVP Volunteer Moderator

2024-04-08T13:33:38.27+00:00

May be open separate question for this or support request.

Christopher Solum-Faeste 30

I found out why the scan wouldn´t trigger. I had created a storage account looking like this:


resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'storageaccountname'
  location: 'location'
  kind: 'BlobStorage' .....

Apparently the tier of the storage account needs to be:

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { 
	name: 'storageaccountname'  
	location: 'location'  
	kind: 'StorageV2' <----- I changed this from 'BlobStorage' to 'StorageV2'.

So the change on the "kind" property made the difference.

Stanislav Zhelyazkov 29,481 Reputation points MVP Volunteer Moderator

2024-04-10T07:30:04.5333333+00:00

Yes, Defender for Cloud is supported on StorageV2 only but there is no way to know what kind of account you were testing. I was assuming that everything is ok there.

Nevertheless please mark reply as answer as Defender for Storage plan is required to be enabled on the subscription in order to successfully configure the settings per storage account.
Trent Richardson 0 Reputation points

2025-05-28T13:43:32.44+00:00

In my case, I have not enabled defender at the subscription level for cost reasons.

I want to apply this only to a specific storage account.

I have the same bicep as in the original question, and the kind: 'StorageV2' is set against the storage account.

I get the same result as mentioned in the issue:

Is there a way to fix this without enabling this at the subscription level?
Trent Richardson 0 Reputation points

2025-06-04T09:04:10.4133333+00:00
I managed to solve this.
My account was not on V2 at the subscription level.
Fix:

Upgrade account to V2

Enabled at subscription level

Enabled the malware scanning extension

Disabled again at the subscription level

Then applied against the storage account (using bicep above).

Answer 2

Steph Locke 0

Yes, I'm having the same issue and there's a (super quiet, msft haven't responded) discussion about it at https://github.com/Azure/bicep/discussions/15760

Share via

How to deploy Microsoft Defender for a storage account with bicep

1 additional answer

Your answer