At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. The Azure Defender plans were also renamed Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
In this article, we will show you how to exclude a storage account from Microsoft Defender for Storage to reduce costs for your dev and test environments.
Introduction
Microsoft Defender for Cloud (MDC) gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Microsoft Defender for Cloud has two main value propositions:
1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Containers, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.
Microsoft Defender for Cloud is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Defender plans from the Environment settings area of Microsoft Defender for Cloud, the following Microsoft Defender plans are all enabled at the same time and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Microsoft Defender for servers
- Microsoft Defender for App Service
- Microsoft Defender for Storage
- Microsoft Defender for SQL
- Microsoft Defender for Containers (Kubernetes)
- Microsoft Defender for Containers (Container registries)
- Microsoft Defender for Key Vault
- Microsoft Defender for Azure DNS
- Microsoft Defender for Resource Manager
Microsoft Defender (Advanced Threat Protection) for Storage is one of the advanced protections included in Microsoft Defender for Cloud. It falls under the Cloud Workload Protection Platform (CWPP) and is something you should consider for your Azure storage accounts, since it adds a layer of security intelligence on top of them.
The good news is that you can also use Advanced Threat Protection for Azure Files (Azure file shares) and Azure Data Lake Storage Gen2, in addition to the Blob service. And guess what, this also protects your on-premises Azure File Sync deployment against malware. You can read more about the announcement here.
When you enable Microsoft Defender for Storage on a subscription, all existing Azure Storage accounts will be protected and any newly created storage resources in the future will also be automatically protected.
What if you don’t want to enable Microsoft Defender for Storage for all storage accounts in the scope of the subscription? Read on…
Prerequisites
To follow this article, you need to have the following:
1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Microsoft Defender for Storage (plan) enabled per subscription under the Environment settings page, as shown in the figure below.

3) Azure storage account – To create a general-purpose storage account, follow the instructions described on Microsoft documentation.
4) You have several options to exclude a storage account from Microsoft Defender for Storage: Azure Cloud Shell, Azure PowerShell, Azure CLI, or the Azure portal. We will describe each option in the next section.
a) If you want to use Azure PowerShell, you can use the following PowerShell command to install and update the “Az module” locally on your machine.
# Make sure you have the latest version of PowerShellGet installed
Install-Module -Name PowerShellGet -Force
# Install and update to the latest Az PowerShell module
Install-Module -Name Az -AllowClobber -Force
# Sign in interactively -> Skip if you are using the Cloud Shell
Connect-AzAccount
b) If you prefer to use Azure CLI, you can check the CLI version on your machine and upgrade its version with the following commands:
# Check Azure CLI version
az --version
# Upgrade Azure CLI
az upgrade
# Sign in interactively -> Skip if you are using the Cloud Shell
az login
Exclude a storage account
Microsoft recently added a new capability based on Azure tags: you assign a specific tag to a storage account to disable or enable Microsoft Defender for Storage on that account while the Defender plan stays enabled at the subscription level.
Azure PowerShell
Here is the PowerShell version to exclude an Azure Storage account from Microsoft Defender:
# Set the Azure context for the relevant subscription
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
$storageAccountRG = "resource-group-name-here"
$storageAccountName = "storageaccountnamehere"
# Get Storage account resource ID
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $storageAccountRG -Name $storageAccountName).Id
# Set Azure Defender Plan Auto Enable to OFF
Update-AzTag -ResourceId $storageAccountId -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge

Last but not least, you need to disable Microsoft Defender for Storage for the desired account on the relevant subscription with the Disable-AzSecurityAdvancedThreatProtection cmdlet below:
# Get Storage account resource ID
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $storageAccountRG -Name $storageAccountName).Id
# Disable Advanced Threat Protection (ATP) policy for Azure storage / cosmos DB account
Disable-AzSecurityAdvancedThreatProtection -ResourceId $storageAccountId
Please note that if you only disable the Advanced Threat Protection (ATP) policy for a storage and/or Cosmos DB account without setting the resource tag "AzDefenderPlanAutoEnable" = "off", and the Microsoft Defender for Storage plan is enabled at the subscription level, then the policy will enable Defender for Storage again on that storage account.
To re-enable Microsoft Defender for Storage for the desired account with PowerShell, run the Enable-AzSecurityAdvancedThreatProtection cmdlet below:
# Get Storage account resource ID
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $storageAccountRG -Name $storageAccountName).Id
# Enable Advanced Threat Protection (ATP) policy for Azure storage / cosmos DB account
Enable-AzSecurityAdvancedThreatProtection -ResourceId $storageAccountId
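Added example (our own code, not from the original post): a PowerShell audit function that ties the tag step and the disable step above to the note between them, by reporting, for every storage account in the current subscription, whether the AzDefenderPlanAutoEnable tag and the Advanced Threat Protection setting agree. It assumes the Az module is installed and Connect-AzAccount / Set-AzContext have already been run; the function name and the State labels are our own.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Storage and
# Az.Security are installed and the context is set to the relevant subscription.

function Get-DefenderStorageExclusionReport {
    [CmdletBinding()]
    param(
        # Optional: restrict the audit to a single resource group
        [string]$ResourceGroupName
    )

    # Subscription-level plan state (PricingTier is "Standard" when the plan is on)
    $plan = Get-AzSecurityPricing -Name "StorageAccounts"

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($sa in $accounts) {
        # Read the exclusion tag, if present (key match is case-sensitive here)
        $tagValue = $null
        if ($sa.Tags -and $sa.Tags.ContainsKey("AzDefenderPlanAutoEnable")) {
            $tagValue = $sa.Tags["AzDefenderPlanAutoEnable"]
        }
        $tagOff = ($tagValue -eq "off")

        # Per-account ATP setting
        $atpEnabled = [bool](Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id).IsEnabled

        # Classify: ATP off without the tag is not durable, the subscription plan
        # will switch it back on, so flag it rather than treat it as excluded.
        $state = if ($tagOff -and -not $atpEnabled) { "Excluded" }
                 elseif ($tagOff)                    { "TagSet-AtpStillOn" }
                 elseif ($atpEnabled)                { "Protected" }
                 elseif ($plan.PricingTier -eq "Standard") { "AtpOff-WillBeReenabled" }
                 else                                { "AtpOff-PlanNotEnabled" }

        [pscustomobject]@{
            StorageAccount = $sa.StorageAccountName
            ResourceGroup  = $sa.ResourceGroupName
            AutoEnableTag  = $tagValue
            AtpEnabled     = $atpEnabled
            PlanTier       = $plan.PricingTier
            State          = $state
        }
    }
}

# Usage: show every account whose exclusion is incomplete or whose protection is off
Get-DefenderStorageExclusionReport | Where-Object State -ne "Protected" | Format-Table -AutoSize
```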
Azure CLI
Here is the Azure CLI version to exclude an Azure Storage account from Microsoft Defender:
# Set the Azure context for the relevant subscription where your storage accounts are deployed
az account set --subscription "xxxx-xxxx-xxxx-xxxx"
# Set the required variables (PowerShell syntax, as in the Cloud Shell PowerShell experience;
# in bash drop the leading $ and the spaces around = when assigning)
$resourceGroupName = "rg-weu-afs-demo"
$storageAccountName = "frstorageafs01"
# Get Storage account resource ID
$storageAccountId = $(az storage account show -g $resourceGroupName -n $storageAccountName --query id --output tsv)
# Set Azure Defender Plan Auto Enable to OFF
az tag update --resource-id $storageAccountId --operation merge --tags AzDefenderPlanAutoEnable=off

Last but not least, you need to disable Microsoft Defender for Storage for the desired account on the relevant subscription with the az security atp storage command below:
# Disable Advanced Threat Protection (ATP) policy for Azure storage / cosmos DB account
az security atp storage update --resource-group $resourceGroupName --storage-account $storageAccountName --is-enabled false
As noted in the previous section, if you only disable the Advanced Threat Protection (ATP) policy for a storage and/or Cosmos DB account without setting the resource tag "AzDefenderPlanAutoEnable" = "off", and the Microsoft Defender for Storage plan is enabled at the subscription level, then the policy will enable Defender for Storage again on that storage account.
You can verify that Advanced Threat Protection (ATP) is disabled for a storage account by running the following command:
# Show Advanced Threat Protection settings for a storage account
az security atp storage show --resource-group $resourceGroupName --storage-account $storageAccountName

Azure Portal
If you prefer to use the Azure portal, then you need to define the AzDefenderPlanAutoEnable tag on the storage account by taking the following steps:
Launch the Azure portal, open the desired storage account and select the Tags page.
Enter the tag name “AzDefenderPlanAutoEnable” and set the value to “off” as shown in the figure below. Then select Apply.
Figure: the AzDefenderPlanAutoEnable tag set to off on the storage account Tags page.

Last but not least, if Microsoft Defender for Storage was already enabled at the subscription level, you need to disable and then re-enable the plan on the relevant subscription for the policy to take effect.
Launch the Azure portal, and then open Microsoft Defender for Cloud.
On the left-hand side select Environment settings > select the relevant subscription > Defender plans > toggle the Defender for Storage plan Off > select Save > turn it back On > select Save.

You can also use Azure PowerShell or Azure CLI to disable and re-enable the Microsoft Defender for Storage plan by running the following commands:
Azure PowerShell
# Set the Azure context for the relevant subscription
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
# Disable Defender for Storage plan by setting the -PricingTier to "Free"
Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Free"
# Enable Defender for Storage plan by setting the -PricingTier to "Standard"
Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard"
# Show Defender for Storage plan
Get-AzSecurityPricing -Name "StorageAccounts"
Azure CLI
# Set the Azure context for the relevant subscription where your storage accounts are deployed
az account set --subscription "xxxx-xxxx-xxxx-xxxx"
# Disable Defender for Storage plan by setting --tier to 'Free'
az security pricing create -n StorageAccounts --tier 'Free'
# Enable Defender for Storage plan by setting --tier to 'Standard'
az security pricing create -n StorageAccounts --tier 'Standard'
# Show Defender for Storage plan
az security pricing show -n StorageAccounts
That’s it, there you have it!
Summary
In this article, we showed you how to exclude a specific storage account from Microsoft Defender for Storage with Azure PowerShell, Azure CLI, and the Azure portal.
This is useful for excluding storage accounts used by development and test environments to reduce costs. Microsoft Defender for Storage is billed at $0.02 per 10,000 transactions.
Please note that excluding production storage accounts from Microsoft Defender for Storage is not recommended and leaves those cloud workloads exposed.
Similar to excluding a specific storage account from Defender for Storage, you can also exclude a specific Azure SQL database from Microsoft Defender. We hope that Microsoft will in the future provide a way to enable/disable Microsoft Defender at the App Service (Web App / Function App) level instead of for the entire subscription.
Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-