Microsoft Defender for Storage configuration (and limits/scope of Bicep)

[jacksorjacksor]

Hi there!

I've got an Azure Storage Account. I've recently enabled Microsoft Defender for Cloud on that account, and enabled "On-upload malware scanning", setting the scan results to be sent over to an Event Grid topic.

My question is - how much of this can be handled in Bicep? Is this sort of functionality something I should be able to do from a code-first perspective, or will I always need to define this manually through the Portal [at present unsure on CLI options]?

I've had good experiences using Bicep for deploying core infrastructure (App Config, Azure SQL etc.) but my curiosity is around the limitations - should every option available through the Azure Portal be replicable via Bicep? What is out of scope for Bicep?

Cheers!

Rich

[stephlocke]

This is still a problem today :/

Example code:

resource defenderForStorage 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {
  name: 'current'
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: malwareScanCapGBPerMonth
      }
      scanResultsEventGridTopicResourceId: defenderScanResultsTopic.id
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    overrideSubscriptionLevelSettings: true
  }
}

[slavizh]

@stephlocke it is unclear what problem exactly you are hitting. The event grid integration can be set and the partial code you have provided looks ok. Note that if something is not visible in the portal that does not mean it is not configured. Sometimes the portal expect certain values and if not in that particular way it will not show the correct information. In Azure Portal there is API Playground functionality (type API Playground in search) where you can execute Rest API calls to see what is returned as resource configuration. You might also want to use higher API version for Microsoft.Security/defenderForStorageSettings resource. The latest one available is 2025-09-01-preview.

[mlhaufe]

I'm experiencing a similar problem. My Bicep:

resource defenderForStorage 'Microsoft.Security/defenderForStorageSettings@2025-09-01-preview' = {
  name: 'current'
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: -1
      }
      blobScanResultsOptions: 'BlobIndexTags'
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    overrideSubscriptionLevelSettings: true
  }
}

This doesn't have any effect

If I try to set it manually:

I see the following network traffic:

PUT https://management.azure.com//subscriptions/{subscription-id}/resourceGroups/rg-marketplace-dev/providers/Microsoft.Storage/storageAccounts/stbfmardevoxava3/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2025-07-01-preview
{
    "properties": {
        "isEnabled": true,
        "sensitiveDataDiscovery": {
            "isEnabled": true
        },
        "malwareScanning": {
            "onUpload": {
                "isEnabled": true,
                "capGBPerMonth": -1,
                "filters": {}
            },
            "blobScanResultsOptions": "BlobIndexTags",
            "automatedResponse": "None"
        },
        "overrideSubscriptionLevelSettings": true,
        "dataScannerResourceId": "/subscriptions/{subscription-id}/providers/Microsoft.Security/datascanners/StorageDataScanner"
    }
}

The response is 201 Created

{
    "properties": {
        "isEnabled": true,
        "malwareScanning": {
            "onUpload": {
                "isEnabled": false,
                "capGBPerMonth": -1
            },
            "automatedResponse": "None",
            "blobScanResultsOptions": "BlobIndexTags",
            "operationStatus": {
                "code": "UnknownError",
                "message": "Failed to update malware scanning."
            }
        },
        "sensitiveDataDiscovery": {
            "isEnabled": true,
            "operationStatus": {
                "code": "Succeeded"
            }
        },
        "dataScannerResourceId": "/subscriptions/{subscription_id}/providers/Microsoft.Security/datascanners/StorageDataScanner",
        "overrideSubscriptionLevelSettings": true
    },
    "id": "/subscriptions/{subscription_id}/resourceGroups/rg-marketplace-dev/providers/Microsoft.Storage/storageAccounts/stbfmardevoxava3/providers/Microsoft.Security/defenderForStorageSettings/current",
    "type": "Microsoft.Security/defenderForStorageSettings",
    "name": "current"
}

THe generic UnknownError is not actionable. Is this a temporary problem, or is there some other undocumented setting that needs to be configured for this to work?

[slavizh]

My testing like:

resource defenderForStorage 'Microsoft.Security/defenderForStorageSettings@2025-09-01-preview' = {
  name: 'current'
  scope: str
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: -1
        filters: {
          excludeBlobsLargerThan: null
          excludeBlobsWithPrefix: null
          excludeBlobsWithSuffix: null
        }
      }
      scanResultsEventGridTopicResourceId: null
      blobScanResultsOptions: 'None'
      automatedResponse: 'BlobSoftDelete'
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    overrideSubscriptionLevelSettings: true
  }
}

shows that everything is configured correctly

[mlhaufe]

THat didn't work for me. It stays disabled.

I watched the network inspector as I tried to enable this manually again and I saw the following:

GET https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Features/featureProviders/Microsoft.Security/subscriptionFeatureRegistrations/DFSFilesOnDemand?api-version=2020-09-01

Response:

{
    "properties": {
        "subscriptionId": "...",
        "featureName": "DFSFilesOnDemand",
        "displayName": "DFSFilesOnDemand",
        "providerNamespace": "Microsoft.Security",
        "state": "NotRegistered",
        "releaseDate": "2025-06-26T08:23:59.0488449Z",
        "description": "Defender for Storage Files On Demand",
        "approvalType": "ApprovalRequired",
        "documentationLink": "http://aka.ms/defenderforstorage",
        "shouldFeatureDisplayInPortal": true
    },
    "id": "/subscriptions/{subscription-id}/providers/Microsoft.Features/featureProviders/Microsoft.Security/subscriptionFeatureRegistrations/DFSFilesOnDemand",
    "name": "DFSFilesOnDemand",
    "type": "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations"
}

I looked under Subscription > Settings > Resource Providers but this is not listed as an option.

Via the azure CLI:

az feature show --namespace Microsoft.Security --name DFSFilesOnDemand --query "properties.state"

I get: "NotRegistered"

So, I ran:

az feature register --namespace Microsoft.Security --name DFSFilesOnDemand

Response:

Once the feature 'DFSFilesOnDemand' is registered, invoking 'az provider register -n Microsoft.Security' is required to get the change propagated
{
  "id": "/subscriptions/{subscription-id}/providers/Microsoft.Features/providers/Microsoft.Security/features/DFSFilesOnDemand",
  "name": "Microsoft.Security/DFSFilesOnDemand",
  "properties": {
    "state": "Pending"
  },
  "type": "Microsoft.Features/providers/features"
}

Microsoft.Security is already enabled in the subscription, so I assume this is a waiting game

[slavizh]

That feature is not preview and it is widely available so I doubt that the registration of the feature is the problem. May be the storage account is a kind/type that is not supported for defender for storage or there is something wrong with the account. Try with another storage account or may be it is best to reach out support.

[marsontret]

I did this successfully a few years back. Will have a look at the code.