Forum Discussion
Possible to Disable Defender on individual Storage Accounts?
- Oct 12, 2021
We do not recommend excluding storage accounts from Azure Defender, but if you want to perform cost optimization and you are considering the exclusion of specific storage accounts that are characterized with high traffic from the Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.
To exclude specific storage accounts from Azure Defender, follow the following steps:
Step 1:
Enter the Tags section from the storage account(s) menu, and assign the following tag for the desired account(s) you would like to exclude:
Name: AzDefenderPlanAutoEnable
Value: off
After assigning the Tag name and value, click Apply.
It should look like the screenshot below after applying:
The tag excludes the account from getting updates from the subscription-level enablement policy; these updates occur daily. (If required, you can find here more information on assigning tags.)
Step 2:
Disable "Azure Defender" on the desired account(s) by performing one of the following actions:
Option A (PowerShell command):
Run the following command in PowerShell on the relevant resource(s):
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
(the cmdlet is documented here)
Option B - Enable/Disable on the account level (from the Azure Security Center portal):
Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)
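A read-only audit of the two steps above, as an added example that is not part of the original post: it lists every storage account in the current subscription and flags accounts where the exclusion tag and the actual Defender state disagree. It assumes the Az.Storage and Az.Security modules and an already authenticated context (Connect-AzAccount); the function name Get-DefenderExclusionState and the state labels are hypothetical.

```powershell
#Requires -Modules Az.Storage, Az.Security

# Added example: read-only audit, changes nothing in the subscription.
# Assumes Connect-AzAccount / Set-AzContext already selected the subscription.
$tagName = 'AzDefenderPlanAutoEnable'   # tag name from the post

# Hypothetical helper: classify one account from its tag and Defender state.
function Get-DefenderExclusionState {
    param(
        [bool]$TaggedOff,    # account carries AzDefenderPlanAutoEnable = off
        [bool]$AtpEnabled    # Defender (ATP) is currently enabled on the account
    )
    if ($TaggedOff -and -not $AtpEnabled) { return 'Excluded' }
    if ($TaggedOff -and $AtpEnabled)      { return 'Drift: tagged off, Defender enabled' }
    if (-not $AtpEnabled)                 { return 'Unprotected: disabled without the tag' }
    return 'Protected'
}

$report = foreach ($sa in Get-AzStorageAccount) {
    # Tags can be $null on untagged accounts; -eq matches the name case-insensitively.
    $key = if ($sa.Tags) {
        $sa.Tags.Keys | Where-Object { $_ -eq $tagName } | Select-Object -First 1
    }
    $tagValue = if ($key) { $sa.Tags[$key] } else { $null }

    # Per-resource Defender (Advanced Threat Protection) setting.
    $atp = Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id

    [pscustomobject]@{
        ResourceGroup  = $sa.ResourceGroupName
        StorageAccount = $sa.StorageAccountName
        TagValue       = $tagValue
        AtpEnabled     = [bool]$atp.IsEnabled
        State          = Get-DefenderExclusionState `
                            -TaggedOff ($tagValue -eq 'off') `
                            -AtpEnabled ([bool]$atp.IsEnabled)
    }
}

# Show drifted and unprotected accounts first.
$report |
    Sort-Object { $_.State -in 'Protected', 'Excluded' }, ResourceGroup, StorageAccount |
    Format-Table -AutoSize
```

Running it on a schedule gives a record of which accounts are intentionally excluded and surfaces any account whose Defender state changed since the last run.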
- Martin_Georgiev | Oct 24, 2024 | Copper Contributor
After a while I found some of the storage accounts having Defender enabled, even though I've added the tag and I am sure that I stopped all of them previously!
Have you ever heard of such case?
- yesvanth | Jan 09, 2023 | Copper Contributor
StanislavBelov will this tag option to exclude work on a Resource Group as well?
- rsantana | May 29, 2022 | Copper Contributor
Stanislav,
Pardon the ingenuity of my question, but what's the risk of disabling ATP for a storage account that's exclusively used to support an Azure Function App transaction?
We currently leverage Function Apps to implement our microservice architecture. ATP accounts for 69% of the billing for each Function App due to the number of transactions each generates on its dedicated storage account. As a CSP, I have to justify to my customers what type of protection this (high relative) cost adds to our architecture.
- CSP_MO | Oct 12, 2021 | Copper Contributor
Thank you Stanislav!
Totally agree that we don't want to disable Defender for these accounts either, but we were running up $30 - $50 per day in Threat Protection because of how transactional the storage accounts were.