Forum Discussion
Solved
Possible to Disable Defender on individual Storage Accounts?
Hi folks, The gist is that we have Azure Defender enabled at a Subscription level. With that comes Advanced Threat Protection for Storage Accounts which is charged per transaction within those S...
We do not recommend excluding storage accounts from the Azure Defender, but If you want to perform cost optimization and you are considering the exclusion of specific storage accounts that are characterized with high traffic from the Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.
To exclude specific storage accounts from Azure Defender, follow the following steps:
Step 1:
Enter the Tags section from the storage account(s) menu, and assign the following tag for the desired account(s) you would like to exclude:
Name
AzDefenderPlanAutoEnable
Value
off
After assigning the Tag name and value, click Apply.
It should look like the screenshot below after applying:
The tag excludes the account from getting updates from the subscription level enablement policy, these updates that occurs daily (If required, you can find here more information on assigning tags)
Step 2:
Disable "Azure Defender" on the desired accounts(s) by performing one of the following actions:
Option A (PowerShell command):
Run the following command in PowerShell on the relevant resource(s):
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>(the cmdlet is documented here)
Option B - Enable/Disable on the account level (from the Azure Security Center portal):
Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)
StanislavBelov
Microsoft
MicrosoftWe do not recommend excluding storage accounts from the Azure Defender, but If you want to perform cost optimization and you are considering the exclusion of specific storage accounts that are characterized with high traffic from the Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.
To exclude specific storage accounts from Azure Defender, follow the following steps:
Step 1:
Enter the Tags section from the storage account(s) menu, and assign the following tag for the desired account(s) you would like to exclude:
|
Name |
AzDefenderPlanAutoEnable |
|
Value |
off |
After assigning the Tag name and value, click Apply.
It should look like the screenshot below after applying:
The tag excludes the account from getting updates from the subscription level enablement policy, these updates that occurs daily (If required, you can find here more information on assigning tags)
Step 2:
Disable "Azure Defender" on the desired accounts(s) by performing one of the following actions:
Option A (PowerShell command):
Run the following command in PowerShell on the relevant resource(s):
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
(the cmdlet is documented here)
Option B - Enable/Disable on the account level (from the Azure Security Center portal):
Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)
Stanislav,
Pardon the ingenuity of my question, but what's the risk of disabling ATP for a storage account that's exclusively used to support an Azure Function App transaction?
We currently leverage Function Apps to implement our microservice architecture. ATP accounts for 69% of the billing for each Function App due to the number of transactions each generates on its dedicated storage account. As a CSP, I have to justify to my customers what type of protection this (high relative) cost adds to our architecture.