Microsoft Tech Community
SOLVED

Possible to Disable Defender on individual Storage Accounts?

Copper Contributor

Hi folks,

The gist is that we have Azure Defender enabled at a Subscription level. With that comes Advanced Threat Protection for Storage Accounts, which is charged per transaction within those Storage Accounts.

We have four storage accounts out of 176 that are very highly transactional, and the monthly billing for Advanced Threat Protection is close to $1,000. They are internal storage accounts with very limited public exposure, so we are not worried about threats within those transactions.

Our ideal scenario would be to keep Defender enabled at the subscription level for all of our Storage accounts and all future storage accounts but not be billed for (or use) Advanced Threat Protection. It seems like this cmdlet:

Should do the job, but it does not. Either it does not disable ATP or it does not disable the billing. In either of those cases it does not do what we need.

After 2.5 months of trying to work through it, the only option I have been given is to disable Defender at the Subscription level for all of our Storage Accounts, and then re-enable the 172 storage accounts that we do want Defender for individually via PS. That will and does work, but it will require overhead on our part to ensure they all stay enabled and that any future accounts are enabled by the creator and none get missed.

Do we have any other avenues to suppress Advanced Threat Protection on a subset of accounts within a Subscription?
10 Replies
This option to selectively disable Defender for certain storage accounts is currently being tested (closed private preview) and will likely be released later this year. No solid ETA though.
Thank you Stanislav,

Is there a way to petition to join the beta?

Failing that, is it understood that the Disable-AzSecurityAdvancedThreatProtection cmdlet is not expected to disable billing for the ATP feature?
There is something else you need to do before running that cmdlet. Can't disclose all details publicly yet. Let me double check if this preview is still open for new participants.
I am interested too, for my customers.
Hi there, we'd also be interested in testing this feature. We are currently using SAs for FSLogix which are generating significant Defender costs.
We will add guidance on how to exclude certain accounts to our official documentation soon. Once it's there, I will also let you know here. Thank you.
best response confirmed by CSP_MO (Copper Contributor)
Solution

We do not recommend excluding storage accounts from Azure Defender, but if you want to perform cost optimization and are considering excluding specific high-traffic storage accounts from Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.

To exclude specific storage accounts from Azure Defender, follow these steps:

Step 1:

Enter the Tags section from the storage account(s) menu, and assign the following tag to the account(s) you would like to exclude:

Name: AzDefenderPlanAutoEnable
Value: off

After assigning the tag name and value, click Apply.

It should look like the screenshot below after applying:

[screenshot: the storage account's Tags blade with AzDefenderPlanAutoEnable = off applied]

The tag excludes the account from receiving updates from the subscription-level enablement policy; these updates occur daily. (If required, you can find more information on assigning tags here.)

Step 2:

Disable "Azure Defender" on the desired account(s) by performing one of the following actions:

Option A (PowerShell command):

Run the following command in PowerShell on the relevant resource(s):

Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>

(the cmdlet is documented here)

Option B - Enable/Disable on the account level (from the Azure Security Center portal):

Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)
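The two-step procedure in the accepted answer (tag the account, then disable Advanced Threat Protection on it), scripted for a list of accounts and followed by a subscription-wide audit, as an added example that is not part of the original thread or of Microsoft's documentation. It uses the Az.Resources, Az.Storage and Az.Security cmdlets the answer refers to and assumes the classic per-transaction ATP plan the thread discusses. The subscription id, resource group and account names are placeholders, and the audit's four-state classification is this example's own consistency check, not something the answer prescribes.

```powershell
# Added example, not code from the thread. Requires a signed-in Az context
# (Connect-AzAccount) with rights to tag storage accounts and change
# Defender settings in the target subscription.
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage, Az.Security

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$TagName  = 'AzDefenderPlanAutoEnable'                       # tag from the answer
$TagValue = 'off'

# Placeholder list of the high-transaction accounts to exclude.
$Exclusions = @(
    @{ ResourceGroupName = 'rg-functions'; Name = 'stfuncapp001' },
    @{ ResourceGroupName = 'rg-functions'; Name = 'stfuncapp002' }
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

function Disable-DefenderForStorageAccount {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $Name

    # Step 1: merge the opt-out tag so the daily subscription-level policy
    # no longer re-enables the plan on this account. Merge keeps existing tags.
    Update-AzTag -ResourceId $account.Id -Tag @{ $TagName = $TagValue } -Operation Merge | Out-Null

    # Step 2: switch Advanced Threat Protection off on this one resource.
    Disable-AzSecurityAdvancedThreatProtection -ResourceId $account.Id | Out-Null

    # Verify by reading the setting back rather than trusting the call.
    $atp = Get-AzSecurityAdvancedThreatProtection -ResourceId $account.Id
    [pscustomobject]@{ Name = $Name; Id = $account.Id; AtpEnabled = $atp.IsEnabled }
}

foreach ($e in $Exclusions) {
    Disable-DefenderForStorageAccount @e
}

# Audit: every storage account in the subscription should land in one of two
# intended states. The other two are drift and deserve a ticket:
#   tagged off + ATP disabled  -> intended exclusion
#   untagged   + ATP enabled   -> normal, covered account
#   tagged off + ATP enabled   -> step 2 never ran or was reverted (still billing)
#   untagged   + ATP disabled  -> disabled outside this process, or created
#                                 since the last daily run; it will be
#                                 re-enabled (and billed) on the next cycle
$report = foreach ($sa in Get-AzStorageAccount) {
    $tagged = [bool]($sa.Tags -and $sa.Tags[$TagName] -eq $TagValue)
    $atp    = [bool](Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id).IsEnabled
    [pscustomobject]@{
        Name       = $sa.StorageAccountName
        TaggedOff  = $tagged
        AtpEnabled = $atp
        State      = if ($tagged -and -not $atp)     { 'excluded' }
                     elseif (-not $tagged -and $atp) { 'protected' }
                     elseif ($tagged -and $atp)      { 'DRIFT: tagged but still enabled' }
                     else                            { 'DRIFT: disabled without exclusion tag' }
    }
}
$report | Sort-Object State, Name | Format-Table -AutoSize
```

The audit exists because the tag and the cmdlet do different jobs: the tag only stops the daily policy from touching the account, and the cmdlet only changes today's state. An account with the tag but no disable call keeps billing, and a newly created account without the tag is picked up by the next daily run, which is exactly the "none get missed" overhead the original question raises. Running the report on a schedule turns that into a list rather than a guess.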


Thank you Stanislav!

Totally agree that we don't want to disable Defender for these accounts either, but we were running up $30 - $50 per day in Threat Protection because of how transactional the storage accounts were.

Stanislav,

Pardon the ingenuity of my question, but what's the risk of disabling ATP for a storage account that's exclusively used to support an Azure Function App transaction?
We currently leverage Function Apps to implement our microservice architecture. ATP accounts for 69% of the billing for each Function App due to the number of transactions each generates on its dedicated storage account. As a CSP, I have to justify to my customers what type of protection this (high relative) cost adds to our architecture.

@Stanislav Belov will this tag option to exclude work on a Resource Group as well?
