This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 52%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
I'm trying to use bicep to enable Microsoft Defender for Cloud for a storage account in Azure. However, the defender is enabled but the "On-upload malware scanning" is not enabled even though I set the property to "true" in the bicep file.
I have been using the template from https://video2.skills-academy.com/en-us/azure/defender-for-cloud/defender-for-storage-infrastructure-as-code-enablement?tabs=enable-storage-account#bicep-template---storage-account
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' ...
resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {
name: 'current'
scope: storageAccount
properties: {
isEnabled: true
malwareScanning: {
onUpload: {
isEnabled: true
capGBPerMonth: 5000
}
}
sensitiveDataDiscovery: {
isEnabled: true
}
overrideSubscriptionLevelSettings: true
}
}
Anybody that stumble upon this issue before and have a solution?
Hi,
This is the correct method. How have you identified that is not applied? Did you also enabled the Defender for Storage plan on the subscription where the storage account is located?
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
I have checked in Azure:
I have also tried to upload a file to the storage and it wont trigger the malware scanning.
Everything looks as expected(as far as I know) except that the on-upload is not enabled.
Is there another template that needs to be used as well to get it all up and running except the one I posted before?
I would try to enable the Defender for Storage plan as well. I think it is required that the plan is enabled on the subscription even if malware is not configured on subscription:
targetScope = 'subscription'
resource storageAccountsPricing 'Microsoft.Security/pricings@2023-01-01' = {
name: 'StorageAccounts'
properties: {
pricingTier: 'Standard'
subPlan: 'DefenderForStorageV2'
extensions: [
{
name: 'OnUploadMalwareScanning'
isEnabled: 'True'
additionalExtensionProperties: {
CapGBPerMonthPerStorageAccount: 5000
}
}
]
}
}
I tried to enable both on subscription level and the storage settings with the bicep script and It now say its enabled. However, it doesn´t seem to trigger a scan when uploading to the storage account deployed through the bicep. But the defender scan does trigger when I create a storage account manually in Azure Portal and upload a file to it.
May be open separate question for this or support request.
I found out why the scan wouldn´t trigger. I had created a storage account looking like this:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: 'storageaccountname'
location: 'location'
kind: 'BlobStorage' .....
Apparently the tier of the storage account needs to be:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: 'storageaccountname'
location: 'location'
kind: 'StorageV2' <----- I changed this from 'BlobStorage' to 'StorageV2'.
So the change on the "kind" property made the difference.
Yes, Defender for Cloud is supported on StorageV2 only but there is no way to know what kind of account you were testing. I was assuming that everything is ok there.
Nevertheless please mark reply as answer as Defender for Storage plan is required to be enabled on the subscription in order to successfully configure the settings per storage account.