Azure Defender for Storage: On-Upload vs On-Demand Malware Scanning

Tags: Azure, Security, Defender, Storage, Malware

Microsoft Defender for Storage is one of those services where the feature set sounds simple until you try to work out what you actually need. There are three distinct protection layers, each with its own pricing, capabilities, and use cases. Enabling all three "just in case" is the expensive default. Understanding what each does lets you make a targeted decision.

The Three Layers

Layer 1: Threat Detection (Activity Monitoring)

This is the base layer, included in the standard Defender for Storage plan. It analyses storage account activity logs (access patterns, IP addresses, user agents, and anomalous behaviour) to detect potential threats.

What it catches:

  • Access from suspicious IP addresses (known malicious IPs, Tor exit nodes)
  • Unusual access patterns (mass download, enumeration behaviour)
  • Anomalous data exfiltration patterns
  • Access from unexpected geographic locations

What it does not do: it does not scan the content of files. A blob containing malware will not trigger an alert unless the access pattern around it is suspicious. This layer is about behaviour analytics, not content inspection.

Layer 2: On-Upload Malware Scanning

This scans every blob as it is uploaded to the storage account. When a new blob arrives, Defender sends it through Microsoft's malware scanning engine and returns a verdict. The verdict is written back onto the blob as an index tag (Malware Scanning scan result) and can also be published to an Event Grid topic and a Log Analytics workspace. Acting on the verdict (moving the blob to a quarantine container, deleting it, or stopping consumers from reading it) is wired up from those signals rather than built into the upload path.

The upload itself is not held. The blob is readable the moment the upload completes, and the scan runs asynchronously, with the verdict typically arriving within minutes. Any consumer that must not touch unscanned content has to gate on the index tag or the Event Grid event, not on the mere presence of the blob.

Pricing: Per-GB scanned. At the time of writing, approximately $0.15 per GB scanned; check the current pricing page before budgeting. The plan also lets you cap the GB scanned per storage account per month. That bounds the bill, but uploads beyond the cap are not scanned, so size the cap above real upload volume rather than at a comfortable round number.
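The asynchronous verdict is the practical problem with on-upload scanning: the blob is already there, so something has to consume the result and act. Below is an added example (not code from the original post or from Microsoft) of a handler for the scan-result events Defender for Storage publishes to an Event Grid topic. It assumes the Event Grid envelope with eventType "Microsoft.Security.MalwareScanningResult" and the fields data.blobUri, data.scanResultType ("Malicious", "No threats found", "Scan failed") and data.scanResultDetails.malwareNamesFound, as the author understands the documented schema; verify those names against a real event before relying on them. The quarantine container name is assumed. The decision logic is pure and runs offline; only quarantine_blob() needs azure-storage-blob and a credential.

```python
"""Act on Defender for Storage malware-scan results delivered through Event Grid.

Added example, not the post's or Microsoft's code. Field names are the author's
understanding of the documented event schema and should be treated as assumptions.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"
QUARANTINE_CONTAINER = "quarantine"  # assumed name; create it with no public access


@dataclass(frozen=True)
class ScanVerdict:
    account: str
    container: str
    blob: str
    result: str
    threats: tuple


def parse_scan_event(event: dict) -> ScanVerdict:
    """Extract the verdict from one Event Grid event; raise on anything else."""
    if event.get("eventType") != EVENT_TYPE:
        raise ValueError(f"unexpected eventType: {event.get('eventType')!r}")
    data = event["data"]
    url = urlparse(data["blobUri"])
    account = url.netloc.split(".")[0]  # https://<account>.blob.core.windows.net/...
    container, _, blob = url.path.lstrip("/").partition("/")
    if not container or not blob:
        raise ValueError(f"blobUri has no container/blob: {data['blobUri']}")
    details = data.get("scanResultDetails") or {}
    threats = tuple(details.get("malwareNamesFound") or ())
    return ScanVerdict(account, container, unquote(blob), data["scanResultType"], threats)


def decide(verdict: ScanVerdict) -> str:
    """Map a verdict to an action. Only an explicit clean result releases the blob;
    a failed or unrecognised result is never treated as clean and goes to rescan."""
    if verdict.result == "Malicious":
        return "quarantine"
    if verdict.result == "No threats found":
        return "release"
    return "rescan"


def handle_events(events: list) -> list:
    """Process a batch as delivered to an Event Grid webhook or Azure Function."""
    actions = []
    for ev in events:
        v = parse_scan_event(ev)
        actions.append((v.container, v.blob, decide(v)))
    return actions


def quarantine_blob(verdict: ScanVerdict, credential) -> str:
    """Server-side copy the blob into the quarantine container, then delete the
    original. Assumes the identity holds Storage Blob Data Contributor on the
    account and that a same-account copy is authorised by that identity."""
    from azure.storage.blob import BlobServiceClient  # optional dependency

    svc = BlobServiceClient(f"https://{verdict.account}.blob.core.windows.net", credential)
    src = svc.get_blob_client(verdict.container, verdict.blob)
    dst = svc.get_blob_client(QUARANTINE_CONTAINER, f"{verdict.container}/{verdict.blob}")
    dst.start_copy_from_url(src.url)
    src.delete_blob()
    return dst.url


# Constructed sample batch (not a real capture): one malicious, one clean, one failed.
SAMPLE_EVENTS = [
    {"eventType": EVENT_TYPE,
     "data": {"blobUri": "https://contoso.blob.core.windows.net/uploads/invoice.pdf.exe",
              "scanResultType": "Malicious",
              "scanResultDetails": {"malwareNamesFound": ["Virus:DOS/EICAR_Test_File"]}}},
    {"eventType": EVENT_TYPE,
     "data": {"blobUri": "https://contoso.blob.core.windows.net/uploads/report.pdf",
              "scanResultType": "No threats found"}},
    {"eventType": EVENT_TYPE,
     "data": {"blobUri": "https://contoso.blob.core.windows.net/uploads/big%20archive.zip",
              "scanResultType": "Scan failed"}},
]

if __name__ == "__main__":
    for container, blob, action in handle_events(SAMPLE_EVENTS):
        print(f"{container}/{blob}: {action}")
```

The point of decide() is the default branch: a "Scan failed" result (oversized blob, unsupported blob type, transient engine error) must not be released as clean, and is exactly the case the on-demand scan discussed below exists to mop up.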

Layer 3: On-Demand Malware Scanning

This scans blobs that already exist in the storage account, triggered manually from the portal or through the REST API (and therefore from any automation you schedule yourself). It covers data that was uploaded before on-upload scanning was enabled, and data the upload scan did not cover: blobs over the documented size limit, append blobs, and ingestion paths that may not raise the events the upload scan relies on (AzCopy with certain configurations, Data Factory copies, and similar).

Pricing: Same per-GB rate as on-upload scanning.

The Key Question: Do You Need On-Demand If You Have On-Upload?

If on-upload malware scanning has been enabled from the very beginning (from the moment the storage account was created, before any data was uploaded) then on-demand scanning is largely unnecessary for that account. Every supported blob was scanned on arrival, and an on-demand scan would re-scan data that has already passed through the malware engine. Verify that rather than assume it: every blob should carry the Malware Scanning scan result index tag, and any blob without one, or with a failed result, is the exception worth chasing.

The scenarios where on-demand scanning adds value:

Pre-existing data. If the storage account contained data before on-upload scanning was enabled, that data has never been scanned. An on-demand scan covers the gap.

Data ingestion bypasses. Some data movement methods may not trigger the on-upload scan. Azure Data Factory copy activities, AzCopy in certain modes, and server-side copy operations between storage accounts may not trigger the scan depending on configuration and timing. If your data pipeline uses these methods, confirm coverage by checking for blobs with no scan-result tag after a pipeline run, and use an on-demand scan to catch anything that slipped through.

Updated threat definitions. Malware scanning uses signature-based and heuristic detection. A file that was clean when uploaded might match a newly identified threat signature. An on-demand scan with current definitions catches these cases. Whether this is worth the cost depends on your risk tolerance.

Compliance requirements. Some regulatory frameworks require periodic scanning of all data at rest, regardless of whether it was scanned on upload. If your compliance posture mandates it, on-demand scanning satisfies the requirement.

Our Recommendation

For most environments:

  1. Enable threat detection. Always. The behaviour analytics layer is relatively inexpensive and catches access-pattern threats that content scanning cannot.

  2. Enable on-upload scanning. For any storage account that receives data from external sources, user uploads, or untrusted pipelines. This is your primary malware defence.

  3. Run one initial on-demand scan. For production storage accounts that contained data before on-upload scanning was enabled. This is a one-time cost to establish a clean baseline.

  4. Skip ongoing on-demand scanning. Unless compliance mandates it or your data ingestion pipeline has known bypass paths.

For a production environment with 1.3 TB of existing data, the one-time on-demand scan at roughly $0.15/GB costs approximately $195 (about £150). That is cheap insurance for establishing that your existing data is clean.
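The four steps above reduce to a per-account configuration question: is Defender for Storage on, is on-upload scanning on, and is the monthly cap high enough for the account's real upload volume. Below is an added example (not code from the original post or from Microsoft) that audits a set of storage accounts for those gaps and builds the settings body that closes them. It uses the resource-level settings resource (…/providers/Microsoft.Security/defenderForStorageSettings/current); the payload field names (properties.isEnabled, properties.malwareScanning.onUpload.isEnabled and capGBPerMonth, properties.overrideSubscriptionLevelSettings, scanResultsEventGridTopicResourceId) and the api-version are the author's understanding of that API and should be checked against the current REST reference. Only the pure functions run offline; the ARM calls need a bearer token.

```python
"""Audit Defender for Storage on-upload scanning per account and enable it.

Added example, not the post's or Microsoft's code. API version and payload
shape are assumptions to verify against the REST reference.
"""
import json
import urllib.request
from typing import Optional

API_VERSION = "2022-12-01-preview"  # assumed; verify against the REST reference
ARM = "https://management.azure.com"


def settings_url(storage_account_id: str) -> str:
    """storage_account_id is the full ARM resource ID of the storage account."""
    return (f"{ARM}{storage_account_id}/providers/Microsoft.Security"
            f"/defenderForStorageSettings/current?api-version={API_VERSION}")


def desired_settings(cap_gb_per_month: int = 5000,
                     event_grid_topic_id: Optional[str] = None) -> dict:
    """Body that turns on threat detection plus on-upload scanning with a cap.
    The cap bounds the bill if an account suddenly receives bulk uploads."""
    scanning = {"onUpload": {"isEnabled": True, "capGBPerMonth": cap_gb_per_month}}
    if event_grid_topic_id:
        scanning["scanResultsEventGridTopicResourceId"] = event_grid_topic_id
    return {"properties": {
        "isEnabled": True,
        "malwareScanning": scanning,
        "sensitiveDataDiscovery": {"isEnabled": False},
        "overrideSubscriptionLevelSettings": True,
    }}


def coverage_gaps(settings_by_account: dict,
                  expected_monthly_gb: Optional[dict] = None) -> dict:
    """Return {account: reason} for every account whose settings leave a gap.
    expected_monthly_gb flags caps below an account's real upload volume: as the
    author understands the cap, uploads after it is reached are not scanned."""
    expected_monthly_gb = expected_monthly_gb or {}
    gaps = {}
    for account, settings in settings_by_account.items():
        props = settings.get("properties", {})
        if not props.get("isEnabled"):
            gaps[account] = "Defender for Storage disabled"
            continue
        on_upload = props.get("malwareScanning", {}).get("onUpload", {})
        if not on_upload.get("isEnabled"):
            gaps[account] = "on-upload malware scanning disabled"
            continue
        cap = on_upload.get("capGBPerMonth")
        need = expected_monthly_gb.get(account)
        if cap is not None and need is not None and cap < need:
            gaps[account] = f"cap {cap} GB/month below expected {need} GB/month"
    return gaps


def _arm_request(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_settings(storage_account_id: str, token: str) -> dict:
    return _arm_request("GET", settings_url(storage_account_id), token)


def enable_on_upload(storage_account_id: str, token: str, **kwargs) -> dict:
    return _arm_request("PUT", settings_url(storage_account_id), token,
                        desired_settings(**kwargs))


# Constructed sample GET responses (not real data) for three accounts.
SAMPLE_SETTINGS = {
    "stpublicuploads": {"properties": {"isEnabled": True,
        "malwareScanning": {"onUpload": {"isEnabled": True, "capGBPerMonth": 100}}}},
    "stinternalarchive": {"properties": {"isEnabled": True,
        "malwareScanning": {"onUpload": {"isEnabled": False}}}},
    "stlegacy": {"properties": {"isEnabled": False}},
}
SAMPLE_UPLOAD_GB = {"stpublicuploads": 500}  # observed monthly upload volume

if __name__ == "__main__":
    for acct, reason in coverage_gaps(SAMPLE_SETTINGS, SAMPLE_UPLOAD_GB).items():
        print(f"{acct}: {reason}")
    # A token comes from e.g. `az account get-access-token --query accessToken -o tsv`;
    # then: enable_on_upload("/subscriptions/.../storageAccounts/stlegacy", token,
    #                        cap_gb_per_month=1000)
```

Run the audit first and fix the "disabled" rows before you spend money on a baseline on-demand scan; a baseline scan of an account that then keeps receiving unscanned uploads buys you very little.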

Configuring the Alert Flow

When Defender detects malware, the alert flows through:

  1. Defender for Cloud. Alert appears in the Security Alerts blade.
  2. Email notification. Sent to configured recipients (subscription owners by default).
  3. Log Analytics. If diagnostic settings are configured, alerts are logged for SIEM integration.

The email notification is important to configure explicitly. By default, only subscription owners receive alerts. For storage accounts managed by a platform team, the subscription owner might not be the right person to respond to a malware detection.

# Configure the Defender for Cloud security contact for the subscription.
# Flag names below are those of the classic 'az security contact' command;
# newer CLI versions replace --email/--alerts-admins with --emails and
# --notifications-by-role, so check `az security contact create --help`.
az security contact create \
  --name default \
  --email "security-team@company.com" \
  --alert-notifications on \
  --alerts-admins on

Distinguishing Scan Telemetry from Security Alerts

A common point of confusion: scan telemetry and security alerts are different things that go to different places.

Scan telemetry. A record for every scan (blob URI, result type, scan time). It goes to the Log Analytics workspace you select in the Defender for Storage malware scanning settings (the StorageMalwareScanningResults table) and, optionally, to an Event Grid topic; it is not driven by the storage account's own diagnostic settings. This is operational data for tracking scan volume, identifying failed scans, and auditing coverage.

Security alerts. Fired only when malware is detected. These appear in Defender for Cloud and trigger email notifications. This is the action-oriented output that someone needs to respond to.

If you only configure one, configure security alerts. Scan telemetry is useful for operational visibility but is not what a responder acts on. The exception is any application that must refuse to serve unscanned or infected content: that needs the per-blob verdict (the index tag or the Event Grid event), which alerts do not give you.

Attack Path Analysis

While configuring Defender for Storage, also enable attack path analysis in Defender for Cloud. This is a separate feature that maps exploitable paths through your environment: a storage account with a public endpoint, containing sensitive data, accessible by an over-privileged service principal.

Set the notification threshold to Critical and High risk levels. Lower thresholds generate noise that dilutes the actionable findings.

Attack path notifications surface compound risks that individual alerts miss. A storage account might pass every individual security check (encryption enabled, network restricted, scanning active) but still represent a risk when combined with other environmental factors (over-permissive RBAC, exposed service principal credentials, missing network segmentation).

The Cost Summary

Layer                 | Pricing                               | Recommendation
----------------------|---------------------------------------|---------------------------------------
Threat detection      | Included in Defender for Storage plan | Always enable
On-upload scanning    | ~$0.15/GB scanned                     | Enable for externally-facing accounts
On-demand scanning    | ~$0.15/GB scanned                     | One-time baseline scan, then disable
Attack path analysis  | Included in Defender CSPM             | Enable at Critical/High threshold

For a typical environment with 10 storage accounts averaging 500 GB each, the on-upload scanning cost depends entirely on upload volume, not stored data volume. If you upload 100 GB per month, the scanning cost is approximately $15/month. If you upload 1 TB per month, it is $150/month. The per-account monthly cap is the knob that keeps a surprise bulk load from turning into a surprise bill, at the price of leaving anything above the cap unscanned.

This is why understanding your data flow matters more than your data volume. A 10TB storage account that receives 50GB of new uploads monthly is cheaper to scan than a 500GB account that receives 500GB of new uploads monthly.
