Recently, I wanted to enable Defender for Storage on a dedicated storage account using Terraform. Since I had already done this some time ago, I looked up my existing solution, updated the Terraform configuration based on it, and applied the updated configuration to the infrastructure.
resource "azurerm_storage_account" "sa" {
  name                            = replace(local.name_template_short, "<service>", "satest")
  resource_group_name             = azurerm_resource_group.rg.name
  location                        = var.default_location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  account_kind                    = "StorageV2"
  default_to_oauth_authentication = true
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  # shared_access_key_enabled = false # not possible with tf: the azurerm provider uses the
  # account key for its own data-plane calls unless storage_use_azuread = true is set
  # in the provider block
}
# Enable and configure Defender for Storage at the storage account level
resource "azapi_resource_action" "enable-defender-for-sa" {
  type        = "Microsoft.Security/defenderForStorageSettings@2025-07-01-preview"
  resource_id = "${azurerm_storage_account.sa.id}/providers/Microsoft.Security/defenderForStorageSettings/current"
  method      = "PUT"
  body = {
    properties = {
      isEnabled = true
      malwareScanning = {
        onUpload = {
          isEnabled     = true
          capGBPerMonth = 1
        }
        blobScanResultsOptions = "BlobIndexTags"
        automatedResponse      = "BlobSoftDelete"
      }
      sensitiveDataDiscovery = {
        isEnabled = true
      }
      # Account-level settings take precedence over the subscription-level plan
      overrideSubscriptionLevelSettings = true
    }
  }
}
terraform apply ran successfully – so far, so good. However, when I checked the configuration in the Azure portal, I noticed that Defender for Storage had not been enabled as expected, despite the successful apply. Terraform cannot notice this on its own: azapi_resource_action only records the response to its PUT and never reads the resource back, so a request that is accepted but not actually applied looks like success.

After checking several resources (documentation, Microsoft Learn Q&A, …) I was able to fix it by assigning the Owner role at resource group level, or the Defender for Storage Scanner Operator role at storage account level, to the executing user / service principal. The second option is the least-privilege choice: the built-in role exists specifically to enable and configure Defender for Storage on an account, and scoping it to the single storage account avoids handing the deployment identity Owner on the whole resource group. Running terraform apply again produced the expected result.
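The following puts the fix together with a read-back check so that a silently ignored PUT fails the apply instead of going unnoticed. It is an added example, not the post's own configuration and not the linked working example. It assumes the azurerm_storage_account.sa resource from above, azapi provider 2.x (where a data source's output is an object rather than a JSON string), Terraform 1.2 or newer for the postcondition, and a hypothetical input variable deployer_object_id holding the object id of the user or service principal that runs terraform apply.

```hcl
# Added example (not from the original post). Assumptions: azurerm_storage_account.sa
# exists as above, azapi provider 2.x, Terraform >= 1.2, and var.deployer_object_id
# (hypothetical) is the object id of the principal executing terraform apply.

variable "deployer_object_id" {
  description = "Object id of the user / service principal running terraform apply (assumed input)"
  type        = string
}

# Least-privilege form of the fix: the built-in role scoped to this one storage
# account instead of Owner on the whole resource group.
resource "azurerm_role_assignment" "defender_scanner_operator" {
  scope                = azurerm_storage_account.sa.id
  role_definition_name = "Defender for Storage Scanner Operator"
  principal_id         = var.deployer_object_id
}

resource "azapi_resource_action" "enable-defender-for-sa" {
  type        = "Microsoft.Security/defenderForStorageSettings@2025-07-01-preview"
  resource_id = "${azurerm_storage_account.sa.id}/providers/Microsoft.Security/defenderForStorageSettings/current"
  method      = "PUT"
  body = {
    properties = {
      isEnabled = true
      malwareScanning = {
        onUpload = {
          isEnabled     = true
          capGBPerMonth = 1
        }
        blobScanResultsOptions = "BlobIndexTags"
        automatedResponse      = "BlobSoftDelete"
      }
      sensitiveDataDiscovery = {
        isEnabled = true
      }
      overrideSubscriptionLevelSettings = true
    }
  }

  # Without this ordering the PUT can be sent before the role assignment exists,
  # which reproduces the silent no-op described in the post.
  depends_on = [azurerm_role_assignment.defender_scanner_operator]
}

# Read the settings back after the action. The postcondition turns an accepted
# but unapplied PUT into a hard apply error instead of a surprise in the portal.
data "azapi_resource" "defender_for_sa" {
  type                   = "Microsoft.Security/defenderForStorageSettings@2025-07-01-preview"
  resource_id            = "${azurerm_storage_account.sa.id}/providers/Microsoft.Security/defenderForStorageSettings/current"
  response_export_values = ["*"]

  depends_on = [azapi_resource_action.enable-defender-for-sa]

  lifecycle {
    postcondition {
      condition = (
        try(self.output.properties.isEnabled, false) == true &&
        try(self.output.properties.malwareScanning.onUpload.isEnabled, false) == true
      )
      error_message = "Defender for Storage (with on-upload malware scanning) is not enabled on ${azurerm_storage_account.sa.name}. Check that the deploying principal holds 'Defender for Storage Scanner Operator' on the account or Owner on the resource group."
    }
  }
}
```

One practical caveat: Azure role assignments can take a few minutes to propagate, so an apply that creates the role assignment and sends the PUT in the same run may still hit the no-op once; the postcondition then fails the apply and a second terraform apply completes cleanly.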

A working example can be found here.
