best response confirmed by CSP_MO (New Contributor)

We do not recommend excluding storage accounts from the Azure Defender, but If you want to perform cost optimization and you are considering the exclusion of specific storage accounts that are characterized with high traffic from the Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.


To exclude specific storage accounts from Azure Defender, follow the following steps:

Step 1:

Enter the Tags section from the storage account(s) menu, and assign the following tag for the desired account(s) you would like to exclude:





After assigning the Tag name and value, click Apply.

It should look like the screenshot below after applying:


The tag excludes the account from getting updates from the subscription level enablement policy, these updates that occurs daily (If required, you can find here more information on assigning tags)


Step 2:

Disable "Azure Defender" on the desired accounts(s) by performing one of the following actions:


Option A (PowerShell command):

Run the following command in PowerShell on the relevant resource(s):
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>

(the cmdlet is documented here)


Option B - Enable/Disable on the account level (from the Azure Security Center portal):
Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)