Configure Data Sensitivity

Implementation Effort: Medium — Requires enabling and configuring sensitive data threat detection at the subscription or storage account level, with appropriate permissions.

User Impact: Low — The feature runs agentlessly in the background; no user interaction is required.

Overview

Configuring data sensitivity in Microsoft Defender for Storage enables organizations to detect and respond to threats involving sensitive data stored in Azure Blob Storage and Azure Data Lake Storage Gen2. This feature is powered by an agentless sensitive data discovery engine that uses Microsoft Purview’s classification labels and sensitive information types (SITs) to identify and prioritize risks.

Key capabilities include:

• Automatic scanning of supported storage accounts (Standard GPv1, GPv2, Premium block blobs, ADLS Gen2)
• Smart sampling to identify resources with sensitive data
• Weekly recurring scans after initial enablement
• Integration with Microsoft Purview for consistent classification
• Alerts that prioritize incidents involving sensitive data
• No additional cost for enabling the feature

To configure data sensitivity:

1. Ensure you have the necessary permissions (Subscription Owner or Storage Account Owner).
2. Navigate to Microsoft Defender for Cloud in the Azure portal.
3. Select your subscription or storage account.
4. Enable Defender for Storage and toggle on Sensitive data threat detection.

Once enabled, the engine scans existing storage accounts within 24 hours and scans new accounts within 6 hours of creation. This helps security teams focus on high-risk alerts and reduce the likelihood of data breaches.

This capability supports the Zero Trust principle of "Verify Explicitly" by continuously evaluating the sensitivity of stored data and prioritizing alerts accordingly.

Reference

• Sensitive data threat detection in Microsoft Defender for Storage
• Enable sensitive data threat detection
• What is Microsoft Defender for Storage