Enable Sensitive Data Discovery
Implementation Effort: Medium — Requires configuration at the subscription or storage account level and appropriate permissions to enable scanning and integrate with Microsoft Purview.
User Impact: Low — Sensitive data discovery is agentless and runs in the background; no user action is required.
Overview
Sensitive data discovery in Microsoft Defender for Storage helps organizations detect and protect sensitive information stored in Azure Blob Storage and Azure Data Lake Storage. This feature uses an agentless engine that automatically scans storage accounts to identify sensitive data types based on Microsoft Purview’s classification labels and sensitive information types (SITs).
Key capabilities include:
- Automatic scanning of supported storage accounts (Standard GPv1, GPv2, Premium block blobs, ADLS Gen2)
- Weekly recurring scans after initial enablement
- Discovery of sensitive data exposure events and suspicious activities
- Integration with Microsoft Purview for consistent classification
- No additional cost for enabling the feature
To enable sensitive data discovery:
- Ensure you have the required permissions (Subscription Owner or Storage Account Owner).
- Navigate to Microsoft Defender for Cloud in the Azure portal.
- Select your subscription or storage account.
- Enable Defender for Storage and toggle on Sensitive data threat detection.
If this feature is not enabled, organizations may miss critical exposure risks, leading to potential data breaches and compliance violations.
This capability supports the Zero Trust principle of "Verify Explicitly" by continuously evaluating the sensitivity of stored data and prioritizing alerts based on data classification.