Check Resource Coverage

Implementation Effort: Low — Requires administrators to review Defender for Storage coverage via the Azure portal or programmatically using Azure Resource Graph or API.

User Impact: Low — This is a backend administrative task; no user interaction is required.

Overview

Checking resource coverage in Microsoft Defender for Storage ensures that all relevant storage accounts are protected by the Defender plan. When Defender for Storage is enabled at the subscription level, all existing and newly created storage accounts are automatically onboarded. However, administrators can exclude specific accounts, and some accounts may be missed due to misconfiguration or policy exceptions.

To verify coverage:

1. Go to Microsoft Defender for Cloud in the Azure portal.
2. Navigate to Environment settings and select your subscription.
3. Under Defender plans, ensure Defender for Storage is enabled.
4. Use Azure Resource Graph or Azure Policy to query which storage accounts are covered or excluded.
5. Review the Recommendations tab for alerts about unprotected resources.

Ensuring full coverage is critical to avoid blind spots in threat detection and data protection. Unprotected storage accounts may be vulnerable to malware, data exfiltration, or unauthorized access.

This activity supports the Zero Trust principle of "Assume Breach" by ensuring continuous visibility and protection across all storage resources.

Reference

• What is Microsoft Defender for Storage
• Investigate the health of your resources