Microsoft.Security/defenderForStorageSettings does not set filter settings on malware scanning

[waggonerh]

Bicep version
Bicep CLI version 0.39.26 (1e90b06e40)

Describe the bug
When deploying Microsoft.Security/defenderForStorageSettings, values set for excludeBlobsWithPrefix or excludeBlobsWithSuffix are not deployed.

We've tried with API versions 2025-05-01 and 2025-07-01-preview.

To Reproduce
Steps to reproduce the behavior:

Run a bicep deployment to configure storage defender settings:
resource storage_defender 'Microsoft.Security/defenderForStorageSettings@2025-06-01' = { name: 'current' scope: storage properties: { isEnabled: true overrideSubscriptionLevelSettings: true malwareScanning: { automatedResponse: 'None' blobScanResultsOptions: 'blobIndexTags' onUpload: { isEnabled: true capGBPerMonth: 5000 filters: { excludeBlobsWithPrefix: [ 'bronze/archive/' 'silver/archive/' 'gold/archive/' ] excludeBlobsWithSuffix: } } } sensitiveDataDiscovery: { isEnabled: true } } }

Additional context
Running the command with what-if, the change is expected, but when deployed it's not applied.

~ Microsoft.Storage/storageAccounts/*/providers/Microsoft.Security/defenderForStorageSettings/current [2025-07-01-preview]
- properties.dataScannerResourceId: "/subscriptions/*/providers/Microsoft.Security/datascanners/StorageDataScanner"
~ properties.malwareScanning.blobScanResultsOptions: "BlobIndexTags" => "blobIndexTags"
~ properties.malwareScanning.onUpload.filters.excludeBlobsWithPrefix: [
+ 1: "bronze/archive/"
+ 2: "silver/archive/"
+ 3: "gold/archive/"
]

[coRpTitan]

We are facing same issue. Following code:

// Configure Defender for Storage resource defenderForStorage 'Microsoft.Security/defenderForStorageSettings@2025-07-01-preview' = { name: 'current' // Fixed name for this settings resource scope: sa properties: { overrideSubscriptionLevelSettings: true // Use custom settings for this account isEnabled: true sensitiveDataDiscovery: { isEnabled: true } malwareScanning: { blobScanResultsOptions: 'blobIndexTags' onUpload: { capGBPerMonth: 10000 filters: { excludeBlobsWithSuffix: [ // BUG: https://github.com/Azure/bicep-types-az/issues/2654 '.mp4' '.mp3' ] } isEnabled: true } scanResultsEventGridTopicResourceId: topicsDefenderMalwareId // BUG: https://github.com/Azure/bicep-types-az/issues/2654 } } }

Is deployed via standard Azure DevOps runner. Deployment is successful in ADO, but in Azure excludeBlobsWithSuffix and scanResultsEventGridTopicResourceId are both ignored(=not set). Also noticed that there is no option for in Bicep for settings configuration option "Send scan results to Log Analytics".

[stephaniezyen]

Please raise a support ticket or create an issue with the Microsoft.Security team, unfortunately the Bicep team doesn't have the ability to resolve this

[waggonerh]

Is there a little more insight to forward to the security team? Is this an underlying API issue?

Edit: Support ticket - 2601150040007347

[aprilrains]

We are experiencing the same issue.

In the portal I'm able to set both (Filter Item excludeBlobsWithPrefix and scanResultsEventGridTopicResourceId) but running our AzureDevOps pipeline deployment (Hosted agent and ubuntu-latest) and setting them with Bicep I get a successful deployment reported from ADO and the Portal but no changes to the resource for either of these fields.

Deployed using the following API's with the same results
Microsoft.Security/defenderForStorageSettings@2025-02-01-preview
Microsoft.Security/defenderForStorageSettings@2025-06-01
Microsoft.Security/defenderForStorageSettings@2025-07-01-preview

[waggonerh]

After working with support on the API side, this is a resource type definition issue in bicep. Specifically, the property "dataScannerResourceId" is required for the API to set the values.

The line to go just inside of properties, for anyone that wants to copy paste:
dataScannerResourceId: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Security/datascanners/StorageDataScanner'