After enabling on-upload malware scanning for a storage account, the result tag is not created for newly uploaded files
I have a storage account associated with a Network Security Perimeter (NSP). After enabling Defender for Storage on-upload malware scanning with "Store scan results as blob index tags", newly uploaded blobs do not get the Malware Scanning scan results index tag.
Details I've already verified:
• Hierarchical namespace (HNS/ADLS Gen2) is disabled — so blob index tags are supported.
• Files are small block blobs, well under the scan size limit.
• Blobs are uploaded after scanning was enabled.
• The StorageDataScanner managed identity has the Defender Storage Malware Data Scanner role on the account.
• An identical storage account without an NSP shows the tag correctly.
Questions:
- Is this a known limitation of malware scanning when the account is inside an NSP?
- What is the correct way to allow the Defender for Storage scanner to write index tags through the perimeter — e.g., a subscription-based inbound access rule, a service tag, or another mechanism?