After enabling on-upload malware scanning for a storage account, the result tag is not created for newly uploaded files

Bingran Luo 0 Reputation points Microsoft Employee
2026-06-24T22:26:23.2166667+00:00

I have a storage account associated with a Network Security Perimeter (NSP). After enabling Defender for Storage on-upload malware scanning with "Store scan results as blob index tags", newly uploaded blobs do not get the "Malware Scanning scan results" index tag.

Details I've already verified:

• Hierarchical namespace (HNS/ADLS Gen2) is disabled — so blob index tags are supported.

• Files are small block blobs, well under the scan size limit.

• Blobs are uploaded after scanning was enabled.

• The StorageDataScanner managed identity has the Defender Storage Malware Data Scanner role on the account.

• An identical storage account without an NSP shows the tag correctly.

Questions:

  1. Is this a known limitation of malware scanning when the account is inside an NSP?
  2. What is the correct way to allow the Defender for Storage scanner to write index tags through the perimeter — e.g., a subscription-based inbound access rule, a service tag, or another mechanism?