Deploy the Azure Storage Discovery service

To deploy the Azure Storage Discovery service, you need to create a Discovery workspace resource in one of your resource groups. With this resource, you define which storage resources you want to cover across your Microsoft Entra tenant and how you want to segment reporting for them. The workspace offers prebuilt reports in the Azure portal that you can use to retrieve the insights you need about your storage resources.

Follow the steps in this article to create an Azure Storage Discovery workspace resource.

Create a storage discovery workspace

You can create a storage discovery workspace using the Azure portal, Azure PowerShell, or the Azure CLI.

Create an Azure Storage Discovery Workspace resource in the Azure portal by selecting Create as shown in the following image.

Choose the Subscription and Resource group in which to create the discovery workspace. The following table describes each element.

Element	Description
`Name`	The name of the Discovery workspace resource.
`Description`	Optional. Description of the Discovery workspace resource.
`Region`	Azure region where the Discovery resource is created.¹
`Pricing plan`	Storage Discovery pricing plan.²

¹ For information on regions covered, see Storage Discovery workspace regions. ² For information on Storage Discovery pricing plan, see Understand Storage Discovery Pricing.

Define workspaceRoots

A workspaceRoot specifies the top-level Azure resource identifiers where Storage Discovery initiates its scan for storage accounts. These identifiers are typically subscriptions or resource groups, and serve as the root of the discovery process. WorkspaceRoots define the overall scope and boundaries of your Azure estate for analysis.

Select the subscriptions and/or resource groups you want to include in the workspace.

Note

Ensure that the user or service principal deploying the workspace is granted at least Reader access to each specified root.
Up to 100 resources - subscriptions and/or resource groups can be included in one workspace.
The default limit of 100 resources per workspace can be increased. Reach out Azure Support. Provide the tenantID, SubscriptionID where you would want this limit to be increased.

After you add your subscriptions or resource groups to your workspace, the service runs an access check to verify that the user has Microsoft.Storage/storageAccounts/read on the added resources. The following image provides an example of an access check failure with the associated status message.

If you don't have Microsoft.Storage/storageAccounts/read on any of the resources added, remove the resource from the workSpaceRoots to proceed with the creation of workspace or resolve the access issue and try again.

Create a Scope

Scopes are logical groupings of storage accounts within the defined workspaceRoots. Scopes allow you to filter and organize data using tags and resource types, enabling targeted insights. For example, you can create scopes for individual departments, environments, or compliance zones.

Important

A default Scope is added automatically, which includes all storage accounts within subscriptions or resource groups added in the workspaceRoots.

You can optionally add tags to this workspace resource. Then select Review and Create. If the access validation is still running, you can't create the workspace resource yet. Wait for this check to finish, correct any issues, then confirm by selecting Create.

Note

Discovery resource creation fails if the access checks on any subscription or resource group isn't successful.

After the access checks complete successfully, the resource can be deployed as shown in the following sample image.

Create an Azure Storage Discovery workspace resource in the Azure portal by modifying the variables in the following PowerShell script to include your resource group, workspace name, and location. Verify that your values are correct, and then run the script in the Azure PowerShell console.


# First, set variables for the resources
$resGroupName   = "myResourceGroup"
$workSpaceName  = "myStorageDiscoveryWorkspace"
$location       = "East US"
$DiscoveryScopeLevel1 = "myScopeLevel1"
$DiscoveryScopeLevel2 = "myScopeLevel2"

# Next, prepare a DiscoveryScope object
$scope1 =  New-AzStorageDiscoveryScopeObject -DisplayName "test1" `
            -ResourceType "Microsoft.Storage/storageAccounts"  `
            -TagKeysOnly "e2etest1" -Tag @{"tag1" = "value1"; "tag2" = "value2" }
$scope2 =  New-AzStorageDiscoveryScopeObject -DisplayName "test2" `
            -ResourceType "Microsoft.Storage/storageAccounts"  `
            -TagKeysOnly "e2etest2" -Tag @{"tag3" = "value3" }

# Finally, create the discovery workspace
New-AzStorageDiscoveryWorkspace -Name $workSpaceName  -ResourceGroupName $resGroupName `
-Location $location -Description 123 -WorkspaceRoot $DiscoveryScopeLevel1 `
-Sku Standard   -Scope $scope1

Create an Azure Storage Discovery workspace resource using CLI.


az storage-discovery workspace create \
            --resource-group <your-resource-group> \
            --name <your-workspace-name> \
            --location <azure-region> \
            --workspace-roots "/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group>" \
            --scopes '[{"displayName":"basic","resourceTypes":["Microsoft.Storage/storageAccounts"]}]' \
            --sku Standard \
            --description "Optional description"

Required parameters

Parameter	Description
resource-group	The resource group where the workspace is created.
name	The name of the workspace.
location	Azure region for deployment.
workspace-roots	The workspace root designates the storage resources to get insights for. This `string[]` can contain a combination of subscription IDs and resource group IDs. You may mix and match these resource types. The identity under which you deploy the workspace must have permissions to all resources you list at the time of deployment.
scopes	You can create several scopes in a workspace. A scope allows you to filter the storage resources the workspace covers and obtain different reports for each of these scopes. Filtering is based on ARM resource tags on your storage resources. This property expects a `JSON` object containing sections for `tag key name` : `value` combinations or `tag key names` only. When your storage resources have matching ARM resource tags, they're included in this scope.
sku	Pricing tier (Free or Standard).

Optional parameters

Parameter	Description
description	Optional metadata for the workspace.

Note

It can take up to 24 hours after scope creation for metrics to begin appearing in reports.

Feedback

Was this page helpful?

Last updated on 2025-10-10

Share via

Deploy the Azure Storage Discovery service

Create a storage discovery workspace

Define workspaceRoots

Create a Scope

Feedback

Additional resources