Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article discusses the key concepts of the Azure Storage Discovery service.
Azure Storage Discovery workspace
You deploy the Storage Discovery service by creating a Discovery workspace resource in one of your resource groups. As part of creating this resource, you also specify what portions of your Azure Storage estate you want to cover.
You can then access your workspace in the Azure portal to find insights in prebuilt reports. You also need a workspace when asking the Azure Copilot about insights from Storage Discovery.
Workspace Root
The workspace root designates the storage resources to get insights for. A workspace root can contain a combination of subscriptions and resource groups. You may mix and match these resource types. The identity under which you deploy the workspace must have permissions to all resources you list at the time of deployment.
Example:
"workspaceRoots": [
"/subscriptions/ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d",
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup"
]
This configuration covers storage accounts under the specified subscription and resource group.
Scope
You can create several scopes in a workspace. A scope allows you to filter the storage resources the workspace covers and obtain different reports for each of these scopes. Filtering is based on ARM resource tags on your storage resources. A scope contains tag key name : value combinations or tag key names only. When your storage resources have matching ARM resource tags, they're included in this scope.
Here's an example of the JSON structure defining a single scope in a Discovery workspace.
Storage resources are included in this scope when they have both ARM resource tags:
- The tag key
Departmentordepartmentwith case-matching valueMarketing. - The tag key
Apporapp, regardless of its value.
"scopes": [
{
"displayName": "Marketing App Resources",
"resourceTypes": [
"Microsoft.Storage/storageAccounts"
],
"tags": {
"Department": "Marketing"
},
"tagsKeyOnly": [
"App"
]
}
Note
In Azure, tag names (keys) are case-insensitive for operations. Tag values are case-sensitive.
Select a subscription and region for Azure Storage Discovery workspace deployment
An Azure Storage Discovery workspace can be deployed in one of the supported Azure regions.
- France Central
- Canada Central
- East US2
- North Europe
- West Europe
- West US 2
- South Central US
- Australia East
- Central India
- Japan East
- Brazil South
A workspace can cover all storage resources from the same Entra tenant, regardless of their public cloud locations.
Permissions
To deploy a Discovery Workspace, user must have following access:
| Scenario | Minimal Role Based Access Control (RBAC) role assignments needed |
|---|---|
| To deploy Discovery workspace | Contributor access on the subscription or the resource group |
| To include the subscription or resource groups in a Discovery workspace as part of workspaceRoots | Microsoft.Storage/storageAccounts/read access on the subscription or resource group |
| To view Discovery reports | Reader access on the Discovery workspace |
Azure Storage Discovery pricing plans
You can choose between different pricing plans for your Discovery workspace.
| Pricing Plan | Best for | Capacity | Transactions | Configuration | History |
|---|---|---|---|---|---|
| Free | Small-scale deployments and evaluation | • Trends • Distributions • Top storage accounts |
Not available | • Resource configuration | • Backfill: 15 days • Retention: 15 days |
| Standard | Production deployments with comprehensive insights | • Trends • Distributions • Top storage accounts |
• Trends • Distributions • Top storage accounts |
• Resource configuration • Security configuration |
• Backfill: 15 days • Retention: 18 months |