Ensure that the Cross-Tenant Replication feature is disabled for your Azure Storage accounts to prevent object replication across Microsoft Entra tenants. Object replication copies block blobs asynchronously from a source storage account to a destination account; when cross-tenant replication is allowed, the source and destination accounts may belong to different Microsoft Entra tenants, which supports redundancy and disaster recovery across organizational boundaries. That flexibility is also a data-exfiltration path: a principal with rights to manage replication policies on one of your accounts can copy its blobs to an account in a tenant you do not control. The resulting risks are unauthorized data access, data leakage, and compliance breaches.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Disallowing cross-tenant object replication closes that path: replication policies can then only target accounts in the same tenant, so replicated data stays under your tenant's access controls and data governance policies. This control matters most for organizations with rigorous data security and privacy requirements, where inadvertent sharing of sensitive information with another organization is unacceptable.
Audit
To determine if cross-tenant object replication is disabled for your Azure Storage accounts, perform the following operations:
Remediation / Resolution
To disable cross-tenant object replication for your Microsoft Azure Storage accounts, perform the following operations:
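The following script is an added example covering both the audit and the remediation steps above; it is not Conformity's own tooling. It reads the `allowCrossTenantReplication` property from the output of the Azure CLI commands listed in the references (`az storage account list` / `az storage account show` with `-o json`), flags every account where the property is not explicitly `false`, and builds the matching `az storage account update --allow-cross-tenant-replication false` command. Treating a null (unset) value as non-compliant is an assumption made here, because an account whose property was never set does not reject cross-tenant policies. The sample account list is constructed for offline use; pass `--live` to query the subscription you are logged in to and `--apply` to run the updates.

```python
"""Audit and remediate cross-tenant object replication on Azure Storage accounts.

Added example; it is not Conformity's own tooling. It drives the Azure CLI
commands referenced on the page (az storage account list / show / update) and,
for offline use, classifies a constructed sample of `az storage account list`
output. Assumptions are marked in comments.
"""
import json
import subprocess
from typing import Iterable

# Property name in the storage account resource as returned by
# `az storage account list -o json` / `az storage account show -o json`.
PROP = "allowCrossTenantReplication"


def is_noncompliant(account: dict) -> bool:
    """True when cross-tenant replication is not explicitly disabled.

    A missing or null value means the property was never set. Assumption:
    an unset property does not block cross-tenant policies, so it is
    flagged alongside an explicit true.
    """
    return account.get(PROP) is not False


def audit(accounts: Iterable[dict]) -> list[dict]:
    """Return the accounts that still allow cross-tenant replication."""
    return [a for a in accounts if is_noncompliant(a)]


def remediation_command(account: dict) -> list[str]:
    """Build the `az storage account update` argv that disables the feature."""
    return [
        "az", "storage", "account", "update",
        "--name", account["name"],
        "--resource-group", account["resourceGroup"],
        "--allow-cross-tenant-replication", "false",
    ]


def list_accounts_via_cli() -> list[dict]:
    """Fetch all storage accounts in the current subscription with the Azure CLI."""
    out = subprocess.run(
        ["az", "storage", "account", "list", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def remediate(accounts: Iterable[dict], apply: bool = False) -> list[list[str]]:
    """Print (and, with apply=True, run) the update command for each finding."""
    cmds = [remediation_command(a) for a in audit(accounts)]
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            # The update is rejected while a cross-tenant replication policy is
            # still attached to the account; delete that policy first, then rerun.
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample of `az storage account list -o json` output, trimmed to
# the fields used here. These are not real accounts.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stprodlogs01", "resourceGroup": "rg-prod",   "allowCrossTenantReplication": false},
  {"name": "stlegacydata", "resourceGroup": "rg-legacy", "allowCrossTenantReplication": true},
  {"name": "stunsetflag",  "resourceGroup": "rg-dev",    "allowCrossTenantReplication": null}
]
""")


if __name__ == "__main__":
    import sys
    accounts = list_accounts_via_cli() if "--live" in sys.argv else SAMPLE_ACCOUNTS
    findings = audit(accounts)
    print(f"{len(findings)} of {len(accounts)} account(s) allow cross-tenant replication")
    remediate(accounts, apply="--apply" in sys.argv)
```

To spot-check a single account interactively, `az storage account show --name <account> --resource-group <group> --query allowCrossTenantReplication -o tsv` prints `true`, `false`, or nothing when the property is unset; only `false` is compliant. Changing the property to `false` does not delete existing same-tenant replication policies, and it only stops new cross-tenant policies from being created, so audit any replication policies already on the account separately.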
References
- Azure Official Documentation
- Object replication for block blobs
- Configure object replication for block blobs
- Prevent object replication across Microsoft Entra tenants
- Azure Command Line Interface (CLI) Documentation
- az storage account list
- az storage account show
- az storage account update