Disable Cross-Tenant Object Replication

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-025

Ensure that the Cross-Tenant Replication feature is disabled for your Azure Storage accounts in order to prevent object replication across Microsoft Entra tenants. Cross-Tenant Replication enables replication of data across different Microsoft Entra tenants, allowing for redundancy and disaster recovery across organizational boundaries. Although advantageous for data accessibility and sharing, this feature also poses a significant security risk if not properly managed. Potential risks include unauthorized data access, data leakage, and compliance breaches.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Disabling cross-tenant object replication reduces the chance of unauthorized data access and ensures strict adherence to data governance policies. This control is crucial for organizations with rigorous data security and privacy needs, preventing inadvertent sharing of sensitive information.


Audit

To determine if cross-tenant object replication is disabled for your Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Storage accounts blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the resource navigation panel, under Data management, choose Object replication to access the object replication settings and policies available for the selected storage account.

06 Choose Advanced settings and check the status of the Allow cross-tenant replication checkbox, available under Cross-tenant replication. If the Allow cross-tenant replication checkbox is selected, the Cross-Tenant Replication feature is enabled for the selected Azure Storage account.

07 Repeat steps no. 4 – 6 for each Azure Storage account available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the storage account list command (Windows/macOS/Linux) with custom query filters to list the identifier (name) of each Azure Storage account available within the current subscription:

az storage account list \
  --query '[*].name'

02 The command output should return the requested storage account identifiers (names):

[
	"abcdabcdabcd123412341234",
	"abcd1234abcd1234abcd1234"
]

03 Use the storage account show command (Windows/macOS/Linux) to describe the status of the Cross-Tenant Replication feature for the Azure Storage account identified by the --name parameter:

az storage account show \
  --name "abcd1234abcd1234abcd1234" \
  --query allowCrossTenantReplication

04 The command output should return the requested feature status (true for enabled, false for disabled):

true

If the storage account show command output returns true, as shown in the example above, the Cross-Tenant Replication feature is enabled for the selected Azure Storage account.

05 Repeat steps no. 3 and 4 for each Azure Storage account available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To disable cross-tenant object replication for your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Storage accounts blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.

04 Click on the name (link) of the Azure Storage account that you want to configure.

05 In the resource navigation panel, under Data management, choose Object replication to access the object replication settings and policies available for the selected storage account.

06 Choose Advanced settings and uncheck the Allow cross-tenant replication checkbox to disable the Cross-Tenant Replication feature for the selected Azure Storage account. If the Allow cross-tenant replication checkbox can't be deselected, the storage account is currently participating in one or more cross-tenant replication policies; you must remove those policies before cross-tenant object replication can be disabled.

07 Repeat steps no. 4 – 6 for each Azure Storage account that you want to configure, available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the storage account update command (Windows/macOS/Linux) to disable cross-tenant object replication for the Azure Storage account identified by the --name parameter, by setting the --allow-cross-tenant-replication parameter to false. If the storage account is currently participating in one or more cross-tenant replication policies, the update will fail until you delete those policies:

az storage account update \
  --name "abcdabcdabcd123412341234" \
  --allow-cross-tenant-replication false

02 The command output should return the configuration information of the modified storage account:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": null,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"creationTime": "2024-03-18T11:10:00.799725+00:00",
	"customDomain": null,
	"defaultToOAuthAuthentication": null,
	"dnsEndpointType": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcd123412341234",
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"isSkuConversionBlocked": null,
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {
		"ms-resource-usage": "azure-cloud-shell"
	},
	"type": "Microsoft.Storage/storageAccounts"
  }

03 Repeat steps no. 1 and 2 for each Azure Storage account that you want to configure, available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription available in your Microsoft Azure cloud account.
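The audit and remediation steps above can be combined into one pass over a subscription. The following Python is an added example, not part of the Conformity page or the Azure CLI: it parses the JSON that az storage account list returns (a constructed sample is embedded so it runs offline), flags every account whose allowCrossTenantReplication is not explicitly false, and builds the az storage account update command from the remediation section for each finding. It assumes that an unset (null) value should be reported as a finding, since such an account has not been explicitly disabled.

```python
import json

# Constructed sample shaped like `az storage account list` output, trimmed to
# the fields this check reads (names and resource groups are placeholders).
SAMPLE_LIST_OUTPUT = json.dumps([
    {"name": "abcdabcdabcd123412341234", "resourceGroup": "rg-one",
     "allowCrossTenantReplication": True},
    {"name": "abcd1234abcd1234abcd1234", "resourceGroup": "rg-two",
     "allowCrossTenantReplication": False},
    {"name": "legacyacct0000000000001", "resourceGroup": "rg-one",
     "allowCrossTenantReplication": None},
])


def find_noncompliant(list_output: str) -> list[dict]:
    """Return accounts whose allowCrossTenantReplication is not explicitly false.

    Assumption: a null/absent value is also reported, because the property was
    never set and the account is therefore not provably disabled.
    """
    findings = []
    for acct in json.loads(list_output):
        value = acct.get("allowCrossTenantReplication")
        if value is not False:
            findings.append({
                "name": acct["name"],
                "resourceGroup": acct.get("resourceGroup"),
                "allowCrossTenantReplication": value,
            })
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Build one `az storage account update` call per finding (the page's
    remediation command, with --resource-group added to pin the target)."""
    return [
        'az storage account update --name "%s" --resource-group "%s" '
        '--allow-cross-tenant-replication false'
        % (f["name"], f["resourceGroup"])
        for f in findings
    ]


if __name__ == "__main__":
    hits = find_noncompliant(SAMPLE_LIST_OUTPUT)
    for h in hits:
        print("FINDING: %s (allowCrossTenantReplication=%s)"
              % (h["name"], h["allowCrossTenantReplication"]))
    for cmd in remediation_commands(hits):
        print(cmd)
```

On a real subscription, feed it the output of az storage account list (unfiltered, so each object carries allowCrossTenantReplication and resourceGroup) and review the generated commands before running them, since an account still bound to a replication policy will reject the update.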

Publication date May 27, 2024