
Disable Shared Key Authorization

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To mitigate security risks associated with compromised keys and to enforce least privilege access and more granular access control through Microsoft Entra ID, disable Shared Key authorization for your Microsoft Azure Storage accounts. Once Shared Key authorization is disabled, Microsoft Azure will reject all subsequent requests to that account authorized with access keys. Only secure requests authorized with Microsoft Entra ID will succeed.

Security

Disabling Shared Key authorization for Azure Storage accounts enhances security by reducing the risk of key leakage. A Shared Key grants full access to every resource in the storage account, which makes it a high-value target. Instead, use Microsoft Entra ID authorization, which offers more granular, role-based access control (RBAC) and better auditing. Trend Cloud One™ – Conformity strongly recommends Microsoft Entra ID for its superior security compared to Shared Key authorization. To follow security best practices and ensure compliance, disable Shared Key authorization on your Azure Storage accounts, requiring all clients to use Microsoft Entra ID.


Audit

To determine if Shared Key authorization is disabled for your Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected Storage account.

07 Check the Allow storage account key access configuration setting to determine if Shared Key authorization is disallowed. If Allow storage account key access is set to Enabled, Shared Key authorization is not disabled for the selected Microsoft Azure Storage account.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account list command (Windows/macOS/Linux) with custom output filters to list the identifier (name) of each storage account provisioned in the selected subscription:

az storage account list \
	--query '[*].name'

05 The command output should return the requested storage account names:

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run the storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to determine if Shared Key access is allowed for the selected Storage account:

az storage account show \
	--name project5storageaccount \
	--query 'allowSharedKeyAccess'

07 The command output should return the requested configuration status (true for enabled, false for disabled):

true

If the storage account show command output returns true, as shown in the example above, Shared Key authorization is not disabled for the selected Microsoft Azure Storage account.

08 Repeat steps no. 6 and 7 for each Azure Storage account created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable Shared Key authorization for your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected Storage account.

07 Set the Allow storage account key access configuration setting to Disabled and choose Save to deactivate Shared Key authorization for the selected Azure Storage account. Once the configuration settings are applied, any requests to the selected Storage account that are authorized with Shared Key, including shared access signatures (SAS), will be denied (403 Forbidden). This forces all clients to use Microsoft Entra ID for authorization.

08 Repeat steps no. 5 – 7 for each Azure Storage account provisioned within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account update command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to configure as the identifier parameter to disable Shared Key authorization for the selected Azure Storage account. Once Shared Key authorization is disabled, any requests to the selected Storage account that are authorized with Shared Key, including shared access signatures (SAS), will be denied. This forces all clients to use Microsoft Entra ID for authorization:

az storage account update \
	--name project5storageaccount \
	--allow-shared-key-access false

05 The command output should return the configuration information available for the modified resource:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": false,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"customDomain": null,
	"defaultToOAuthAuthentication": false,
	"dnsEndpointType": "Standard",
	"enableExtendedGroups": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"encryption": {
		"encryptionIdentity": null,
		"keySource": "Microsoft.Storage",
		"keyVaultProperties": null,
		"requireInfrastructureEncryption": false,
		"services": {
			"blob": {
				"enabled": true,
				"keyType": "Account"
			},
			"file": {
				"enabled": true,
				"keyType": "Account"
			},
			"queue": null,
			"table": null
		}
	},
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"isSkuConversionBlocked": null,
	"keyPolicy": null,
	"kind": "StorageV2",
	"largeFileSharesState": "Enabled",
	"lastGeoFailoverTime": null,
	"location": "westeurope",
	"minimumTlsVersion": "TLS1_2",
	"name": "project5storageaccount",
	"networkRuleSet": {
		"bypass": "AzureServices",
		"defaultAction": "Deny",
		"ipRules": [],
		"ipv6Rules": [],
		"resourceAccessRules": [],
		"virtualNetworkRules": [
			{
				"action": "Allow",
				"state": "Succeeded",
				"virtualNetworkResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001"
			}
		]
	},
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

06 Repeat steps no. 4 and 5 for each Azure Storage account created within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
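The audit loop (steps 03 – 08 of the Audit CLI procedure, repeated over every subscription) and the remediation command from step 04 above, as an added Python example that is not part of this article. It shells out to the same az CLI commands and assumes a logged-in az session; the sample account list is constructed here to illustrate the one caveat the audit should handle: an account whose allowSharedKeyAccess property is null (never set) still allows Shared Key, so only an explicit false counts as compliant.

```python
"""Find, and optionally fix, storage accounts that still allow Shared Key authorization."""
import json
import subprocess

# Constructed sample of `az storage account list --output json`, trimmed to the
# fields this check reads. null = property never set = service default = ALLOWED.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "project5storageaccount", "allowSharedKeyAccess": false},
  {"name": "cloudaistorageaccount",  "allowSharedKeyAccess": true},
  {"name": "legacystorageaccount",   "allowSharedKeyAccess": null}
]
""")


def az_json(*args):
    """Run an az CLI command and parse its JSON output (needs `az login` beforehand)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def shared_key_allowed(account):
    """Only an explicit false disables Shared Key; true, null or a missing key all allow it."""
    return account.get("allowSharedKeyAccess") is not False


def noncompliant(accounts):
    """Names of accounts where Shared Key authorization is not disabled, sorted."""
    return sorted(a["name"] for a in accounts if shared_key_allowed(a))


def audit_all_subscriptions():
    """Map subscription ID -> non-compliant account names, across every subscription."""
    findings = {}
    for sub_id in az_json("account", "list", "--query", "[].id"):
        bad = noncompliant(az_json("storage", "account", "list", "--subscription", sub_id))
        if bad:
            findings[sub_id] = bad
    return findings


def disable_shared_key(sub_id, name):
    """Apply the remediation (step 04 above); returns the new allowSharedKeyAccess value.
    Note: this also denies SAS-authorized requests to the account, as the article states."""
    updated = az_json("storage", "account", "update", "--subscription", sub_id,
                      "--name", name, "--allow-shared-key-access", "false")
    return updated["allowSharedKeyAccess"]


if __name__ == "__main__":
    for sub_id, names in audit_all_subscriptions().items():
        for name in names:
            print(f"{sub_id}\t{name}\tShared Key authorization NOT disabled")
```

Run the script as-is to report findings only; call disable_shared_key() for each reported account once you have confirmed no client still depends on account keys or SAS tokens.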

Publication date May 8, 2025