
Enable Geo-Redundant Storage (GRS)


Risk Level: Medium (should be achieved)

To provide robust data protection against regional failures, ensure that geo-redundant storage (GRS) is enabled for your Microsoft Azure Storage accounts. Azure GRS replicates data three times within the primary region using Locally Redundant Storage (LRS) and asynchronously copies it to a secondary region. This methodology provides 16 nines (99.99999999999999%) annual durability, ensuring high availability and resilience against regional outages.

Reliability

Once geo-redundant storage (GRS) is enabled, Microsoft Azure copies your data to a geographically separate location so that it is protected from transient hardware failures, network or power outages, and natural disasters. This significantly reduces the risk of data loss, supports business continuity, and meets high availability requirements for disaster recovery.


Audit

To determine if geo-redundant storage is enabled for your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Data management, choose Redundancy to access the redundancy settings available for the selected Storage account.

07 Check the Redundancy configuration setting to determine the replication strategy chosen for your Storage account. If Redundancy is not set to Geo-redundant storage (GRS), geo-redundant storage is not enabled for the selected Microsoft Azure Storage account.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to make the selected subscription the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account list command (Windows/macOS/Linux) with custom output filters to return the identifier (name) of each storage account provisioned in the selected subscription:

az storage account list --query '[*].name'

05 The command output should return the requested storage account names:

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run the storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to determine the replication strategy chosen for the selected Storage account:

az storage account show --name project5storageaccount --query 'sku.name'

07 The command output should return the name of the replication strategy used ("Standard_LRS" for locally-redundant storage, "Standard_GRS" for geo-redundant storage, "Standard_RAGRS" for read-access geo-redundant storage, etc.):

"Standard_LRS"

If the storage account show command output does not return "Standard_GRS", geo-redundant storage (GRS) is not enabled for the selected Microsoft Azure Storage account.

08 Repeat steps no. 6 and 7 for each Azure Storage account created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that geo-redundant storage (GRS) is enabled for your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, under Data management, choose Redundancy to access the redundancy settings available for the selected Storage account.

07 Set Redundancy to Geo-redundant storage (GRS) and choose Save to apply the configuration changes. This will implement the geo-redundant storage (GRS) replication strategy for the selected Microsoft Azure Storage account.

08 Repeat steps no. 5 – 7 for each Azure Storage account that you want to configure, provisioned within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to make the selected subscription the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account update command (OSX/Linux/UNIX) with the name of the Microsoft Azure Storage account that you want to configure as the identifier parameter, to implement the geo-redundant storage (GRS) replication strategy for the selected Azure Storage account:

az storage account update --name project5storageaccount --sku Standard_GRS

05 The command output should return the configuration information available for the modified resource:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": false,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"customDomain": null,
	"defaultToOAuthAuthentication": false,
	"dnsEndpointType": "Standard",
	"enableExtendedGroups": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"encryption": {
		"encryptionIdentity": null,
		"keySource": "Microsoft.Storage",
		"keyVaultProperties": null,
		"requireInfrastructureEncryption": false,
		"services": {
			"blob": {
				"enabled": true,
				"keyType": "Account"
			},
			"file": {
				"enabled": true,
				"keyType": "Account"
			},
			"queue": null,
			"table": null
		}
	},
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"isSkuConversionBlocked": null,
	"keyPolicy": null,
	"kind": "StorageV2",
	"largeFileSharesState": "Enabled",
	"lastGeoFailoverTime": null,
	"location": "westeurope",
	"minimumTlsVersion": "TLS1_2",
	"name": "project5storageaccount",
	"networkRuleSet": {
		"bypass": "AzureServices",
		"defaultAction": "Deny",
		"ipRules": [],
		"ipv6Rules": [],
		"resourceAccessRules": [],
		"virtualNetworkRules": [
			{
				"action": "Allow",
				"state": "Succeeded",
				"virtualNetworkResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001"
			}
		]
	},
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_GRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

06 Repeat steps no. 4 and 5 for each Azure Storage account that you want to configure, created in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
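
The audit and remediation loops described above, scripted as an added example (not Trend Micro's or Microsoft's code): it classifies each account's sku.name, flags anything other than "Standard_GRS" as the page's check does, and prints rather than runs the update command for failing accounts. The REVIEW status for the other geo-replicated SKUs, the function names and the sample rows are assumptions of this example.

```shell
# Added example (not vendor code): audit redundancy for every storage account
# in every subscription and print, not run, the fix for failing accounts.
TAB=$(printf '\t')
# classify_sku SKU -> PASS (the page's target), REVIEW (geo-replicated SKU
# that the page's strict "Standard_GRS" comparison still flags), or FAIL.
classify_sku() {
    case "$1" in
        Standard_GRS) echo PASS ;;
        Standard_RAGRS|Standard_GZRS|Standard_RAGZRS) echo REVIEW ;;
        *) echo FAIL ;;
    esac
}

# audit_tsv SUBSCRIPTION: reads "name<TAB>sku" rows on stdin, writes
# "status<TAB>subscription<TAB>name<TAB>sku"; returns 1 unless all rows PASS.
audit_tsv() {
    a_sub=$1; a_rc=0
    while IFS=$TAB read -r a_name a_sku; do
        [ -n "$a_name" ] || continue
        a_status=$(classify_sku "$a_sku")
        [ "$a_status" = PASS ] || a_rc=1
        printf '%s\t%s\t%s\t%s\n' "$a_status" "$a_sub" "$a_name" "$a_sku"
    done
    return "$a_rc"
}

# fix_commands: reads audit_tsv rows, prints the update command per FAIL row.
fix_commands() {
    while IFS=$TAB read -r f_status f_sub f_name f_sku; do
        [ "$f_status" = FAIL ] || continue
        echo "az storage account update --subscription $f_sub --name $f_name --sku Standard_GRS"
    done
}

# audit_all: live run; needs an authenticated az CLI session.
audit_all() {
    for s in $(az account list --query '[*].id' -o tsv); do
        az storage account list --subscription "$s" \
            --query '[*].[name, sku.name]' -o tsv | audit_tsv "$s" || :
    done
}

# Constructed sample rows; the first two account names are the page's.
sample_tsv() {
    printf '%s\t%s\n' project5storageaccount Standard_LRS \
        cloudaistorageaccount Standard_GRS examplearchive Standard_RAGRS
}
if [ "${1:-}" = "--live" ]; then audit_all | fix_commands
else sample_tsv | audit_tsv sample-sub | fix_commands; fi
```

Run it with --live against an authenticated az session; with no argument it processes only the constructed sample rows.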

Publication date May 8, 2025