Ensure that "Allow trusted Microsoft services to access this storage account" exception is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Enabling firewall rules for your storage account blocks incoming requests for data, including requests from other Azure services. To allow those Azure services to work as intended and reach your storage account resources, you have to add an exception so that trusted Microsoft Azure services can bypass your network rules. If the "Allow trusted Microsoft services to access this storage account" exception is enabled, the following services are granted access to your storage account: Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). To keep this access secure, all of these cloud services use strong authentication methods when accessing storage account resources.
Audit
To determine if the "Allow trusted Microsoft services to access this storage account" exception is enabled, perform the following actions:
Remediation / Resolution
To allow trusted Microsoft services to access your Azure Storage accounts, perform the following actions:
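As an added audit helper (not part of this Conformity rule page or of the az CLI itself), the following Python applies the check described above to a constructed sample of `az storage account list` output and builds the `az storage account update --bypass` command for each account that fails; the account and resource group names are constructed.

```python
import json

# Constructed sample shaped like `az storage account list` output; only
# the fields the check needs are included (not real account data).
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stprodlogs01", "resourceGroup": "rg-prod",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "Logging, Metrics"}},
    {"name": "stprodbackup02", "resourceGroup": "rg-prod",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices, Logging"}},
    {"name": "stdevopen03", "resourceGroup": "rg-dev",
     "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"}},
])


def parse_accounts(az_list_json):
    """Decode the JSON array printed by `az storage account list`."""
    return json.loads(az_list_json)


def bypass_services(rule_set):
    """Turn the comma-separated `bypass` string into a set of entries."""
    raw = rule_set.get("bypass") or "None"
    return {item.strip() for item in raw.split(",") if item.strip()}


def trusted_services_allowed(account):
    """True when trusted Microsoft services can reach the account.
    defaultAction Allow means the firewall restricts nothing, so the
    exception is moot; with Deny, AzureServices must be in the bypass list."""
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") == "Allow":
        return True
    return "AzureServices" in bypass_services(rules)


def audit(az_list_json):
    """Names of the accounts that fail the check, in listing order."""
    return [a["name"] for a in parse_accounts(az_list_json)
            if not trusted_services_allowed(a)]


def remediation_command(account):
    """Build the `az storage account update --bypass ...` call for a failing
    account. --bypass replaces the whole list, so the existing entries
    (Logging, Metrics) are kept and AzureServices is added to them."""
    keep = bypass_services(account.get("networkRuleSet") or {}) - {"None"}
    values = " ".join(sorted(keep | {"AzureServices"}))
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} --bypass {values}")


if __name__ == "__main__":
    for acct in parse_accounts(SAMPLE_AZ_OUTPUT):
        if trusted_services_allowed(acct):
            print(f"PASS {acct['name']}")
        else:
            print(f"FAIL {acct['name']}: {remediation_command(acct)}")
```

Against a live subscription, feed the script the output of `az storage account list` and review each generated `az storage account update` command before running it.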
References
- Azure Official Documentation
  - Configure Azure Storage firewalls and virtual networks
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
  - az
  - az storage account list
  - az storage account show
  - az storage account update