- Enable Data Access Authentication Mode
Ensure that the Data Access Authentication Mode feature is enabled for your Azure virtual machine (VM) disks in order to provide secure and restricted disk upload/export operations.
If you are utilizing Microsoft Entra ID to manage Azure resource access, you can now implement restrictions on the uploads and downloads of Azure virtual machine (VM) disks. When a user tries to upload or download a disk, Azure verifies the identity of the requesting user through Microsoft Entra ID and ensures that the user has the necessary permissions. Furthermore, a system administrator can define an Azure policy to mandate that all disks use Microsoft Entra ID for upload or download operations. Data Access Authentication Mode enhances security by providing an additional layer of protection for your Azure virtual machine (VM) managed disks.
Audit
To determine if the data access authentication mode is enabled for your Azure virtual machine disks, perform the following operations:
Using Azure Portal
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Virtual machine, and choose Apply to list only the virtual machine (VM) instances available in the selected subscription.
05 Click on the name (link) of the Azure virtual machine that you want to examine.
06 In the VM navigation panel, under Settings, select Disks to view the disk volumes currently attached to the selected virtual machine.
07 Click on the name (link) of the VM disk that you want to examine.
08 In the disk navigation panel, under Settings, select Disk Export to access the upload/export settings available for the selected disk volume.
09 Verify the Enable data access authentication mode setting checkbox to determine if data access with Microsoft Entra ID authentication is enabled for disk upload/export. If the Enable data access authentication mode setting checkbox is unchecked, the Data Access Authentication Mode feature is not enabled for the selected Azure virtual machine (VM) disk.
10 Repeat steps no. 7 – 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 5 – 10 for each Azure virtual machine available within the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run vm list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure virtual machine (VM) provisioned in the selected subscription:
az vm list --query '[*].id'
05 The command output should return the requested VM resource identifiers (IDs):
[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-wordpress-server"
]
06 Run vm show command (Windows/macOS/Linux) with the ID of the Azure virtual machine that you want to examine as the identifier parameter and custom output filters to describe the ID of each disk volume attached to the selected virtual machine:
az vm show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm" --query 'storageProfile.{"dataDisks":dataDisks[].managedDisk.id,"osDisk":osDisk.managedDisk.id}'
07 The command output should return the requested disk volume identifiers (IDs), the OS disk as a single value and the data disks as an array:
{
  "osDisk": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1",
  "dataDisks": [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_DataDisk_1"
  ]
}
08 Run disk show command (Windows/macOS/Linux) with the ID of the Azure VM disk volume that you want to examine as the identifier parameter and custom output filters to determine if data access with Microsoft Entra ID authentication is enabled for disk upload/export:
az disk show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1" --query '{"dataAccessAuthMode":dataAccessAuthMode}'
09 The command output should return the status of the data access authentication mode configured for the disk resource:
{ "dataAccessAuthMode": "None" }
If the disk show command output does not return "AzureActiveDirectory" for "dataAccessAuthMode", the Data Access Authentication Mode feature is not enabled for the selected Azure virtual machine (VM) disk.
10 Repeat steps no. 8 and 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 6 – 10 for each Azure virtual machine available in the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To ensure that data access authentication mode is enabled for your Microsoft Azure virtual machine (VM) disks, perform the following operations:
Using Azure Portal
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Virtual machine, and choose Apply to list only the virtual machine (VM) instances available in the selected subscription.
05 Click on the name (link) of the Azure virtual machine that you want to configure.
06 In the VM navigation panel, under Settings, select Disks to view the disk volumes currently attached to the selected virtual machine.
07 Click on the name (link) of the VM disk that you want to configure.
08 In the disk navigation panel, under Settings, select Disk Export to access the upload/export settings available for the selected disk volume.
09 Check the Enable data access authentication mode setting checkbox to enable the Data Access Authentication Mode feature for the selected Azure virtual machine (VM) disk. Choose Save to apply the configuration settings. This will allow data access with Microsoft Entra ID authentication for secure disk upload/export.
10 Repeat steps no. 7 – 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 5 – 10 for each Azure virtual machine available within the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run disk update command (Windows/macOS/Linux) with the ID of the Azure VM disk volume that you want to configure as the identifier parameter, to enable the Data Access Authentication Mode feature for the selected Azure virtual machine (VM) disk. This will allow data access with Microsoft Entra ID authentication for secure disk upload/export:
az disk update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1" --data-access-auth-mode AzureActiveDirectory
05 The command output should return the configuration information available for the modified resource:
{
  "LastOwnershipUpdateTime": "2025-02-11T16:00:00.42784+00:00",
  "creationData": {
    "createOption": "FromImage",
    "imageReference": {
      "id": "/Subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/Providers/Microsoft.Compute/Locations/westeurope/Publishers/canonical/ArtifactTypes/VMImage/Offers/ubuntu-24_04-lts/Skus/server/Versions/24.04.2025"
    }
  },
  "dataAccessAuthMode": "AzureActiveDirectory",
  "diskIOPSReadWrite": 120,
  "diskMBpsReadWrite": 25,
  "diskSizeBytes": 32213303296,
  "diskSizeGB": 30,
  "diskState": "Attached",
  "encryption": {
    "type": "EncryptionAtRestWithPlatformKey"
  },
  "hyperVGeneration": "V2",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1",
  "location": "westeurope",
  "managedBy": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm",
  "name": "cc-project5-web-vm_OsDisk_1",
  "networkAccessPolicy": "AllowAll",
  "osType": "Linux",
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "name": "Premium_LRS",
    "tier": "Premium"
  },
  "supportedCapabilities": {
    "acceleratedNetwork": true,
    "architecture": "x64",
    "diskControllerTypes": "SCSI, NVMe"
  },
  "supportsHibernation": true,
  "tier": "P4",
  "type": "Microsoft.Compute/disks",
  "zones": [
    "1"
  ]
}
06 Repeat steps no. 4 and 5 for each VM disk provisioned for the selected virtual machine.
07 Repeat steps no. 4 – 6 for each Azure virtual machine available in the selected subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
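The Azure CLI audit and remediation procedures above can be combined into one script that walks every subscription, virtual machine and attached managed disk. This is an added example, not code from the original page: it uses the same az commands as the steps, with -o tsv output so the values can be looped over, and includes a constructed sample of az disk show output for an offline self-check.

```shell
# Added example, not from the original page: walks every subscription, VM and
# attached managed disk with the az commands shown above, reports disks whose
# dataAccessAuthMode is not AzureActiveDirectory and, with "--fix", applies the
# remediation command. The live walk needs an authenticated Azure CLI session.
set -u

# Constructed sample of "az disk show" output, used for the offline self-check.
SAMPLE_DISK_JSON='{ "dataAccessAuthMode": "None" }'

# Pull the dataAccessAuthMode value out of "az disk show" JSON output.
mode_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"dataAccessAuthMode": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Exit status 0 only when upload/export is restricted to Microsoft Entra ID.
evaluate_mode() { [ "$1" = "AzureActiveDirectory" ]; }

# Offline self-check: returns 1 because the constructed sample disk is non-compliant.
check_sample() { evaluate_mode "$(mode_from_json "$SAMPLE_DISK_JSON")"; }

# Live audit; pass "--fix" to enable the mode on every non-compliant disk.
audit_all() {
  fix="${1:-}"; rc=0
  for sub in $(az account list --query '[*].id' -o tsv); do
    az account set --subscription "$sub"
    for vm in $(az vm list --query '[*].id' -o tsv); do
      os_disk=$(az vm show --ids "$vm" --query 'storageProfile.osDisk.managedDisk.id' -o tsv)
      data_disks=$(az vm show --ids "$vm" --query 'storageProfile.dataDisks[].managedDisk.id' -o tsv)
      for disk in $os_disk $data_disks; do
        mode=$(az disk show --ids "$disk" --query 'dataAccessAuthMode' -o tsv)
        if evaluate_mode "$mode"; then
          echo "COMPLIANT     $disk"
          continue
        fi
        echo "NON-COMPLIANT $disk (dataAccessAuthMode=${mode:-unset})"; rc=1
        if [ "$fix" = "--fix" ]; then
          az disk update --ids "$disk" --data-access-auth-mode AzureActiveDirectory -o none
        fi
      done
    done
  done
  return "$rc"
}

case "${1:-}" in
  run) audit_all "${2:-}" ;;   # usage: sh audit-disk-auth.sh run [--fix]
esac
```

Because the walk starts from virtual machines, managed disks that are not attached to any VM are never visited; az disk list covers those as well if you need the whole subscription.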
References
- Azure Official Documentation
- Restrict managed disks from being imported or exported
- Download a Linux VHD from Azure
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az vm list
- az vm show
- az disk show
- az disk update