Storage Accounts should have ‘Trusted Microsoft Services’ enabled

Description

Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules. Enabling “Trusted Microsoft Services” allows Azure Backup, Azure Site Recovery, Azure Networking, Azure Monitor, and other Azure services to access your storage account and bypass any firewall rules.

Remediation Steps

Azure Portal

  • Navigate to Storage Accounts.

  • Select the storage account and in the left navigation, select Networking.

  • Select the Firewalls and virtual networks tab, and in the Allow access from section, select Selected networks.

  • Under Exceptions, select Allow Azure services on the trusted services list to access this storage account.

  • Click Save.

Azure CLI

  • Update trusted Microsoft services:

    • az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --bypass AzureServices
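To verify the setting across many accounts, the JSON that `az storage account show` returns (its `networkAcls` object) can be evaluated directly. The following is an added example and not part of the original page: it parses the comma-separated `bypass` string, reports whether `AzureServices` is present, and separately notes whether the firewall is actually enforcing (`defaultAction` of `Deny`), since the exception only takes effect when other networks are being denied. The sample account records are constructed.

```python
import json

# Constructed sample of the name and networkAcls fields that
# `az storage account show` returns; these are not real accounts.
SAMPLE_ACCOUNTS = [
    {"name": "stbackupprod",
     "networkAcls": {"defaultAction": "Deny", "bypass": "Logging, Metrics, AzureServices"}},
    {"name": "stlogsdev",
     "networkAcls": {"defaultAction": "Deny", "bypass": "None"}},
    {"name": "stpublicweb",
     "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}},
]


def bypass_set(network_acls: dict) -> set:
    """Parse the comma-separated bypass string (e.g. 'Logging, Metrics, AzureServices' or 'None')."""
    raw = network_acls.get("bypass") or "None"
    return {item.strip() for item in raw.split(",")} - {"None", ""}


def evaluate(account: dict) -> dict:
    """Return a finding for one account: PASS when AzureServices is in the bypass list."""
    acls = account.get("networkAcls") or {}
    default_action = acls.get("defaultAction", "Allow")
    trusted = "AzureServices" in bypass_set(acls)
    return {
        "name": account["name"],
        "trustedServices": trusted,
        # The exception only matters when the firewall denies by default;
        # with defaultAction Allow, every network is already admitted.
        "firewallEnforced": default_action == "Deny",
        "status": "PASS" if trusted else "FAIL",
    }


def evaluate_all(accounts) -> list:
    return [evaluate(a) for a in accounts]


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_ACCOUNTS):
        print(json.dumps(result))
```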

Azure Resource Manager

{
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices"
    }
  }
}

Example Configuration

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-06-01",
  "name": "<StorageAccountName>",
  "location": "<location>",
  "sku": {
    "name": "Standard_LRS"
  },
  "kind": "StorageV2",
  "properties": {
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}