AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Resource Access Rules Tenants should be restricted for Storage Accounts

Azure Landing Zones (ALZ) Policy definition

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Deny-Storage-ResourceAccessRulesTenantId

Display name

Resource Access Rules Tenants should be restricted for Storage Accounts

Deny-Storage-ResourceAccessRulesTenantId

Version

1.0.0
Details on versioning

Category

Storage

Description

Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.

Cloud environments

AzureChinaCloud
AzureCloud
AzureUSGovernment

Mode

All

Type

Custom Azure Landing Zones (ALZ)

Preview

False

Deprecated

False

Effect

Default
Deny
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (2)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]	Microsoft.Storage	storageAccounts	properties.networkAcls.resourceAccessRules[*]	True		False
Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId	Microsoft.Storage	storageAccounts	properties.networkAcls.resourceAccessRules[*].tenantId	True		False

Rule resource types

IF (1)
Microsoft.Storage/storageAccounts

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State
Enforce recommended guardrails for Storage Account	Enforce-Guardrails-Storage	Storage	GA

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2024-06-03 17:39:43	add	Deny-Storage-ResourceAccessRulesTenantId

JSON compare

n/a

JSON

EPAC