Configure your Storage account public access to be disallowed

Azure BuiltIn Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Storage/storageAccounts/allowBlobPublicAccess

Microsoft.Storage

storageAccounts

properties.allowBlobPublicAccess

True

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Storage/storageAccounts/allowBlobPublicAccess

Microsoft.Storage

storageAccounts

properties.allowBlobPublicAccess

True

Rows: 1-2 / 2

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 1

Initiative DisplayName

Initiative Id

Initiative Category

State

Type

polSet in AzUSGov

[Preview]: Control the use of Storage Accounts in a Virtual Enclave

ca122c06-05f6-4423-9018-ccb523168eb2

VirtualEnclaves

Preview

BuiltIn

true

Enforce recommended guardrails for Storage Account

Enforce-Guardrails-Storage

Storage

ALZ

Date/Time (UTC ymd) (i)

Change type

Change detail

2022-09-02 16:33:37

add

13502221-8df0-4414-9937-de9c5c4e396b

{

displayName: "Configure your Storage account public access to be disallowed",
policyType: "BuiltIn",
mode: "Indexed",
description: "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",
metadata: {2 items
- version: "1.0.0",
- category: "Storage"
},
parameters: {1 item
- effect: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Effect",
    - description: "The effect determines what happens when the policy rule is evaluated to match"
    },
  - allowedValues: [2 items
    - "Modify",
    - "Disabled"
    ],
  - defaultValue: "Modify"
  }
},
policyRule: {2 items
- if: {1 item
  - allOf: [2 items
    - {2 items
      - field: "type",
      - equals: "Microsoft.Storage/storageAccounts"
      },
    - {1 item
      - anyOf: [2 items
        {1 item
        allOf: [2 items
        {2 items
        value: "[requestContext().apiVersion]",
        less: "2019-04-01"
        },
        {2 items
        field: "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
        exists: "true"
        }
        ]
        },
        {2 items
        field: "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
        equals: "true"
        }
        ]
      }
    ]
  },
- then: {2 items
  - effect: "[parameters('effect')]",
  - details: {3 items
    - conflictEffect: "audit",
    - roleDefinitionIds: [1 item
      - "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" Storage Account Contributor
      ],
    - operations: [1 item
      - {4 items
        condition: 🔍"[ greaterOrEquals( requestContext().apiVersion, '2019-04-01' ) ]",
        operation: "addOrReplace",
        field: "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
        value: false
        }
      ]
    }
  }
}

}