last sync: 2025-May-09 17:30:01 UTC

Storage accounts should prevent allowed copy scope outside AAD tenant

Community Policy definition

Source Repository Community-Policy GitHub
JSON Community-Policy GitHub
Deploy policy 63dd3af3-11bb-4328-92d2-85ec87cbf923 (1.0.0) to Azure
Display name Storage accounts should prevent allowed copy scope outside AAD tenant
Id 63dd3af3-11bb-4328-92d2-85ec87cbf923
Version 1.0.0
Details on versioning
Category Storage
Microsoft Learn
Description Audit restriction of copy operations for your storage account. By default, users can copy from a source storage account in one Azure AD tenant to a destination account in a different tenant. This is a security concern because the customer's data can be replicated to a storage account that is not owned by the customer. By setting allowedCopyScope to AAD, copy operations are permitted only if both the source and destination accounts are in the same Azure AD tenant.
Mode All
Type Custom Community
Effect Default Audit
Effect Allowed Deny, Audit, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/allowedCopyScope Microsoft.Storage storageAccounts properties.allowedCopyScope True True
Rule resource types IF (1)
Microsoft.Storage/storageAccounts