last sync: 2021-Jan-15 16:07:21 UTC

Azure Policy definition

Storage accounts should allow access from trusted Microsoft services

Name: Storage accounts should allow access from trusted Microsoft services
Id: c9d007d0-c057-4772-b18c-01e546713bcd
Version: 1.0.0
Category: Storage
Description: Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.
Mode: Indexed
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Audit; Allowed: Audit, Deny, Disabled
Used RBAC Role: none
History: none
Used in Initiatives
Initiative DisplayName: CIS Microsoft Azure Foundations Benchmark 1.1.0
Initiative Id: 1a5bb27d-173f-493e-9568-eb56638dde4d
Initiative Category: Regulatory Compliance
State: GA
Json
{
  "properties": {
    "displayName": "Storage accounts should allow access from trusted Microsoft services",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
            "exists": "true"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
            "notContains": "AzureServices"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c9d007d0-c057-4772-b18c-01e546713bcd"
}