Enable Microsoft Entra Authorization By Default

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Microsoft Entra authorization in the Azure portal is enabled by default for your Microsoft Azure Storage accounts. This promotes a more secure, identity-based access control compared to shared keys or SAS tokens, aligning with best practices for least privilege and compliance.

Security

For enhanced security, Microsoft Entra authorization is recommended over Shared Key authorization. Microsoft Entra ID provides robust, role-based access control (RBAC) and comprehensive auditing capabilities. Upon enablement, the Azure portal defaults to Microsoft Entra ID for authorizing requests to blobs, files, queues, and tables, effectively enforcing least privilege and granular access management.


Audit

To determine if Microsoft Entra authorization in the Azure portal is enabled by default for your Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected Storage account.

07 Check the Default to Microsoft Entra authorization in the Azure portal configuration setting to determine if Microsoft Entra authorization in the Azure portal is enabled by default. If Default to Microsoft Entra authorization in the Azure portal is set to Disabled, Microsoft Entra authorization in the Azure portal is not enabled by default for the selected Storage account.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the identifier (name) of each storage account provisioned in the selected subscription:

az storage account list \
	--query '[*].name'

05 The command output should return the requested storage account names:

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to determine if Microsoft Entra authorization in the Azure portal is enabled by default:

az storage account show \
	--name project5storageaccount \
	--query 'defaultToOAuthAuthentication'

07 The command output should return the requested configuration status (true for enabled, false for disabled):

false

If the storage account show command output returns false, as shown in the example above, Microsoft Entra authorization in the Azure portal is not enabled by default for the selected Storage account.

08 Repeat steps no. 6 and 7 for each Azure Storage account created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Microsoft Entra authorization in the Azure portal by default for your Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected Storage account.

07 Set the Default to Microsoft Entra authorization in the Azure portal configuration setting to Enabled and choose Save to enable Microsoft Entra authorization in the Azure portal by default for the selected Azure Storage account. This will allow all clients to use Microsoft Entra ID for secure authorization.

08 Repeat steps no. 5 – 7 for each Azure Storage account provisioned within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account update command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to configure as the identifier parameter, to enable Microsoft Entra authorization in the Azure portal by default for the selected Storage account. This will allow all clients to use Microsoft Entra ID for secure authorization:

az storage account update \
	--name project5storageaccount \
	--set defaultToOAuthAuthentication=true

05 The command output should return the configuration information available for the modified resource:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": false,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"customDomain": null,
	"defaultToOAuthAuthentication": true,
	"dnsEndpointType": "Standard",
	"enableExtendedGroups": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"encryption": {
		"encryptionIdentity": null,
		"keySource": "Microsoft.Storage",
		"keyVaultProperties": null,
		"requireInfrastructureEncryption": false,
		"services": {
			"blob": {
				"enabled": true,
				"keyType": "Account"
			},
			"file": {
				"enabled": true,
				"keyType": "Account"
			},
			"queue": null,
			"table": null
		}
	},
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"isSkuConversionBlocked": null,
	"keyPolicy": null,
	"kind": "StorageV2",
	"largeFileSharesState": "Enabled",
	"lastGeoFailoverTime": null,
	"location": "westeurope",
	"minimumTlsVersion": "TLS1_2",
	"name": "project5storageaccount",
	"networkRuleSet": {
		"bypass": "AzureServices",
		"defaultAction": "Deny",
		"ipRules": [],
		"ipv6Rules": [],
		"resourceAccessRules": [],
		"virtualNetworkRules": [
			{
				"action": "Allow",
				"state": "Succeeded",
				"virtualNetworkResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001"
			}
		]
	},
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

06 Repeat steps no. 4 and 5 for each Azure Storage account created within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
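The Azure CLI audit steps (01 to 09 above) and the remediation step 04 chained into one script, as an added example that is not part of this page or of Microsoft's tooling; it assumes an authenticated az session, that `az ... --output tsv` prints a boolean as `True`/`False` and a null property as an empty string, and a hypothetical `--run`/`--fix` invocation convention of its own.

```shell
#!/usr/bin/env sh
# Added example: walk every subscription and storage account with the same az
# commands as the Audit and Remediation steps, report accounts whose
# defaultToOAuthAuthentication is not true, and with --fix apply the update.
set -eu

# Normalize the raw value returned by
#   az storage account show --query defaultToOAuthAuthentication
# (json prints true/false/null; tsv prints True/False/empty). Only "true" is
# compliant; false, null (property never set) and empty output are not.
is_entra_default() {
  case "$(printf '%s' "$1" | tr -d '[:space:]"' | tr '[:upper:]' '[:lower:]')" in
    true) return 0 ;;
    *)    return 1 ;;
  esac
}

# Audit one account: prints a status line, returns 0 if compliant, 1 otherwise.
check_account() {
  name="$1"; value="$2"
  if is_entra_default "$value"; then
    printf 'COMPLIANT     %s\n' "$name"
    return 0
  fi
  printf 'NON-COMPLIANT %s (defaultToOAuthAuthentication=%s)\n' "$name" "${value:-unset}"
  return 1
}

# Steps 01-09: every subscription, every storage account; --fix runs step 04
# of the remediation procedure for each non-compliant account.
audit_all() {
  fix="${1:-}"
  for sub in $(az account list --query '[*].id' --output tsv); do
    az account set --subscription "$sub"
    for acct in $(az storage account list --query '[*].name' --output tsv); do
      value="$(az storage account show --name "$acct" \
                 --query defaultToOAuthAuthentication --output tsv)"
      if ! check_account "$acct" "$value" && [ "$fix" = "--fix" ]; then
        az storage account update --name "$acct" \
          --set defaultToOAuthAuthentication=true --output none
        printf 'REMEDIATED    %s\n' "$acct"
      fi
    done
  done
}

# Only contact Azure when invoked explicitly (./audit.sh --run [--fix]), so the
# helpers above can be sourced and exercised offline.
if [ "${1:-}" = "--run" ]; then audit_all "${2:-}"; fi
```

Note that this setting only changes which authorization method the Azure portal selects by default; shared-key requests from other clients are refused only when the separate allowSharedKeyAccess property (visible as false in the update output above) is disabled.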

Publication date May 8, 2025