Azure Storage updating some default security settings on new accounts - rollout complete
Published May 17 2023 09:49 AM

Azure Storage to disable anonymous access and cross-tenant replication on new storage accounts by default.

Update: This change has rolled out in all storage regions. All new accounts now disallow anonymous access and cross-tenant replication by default, irrespective of which API version is used for creation.

 

Azure Storage will begin a phased rollout of changes that disable anonymous access and cross-tenant replication by default for all new storage accounts, to align with security best practices and reduce the risk of data exfiltration. Existing storage accounts will not be affected by this change. The change will be made in all Azure clouds.

  

Azure Storage lets you configure anonymous access at the storage account level or at the container level. Anonymous access to containers is already disabled by default so that customer data is not exposed unintentionally. With this rollout, anonymous access at the storage account level will also be disabled by default. The storage account property that controls this is "properties.allowBlobPublicAccess".

Disabling cross-tenant replication by default also reduces the possibility of data exfiltration through unintentional or malicious replication of data by a user who holds the required permissions. The storage account property that controls this is "properties.allowCrossTenantReplication".

  

While existing storage accounts are not affected by this change, we strongly recommend that you follow security best practices and disable anonymous access and cross-tenant replication on those accounts if your scenarios do not require these capabilities.
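Because existing accounts keep whatever values they already have, a practical first step is to audit them for the two properties named above. The following PowerShell is an added example, not code from the original post; it assumes the Az.Accounts and Az.Storage modules and an existing Connect-AzAccount session, and the function names are made up for this example.

```powershell
# Added example: audit existing storage accounts for the two settings that the
# rollout changes only for NEW accounts, and optionally remediate them.
# Assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount has run.
function Get-PermissiveStorageAccount {
    [CmdletBinding()]
    param(
        # Restrict the audit to one resource group; omit to scan the whole subscription.
        [string]$ResourceGroupName
    )
    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }
    foreach ($acct in $accounts) {
        # Caveat: accounts created before the change may return $null for these
        # properties, which the service treats as "allowed" (the old default).
        # Anything other than an explicit $false is therefore reported as permissive.
        $anonymousAllowed   = $acct.AllowBlobPublicAccess -ne $false
        $crossTenantAllowed = $acct.AllowCrossTenantReplication -ne $false
        if ($anonymousAllowed -or $crossTenantAllowed) {
            [pscustomobject]@{
                ResourceGroupName           = $acct.ResourceGroupName
                StorageAccountName          = $acct.StorageAccountName
                AllowBlobPublicAccess       = $acct.AllowBlobPublicAccess
                AllowCrossTenantReplication = $acct.AllowCrossTenantReplication
            }
        }
    }
}

function Set-StorageAccountRestrictedDefaults {
    # SupportsShouldProcess gives -WhatIf / -Confirm for a safe dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Account
    )
    process {
        $target = "$($Account.ResourceGroupName)/$($Account.StorageAccountName)"
        if ($PSCmdlet.ShouldProcess($target, 'Disable anonymous access and cross-tenant replication')) {
            Set-AzStorageAccount -ResourceGroupName $Account.ResourceGroupName `
                -Name $Account.StorageAccountName `
                -AllowBlobPublicAccess $false `
                -AllowCrossTenantReplication $false | Out-Null
        }
    }
}

# Dry run first, then remediate:
# Get-PermissiveStorageAccount | Set-StorageAccountRestrictedDefaults -WhatIf
# Get-PermissiveStorageAccount | Set-StorageAccountRestrictedDefaults
```

Run the audit on its own first and confirm that none of the reported accounts back an application that legitimately needs anonymous access or cross-tenant replication before piping them into the remediation function.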

  

Once this rollout is complete,   

  • The new defaults for both configurations will be applied to all new storage accounts regardless of how they are created: through existing versions of the Storage REST API, PowerShell, CLI, SDKs, the Azure portal, Azure Storage Explorer, or Terraform.
  • New accounts created through the Azure portal should see the new defaults for both configurations starting September 2023.
  • For accounts created through the Storage REST API, PowerShell, CLI, SDKs, Terraform and ARM templates, the new defaults for both configurations will be applied starting November 2023.
  • Applications that require anonymous access to containers or blobs must explicitly configure the storage account to allow it.
  • For applications that require cross-tenant replication, the setting must be explicitly set to true.
  • For both settings, automation scripts, ARM templates or other tooling may need to be updated to enable them on new storage accounts.
  • If you use Azure Policy with a "Deny" effect to enforce authorized-only access for storage accounts, or to restrict replication to the same tenant, these changes should have no impact on your new accounts.

 

Learn more about how to prepare for anonymous access change and cross-tenant replication change. You can enable these settings for new accounts during or after creation.  

  

To opt out of the anonymous access change for your subscription, register the "EnableAnonymousAccessForNewStorageAccounts" feature from the Azure portal, PowerShell or the REST API.

Please note that the opt-out takes effect for new accounts created via the Azure portal starting September 2023. For accounts created via the REST API, PowerShell/CLI, SDKs, Terraform or ARM templates, the opt-out for anonymous access takes effect starting November 2023.

  

Help and support  

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request:

  1. For Issue type, select Technical.  
  2. For Subscription, select your subscription.  
  3. For Service, select My services.  
  4. For Service type, select Blob Storage.  
  5. For Resource, select the Azure resource you are creating a support request for.  
  6. For Summary, type a description of your issue.  
  7. For Problem type, select Authentication and Authorization for anonymous access or Data Migration for cross-tenant replication.  
  8. For Problem subtype, select Issues using Anonymous Access for anonymous access or Issues with object replication for cross-tenant replication.  

 

Last update: Jan 29 2024 09:16 AM