Azure Storage to disable anonymous access and cross-tenant replication on new storage accounts by default
Update: This change has rolled out in all storage regions. All new accounts should disallow anonymous access and cross-tenant replication by default, regardless of which API version is used for creation.
Azure Storage will begin a phased rollout of changes that disable anonymous access and cross-tenant replication for all new storage accounts by default, to align with security best practices and reduce the risk of data exfiltration. Existing storage accounts will not be impacted by this change. This change will be made to all Azure clouds.
Azure Storage lets you configure anonymous access to storage accounts or containers. Anonymous access to containers is already disabled by default to ensure customer data is not vulnerable. With this rollout, anonymous access to storage accounts will also be disabled by default. The storage account setting is called "properties.allowBlobPublicAccess".
Disabling cross-tenant replication by default will also reduce the possibility of data exfiltration through unintentional or malicious replication of data when the right permissions are given to a user. The storage account setting is called "properties.allowCrossTenantReplication".
While existing storage accounts are not impacted by this change, we highly recommend that you follow security best practices and disable the anonymous access and cross-tenant replication settings if these capabilities are not required for your scenarios.
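Because existing accounts keep their current settings, they have to be checked individually. The following is an added example, not Microsoft's code: it audits a JSON list of storage account resources for the two properties named above. The account names and values are constructed, and treating an absent or null value as "needs review" is an assumption of this example.

```python
import json

# Constructed sample in the ARM resource shape (settings under "properties").
# Account names and values are made up for illustration.
SAMPLE = json.loads("""
[
  {"name": "legacylogs", "properties": {"allowBlobPublicAccess": true}},
  {"name": "sharedassets", "properties": {"allowBlobPublicAccess": false,
                                           "allowCrossTenantReplication": true}},
  {"name": "newapp", "properties": {"allowBlobPublicAccess": false,
                                     "allowCrossTenantReplication": false}},
  {"name": "oldarchive", "allowBlobPublicAccess": null}
]
""")

SETTINGS = ("allowBlobPublicAccess", "allowCrossTenantReplication")


def classify(value):
    """Map a raw property value to a finding."""
    if value is True:
        return "enabled"
    if value is False:
        return "disabled"
    # Assumption: an absent/null value means the setting was never set
    # explicitly, so the effective behaviour needs manual review.
    return "unset"


def audit(accounts):
    """Return {account name: {setting: finding}} for accounts needing attention."""
    report = {}
    for acct in accounts:
        # Accept both the ARM shape (nested) and a flattened listing.
        props = acct.get("properties") or acct
        findings = {s: classify(props.get(s)) for s in SETTINGS}
        flagged = {s: f for s, f in findings.items() if f != "disabled"}
        if flagged:
            report[acct["name"]] = flagged
    return report


if __name__ == "__main__":
    for name, flagged in audit(SAMPLE).items():
        for setting, finding in flagged.items():
            print(f"{name}: properties.{setting} is {finding}")
```

Accounts that appear in the report are candidates for explicitly setting both properties to false once you have confirmed that nothing depends on them.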
Once this rollout is complete,
Learn more about how to prepare for anonymous access change and cross-tenant replication change. You can enable these settings for new accounts during or after creation.
To opt out of disabling anonymous access for your subscription, please register for "EnableAnonymousAccessForNewStorageAccounts" from the Azure portal, PowerShell, or the REST API.
Please note that the opt-out will take effect for new accounts created via the Azure portal starting Sept 2023. For accounts created via REST API, PowerShell/CLI, SDKs, Terraform or ARM templates, the opt-out for anonymous access will take effect starting from Nov 2023.
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request: