
🛡️ Azure Storage Account Default To OAuth Authentication is not set to Yes🟢

  • Contextual name: 🛡️ Default To OAuth Authentication is not set to Yes🟢
  • ID: /ce/ca/azure/storage/default-to-microsoft-entra-autorization
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: SECURITY

Logic


Description

When the storage account property `defaultToOAuthAuthentication` is enabled, the Azure portal authorizes requests to blobs, files, queues, and tables with Microsoft Entra ID by default instead of with the storage account access key (Shared Key).

Rationale

Shared Key authorization uses one of the two storage account keys: a long-lived secret that grants full access to every data service in the account and carries no caller identity, so it cannot be scoped with RBAC, protected by MFA or Conditional Access, or attributed to a person in audit logs. Microsoft Entra ID authorization issues short-lived OAuth tokens to a specific identity, and access is scoped by Azure RBAC role assignments (for example Storage Blob Data Reader or Contributor), so it is both more secure and easier to manage than distributing account keys to portal users.

Note the scope of this setting: it only changes which method the Azure portal tries first. A user who holds the `Microsoft.Storage/storageAccounts/listKeys/action` permission can still switch the portal to the access key, and clients outside the portal are unaffected. To block Shared Key authorization for the whole account, the separate storage account property `allowSharedKeyAccess` must be set to false.

Audit

This policy flags an Azure Storage Account as INCOMPLIANT if its Default To OAuth Authentication is not set to Yes, i.e. if the `defaultToOAuthAuthentication` property is anything other than `true` (false, null, or absent).
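To make the audit condition concrete, here is an added example (not Cloudaware's policy implementation, and not code from the referenced Microsoft pages) that evaluates storage account records against this check. It assumes the input is the JSON that `az storage account list -o json` emits (properties flattened to the top level) or the nested ARM/Resource Graph shape (`properties.defaultToOAuthAuthentication`); it goes slightly beyond the page by accepting both shapes and by treating a null or absent property as disabled, which is what an account whose setting was never touched looks like. The sample accounts are constructed, not real resources.

```python
"""Evaluate Azure Storage accounts against the 'Default to OAuth authentication' check.

Added example, not Cloudaware's policy engine. Input is assumed to be either the
flattened JSON from `az storage account list -o json` or the nested ARM shape
with a "properties" object. The SAMPLE accounts below are constructed.
"""
import json
from typing import Any

PROPERTY = "defaultToOAuthAuthentication"


def default_to_oauth(account: dict[str, Any]) -> bool:
    """Return True only when the property is explicitly true.

    The property is null or absent on accounts where it was never set, and in
    that state the portal still defaults to Shared Key, so anything other than
    an explicit JSON true counts as disabled.
    """
    value = account.get(PROPERTY)
    if value is None:  # not flattened (or never set): try the nested ARM shape
        value = (account.get("properties") or {}).get(PROPERTY)
    return value is True


def resource_group_from_id(resource_id: str) -> str:
    """Extract the resource group from an ARM resource ID.

    IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/...
    """
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "resourcegroups" and i + 1 < len(parts):
            return parts[i + 1]
    return "?"


def evaluate(accounts: list[dict[str, Any]]) -> list[tuple[str, str, str]]:
    """Return (name, resourceGroup, status) per account, status COMPLIANT/INCOMPLIANT."""
    results = []
    for acct in accounts:
        name = acct.get("name", "?")
        # az CLI output carries resourceGroup directly; raw ARM output only has the ID.
        rg = acct.get("resourceGroup") or resource_group_from_id(acct.get("id", ""))
        status = "COMPLIANT" if default_to_oauth(acct) else "INCOMPLIANT"
        results.append((name, rg, status))
    return results


def noncompliant(accounts: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Names and resource groups of accounts that need remediation."""
    return [(n, rg) for n, rg, s in evaluate(accounts) if s == "INCOMPLIANT"]


# Constructed sample: one compliant, one never-set (null), one explicitly
# disabled, and one in the nested ARM shape without a resourceGroup field.
SAMPLE = json.loads("""
[
  {"name": "stcompliant", "resourceGroup": "rg-prod",
   "defaultToOAuthAuthentication": true, "allowSharedKeyAccess": true},
  {"name": "stlegacy", "resourceGroup": "rg-prod",
   "defaultToOAuthAuthentication": null},
  {"name": "stdisabled", "resourceGroup": "rg-dev",
   "defaultToOAuthAuthentication": false},
  {"name": "starm",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arm/providers/Microsoft.Storage/storageAccounts/starm",
   "properties": {"defaultToOAuthAuthentication": true}}
]
""")

if __name__ == "__main__":
    for name, rg, status in evaluate(SAMPLE):
        print(f"{status:12} {rg}/{name}")
    for name, rg in noncompliant(SAMPLE):
        print(f"az storage account update --resource-group {rg} --name {name} "
              f"--set {PROPERTY}=true")
```

On a real subscription, feed it the output of `az storage account list -o json`, or `az storage account show -n <storage-account> -g <resource-group> -o json` for a single account; after remediating, `az storage account show -n <storage-account> -g <resource-group> --query defaultToOAuthAuthentication` should return `true`.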

Default Value

By default, `defaultToOAuthAuthentication` is disabled: new accounts are created with it false, and accounts where it was never set may return the property as null or omit it. In both cases the portal defaults to Shared Key, so an audit should treat anything other than an explicit `true` as disabled.

References

  1. https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#default-to-microsoft-entra-authorization-in-the-azure-portal
  2. https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest

Remediation


From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account.
  3. Under Settings, click Configuration.
  4. Under Default to Microsoft Entra authorization in the Azure portal, click the radio button next to Enabled.
  5. Click Save.
  6. Repeat steps 1-5 for each storage account requiring remediation.

From Azure CLI

For each storage account requiring remediation, run the following command to enable defaultToOAuthAuthentication:

az storage account update --resource-group <resource-group> --name <storage-account> --set defaultToOAuthAuthentication=true


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v4.0.0 → 💼 10.3.3.1 Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 55 | no data