Azure Storage updating some default security settings on new accounts - Aug 2023

Azure Storage to disable anonymous access and cross-tenant replication on new storage accounts by default  

Beginning August 2023, Azure storage will begin phased roll out of changes that disables anonymous access and cross tenant replication for all new storage accounts by default, to align with best practices for security and reduce the risk of data exfiltration. Existing storage accounts will not be impacted by this change. This change will be made to all Azure clouds. 

Azure storage gives the ability to configure anonymous access to storage accounts or containers. Anonymous access to containers is already disabled by default to ensure customer data is not vulnerable. With this rollout, anonymous access to storage accounts will also be disabled by default. 

Disabling cross-tenant replication by default will also reduce possibility of data exfiltration due to unintentional or malicious replication of data when the right permissions are given to a user. 

While existing storage accounts are not impacted by this change, we highly recommend you follow best practices for security and disable anonymous access and cross tenant replication settings if these capabilities are not required for your scenarios.  

Once this rollout is complete,  

• The new defaults for both these configurations will be applied to all new storage accounts regardless of how they are created, through existing versions of the storage REST API, PowerShell, CLI, SDKs, portal, Azure storage explorer, Terraform.  
• Applications that require anonymous access to containers/blobs must explicitly configure the storage accounts to be anonymous.  

• For applications that require cross-tenant replication, the setting must be set to true 
• For both these settings, an update to automation scripts, ARM templates or other tools to enable them on new storage account may be required.  
• If you use Azure policy to enforce only authorized access for storage accounts with “Deny” effect or enforce replication within the same tenant, these changes should have no impact on your new accounts. 

Learn more about how to prepare for anonymous access change and cross-tenant replication change. You can enable these settings for new accounts during or after creation.  

To opt-out from disabling anonymous access for your subscription, please register for "EnableAnonymousAccessForNewStorageAccounts" from Azure portal or Powershell or REST API. Please note that opt out will take effect for new accounts starting August 2023.   

Help and support 

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request: 

• For Issue type, select Technical. 

• For Subscription, select your subscription. 

• For Service, select My services. 

• For Service type, select Blob Storage. 

• For Resource, select the Azure resource you are creating a support request for. 

• For Summary, type a description of your issue. 

• For Problem type, select Authentication and Authorization for anonymous access or Data Migration for cross-tenant replication. 

• For Problem subtype, select Issues using Anonymous Access for anonymous access or Issues with object replication for cross-tenant replication.