Azure Storage accounts with "Default to Microsoft Entra authorization in the Azure portal" enabled authorize portal data operations on blobs, files, queues, and tables with Microsoft Entra ID tokens (Azure RBAC) by default, rather than with the account access keys. The setting changes only the portal's default: it does not block Shared Key use by other clients, and a portal user who holds the listkeys permission can still switch to the access key.
Risk
When the portal defaults to the access key, every operator browsing data exercises the full-account Shared Key instead of a scoped identity: requests are logged as key-authenticated rather than attributed to a user, and the least-privilege data roles assigned through Azure RBAC are bypassed. A stolen or leaked key grants complete data-plane access, threatening confidentiality (exfiltration), integrity (unauthorized writes and deletes), and availability (destructive actions), and a key reused across workloads enables lateral movement between them.
prowler azure --checks storage_default_to_entra_authorization_enabled
Recommendation
Enable this setting so the portal uses Microsoft Entra ID by default. Assign least-privilege data-plane roles through Azure RBAC (for example Storage Blob Data Reader where read access suffices), prefer managed identities and user-delegation SAS for workloads, and disable Shared Key access on the account once no client depends on it, since the portal default alone does not prevent key-based access. Rotate any existing keys, and monitor storage resource logs for requests authenticated with the account key.
Remediation
- In the Azure portal, go to Storage accounts and select your account
- Under Settings, select Configuration
- Set "Default to Microsoft Entra authorization in the Azure portal" to Enabled
- Click Save

Or with the Azure CLI:

az storage account update -g <resource-group-name> -n <storage-account-name> --set defaultToOAuthAuthentication=true
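The following is an added example of the check logic, written for this page and not taken from Prowler or Microsoft. It evaluates the `defaultToOAuthAuthentication` property over a constructed list of accounts in the shape `az storage account list -o json` produces (the CLI flattens the ARM `properties` into top-level camelCase keys), and, because the portal default does not disable Shared Key, it also reports whether `allowSharedKeyAccess` still permits key-based clients. The account names and resource groups in the sample are made up.

```python
"""Evaluate the 'default to Entra authorization' posture of storage accounts.

Added example, not Prowler's or Microsoft's code. Input is assumed to have
the shape of `az storage account list -o json`; run stand-alone it uses the
constructed sample, or pipe real output in:
    az storage account list -o json | python3 check_entra_default.py -
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample (fictional accounts) in the shape of `az storage account list -o json`.
# Only the fields this check reads are included. A property that is absent was never set.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "stprodentra",  "resourceGroup": "rg-prod",
     "defaultToOAuthAuthentication": True,  "allowSharedKeyAccess": False},
    {"name": "stprodportal", "resourceGroup": "rg-prod",
     "defaultToOAuthAuthentication": True,  "allowSharedKeyAccess": None},
    {"name": "stlegacy",     "resourceGroup": "rg-legacy",
     "defaultToOAuthAuthentication": False, "allowSharedKeyAccess": None},
    {"name": "stolder",      "resourceGroup": "rg-legacy"},
])


@dataclass(frozen=True)
class Finding:
    name: str
    resource_group: str
    status: str   # "PASS" or "FAIL"
    message: str
    action: str   # az CLI command to fix or harden; empty when nothing is left to do


def evaluate(account: dict) -> Finding:
    """Apply the check to one account.

    The property is missing on accounts created before it existed and the
    portal treats missing as false, so only an explicit True passes.
    """
    name = account["name"]
    rg = account.get("resourceGroup", "")
    default_oauth = account.get("defaultToOAuthAuthentication") is True
    # None (never set) means Shared Key is allowed; only an explicit False disables it.
    shared_key_allowed = account.get("allowSharedKeyAccess") is not False
    base_cmd = f"az storage account update -g {rg} -n {name}"

    if not default_oauth:
        return Finding(name, rg, "FAIL",
                       "Portal defaults to account key (Shared Key) authorization.",
                       f"{base_cmd} --set defaultToOAuthAuthentication=true")
    if shared_key_allowed:
        # The check passes, but other clients can still authenticate with the key.
        return Finding(name, rg, "PASS",
                       "Portal defaults to Microsoft Entra authorization; "
                       "Shared Key is still permitted for other clients.",
                       f"{base_cmd} --allow-shared-key-access false")
    return Finding(name, rg, "PASS",
                   "Portal defaults to Microsoft Entra authorization; "
                   "Shared Key access is disabled.", "")


def run(raw_json: str) -> list[Finding]:
    """Evaluate every account in a JSON array of account objects."""
    return [evaluate(a) for a in json.loads(raw_json)]


def failing_accounts(raw_json: str) -> list[str]:
    """Names of accounts whose portal default is still the access key."""
    return [f.name for f in run(raw_json) if f.status == "FAIL"]


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_ACCOUNTS
    for f in run(data):
        print(f"{f.status} {f.resource_group}/{f.name}: {f.message}")
        if f.action:
            print(f"     action: {f.action}")
```

Only an explicit `true` passes: accounts that predate the property return it as missing, and the portal treats that the same as `false`. The hardening command for the second sample account uses the `--allow-shared-key-access` option of `az storage account update`; before running it, confirm no SAS tokens or key-based SDK clients still depend on the account, because it rejects those requests immediately.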
Resource Type
microsoft.storage/storageaccounts
References
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-microsoft-entra-authorization-by-default.html
- https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
- https://learn.microsoft.com/en-us/azure/storage/files/authorize-data-operations-portal