Microsoft AzureOverview
Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.
Rationale
Enabling data access authentication mode adds a layer of protection using an Entra ID role to further restrict users from creating and using Secure Access Signature (SAS) tokens for exporting a detached managed disk or virtual machine state. Users will need the Data operator for managed disk role within Entra ID to download a VHD or VM Guest state using a secure URL.
Impact
To apply this setting, the virtual machine to which the disk or disks are attached must be powered down and have their disk detached. Users without the Data operator for managed disk role within Entra ID cannot export VHD or VM Guest state using the secure download URL.
Remediation guidance
Remediate from Azure Portal
Part A. Select the Virtual Machine to Remediate
- Using the search bar, search for and open the
Virtual Machinesservice. - Click on the name of the Virtual Machine to be remediated.
Part B. Remediate each Virtual Machine Disk individually
- From the selected Virtual Machine resource window, expand the
Settingsmenu item and clickDisks. - For each disk, click the name of the disk to open the disk resource window.
- From the selected Disk resource window, expand the
Settingsmenu item, and clickDisk Export.
check the checkbox next to Enable Data Access Authentication Mode.
Repeat Part B for each Disk attached to a VM.
Repeat Parts A and B to remediate all Disks in all VMs.
Remediate from PowerShell
Ensure that each disk is detached from its associated Virtual Machine before proceeding. Once detached, run the following for each disk:
$disk = Get-AzDisk -ResourceGroupName '<resource_group_name>' -DiskName '<disk_name>'
$disk.DataAccessAuthMode = 'AzureActiveDirectory'
Update-AzDisk -ResourceGroup '<resource_group_name>' -DiskName $disk.Name -Disk $disk
Remediate from Azure CLI
Ensure that each disk is detached from its associated Virtual Machine before proceeding. Once detached, run the following for each disk:
az disk update --name <disk_name> --resource-group <resource_group_name> --data-access-auth-mode AzureActiveDirectory
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure disks without data access authentication mode
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { dataAccessAuthMode: "None" }) {
...AssetFragment
}
}
