Overview
Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).
Rationale
Turning on firewall rules for a storage account will block access to incoming data requests, including from other Azure services. We can re-enable this functionality by enabling "Trusted Azure Services" through networking exceptions.
Impact
This creates authentication credentials for the services that need access to storage resources, so those services no longer need to reach the account through a network rule. As you update each storage account there may be a temporary loss of communication, so it is recommended not to do this on mission-critical resources during business hours.
Default Value
By default, Storage Accounts will accept connections from clients on any network.
References
Remediation guidance
Azure Console
- Open the storage account in the Azure Portal using the Open in Azure button.
- Under Networking, click on the Firewalls and virtual networks heading.
- Ensure that Enabled from selected virtual networks and IP addresses is selected.
- Under the Exceptions label, check Allow Azure services on the trusted services list to access this storage account.
- Click Save to apply your changes.
Azure CLI
Use the command below to let trusted Azure services bypass the storage account's network rules:
az storage account update --name <storageAccountName> --resource-group <resourceGroupName> --bypass AzureServices
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Storage accounts not allowing access from trusted Azure Services
Connectors
Covered asset types
Expected check: eq []
{
  storageAccounts(
    where: {
      OR: [
        { AND: [{ networkRuleSetDefaultAction_CONTAINS: "Allow" }] }
        {
          AND: [
            { networkRuleSetDefaultAction_CONTAINS: "Deny" }
            { NOT: { networkRuleSetBypass_CONTAINS: "AzureServices" } }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Microsoft Azure
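The query above flags two situations: the firewall is off (default action Allow) or it is on (Deny) but AzureServices is missing from the bypass list. The following added example, which is not part of this control page or of any Azure tooling, evaluates that same logic in Python over constructed records shaped like the networkRuleSet block of `az storage account show` output, and builds the remediation command from the CLI section for each flagged account. The account names, resource groups and bypass values are constructed; adding `--default-action Deny` for accounts whose firewall is off is this example's assumption, matching the console step that requires "Enabled from selected virtual networks and IP addresses".

```python
"""Added example (not the control page's own code): apply the page's
"trusted Azure services" check to storage-account records and emit the
remediation command for each non-compliant account."""

# Constructed sample input mirroring the networkRuleSet block returned by
# `az storage account show -o json` (bypass is a comma-separated string).
SAMPLE_ACCOUNTS = [
    {"name": "stprodlogs", "resourceGroup": "rg-prod",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices, Logging, Metrics"}},
    {"name": "stprodbackup", "resourceGroup": "rg-prod",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "None"}},
    {"name": "stdevscratch", "resourceGroup": "rg-dev",
     "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"}},
]


def bypass_set(rule_set):
    """Normalise the bypass string into a set of flags, e.g. {'AzureServices', 'Logging'}."""
    return {part.strip() for part in rule_set.get("bypass", "").split(",") if part.strip()}


def is_noncompliant(account):
    """Mirror the control's query: flagged when the firewall is off (defaultAction
    Allow) OR when it is on (Deny) but trusted services are not in the bypass list."""
    rules = account.get("networkRuleSet", {})
    action = rules.get("defaultAction", "Allow")
    if "Allow" in action:
        return True
    return "Deny" in action and "AzureServices" not in bypass_set(rules)


def remediation_command(account):
    """Build the page's CLI remediation. --bypass replaces the whole list, so
    existing flags are kept and the placeholder 'None' is dropped. For accounts
    whose firewall is off, --default-action Deny is added (example assumption)."""
    rules = account["networkRuleSet"]
    flags = (bypass_set(rules) - {"None"}) | {"AzureServices"}
    cmd = "az storage account update --name {} --resource-group {} --bypass {}".format(
        account["name"], account["resourceGroup"], " ".join(sorted(flags)))
    if "Allow" in rules.get("defaultAction", "Allow"):
        cmd += " --default-action Deny"
    return cmd


def audit(accounts):
    """Return {account name: remediation command} for every non-compliant account."""
    return {a["name"]: remediation_command(a) for a in accounts if is_noncompliant(a)}


if __name__ == "__main__":
    for name, cmd in audit(SAMPLE_ACCOUNTS).items():
        print(name, "->", cmd)
```

Per the Impact section, applying the generated commands can briefly interrupt clients, so run them per batch and re-scan before moving on to the next group of accounts.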