Control: 8.6 Ensure that 'Enable Data Access Authentication Mode' is 'Checked'

Description

Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.

Enabling data access authentication mode adds a layer of protection using an Entra ID role to further restrict users from creating and using Secure Access Signature (SAS) tokens for exporting a detached managed disk or virtual machine state. Users will need the Data operator for managed disk role within Entra ID in order to download a VHD or VM Guest state using a secure URL.

Remediation

From Azure Portal

Part A. Select the Virtual Machine to Remediate

1. Using the search bar, search for and open the Virtual Machines service.
2. Click on the name of the Virtual Machine to be remediated.

Part B. Remediate each Virtual Machine Disk individually

1. From the selected Virtual Machine resource window, expand the Settings menu item and click Disks.
2. For each disk, click the name of the disk to open the disk resource window.
3. From the selected Disk resource window, expand the Settings menu item, and click Disk Export.

check the checkbox next to Enable Data Access Authentication Mode.

Repeat Part B for each Disk attached to a VM.

Repeat Parts A and B to remediate all Disks in all VMs.

From Powershell

Ensure that each disk is detached from its associated Virtual Machine before proceeding. Once detached, run the following for each disk:

$disk = Get-AzDisk -ResourceGroupName '<resource_group_name>' -DiskName '<disk_name>'
$disk.DataAccessAuthMode = 'AzureActiveDirectory'
Update-AzDisk -ResourceGroup '<resource_group_name>' -DiskName $disk.Name -Disk $disk

From Azure CLI

Ensure that each disk is detached from its associated Virtual Machine before proceeding. Once detached, run the following for each disk:

az disk update --name <disk_name> --resource-group <resource_group_name> --data-access-auth-mode AzureActiveDirectory

Default Value

By default, Data Access Authentication Mode is Disabled.