turbot/steampipe-mod-azure-compliance

Control: 10.3.3.1 Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled'

Description

When this property is enabled, the Azure portal authorizes requests to blobs, files, queues, and tables with Microsoft Entra ID by default.

Microsoft Entra ID provides superior security and ease of use over Shared Key (storage account key) authorization.

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account.
  3. Under Settings, click Configuration.
  4. Under Default to Microsoft Entra authorization in the Azure portal, click the radio button next to Enabled.
  5. Click Save.
  6. Repeat steps 1-5 for each storage account requiring remediation.

From Azure CLI

For each storage account requiring remediation, run the following command to enable defaultToOAuthAuthentication:

az storage account update --resource-group <resource-group> --name <storage-account> --set defaultToOAuthAuthentication=true

Default Value

By default, defaultToOAuthAuthentication is disabled.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_10_3_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_3_3_1 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when default_to_oauth_authentication then 'ok'
    else 'alarm'
  end as status,
  case
    when default_to_oauth_authentication then sa.name || ' default to Microsoft Entra authorization is enabled.'
    else sa.name || ' default to Microsoft Entra authorization is disabled.'
  end as reason
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id;
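
The following is an added example, not part of the mod or of the page's own code. It runs the control's query above against an in-memory SQLite stand-in for the `azure_storage_account` and `azure_subscription` tables, populated with constructed rows (the subscription, resource group and account names are invented). One row carries NULL in `default_to_oauth_authentication`, on the assumption that Azure reports the property as null for accounts where it was never set; the example shows that the control's `case when ... then 'ok' else 'alarm'` treats that NULL as an alarm, so such accounts are not silently passed. The query is copied from the page with only an `order by sa.name` appended so the output order is deterministic.

```python
import sqlite3
from typing import Dict, List

# Constructed sample rows (not real Azure resources). A None in the last
# column models an account whose defaultToOAuthAuthentication property was
# never set (assumption: the Steampipe column is then NULL).
SUBSCRIPTIONS = [
    ("sub-0001", "Example subscription"),
]
STORAGE_ACCOUNTS = [
    # (id, name, resource_group, subscription_id, default_to_oauth_authentication)
    ("/subscriptions/sub-0001/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01",
     "stprod01", "rg-prod", "sub-0001", 1),
    ("/subscriptions/sub-0001/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/stlegacy",
     "stlegacy", "rg-legacy", "sub-0001", 0),
    ("/subscriptions/sub-0001/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stunset",
     "stunset", "rg-prod", "sub-0001", None),
]

# The control's query as shown on this page, with an order by appended
# so that results come back in a fixed order.
CONTROL_SQL = """
select
  sa.id as resource,
  case
    when default_to_oauth_authentication then 'ok'
    else 'alarm'
  end as status,
  case
    when default_to_oauth_authentication then sa.name || ' default to Microsoft Entra authorization is enabled.'
    else sa.name || ' default to Microsoft Entra authorization is disabled.'
  end as reason
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa,
  azure_subscription sub
where
  sub.subscription_id = sa.subscription_id
order by sa.name;
"""


def build_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for the two Steampipe tables the control reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table azure_subscription (subscription_id text, display_name text);
        create table azure_storage_account (
            id text, name text, resource_group text, subscription_id text,
            default_to_oauth_authentication integer
        );
    """)
    conn.executemany("insert into azure_subscription values (?, ?)", SUBSCRIPTIONS)
    conn.executemany("insert into azure_storage_account values (?, ?, ?, ?, ?)", STORAGE_ACCOUNTS)
    return conn


def run_control(conn: sqlite3.Connection = None) -> List[Dict[str, str]]:
    """Run the control query and return one dict per storage account row."""
    conn = conn or build_db()
    cur = conn.execute(CONTROL_SQL)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def status_by_name(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each storage account name (last segment of the resource id) to its status."""
    return {r["resource"].rsplit("/", 1)[-1]: r["status"] for r in rows}


if __name__ == "__main__":
    for r in run_control():
        print(f'{r["status"]:5} {r["subscription"]:20} {r["resource_group"]:10} {r["reason"]}')
```

Running the script prints one line per account; the account with the NULL property lands in `alarm` alongside the explicitly disabled one, which is the behaviour you want from a compliance check, since only an explicit `true` is evidence that the portal defaults to Entra ID authorization.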

Tags