Severity : High
Description:
...
This control ensures that Azure Active directory domain service authentication is enabled for the file access in storage account. it enables to authenticate to a storage account using an OAuth token obtained via Azure Active Directory. Using AAD, allows applications to access storage account without the access key , which prevents use of compromised access key. Also role based access allows control to limit access permissions.
Remediation Steps:
Perform following to use Azure Active directory :
Login to Azure Portal usingĀ https://portal.azure.com.
Configure Storage account to use Azure Active Directory
Navigate to StorageAccounts service.
Select the account reported storage accounts
Navigate to File Share in the selected storage account.
Select Active Directory: Not configure.
Select Azure Active Directory Domain Service then toggle to Enable.
Select Save.
Assign access permission to an Identity :
In the File Share, Select Access Control (IAM).
Select Add a role assignment.
In the Add role assignment tab, select the appropriate built-in role from Role list.
Select the taget Azure AD identity by name or email address.
Select Save to complete role assignment.
Important:
Azure role assignments may take up to 30 minutes to propagate.
Reference: