Azure-StorageAccounts-Storage-Accounts-AAD-Enabled

Severity : High

Description: This control ensures that Azure Active Directory Domain Services authentication is enabled for file access in the storage account. It allows clients to authenticate to the storage account using an OAuth token obtained via Azure Active Directory. Using AAD lets applications access the storage account without the account access key, which prevents the use of a compromised access key. Role-based access control also allows access permissions to be limited.

Remediation Steps:

Perform the following to use Azure Active Directory:

  1. Log in to the Azure Portal at https://portal.azure.com.

Configure the storage account to use Azure Active Directory:

  1. Navigate to the Storage Accounts service.

  2. Select the reported storage account.

  3. Navigate to File shares in the selected storage account.

  4. Select Active Directory: Not configured.

  5. Select Azure Active Directory Domain Services, then toggle to Enable.

  6. Select Save.

Assign access permissions to an identity:

  1. In the file share, select Access Control (IAM).

  2. Select Add a role assignment.

  3. In the Add role assignment tab, select the appropriate built-in role from the Role list.

  4. Select the target Azure AD identity by name or email address.

  5. Select Save to complete role assignment.

Important:

  • Azure role assignments may take up to 30 minutes to propagate.
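As an added example (not part of this control's text or Blue Hexagon's tooling), the same audit and remediation done with the Azure CLI instead of the portal; the subscription, resource group, account, share and user names are placeholders supplied by the caller, and the JSON samples are constructed to mirror `az storage account show` output:

```shell
#!/bin/sh
# Added example, not part of the Blue Hexagon control or Microsoft's tooling.
# Audits the control from Azure CLI output and remediates with the Azure CLI.
# Resource names passed to the functions are placeholders chosen by the caller.
set -eu

# ARM resource id of one file share: the scope for a least-privilege role
# assignment (share scope rather than the whole storage account).
# Arguments: subscription id, resource group, storage account, share name.
file_share_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/fileServices/default/fileshares/%s' \
    "$1" "$2" "$3" "$4"
}

# Pass/fail check for the control, given the JSON printed by
# `az storage account show`. Returns 0 only when directoryServiceOptions is
# AADDS; None, AD, AADKERB or a missing block all fail this control.
aadds_enabled() {
  opt=$(printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"directoryServiceOptions"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ "$opt" = "AADDS" ]
}

# Live audit of one account (needs the Azure CLI and a prior `az login`).
audit_account() {
  aadds_enabled "$(az storage account show -g "$1" -n "$2" -o json)"
}

# Remediation matching the portal steps: enable AAD DS on the account, then
# grant one identity a built-in SMB data role on a single share.
# Arguments: subscription id, resource group, storage account, share, UPN.
remediate() {
  az storage account update -g "$2" -n "$3" --enable-files-aadds true
  az role assignment create \
    --role "Storage File Data SMB Share Contributor" \
    --assignee "$5" \
    --scope "$(file_share_scope "$1" "$2" "$3" "$4")"
}

# Constructed samples shaped like `az storage account show -o json` output.
SAMPLE_AADDS='{"name": "stexample", "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "AADDS"}}'
SAMPLE_NONE='{"name": "stexample", "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "None"}}'
SAMPLE_NULL='{"name": "stexample", "azureFilesIdentityBasedAuthentication": null}'

# Offline demo on the constructed samples; no Azure calls are made here.
for s in "$SAMPLE_AADDS" "$SAMPLE_NONE" "$SAMPLE_NULL"; do
  if aadds_enabled "$s"; then echo "compliant"; else echo "NOT compliant"; fi
done
```

Run `audit_account <rg> <account>` against a live subscription to check the control, and `remediate` only after confirming the share scope and role are the intended ones.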

Reference:

Blue Hexagon Proprietary