Description:

The “Allow Azure services on the trusted services list to access this storage account” setting in Azure Storage Accounts allows Microsoft-designated trusted Azure platform services to bypass network restrictions, such as firewalls or virtual network rules, in order to access the storage account. This exception applies only to services explicitly identified by Microsoft as trusted and does not permit public access or user-initiated connections.


Rationale:

Enabling this setting ensures that critical Azure platform services continue to function even when the storage account is restricted to selected networks. Without this configuration, essential services such as backups, monitoring, and replication may fail, potentially impacting business continuity and compliance with operational standards.


Impact:

  • Ensures critical Azure services (backup, monitoring, disaster recovery, logging) can operate without interruption.

  • Maintains business continuity while enforcing network security restrictions.

  • Reduces the risk of service failures due to blocked storage access.

  • Only Microsoft trusted services are allowed; user access or unknown services remain blocked.

  • Does not expose the storage account to the public internet.


Default Value:

  • When network restrictions are configured on an Azure Storage Account, trusted Microsoft services are not allowed by default.

  • The “Allow trusted Microsoft services to access this storage account” setting must be explicitly enabled.


Pre-requisites:

  • An existing Azure Storage Account

  • Required permissions: Owner, Contributor, or Storage Account Contributor


Test Plan:

  1. Sign in to the Azure Portal https://portal.azure.com

  2. Navigate to Storage Accounts

  3. Select the target storage account

  4. In the left navigation pane, under Security + networking, select Networking

  5. Under Public network access, verify that the setting is configured as:
    Enabled from selected networks.

  6. Locate the Exceptions section

  7. Verify that “Allow trusted Microsoft services to access resource” is enabled

  8. If not, follow the implementation steps
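The portal walk-through above can be scripted for accounts at scale. The following is an added example (not part of the original control text) that evaluates the JSON returned by `az storage account show --name <account> --resource-group <rg>` and reports whether the trusted-services exception is in the state this control expects. It uses only the `publicNetworkAccess` and `networkRuleSet` fields; the sample accounts, their names and IP rule are constructed for illustration.

```python
"""Audit an Azure Storage Account's network rule set for the
"Allow trusted Microsoft services" exception.

Input is the JSON document returned by `az storage account show`.
Only `publicNetworkAccess` and `networkRuleSet` are inspected.
"""
import json

# Constructed sample: restricted to selected networks, exception enabled.
SAMPLE_COMPLIANT = json.dumps({
    "name": "stexampleprod001",                   # made-up account name
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "bypass": "AzureServices, Logging, Metrics",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
        "virtualNetworkRules": [],
    },
})

# Constructed sample: restricted to selected networks, exception missing.
SAMPLE_MISSING_BYPASS = json.dumps({
    "name": "stexampledev002",                    # made-up account name
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "bypass": "None",
        "ipRules": [],
        "virtualNetworkRules": [],
    },
})


def parse_bypass(bypass):
    """`bypass` is a comma-separated flag string such as
    "AzureServices, Logging, Metrics" or "None"; return it as a set."""
    flags = {item.strip() for item in (bypass or "").split(",") if item.strip()}
    flags.discard("None")
    return flags


def assess_trusted_services(account_json):
    """Return (status, findings) for one storage account.

    status is one of:
      "PASS"           - selected networks only, exception enabled
      "FAIL"           - selected networks only, exception disabled
                         (the condition this control remediates)
      "NOT_APPLICABLE" - public access disabled, or default action Allow,
                         so the exception has no effect either way
    """
    acct = json.loads(account_json)
    findings = []
    public_access = acct.get("publicNetworkAccess") or "Enabled"
    rules = acct.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    bypass = parse_bypass(rules.get("bypass"))

    if public_access == "Disabled":
        findings.append("public network access is disabled; firewall exceptions do not apply")
        return "NOT_APPLICABLE", findings
    if default_action != "Deny":
        findings.append("default action is Allow (all networks); no restriction to evaluate")
        return "NOT_APPLICABLE", findings
    if "AzureServices" in bypass:
        findings.append("trusted Microsoft services exception is enabled")
        return "PASS", findings
    findings.append("trusted Microsoft services exception is disabled")
    return "FAIL", findings


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_MISSING_BYPASS):
        status, findings = assess_trusted_services(sample)
        print(json.loads(sample)["name"], status, "; ".join(findings))
```

In practice, pipe the output of `az storage account show` into `assess_trusted_services`, or loop over `az storage account list` to cover a subscription. A `NOT_APPLICABLE` result for an account with default action `Allow` is worth a separate finding: that account is not restricted to selected networks at all, which is a broader exposure than a missing exception.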

Implementation Steps:

  1. Sign in to the Microsoft Azure Portal https://portal.azure.com

  2. Search for Storage Accounts and select the target storage account.

  3. In the left-hand menu, under Security + networking, select Networking.

  4. Click Public network access and set the scope to Enable from Selected networks.

  5. Ensure that Enabled from selected virtual networks and IP addresses is selected.

  6. Locate the Exceptions section and select Allow trusted Microsoft services to access this resource.

  7. Click Save to apply the changes.


Backout Plan:

  1. Sign in to the Microsoft Azure Portal https://portal.azure.com

  2. Navigate to Storage Accounts

  3. Select the target storage account

  4. In the left navigation pane, under Security + networking, select Networking

  5. Under Public network access, ensure the setting remains configured as:
    Enabled from selected networks

  6. Locate the Exceptions section

  7. Disable Allow trusted Microsoft services to access this storage account

  8. Click Save to apply the changes
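The implementation and backout steps above map to a single `az storage account update` call that differs only in whether `AzureServices` is present in `--bypass`. The following added example (not part of the original control text) builds that command from an account's current `networkRuleSet` so that other exception flags (`Logging`, `Metrics`) are preserved rather than overwritten, and keeps public network access on "selected networks" (`--public-network-access Enabled --default-action Deny`) in both directions. The account and resource group names are placeholders; the resource group is assumed, since the CLI requires it and the portal steps do not mention it.

```python
"""Build the Azure CLI equivalent of the portal implementation and
backout steps, preserving existing bypass flags.

Nothing is executed unless run_command() is called with dry_run=False.
"""
import shlex
import subprocess

# Constructed sample `networkRuleSet` as returned by `az storage account show`.
SAMPLE_RULE_SET = {"defaultAction": "Deny", "bypass": "Logging, Metrics"}


def parse_bypass(bypass):
    """Comma-separated flag string ("AzureServices, Logging") -> set."""
    flags = {item.strip() for item in (bypass or "").split(",") if item.strip()}
    flags.discard("None")
    return flags


def format_bypass(flags):
    """Serialise a flag set for `--bypass`, which takes space-separated
    values and expects the literal `None` when no flag is set."""
    return sorted(flags) if flags else ["None"]


def build_update_command(name, resource_group, current_rule_set, enable):
    """Return the argv for `az storage account update` that toggles the
    AzureServices bypass while leaving other flags untouched."""
    flags = parse_bypass(current_rule_set.get("bypass"))
    if enable:
        flags.add("AzureServices")
    else:
        flags.discard("AzureServices")
    return [
        "az", "storage", "account", "update",
        "--name", name,
        "--resource-group", resource_group,
        "--public-network-access", "Enabled",   # "Enabled from selected networks"
        "--default-action", "Deny",             # ... rather than all networks
        "--bypass", *format_bypass(flags),
    ]


def implementation_command(name, resource_group, current_rule_set):
    """Implementation Steps: enable the trusted-services exception."""
    return build_update_command(name, resource_group, current_rule_set, enable=True)


def backout_command(name, resource_group, current_rule_set):
    """Backout Plan: disable the trusted-services exception."""
    return build_update_command(name, resource_group, current_rule_set, enable=False)


def run_command(argv, dry_run=True):
    """Print (and optionally execute) the command; returns the shell form."""
    line = shlex.join(argv)
    print(line)
    if not dry_run:
        subprocess.run(argv, check=True)
    return line


if __name__ == "__main__":
    # Placeholder names; replace with the real account and resource group.
    run_command(implementation_command("<storage-account>", "<resource-group>", SAMPLE_RULE_SET))
    run_command(backout_command("<storage-account>", "<resource-group>",
                                {"defaultAction": "Deny", "bypass": "AzureServices"}))
```

Feeding the live `networkRuleSet` into the builder matters because `--bypass` replaces the whole flag set: calling it with `AzureServices` alone on an account that also had `Logging` and `Metrics` would silently drop those exceptions, which is not what the portal checkbox does.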


Reference: