Anonymous read access to blob data keeps resetting to False

Anonymous
2024-01-12T06:19:37.7633333+00:00

The "Remediate anonymous read access to blob data" option of the Azure storage blob keeps getting reset to "False", many times over. I want to grant users anonymous read access to blob data so that they can get the resource they want. I want to know why this happens and how to prevent this option from being automatically reset to "False".

Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

3 answers

  1. Vinodh247 23,666 Reputation points MVP
    2024-01-14T01:04:35.77+00:00

    Thanks for reaching out to Microsoft Q&A. It will be set to False by default. But it shouldn't reset itself to false; I have never experienced that. I believe you have also considered the following behaviour and limitations of this feature.

    By default, anonymous access to your blob data is always prohibited. The default configuration for an Azure Resource Manager storage account prohibits users from configuring anonymous access to containers and blobs in a storage account. If your scenario requires that certain containers need to be available for anonymous access, then you should move those containers and their blobs into separate storage accounts that are reserved for anonymous access. Remediating anonymous access requires version 2019-04-01 or later of the Azure Storage resource provider.

    Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.

    2 people found this answer helpful.

  2. Sumarigo-MSFT 47,106 Reputation points Microsoft Employee
    2024-01-15T03:16:37.74+00:00

    @junyu.li Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    Adding more information to the above response!

    It is not recommended to grant anonymous read access to blob data as it presents a security risk. However, if you still want to grant anonymous read access to blob data, you need to understand that the default configuration for an Azure Resource Manager storage account prohibits public access to blob data. If you have enabled anonymous read access to blob data, it may be reset to "False" automatically due to security reasons.

    Azure Blob Storage supports optional anonymous read access to containers and blobs. However, anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.

    By default, anonymous access to your blob data is always prohibited. The default configuration for an Azure Resource Manager storage account prohibits users from configuring anonymous access to containers and blobs in a storage account. This default configuration disallows all anonymous access to an Azure Resource Manager storage account, regardless of the access setting for an individual container. When anonymous access for the storage account is disallowed, Azure Storage rejects all anonymous read requests against blob data. Users can't later configure anonymous access for containers in that account. Any containers that have already been configured for anonymous access will no longer accept anonymous requests.

    Permissions for disallowing anonymous access

    To prevent this option from being automatically reset to "False", you can disallow all public access to an Azure Resource Manager storage account, regardless of the public access setting for an individual container, by setting the AllowBlobPublicAccess property on the storage account to False. After you disallow public blob access for the storage account, Azure Storage rejects all anonymous requests to that account. Disallowing public access to a storage account prevents users from subsequently configuring public access for containers in that account. Any containers that have already been configured for public access will no longer accept anonymous requests. You can learn more about how to remediate anonymous public read access to blob data for Azure Resource Manager storage accounts in the following article: Remediate anonymous public read access to blob data

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
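The interaction the first two answers describe, between the account-level AllowBlobPublicAccess property and each container's own access level, can be checked offline against exported resource data. The following is an added example, not code from Microsoft or from either answer; the account and container names are constructed, and the JSON layout (a `containers` list nested under each account) is an assumption made for the sample.

```python
import json

# Constructed sample data (not from the page). Property names follow the ARM
# resource properties allowBlobPublicAccess (account) and publicAccess (container).
SAMPLE = json.loads("""
[
  {"name": "examplepublicassets",
   "properties": {"allowBlobPublicAccess": true},
   "containers": [
     {"name": "downloads", "properties": {"publicAccess": "Blob"}},
     {"name": "internal", "properties": {"publicAccess": "None"}}]},
  {"name": "exampleprivatedata",
   "properties": {"allowBlobPublicAccess": false},
   "containers": [
     {"name": "reports", "properties": {"publicAccess": "Container"}},
     {"name": "backups", "properties": {"publicAccess": "None"}}]}
]
""")


def classify(account, container):
    """Return 'exposed', 'blocked' or 'private' for one container.

    exposed: account allows anonymous access and the container is configured for it.
    blocked: container is configured for it, but the account setting rejects it.
    private: container is not configured for anonymous access.
    Assumption: a missing account property is treated as disallowed, matching
    the default configuration the answers describe.
    """
    allowed = account["properties"].get("allowBlobPublicAccess") is True
    level = container["properties"].get("publicAccess", "None")
    if level == "None":
        return "private"
    return "exposed" if allowed else "blocked"


def audit(accounts):
    """Map (account name, container name) to its effective status."""
    return {(a["name"], c["name"]): classify(a, c)
            for a in accounts for c in a["containers"]}


def mixed_accounts(accounts):
    """Accounts holding both exposed and private containers, i.e. candidates
    for moving the anonymous containers into a separate, dedicated account."""
    return [a["name"] for a in accounts
            if {"exposed", "private"} <= {classify(a, c) for c in a["containers"]}]


if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(key, status)
    print("mixed:", mixed_accounts(SAMPLE))
```

A "blocked" result is the case where a container still shows an anonymous access level but the account-level setting overrides it.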


  3. Shane Lee C 0 Reputation points
    2024-08-11T19:30:27.9166667+00:00

    I have the same issue. No matter what I did, it keeps reverting to Disabled. Frustrating.
