Checking Public Network Access Status for Azure Storage Accounts

BindingnavaleSunil, Anirudh 25 Reputation points
2024-02-13T14:41:32.3+00:00

How can I identify the public network access status for different storage accounts using PowerShell script across all subscriptions? I need to determine if the access is enabled from all networks, enabled from selected virtual networks and IP addresses, or disabled.

Azure Storage Accounts

Accepted answer
  1. Sam Cogan 10,582 Reputation points MVP
    2024-02-13T17:40:41.8266667+00:00

    The easiest way to get this sort of data is using resource graph queries. You can run this directly in the portal using resource graph explorer, or if you really want to use PowerShell you can run them using the Search-AzGraph command.

    What you are after is a little tricky to search for, as the three options you mention are not actually discrete options; they are a combination of a few things. First, the default action is defined on the storage account:

    • Allow - this means public access is allowed
    • Deny - this means either all public access is blocked, or, if there are any items in the IP or vNet array, it is enabled from selected networks.

    This query will get you the state of the default action, but it won't tell you if access is enabled from selected networks.

    // Default action only: Allow or Deny per storage account
    resources
    | where type == 'microsoft.storage/storageaccounts'
    | project name, properties.networkAcls.defaultAction


    If we want to show the three different statuses, then we need to check if there are any values in the IPRules or Network Rules arrays and then use this to build the status.

    resources
    | where type == 'microsoft.storage/storageaccounts'
    // Pull the two rule arrays and the default action out of the networkAcls object
    | extend networkRules = properties.networkAcls.virtualNetworkRules
    | extend ipRules = properties.networkAcls.ipRules
    | extend defaultAction = properties.networkAcls.defaultAction
    // True when at least one vNet rule or IP rule exists
    | extend hasNetworkAccessRules = iif(array_length(networkRules) > 0 or array_length(ipRules) > 0, true, false)
    // Deny plus rules = selected networks; otherwise report the default action as-is
    | extend firewallStatus = iif(defaultAction == "Deny" and hasNetworkAccessRules, "Selected Virtual Networks and IPs", defaultAction)
    | project id, name, firewallStatus


    This will output the ID and name of the storage account and a status of either Allow, Deny, or Selected Virtual Networks and IPs.

    2 people found this answer helpful.

1 additional answer

  1. Sven van Achthoven 16 Reputation points
    2024-10-09T10:54:53.95+00:00

    Thank you Sam - I have expanded on your code to find all other resource types in Azure using the below in Graph Explorer.

    Note: the property field for Public Access is not always the same, for example with Storage Accounts.

    resources
    // Projecting a nested property without an alias names the column properties_publicNetworkAccess
    | project name, properties.publicNetworkAccess
    | where properties_publicNetworkAccess has 'Enabled'

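The question asks for a PowerShell script that runs across all subscriptions, and both answers above stop at the Resource Graph query. The script below is an added example, not code from the question, from Sam Cogan's answer or from Sven's answer. It wraps Search-AzGraph in a paging loop (Resource Graph returns at most 1000 rows per call and hands back a SkipToken for the rest) and runs two queries through it: a storage-account query that extends Sam's with the properties.publicNetworkAccess property, which the portal's "Disabled" option sets, and a cross-type query in the spirit of Sven's answer. Assumptions: the Az.ResourceGraph module is installed, Connect-AzAccount has already been run, the identity has Reader on the subscriptions, and the module is recent enough to support -UseTenantScope. The function name Invoke-GraphQueryAllPages and the two CSV file names are this example's own choices.

```powershell
# Added example (not from the original question or answers): list public network access
# status across every subscription in the tenant with Azure Resource Graph.
# Assumptions: Az.ResourceGraph installed, Connect-AzAccount already run, Reader on the
# subscriptions, and a module version that supports -UseTenantScope.
#Requires -Modules Az.ResourceGraph

# Shared paging helper. Search-AzGraph caps each call at 1000 rows (-First) and returns a
# SkipToken on the response object while more rows remain.
function Invoke-GraphQueryAllPages {
    param([Parameter(Mandatory)][string]$Query)
    $skipToken = $null
    do {
        $params = @{ Query = $Query; First = 1000; UseTenantScope = $true }
        if ($skipToken) { $params['SkipToken'] = $skipToken }
        $page = Search-AzGraph @params
        $page                        # emit this page's rows to the pipeline
        $skipToken = $page.SkipToken # null/empty on the last page
    } while ($skipToken)
}

# Query 1: the three portal options for storage accounts. Sam's query reads only
# networkAcls.defaultAction, which separates "all networks" (Allow) from "selected
# networks" (Deny); the portal's "Disabled" option sets properties.publicNetworkAccess
# to Disabled, so that is checked first. Older accounts may have the property empty.
$storageQuery = @'
resources
| where type == 'microsoft.storage/storageaccounts'
| extend publicNetworkAccess = tostring(properties.publicNetworkAccess)
| extend defaultAction = tostring(properties.networkAcls.defaultAction)
| extend ipRuleCount = array_length(properties.networkAcls.ipRules)
| extend vnetRuleCount = array_length(properties.networkAcls.virtualNetworkRules)
| extend status = case(
    publicNetworkAccess =~ 'Disabled', 'Disabled',
    defaultAction =~ 'Allow', 'Enabled from all networks',
    'Enabled from selected virtual networks and IP addresses')
| project subscriptionId, resourceGroup, name, status, ipRuleCount, vnetRuleCount
| order by status asc, name asc
'@

# Query 2: every resource type that exposes properties.publicNetworkAccess, as in Sven's
# answer. Resources without the property are dropped, so an absence here does not mean
# the resource is private; storage accounts, for instance, also rely on networkAcls.
$anyTypeQuery = @'
resources
| extend publicNetworkAccess = tostring(properties.publicNetworkAccess)
| where isnotempty(publicNetworkAccess)
| project subscriptionId, resourceGroup, type, name, publicNetworkAccess
| order by type asc, name asc
'@

# Storage accounts: summary per status, then the ones open to every network.
$storage = Invoke-GraphQueryAllPages -Query $storageQuery
$storage | Group-Object status | Select-Object Name, Count | Format-Table -AutoSize
$storage | Where-Object status -eq 'Enabled from all networks' |
    Format-Table subscriptionId, resourceGroup, name -AutoSize

# All other types: which resource types have public network access enabled, and how many.
$everything = Invoke-GraphQueryAllPages -Query $anyTypeQuery
$everything | Where-Object publicNetworkAccess -eq 'Enabled' |
    Group-Object type | Select-Object Name, Count | Sort-Object Count -Descending |
    Format-Table -AutoSize

# Keep the evidence for review (file names are this example's choice).
$storage    | Export-Csv -Path .\storage-public-access.csv -NoTypeInformation
$everything | Export-Csv -Path .\public-network-access-all-types.csv -NoTypeInformation
```

The case() order matters: an account with publicNetworkAccess set to Disabled still carries whatever defaultAction it had before, so defaultAction alone would misreport it as Allow or Deny. Treat "Enabled from all networks" as the finding to chase first; "selected networks" accounts still need their IP and vNet rules reviewed, which the ipRuleCount and vnetRuleCount columns are there to prompt.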
