The easiest way to get this sort of data is using resource graph queries. You can run this directly in the portal using resource graph explorer, or if you really want to use PowerShell you can run them using the Search-AzGraph command.
What you are after is a little tricky to search for, as the three options you mention are not actually discrete options; they are a combination of a few things. First, the default action is defined on the storage account:
- Allow - this means public access is allowed
- Deny - this means either all public access is blocked, or if there are any items in the IP or vNet array then it is enabled from selected networks.
This query will get you the state of the default action, but it won't tell you if access is enabled from selected networks.
```kusto
resources
| where type == 'microsoft.storage/storageaccounts'
| project name, properties.networkAcls.defaultAction
```
If we want to show the three different statuses then we need to check if there are any values in the IP rules or network rules arrays and then use this to build the status.
```kusto
resources
| where type == 'microsoft.storage/storageaccounts'
// Pull the rule arrays and the default action out of the network ACL block
| extend networkRules = properties.networkAcls.virtualNetworkRules
| extend ipRules = properties.networkAcls.ipRules
// Cast to string so both branches of the final iif() return the same type
| extend defaultAction = tostring(properties.networkAcls.defaultAction)
// True when at least one vNet or IP rule exists
| extend hasNetworkAccessRules = iif(array_length(networkRules) > 0 or array_length(ipRules) > 0, true, false)
// Deny plus rules means "selected networks"; otherwise report the default action as-is
| extend firewallStatus = iif(defaultAction == "Deny" and hasNetworkAccessRules, "Selected Virtual Networks and IPs", defaultAction)
| project id, name, firewallStatus
```
This will output the ID and name of the storage account and a status of either allow, deny or selected virtual networks and IPs.
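
As an added example (not part of the original answer), the same status query can be run through `Search-AzGraph` with paging, since a single call returns only the first 100 rows by default and a large estate would otherwise be under-reported. It assumes an Az.ResourceGraph version whose response object exposes `Data` and `SkipToken`, and an already signed-in session; the CSV file name is a placeholder.

```powershell
# Requires the Az.ResourceGraph module and an authenticated session (Connect-AzAccount).
$query = @'
resources
| where type == 'microsoft.storage/storageaccounts'
| extend networkRules = properties.networkAcls.virtualNetworkRules
| extend ipRules = properties.networkAcls.ipRules
| extend defaultAction = tostring(properties.networkAcls.defaultAction)
| extend hasNetworkAccessRules = iif(array_length(networkRules) > 0 or array_length(ipRules) > 0, true, false)
| extend firewallStatus = iif(defaultAction == "Deny" and hasNetworkAccessRules, "Selected Virtual Networks and IPs", defaultAction)
| project id, name, subscriptionId, firewallStatus
| order by id asc
'@

# Collect every page; the query keeps the id column so paging tokens work.
$results = [System.Collections.Generic.List[object]]::new()
$skipToken = $null
do {
    $params = @{ Query = $query; First = 1000 }        # 1000 is the per-call maximum
    if ($skipToken) { $params.SkipToken = $skipToken } # only pass a token once we have one
    $page = Search-AzGraph @params
    foreach ($row in $page.Data) { $results.Add($row) }
    $skipToken = $page.SkipToken
} while ($skipToken)

# Count of storage accounts per firewall status
$results | Group-Object firewallStatus | Select-Object Name, Count

# Accounts whose default action is Allow, exported for review (placeholder file name)
$results |
    Where-Object firewallStatus -eq 'Allow' |
    Select-Object subscriptionId, name, id |
    Export-Csv -Path .\storage-default-allow.csv -NoTypeInformation
```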