I have a similar request but with a different approach.
In my opinion, publicBlobAccess should always be disabled by default for the Databricks-managed storage account, to match best practices and to match a new (still preview) ASC rule. The built-in deny rule of the managed resource group prevents changing the content of the RG, and ASC alerts cannot be fixed manually by changing resource settings.
Azure Databricks creates resources safely in the managed RG, but the created resources should not cause any bogus alerts in ASC and force users to add resources to an exemption list.
refs:
- https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
- https://azure.microsoft.com/en-au/updates/choose-to-allow-or-disallow-blob-public-access-on-azure-storage-accounts/
- ASC: "Storage account public access should be disallowed" and "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it."
I hope this will be considered; it would solve half of the OP's problem.
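A compliance check matching the ASC rule quoted above, added here as an example and not part of the original comment: it reads storage-account JSON in the shape of `az storage account list -o json` (the sample below is constructed; account and resource-group names are made up) and reports every account whose allowBlobPublicAccess is not explicitly false, treating a missing or null value as "not pinned" rather than as compliant.

```python
import json

# Constructed sample in the shape of `az storage account list -o json`
# (only the fields the check needs are included; names are made up).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "dbstorageexample1", "resourceGroup": "databricks-rg-example-managed",
   "allowBlobPublicAccess": true},
  {"name": "dbstorageexample2", "resourceGroup": "databricks-rg-example-managed",
   "allowBlobPublicAccess": false},
  {"name": "legacyacct", "resourceGroup": "other-rg",
   "allowBlobPublicAccess": null}
]
"""


def find_public_access_not_disabled(accounts, resource_group=None):
    """Return sorted names of accounts whose allowBlobPublicAccess is not
    explicitly False. None/missing is reported as well: the setting was
    never pinned, so the account cannot be shown to satisfy the
    'Storage account public access should be disallowed' rule.
    resource_group (optional) restricts the scan, e.g. to a Databricks
    managed RG that the user cannot modify themselves."""
    findings = []
    for acct in accounts:
        if resource_group and acct.get("resourceGroup") != resource_group:
            continue
        if acct.get("allowBlobPublicAccess") is not False:
            findings.append(acct["name"])
    return sorted(findings)


def check_from_json(text, resource_group=None):
    """Parse CLI-style JSON and run the check on it."""
    return find_public_access_not_disabled(json.loads(text), resource_group)


if __name__ == "__main__":
    for name in check_from_json(SAMPLE_ACCOUNTS_JSON):
        print(f"public blob access not disabled: {name}")
```

Accounts reported inside a locked managed resource group cannot be fixed by the workspace owner, which is exactly the case the comment describes; the report is the list to raise with the service owner or to document in an exemption.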