More Info:
Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules. To help this type of service work as intended allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, Azure SQL Data Warehouse (when registered in the subscription)Risk Level
MediumAddress
SecurityCompliance Standards
CISAZURE, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the “Trusted Microsoft Services Enabled” misconfiguration in Azure using the Azure console, follow these steps:
- Log in to the Azure portal at https://portal.azure.com/
- Navigate to the Azure Security Center.
- Click on “Security policy” on the left-hand side of the screen.
- Click on the policy that you want to modify.
- Click on the “Edit” button at the top of the screen.
- Scroll down to the “Trusted Microsoft Services” section.
- Toggle the switch to “Off” to disable Trusted Microsoft Services.
- Click “Save” to apply the changes.
Using CLI
Using CLI
To remediate the Trusted Microsoft Services Enabled misconfiguration in Azure using Azure CLI, follow these steps:
- Open the Azure CLI and log in to your Azure account.
-
Run the following command to check if Trusted Microsoft Services are enabled or not:
az security setting show --name 'TrustedMicrosoftServices'
If the output shows “false” for the “isEnabled” parameter, it means that Trusted Microsoft Services are not enabled. -
To remediate this misconfiguration, run the following command to enable Trusted Microsoft Services:
az security setting set --name 'TrustedMicrosoftServices' --enabled true
- After running the command, the output should show “true” for the “isEnabled” parameter, indicating that Trusted Microsoft Services have been enabled.
-
Verify that the remediation is successful by running the first command again to check if Trusted Microsoft Services are now enabled.
az security setting show --name 'TrustedMicrosoftServices'
The output should show “true” for the “isEnabled” parameter.
Using Python
Using Python
To remediate the “Trusted Microsoft Services Enabled” misconfiguration in Azure using Python, you can use the Azure SDK for Python. Follow these steps:This will deploy a policy assignment to disable the “Trusted Microsoft Services” feature in your Azure subscription. Note that it may take a few minutes for the policy to take effect.
- Install the Azure SDK for Python using pip:
- Import the required modules:
- Create a Service Principal and assign it the
Contributor
role for the subscription:
- Define the remediation template to disable the “Trusted Microsoft Services” feature:
- Deploy the remediation template: