Trusted Microsoft Services Enabled

More Info:

Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules. To help this type of service work as intended allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, Azure SQL Data Warehouse (when registered in the subscription)

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

Using Python

To remediate the “Trusted Microsoft Services Enabled” misconfiguration in Azure using Python, you can use the Azure SDK for Python. Follow these steps:

Install the Azure SDK for Python using pip:

pip install azure-mgmt-resource

Import the required modules:

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.resource.resources.models import DeploymentMode

Create a Service Principal and assign it the Contributor role for the subscription:

credentials = ServicePrincipalCredentials(
    client_id='<your-client-id>',
    secret='<your-client-secret>',
    tenant='<your-tenant-id>'
)

client = ResourceManagementClient(credentials, '<your-subscription-id>')
client.providers.register('Microsoft.Authorization')

Define the remediation template to disable the “Trusted Microsoft Services” feature:

template = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "DisableTrustedMicrosoftServices",
            "apiVersion": "2019-09-01",
            "properties": {
                "displayName": "Disable Trusted Microsoft Services",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e079ed2-211c-42c5-9c5c-8f9e9c9e4c74",
                "parameters": {},
                "enforcementMode": "Default",
                "scope": "/subscriptions/<your-subscription-id>"
            }
        }
    ]
}

Deploy the remediation template:

deployment_properties = {
    'mode': DeploymentMode.incremental,
    'template': template,
}

deployment_async_operation = client.deployments.create_or_update(
    '<your-resource-group>',
    'DisableTrustedMicrosoftServices',
    deployment_properties,
)

deployment_async_operation.wait()

This will deploy a policy assignment to disable the “Trusted Microsoft Services” feature in your Azure subscription. Note that it may take a few minutes for the policy to take effect.

Additional Reading:

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Trusted Microsoft Services Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: