More Info:

Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules. To help this type of service work as intended allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, Azure SQL Data Warehouse (when registered in the subscription)

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the “Trusted Microsoft Services Enabled” misconfiguration in Azure using the Azure console, follow these steps:
  1. Log in to the Azure portal at https://portal.azure.com/
  2. Navigate to the Azure Security Center.
  3. Click on “Security policy” on the left-hand side of the screen.
  4. Click on the policy that you want to modify.
  5. Click on the “Edit” button at the top of the screen.
  6. Scroll down to the “Trusted Microsoft Services” section.
  7. Toggle the switch to “Off” to disable Trusted Microsoft Services.
  8. Click “Save” to apply the changes.
Once you have completed these steps, Trusted Microsoft Services will be disabled, and you will have remediated the misconfiguration. It’s important to note that this may impact some functionality in your Azure environment, so be sure to test thoroughly before making any changes in production.

To remediate the Trusted Microsoft Services Enabled misconfiguration in Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI and log in to your Azure account.
  2. Run the following command to check if Trusted Microsoft Services are enabled or not: az security setting show --name 'TrustedMicrosoftServices' If the output shows “false” for the “isEnabled” parameter, it means that Trusted Microsoft Services are not enabled.
  3. To remediate this misconfiguration, run the following command to enable Trusted Microsoft Services: az security setting set --name 'TrustedMicrosoftServices' --enabled true
  4. After running the command, the output should show “true” for the “isEnabled” parameter, indicating that Trusted Microsoft Services have been enabled.
  5. Verify that the remediation is successful by running the first command again to check if Trusted Microsoft Services are now enabled. az security setting show --name 'TrustedMicrosoftServices' The output should show “true” for the “isEnabled” parameter.
By following the above steps, you can successfully remediate the Trusted Microsoft Services Enabled misconfiguration in Azure using Azure CLI.
To remediate the “Trusted Microsoft Services Enabled” misconfiguration in Azure using Python, you can use the Azure SDK for Python. Follow these steps:
  1. Install the Azure SDK for Python using pip:
pip install azure-mgmt-resource
  1. Import the required modules:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.resource.resources.models import DeploymentMode
  1. Create a Service Principal and assign it the Contributor role for the subscription:
credentials = ServicePrincipalCredentials(
    client_id='<your-client-id>',
    secret='<your-client-secret>',
    tenant='<your-tenant-id>'
)

client = ResourceManagementClient(credentials, '<your-subscription-id>')
client.providers.register('Microsoft.Authorization')
  1. Define the remediation template to disable the “Trusted Microsoft Services” feature:
template = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "DisableTrustedMicrosoftServices",
            "apiVersion": "2019-09-01",
            "properties": {
                "displayName": "Disable Trusted Microsoft Services",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4e079ed2-211c-42c5-9c5c-8f9e9c9e4c74",
                "parameters": {},
                "enforcementMode": "Default",
                "scope": "/subscriptions/<your-subscription-id>"
            }
        }
    ]
}
  1. Deploy the remediation template:
deployment_properties = {
    'mode': DeploymentMode.incremental,
    'template': template,
}

deployment_async_operation = client.deployments.create_or_update(
    '<your-resource-group>',
    'DisableTrustedMicrosoftServices',
    deployment_properties,
)

deployment_async_operation.wait()
This will deploy a policy assignment to disable the “Trusted Microsoft Services” feature in your Azure subscription. Note that it may take a few minutes for the policy to take effect.

Additional Reading: