A storage account that is created as part of an Azure Function App out of the box has some configuration tradeoffs that can be considered vulnerabilities. Let’s look at what can be changed to improve the security of the storage account without affecting the functionality of the Azure Function App.
Public (anonymous) Access
Storage account blob anonymous (public ) access should be disallowed. Though having this Enabled does not allow anonymous access to blobs automatically, it is recommended to disable public access unless the scenario requires it. Storage account that support Azure Function App is not supposed to be shared anonymously.
Navigate to your Storage Account at Azure portal, Settings/Configuration, then
for “Allow Blob anonymous access” select “Disabled”:
MS: “When allow blob anonymous access is enabled, one is permitted to configure container ACLs to allow anonymous access to blobs within the storage account. When disabled, no anonymous access to blobs within the storage account is permitted, regardless of underlying ACL configurations. Learn more about allowing blob anonymous access“.
Storage account key access
This is also considered as vulnerability and it is recommended to disable Storage account key access.
NB: (Jan 2025) It is not possible to Set “Allow storage account key access” to Disabled if you are using Consumption or Elastic Premium plans on both Windows and Linux without breaking the function app. For other plans – it’s possible but requires some work.
Set “Allow storage account key access” to Disabled:
MS: “When Allow storage account key access is disabled, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied. Client applications that currently access the storage account using Shared Key will no longer work. Learn more about Allow storage account key access“
The problem is it seems like the function app ootb is configured to use key access, so just disabling storage account key access breaks the function app.
For the function app to adopt this new setting, you’d need:
- provide access for the function app to the storage account
- reconfigure the function app for authorization via Microsoft Entra credentials
Here is the separate article “Function app to access Storage via Microsoft Entra credentials” with the detailed step-by-step guide