articles/storage/blobs/object-replication-prevent-cross-tenant-policies.md
Lines changed: 10 additions & 10 deletions
@@ -23,9 +23,9 @@ For more information on how to configure object replication policies, including
23
23
24
24
## Remediate cross-tenant object replication
25
25
26
-
To prevent object replication across Microsoft Entra tenants, set the **AllowCrossTenantReplication** property for the storage account to **false**. If a storage account does not currently participate in any cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* prevents future configuration of cross-tenant object replication policies with this storage account as the source or destination. However, if a storage account currently participates in one or more cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false*is not permitted until you delete the existing cross-tenant policies.
26
+
To prevent object replication across Microsoft Entra tenants, set the **AllowCrossTenantReplication** property for the storage account to **false**. If a storage account doesn't currently participate in any cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* prevents future configuration of cross-tenant object replication policies with this storage account as the source or destination. However, if a storage account currently participates in one or more cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false*isn't permitted until you delete the existing cross-tenant policies.
27
27
28
-
Cross-tenant policies are not permitted by default for a storage account created after Dec 15, 2023. However, the **AllowCrossTenantReplication** property was not set by default for an existing storage account created before Dec 15, 2023, and does not return a value until you had explicitly set it. The storage account can participate in object replication policies across tenants when the property value is either **null** or **true** for accounts created prior to Dev 15, 2023. For accounts created after that time, the property needs to be set to true. Setting the **AllowCrossTenantReplication** property does not incur any downtime on the storage account.
28
+
Cross-tenant policies aren't permitted by default for a storage account created after Dec 15, 2023. However, the **AllowCrossTenantReplication** property wasn't set by default for an existing storage account created before Dec 15, 2023, and doesn't return a value until you had explicitly set it. The storage account can participate in object replication policies across tenants when the property value is either **null** or **true** for accounts created prior to Dev 15, 2023. For accounts created after that time, the property needs to be set to true. Setting the **AllowCrossTenantReplication** property doesn't incur any downtime on the storage account.
29
29
30
30
### Remediate cross-tenant replication for a new account
31
31
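Review bot: the replacement for line 26 keeps the missing space in `*false*isn't` (the removed line already had `*false*is not`); since the line is being rewritten anyway, make it `*false* isn't` so the emphasis renders. The replacement for line 28 likewise carries over two pre-existing defects: `prior to Dev 15, 2023` should be `Dec 15, 2023` to match the other two dates in the paragraph, and `until you had explicitly set it` reads more naturally as `until you explicitly set it`.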
@@ -94,7 +94,7 @@ To disallow cross-tenant replication for an existing storage account, use the Az
94
94
95
95
#### [Azure portal](#tab/portal)
96
96
97
-
To disallow cross-tenant object replication for an existing storage account that is not currently participating in any cross-tenant policies, follow these steps:
97
+
To disallow cross-tenant object replication for an existing storage account that isn't currently participating in any cross-tenant policies, follow these steps:
98
98
99
99
1. Navigate to your storage account in the Azure portal.
100
100
1. Under **Data management**, select **Object replication**.
@@ -111,7 +111,7 @@ If the storage account is currently participating in one or more cross-tenant re
111
111
112
112
#### [PowerShell](#tab/azure-powershell)
113
113
114
-
To disallow cross-tenant object replication for an existing storage account that is not currently participating in any cross-tenant policies, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage)\, version 3.7.0 or later. Next, configure the **AllowCrossTenantReplication** property for the storage account.
114
+
To disallow cross-tenant object replication for an existing storage account that isn't currently participating in any cross-tenant policies, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage)\, version 3.7.0 or later. Next, configure the **AllowCrossTenantReplication** property for the storage account.
115
115
116
116
The following example shows how to disallow cross-tenant object replication for an existing storage account with PowerShell. Remember to replace the placeholder values in brackets with your own values:
117
117
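Review bot: the rewritten line 114 still contains a stray backslash before the comma after the link, `[Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage)\, version 3.7.0 or later`, which renders as a literal `\` in the published page; drop it while the line is being touched.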
@@ -128,7 +128,7 @@ If the storage account is currently participating in one or more cross-tenant re
128
128
129
129
#### [Azure CLI](#tab/azure-cli)
130
130
131
-
To disallow cross-tenant object replication for an existing storage account that is not currently participating in any cross-tenant policies, first install Azure CLI version 2.24.0 or later. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli). Next, configure the **allowCrossTenantReplication** property for a new or existing storage account.
131
+
To disallow cross-tenant object replication for an existing storage account that isn't currently participating in any cross-tenant policies, first install Azure CLI version 2.24.0 or later. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli). Next, configure the **allowCrossTenantReplication** property for a new or existing storage account.
132
132
133
133
The following example shows how to disallow cross-tenant object replication for an existing storage account with Azure CLI. Remember to replace the placeholder values in brackets with your own values:
134
134
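Review bot: the rewritten line 131 ends with `configure the **allowCrossTenantReplication** property for a new or existing storage account`, but this tab sits under the existing-account procedure and the parallel PowerShell tab says `for the storage account`; consider aligning the wording. The PowerShell tab also writes the property as **AllowCrossTenantReplication**, so if the lower-camel-case form here is intentional (matching the ARM property name rather than the PowerShell parameter), a consistent choice across the tabs would avoid reader confusion.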
@@ -143,7 +143,7 @@ If the storage account is currently participating in one or more cross-tenant re
143
143
144
144
---
145
145
146
-
After you disallow cross-tenant replication, attempting to configure a cross-tenant policy with the storage account as the source or destination fails. Azure Storage returns an error indicating that cross-tenant object replication is not permitted for the storage account.
146
+
After you disallow cross-tenant replication, attempting to configure a cross-tenant policy with the storage account as the source or destination fails. Azure Storage returns an error indicating that cross-tenant object replication isn't permitted for the storage account.
147
147
148
148
When cross-tenant object replication is disallowed for a storage account, then any new object replication policies that you create with that account must include the full Azure Resource Manager IDs for the source and destination account. Azure Storage requires the full resource ID to verify whether the source and destination accounts reside within the same tenant. For more information, see [Specify full resource IDs for the source and destination accounts](object-replication-overview.md#specify-full-resource-ids-for-the-source-and-destination-accounts).
149
149
@@ -172,7 +172,7 @@ If you have a large number of storage accounts, you may want to perform an audit
172
172
173
173
### Create a policy with an Audit effect
174
174
175
-
Azure Policy supports effects that determine what happens when a policy rule is evaluated against a resource. The Audit effect creates a warning when a resource is not in compliance, but does not stop the request. For more information about effects, see [Understand Azure Policy effects](../../governance/policy/concepts/effects.md).
175
+
Azure Policy supports effects that determine what happens when a policy rule is evaluated against a resource. The Audit effect creates a warning when a resource isn't in compliance, but doesn't stop the request. For more information about effects, see [Understand Azure Policy effects](../../governance/policy/concepts/effects.md).
176
176
177
177
To create a policy with an Audit effect for the cross-tenant object replication setting for a storage account with the Azure portal, follow these steps:
178
178
@@ -232,14 +232,14 @@ To view the compliance report in the Azure portal, follow these steps:
232
232
233
233
1. In the Azure portal, navigate to the Azure Policy service.
234
234
1. Select **Compliance**.
235
-
1. Filter the results for the name of the policy assignment that you created in the previous step. The report shows resources that are not in compliance with the policy.
236
-
1. You can drill down into the report for additional details, including a list of storage accounts that are not in compliance.
235
+
1. Filter the results for the name of the policy assignment that you created in the previous step. The report shows resources that aren't in compliance with the policy.
236
+
1. You can drill down into the report for additional details, including a list of storage accounts that aren't in compliance.
237
237
238
238
:::image type="content" source="media/object-replication-prevent-cross-tenant-policies/compliance-report-cross-tenant-audit-effect-policy.png" alt-text="Screenshot showing compliance report for audit policy for blob cross-tenant object replication":::
239
239
240
240
## Use Azure Policy to enforce same-tenant replication policies
241
241
242
-
Azure Policy supports cloud governance by ensuring that Azure resources adhere to requirements and standards. To ensure that storage accounts in your organization disallow cross-tenant replication, you can create a policy that prevents the creation of a new storage account that allows cross-tenant object replication policies. The enforcement policy uses the Deny effect to prevent a request that would create or modify a storage account to allow cross-tenant object replication. The Deny policy will also prevent all configuration changes to an existing account if the cross-tenant object replication setting for that account is not compliant with the policy. For more information about the Deny effect, see [Understand Azure Policy effects](../../governance/policy/concepts/effects.md).
242
+
Azure Policy supports cloud governance by ensuring that Azure resources adhere to requirements and standards. To ensure that storage accounts in your organization disallow cross-tenant replication, you can create a policy that prevents the creation of a new storage account that allows cross-tenant object replication policies. The enforcement policy uses the Deny effect to prevent a request that would create or modify a storage account to allow cross-tenant object replication. The Deny policy will also prevent all configuration changes to an existing account if the cross-tenant object replication setting for that account isn't compliant with the policy. For more information about the Deny effect, see [Understand Azure Policy effects](../../governance/policy/concepts/effects.md).
243
243
244
244
To create a policy with a Deny effect for cross-tenant object replication, follow the same steps described in [Use Azure Policy to audit for compliance](#use-azure-policy-to-audit-for-compliance), but provide the following JSON in the **policyRule** section of the policy definition: