What it is
A storage account whose networkAcls.defaultAction is set to Allow instead of Deny. The default action decides what happens to traffic that doesn't match your explicit IP and virtual-network rules, so with it set to Allow the account accepts connections from every network, and the allow-list entries you configured stop doing anything.
Why it happens
A storage firewall only works one way: deny everything by default, then allow specific IP ranges and subnets. With defaultAction set to Allow, the logic inverts — everything is already permitted, so the allow-list is redundant by definition.
Azure makes this the easy state to end up in. Creating a storage account in the portal with the default networking choice ("Enable public access from all networks") produces exactly this configuration, so an account created down the default path is born with a firewall whose default action is Allow. And when someone debugging a connectivity failure flips an existing firewall from Deny to Allow to "just make it work," nothing errors, nothing nags, and the change quietly survives.
This is a different switch from publicNetworkAccess (see AZF-0025). That property decides whether the account's endpoints are reachable off private networks at all; this one decides whether the firewall that guards the public path actually filters anything. An account can pass a "public access is intentional" review and still be wide open because the firewall behind it defaults to Allow.
What it costs / blast radius
The firewall becomes decorative. (Azure behavior; authored assessment.) Every blob, file share, queue, and table in the account is reachable from any network, gated only by authentication — keys, SAS tokens, and identity. The dangerous part is how it reads in a review: the IP rules and VNet rules are still sitting in the configuration, so the account looks locked down to anyone who checks "are there network rules?" without checking what the default action does with everything else.
See it
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: 'corpdata002'
location: location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
properties: {
networkAcls: {
defaultAction: 'Allow' // every network gets through; the rules are moot
bypass: 'AzureServices'
ipRules: [ { value: '203.0.113.10' } ]
virtualNetworkRules: [ { id: appSubnet.id } ]
}
}
}resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: 'corpdata002'
location: location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
properties: {
networkAcls: {
defaultAction: 'Deny' // deny by default; the rules now actually gate traffic
bypass: 'AzureServices'
ipRules: [ { value: '203.0.113.10' } ]
virtualNetworkRules: [ { id: appSubnet.id } ]
}
}
}How StratoLens helps
StratoLens flags storage accounts whose firewall default action is Allow automatically, continuously, across every subscription in your tenant — including the ones that drifted from Deny to Allow during an incident and never got flipped back. The account that looks firewalled but isn't gets surfaced instead of passing another review.