What it is
A storage account whose publicNetworkAccess property is set to Enabled rather than Disabled. The account's data-plane endpoints (blob, file, queue, table) resolve and accept connections from any network, so the only thing standing between the internet and your data is authentication and any account-level firewall rules you remembered to configure.
Why it happens
publicNetworkAccess is the account-wide switch that decides whether the endpoints are reachable off your private network at all. A private endpoint does not turn it off: you can stand up Private Link and still have the public path wide open, because the two settings are independent. When the switch was locked to Disabled and later drifts back to Enabled, the account silently rejoins the public internet.
The flip usually isn't malicious. A support ticket needs "just temporary" public access, a Terraform or Bicep default reintroduces it, or a portal click during troubleshooting never gets reverted. Azure treats Enabled as a valid state, so nothing errors and nothing nags. The account keeps working exactly as before, which is why the change survives review.
What it costs / blast radius
The blast radius is the entire account: every container, share, queue, and table it holds is now addressable from anywhere. Public network access does not authenticate anyone by itself, but it moves your data from "unreachable off the private network" to "reachable by the world, protected only by keys, SAS tokens, and identity." A leaked SAS URL, an over-broad shared key, or a container left open to anonymous reads becomes internet-wide instead of network-scoped. (This is a control-plane exposure assessment, not a measured breach probability; your account firewall and RBAC still matter.)
See it
Before (drifted back to public):

param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Enabled' // the whole internet can reach the endpoints
  }
}

After (locked down):

param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled' // only private endpoints / trusted access reach it
    networkAcls: {
      defaultAction: 'Deny' // deny by default even if the switch is flipped later
    }
  }
}

How StratoLens helps
StratoLens watches this property across every storage account in every subscription and flags the moment it drifts from Disabled to Enabled, with the change captured in history so you can see when it happened and what else moved with it. You don't have to schedule the audit or remember which accounts were supposed to be private; the check runs continuously inside your own tenant.
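The same check, written out as an added example that is not StratoLens code: it reads the JSON shape returned by `az storage account list -o json` (assumed field names `publicNetworkAccess` and `networkAcls.defaultAction`, over a constructed sample rather than a live tenant) and rates each account by whether the account-wide switch is Enabled and whether the firewall still denies by default.

```python
import json

# Constructed sample shaped like `az storage account list -o json`; only the
# fields the check reads are included (real output carries many more).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "corpdata001", "publicNetworkAccess": "Enabled",
   "networkAcls": {"defaultAction": "Allow"}},
  {"name": "corpdata002", "publicNetworkAccess": "Enabled",
   "networkAcls": {"defaultAction": "Deny",
                   "ipRules": [{"value": "203.0.113.0/24"}]}},
  {"name": "corpdata003", "publicNetworkAccess": "Disabled",
   "networkAcls": {"defaultAction": "Deny"}},
  {"name": "legacy004", "publicNetworkAccess": null, "networkAcls": null}
]
"""


def classify(account):
    """Return (severity, reason) for one storage account record.

    publicNetworkAccess is the account-wide switch; networkAcls only matters
    while that switch is Enabled. An unset value is treated as Enabled here,
    which is the service default for accounts that never had it written.
    """
    pna = account.get("publicNetworkAccess") or "Enabled"
    if pna == "Disabled":
        return "ok", "public network access disabled"
    acls = account.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") == "Allow":
        return "high", "public access enabled and firewall allows all networks"
    return "medium", "public access enabled; reachable through firewall exceptions"


def find_exposed(accounts_json):
    """Map account name -> (severity, reason) for every account not rated ok."""
    findings = {}
    for acct in json.loads(accounts_json):
        severity, reason = classify(acct)
        if severity != "ok":
            findings[acct["name"]] = (severity, reason)
    return findings


if __name__ == "__main__":
    for name, (severity, reason) in find_exposed(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{severity.upper():6} {name}: {reason}")
```

Pipe the real CLI output into `find_exposed` on a schedule and diff the result against the previous run to catch the Disabled-to-Enabled flip the page describes.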