Security · High · Common · AZF-0026

Blob public access turns containers into an anonymous, unauthenticated download link

Setting allowBlobPublicAccess to true lets any container or blob be configured for anonymous reads, so data can be fetched with an unauthenticated HTTPS GET: no credentials at all.

Footgun ID
AZF-0026 (Azure Footgun No. 26)
Azure service
Azure Storage
Resource type
Microsoft.Storage/storageAccounts
Updated
July 1, 2026

What it is

A storage account with allowBlobPublicAccess set to true. This account-level switch is what permits individual containers to be marked for anonymous access. Once it's on, a container set to Blob or Container access level serves its contents to anyone with the URL, with no shared key, no SAS token, and no identity involved.

Impact (security)
Blob data readable with no key, no token, and no identity
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

This is distinct from the network-level switch (see AZF-0025). Public network access controls whether the endpoint is reachable; allowBlobPublicAccess controls whether a request that reaches it can succeed without authenticating at all. The account switch is the master gate: with it false, no container can be anonymous no matter what its own access level says (the container setting is simply not honored); with it true, a single mis-set container leaks. Anonymous access therefore needs both gates open: the account flag true and the container's access level set to Blob or Container.

It gets turned on for ordinary-looking reasons. Someone hosts static assets or a public download, a legacy app expects anonymous blob URLs, or a default in an older template leaves it enabled. (Static website hosting is not one of those reasons: the $web container is served through the separate web endpoint and keeps working with the flag set to false.) Accounts created recently default it to false, but the flag is easy to flip back and easy to inherit from copied infrastructure code, so declare it explicitly rather than relying on a default. Because the account keeps working, the change rarely gets a second look.

What it costs / blast radius

The blast radius is any container on the account that is (or later gets) set to an anonymous access level. Anonymous reads bypass keys and RBAC entirely, so a container holding backups, exports, logs, or customer files becomes a public, unauthenticated download endpoint. The two levels differ in how much guessing an attacker needs: at Blob level they must already know the exact blob URL, while at Container level they can also list the container's blobs anonymously, so nothing has to be guessed. Search engines and blob-URL scanners routinely find these. The exposure is not measured breach data; it is the plainly documented Azure behavior that anonymous access requires this flag to be on, which is exactly why turning it off account-wide is the durable fix.

See it

Footgun: account allows anonymous blob access (containers can be public)
param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpassets001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: true   // any container may be set to anonymous reads
  }
}
Fix: forbid anonymous access account-wide; use SAS or private endpoints instead
param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpassets001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false  // no container can be anonymous, whatever its own access level says
  }
}
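The two-gate rule described under "Why it happens" (account flag AND container access level) and the flag-drift check this entry recommends can be evaluated offline from an inventory export. The script below is an added example for this entry, not StratoLens or Azure code. The record shapes mimic the output of `az storage account list` and `az storage container list --auth-mode login`, but every account, container and value in it is constructed sample data, and the choice to treat a missing allowBlobPublicAccess value as open is this script's conservative audit rule, not an Azure default.

```python
"""Effective anonymous exposure of Azure Storage containers, plus drift of the
account-level allowBlobPublicAccess gate between two inventory snapshots.
Added example for footgun AZF-0026; all inventory data below is constructed."""
from dataclasses import dataclass

# Container public access levels that permit anonymous reads (data-plane values).
ANONYMOUS_LEVELS = {"blob", "container"}


@dataclass(frozen=True)
class Finding:
    account: str
    container: str
    level: str
    status: str  # "exposed": readable now; "latent": one account flag flip away


def account_allows_anonymous(account: dict) -> bool:
    """Account-level master gate. Only an explicit false counts as closed; a
    missing value is treated as open so the audit errs toward flagging
    (this script's assumption, not an Azure semantic)."""
    return account.get("allowBlobPublicAccess") is not False


def container_level(container: dict) -> str:
    """Normalize the container's publicAccess ('blob', 'container', or null) to
    a lower-case level, mapping null to 'private'."""
    level = (container.get("properties") or {}).get("publicAccess")
    return (level or "private").lower()


def evaluate(account: dict, containers: list[dict]) -> list[Finding]:
    """Anonymous reads succeed only when BOTH gates are open. A Blob/Container
    level under an account whose flag is false is reported as latent."""
    gate_open = account_allows_anonymous(account)
    findings = []
    for c in containers:
        level = container_level(c)
        if level not in ANONYMOUS_LEVELS:
            continue
        findings.append(Finding(account["name"], c["name"], level,
                                "exposed" if gate_open else "latent"))
    return findings


def audit(accounts: dict[str, dict], containers: dict[str, list[dict]]) -> list[Finding]:
    """Run evaluate() over every account in the snapshot."""
    out = []
    for name, acct in accounts.items():
        out.extend(evaluate(acct, containers.get(name, [])))
    return out


def drift(previous: dict[str, dict], current: dict[str, dict]) -> list[str]:
    """Accounts whose gate was closed in the previous snapshot and is open now."""
    return sorted(name for name, acct in current.items()
                  if name in previous
                  and not account_allows_anonymous(previous[name])
                  and account_allows_anonymous(acct))


# Constructed snapshots (not real tenant data): corpdata002's flag flips to true.
ACCOUNTS_BEFORE = {
    "corpassets001": {"name": "corpassets001", "allowBlobPublicAccess": True},
    "corpdata002": {"name": "corpdata002", "allowBlobPublicAccess": False},
}
ACCOUNTS_NOW = {
    "corpassets001": {"name": "corpassets001", "allowBlobPublicAccess": True},
    "corpdata002": {"name": "corpdata002", "allowBlobPublicAccess": True},
}
CONTAINERS = {
    "corpassets001": [
        {"name": "downloads", "properties": {"publicAccess": "blob"}},
        {"name": "backups", "properties": {"publicAccess": "container"}},
        {"name": "internal", "properties": {"publicAccess": None}},
    ],
    "corpdata002": [
        {"name": "exports", "properties": {"publicAccess": "blob"}},
    ],
}

if __name__ == "__main__":
    for f in audit(ACCOUNTS_NOW, CONTAINERS):
        print(f"{f.status:8} {f.account}/{f.container} (level={f.level})")
    for name in drift(ACCOUNTS_BEFORE, ACCOUNTS_NOW):
        print(f"drift: {name} allowBlobPublicAccess went false -> true")
```

Against the earlier snapshot the script reports the two corpassets001 containers as exposed and corpdata002/exports as latent; against the current one, all three are exposed and corpdata002 shows up as drift. The latent state is the one worth watching: it is exactly the "single mis-set container" that starts leaking the moment someone flips the account flag back.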

How StratoLens helps

StratoLens flags accounts where blob public access is enabled and catches the moment the flag drifts from false to true, so an account that was meant to stay locked can't quietly reopen the anonymous path. The check runs automatically and continuously across every subscription in your tenant, without you tracking which accounts are supposed to be private.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.