What it is
A storage account whose allowCrossTenantReplication property is set to true. Object replication asynchronously copies block blobs from one storage account to another, and with this switch on, the destination account is allowed to live in a different Microsoft Entra tenant — one your organization doesn't control and your reviews don't see.
Why it happens
Object replication is a legitimate feature: it copies create, update, and delete operations from a source container to a destination container, continuously and automatically. The cross-tenant question is whether the two accounts must belong to the same Entra tenant. Historically Azure said no by default — accounts created before December 15, 2023 permit cross-tenant policies whenever the property is unset or true, and accounts default to disallowing it only after that date.
That history is why the setting lingers. Older accounts carried the permissive behavior for years, and anywhere the property was explicitly set to true — in a template someone copied, or to make a one-time migration work — it stays true until someone turns it off. Nothing about a storage account's day-to-day operation surfaces the fact that it's willing to replicate across a tenant boundary.
The risk isn't the flag by itself; it's what the flag permits. Anyone with sufficient rights on the account can create a replication policy whose destination is an account in an unrelated tenant, and from then on Azure faithfully ships every new and updated blob there. It's quiet, ongoing, and uses first-party machinery, which is exactly the shape a deliberate exfiltration channel wants.
What it costs / blast radius
There is no direct cost — this is a risk and hygiene finding. (Azure behavior; authored assessment.) The blast radius is the blob data in any container a replication policy can be pointed at: once a cross-tenant policy exists, copies accumulate in an account outside your tenant, beyond your RBAC, your logging, and your delete key. If the account never participates in cross-tenant replication by design, the switch is pure unused attack surface, and turning it off costs nothing. (Azure blocks the change only if a cross-tenant policy already exists — which is itself worth knowing about.)
See it
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: 'corpdata004'
location: location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
properties: {
allowCrossTenantReplication: true // policies may target accounts in other tenants
}
}resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: 'corpdata004'
location: location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
properties: {
allowCrossTenantReplication: false // replication source/destination must share your tenant
}
}
// If Azure rejects the change, a cross-tenant replication policy
// already exists on this account — review it before deleting it.How StratoLens helps
StratoLens flags storage accounts that still allow cross-tenant replication, automatically and continuously across every subscription, so a permissive default from an account's 2021 creation date doesn't outlive three team reorgs. The scan runs inside your own tenant.