Skip to main content
Back to the Azure Footguns Database
SecurityLowCommonAZF-0061

Cross-tenant replication left enabled lets a storage account copy blobs into someone else's tenant

With allowCrossTenantReplication enabled, an object replication policy can name a destination account in a completely different Entra tenant — a data-movement channel that looks like a legitimate Azure feature because it is one.

Footgun ID
AZF-0061 (Azure Footgun No. 61)
Azure service
Azure Storage
Resource type
Microsoft.Storage/storageAccounts
Updated
July 9, 2026

What it is

A storage account whose allowCrossTenantReplication property is set to true. Object replication asynchronously copies block blobs from one storage account to another, and with this switch on, the destination account is allowed to live in a different Microsoft Entra tenant — one your organization doesn't control and your reviews don't see.

Impact (security)
Replication policies may continuously copy blobs to a storage account in another Entra tenant
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Object replication is a legitimate feature: it copies create, update, and delete operations from a source container to a destination container, continuously and automatically. The cross-tenant question is whether the two accounts must belong to the same Entra tenant. Historically Azure said no by default — accounts created before December 15, 2023 permit cross-tenant policies whenever the property is unset or true, and accounts default to disallowing it only after that date.

That history is why the setting lingers. Older accounts carried the permissive behavior for years, and anywhere the property was explicitly set to true — in a template someone copied, or to make a one-time migration work — it stays true until someone turns it off. Nothing about a storage account's day-to-day operation surfaces the fact that it's willing to replicate across a tenant boundary.

The risk isn't the flag by itself; it's what the flag permits. Anyone with sufficient rights on the account can create a replication policy whose destination is an account in an unrelated tenant, and from then on Azure faithfully ships every new and updated blob there. It's quiet, ongoing, and uses first-party machinery, which is exactly the shape a deliberate exfiltration channel wants.

What it costs / blast radius

There is no direct cost — this is a risk and hygiene finding. (Azure behavior; authored assessment.) The blast radius is the blob data in any container a replication policy can be pointed at: once a cross-tenant policy exists, copies accumulate in an account outside your tenant, beyond your RBAC, your logging, and your delete key. If the account never participates in cross-tenant replication by design, the switch is pure unused attack surface, and turning it off costs nothing. (Azure blocks the change only if a cross-tenant policy already exists — which is itself worth knowing about.)

See it

Footgun: cross-tenant replication allowed (older accounts behave this way even when unset)
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata004'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowCrossTenantReplication: true   // policies may target accounts in other tenants
  }
}
Fix: disallow cross-tenant replication unless it's a deliberate design decision
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata004'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowCrossTenantReplication: false  // replication source/destination must share your tenant
  }
}
// If Azure rejects the change, a cross-tenant replication policy
// already exists on this account — review it before deleting it.

How StratoLens helps

StratoLens flags storage accounts that still allow cross-tenant replication, automatically and continuously across every subscription, so a permissive default from an account's 2021 creation date doesn't outlive three team reorgs. The scan runs inside your own tenant.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.