
Feature Request Modify Policy for Storage accounts should prevent cross tenant object replication #1799

Open
timmoh opened this issue Oct 16, 2024 · 2 comments
Labels
Area: Policy 📝 Issues / PR's related to Policy

Comments

@timmoh

timmoh commented Oct 16, 2024

For the Azure BuiltIn Policy definition "Storage accounts should prevent cross tenant object replication", a Modify rule should exist.

There is no BuiltIn Policy at the moment.

Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant.

@Springstone Springstone added the Area: Policy 📝 Issues / PR's related to Policy label Oct 17, 2024
@Springstone Springstone added this to the policy-refresh-fy25-q2 milestone Oct 17, 2024
@Springstone
Member

@timmoh thanks for sharing, we'll investigate options and feedback.

@timmoh
Author

timmoh commented Oct 29, 2024

This should work:

{
  "properties": {
    "displayName": "Azure Storage Deploy Storage Cross Tenant Object Replication",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deploy config for Azure Storage Account Cross Tenant Object Replication. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "version": "1.0.0",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect Azure Storage",
          "description": "Enable or disable the execution of the policy Storage Cross Tenant Object Replication version Azure Storage"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      },
      "allowCrossTenantReplication": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Select Cross Tenant Object Replication Option",
          "description": "Select Storage Cross Tenant Object Replication"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": false
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
                "notEquals": "[parameters('allowCrossTenantReplication')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "conflictEffect": "deny",
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
              "value": "[parameters('allowCrossTenantReplication')]"
            }
          ]
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/Evonik_Industries_AG/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-Cross-Tenant-Replication",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy-Storage-Cross-Tenant-Replication"
}
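As an added illustration (not code from the issue author or from this repository), the Python script below evaluates the subset of the Azure Policy rule language that the definition above uses (allOf, anyOf, field equals/notEquals, "[parameters('...')]" references, and the addOrReplace operation) against constructed sample storage accounts, and reports which resources the Modify effect would change and what value it would write. It is not the Azure Policy engine; in particular, treating an account whose allowCrossTenantReplication property was never set as non-compliant is an assumption made here, consistent with the built-in description's statement that cross-tenant replication is permitted by default.

```python
"""Offline evaluator for the policy-language subset used by the Modify
definition posted in this issue. Added example only: not the Azure Policy
engine and not the issue author's code. Sample accounts are constructed."""
import copy
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Trimmed copy of the rule and parameter defaults from the definition above.
POLICY = {
    "parameters": {
        "effect": {"defaultValue": "Modify"},
        "allowCrossTenantReplication": {"defaultValue": False},
    },
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [{
                "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
                "notEquals": "[parameters('allowCrossTenantReplication')]",
            }]},
        ]},
        "then": {
            "effect": "[parameters('effect')]",
            "details": {"operations": [{
                "operation": "addOrReplace",
                "field": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
                "value": "[parameters('allowCrossTenantReplication')]",
            }]},
        },
    },
}


def resolve(value, params):
    """Replace a "[parameters('name')]" string with the parameter's value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def read_field(resource, field):
    """'type' is top-level; the storageAccounts/<prop> alias maps to properties.<prop>.
    Returns None when the property is absent (assumed to count as non-compliant here)."""
    if field == "type":
        return resource.get("type")
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop)


def evaluate(cond, resource, params):
    """Recursively evaluate allOf / anyOf / field conditions."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    actual = read_field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(resource, policy=POLICY, overrides=None):
    """Return (matched, resource_after_modify). The input is never mutated;
    a Disabled effect skips evaluation entirely, as in Azure Policy."""
    params = {k: v["defaultValue"] for k, v in policy["parameters"].items()}
    params.update(overrides or {})
    rule = policy["policyRule"]
    if resolve(rule["then"]["effect"], params) == "Disabled":
        return False, resource
    if not evaluate(rule["if"], resource, params):
        return False, resource
    fixed = copy.deepcopy(resource)
    for op in rule["then"]["details"]["operations"]:
        if op["operation"] == "addOrReplace":
            prop = op["field"].rsplit("/", 1)[-1]
            fixed.setdefault("properties", {})[prop] = resolve(op["value"], params)
    return True, fixed


# Constructed sample resources (not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "stcompliant", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowCrossTenantReplication": False}},
    {"name": "stcrosstenant", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowCrossTenantReplication": True}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},  # property never set: default permits cross-tenant replication
    {"name": "kvnotstorage", "type": "Microsoft.KeyVault/vaults",
     "properties": {"allowCrossTenantReplication": True}},  # wrong type, must be ignored
]


def remediation_report(accounts=SAMPLE_ACCOUNTS):
    """Map of resource name -> value the Modify effect would write, for matches only."""
    report = {}
    for acct in accounts:
        hit, fixed = apply_policy(acct)
        if hit:
            report[acct["name"]] = fixed["properties"]["allowCrossTenantReplication"]
    return report


if __name__ == "__main__":
    for name, value in remediation_report().items():
        print(f"{name}: allowCrossTenantReplication -> {value}")
```

Running it lists stcrosstenant and stlegacy as the accounts that would be remediated to false, while the already-compliant account and the non-storage resource are left alone; passing overrides={"effect": "Disabled"} to apply_policy shows that the Disabled allowed value switches the rule off entirely.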
