# How to resolve Sprinto check for configuring default network access rule to deny on the Azure storage accounts

### About

Sprinto check: Ensure Default Network Access Rule for Storage Accounts is Set to Deny

The **Ensure Default Network Access Rule for Storage Accounts is Set to Deny** check verifies that your Azure storage accounts do not allow unrestricted public network access.

Configuring the default network access rule to **Deny** ensures that storage accounts are not accessible from all networks by default. Only explicitly allowed networks, IP ranges, or Azure resources can access the storage account. This helps reduce the risk of unauthorised access and improves the overall security posture of your Azure infrastructure.

### Prerequisites

Before you begin, ensure that:

* You have **administrator privileges** to manage Azure storage account configuration.

***

## Procedure

### Step 1: Configure network access in the Azure portal

1. Sign in to the **Azure Portal** using your credentials.
2. Navigate to **Storage Accounts**.
3. Select the **storage account** you want to secure.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fc49lpKmNuepxftHvwZac%2Fimage%20(51).png?alt=media&#x26;token=20741549-a220-462b-bf81-a252e3a73f40" alt="" width="563"><figcaption></figcaption></figure>

4. In the left navigation pane, under **Security + networking**, select **Networking**.
5. Next to **Public network access**, click **Manage**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fowoye7N9Su5RUzcdlASU%2Fimage%20(50).png?alt=media&#x26;token=bb9f0b48-6a35-49b3-8707-6c94d8df70d8" alt="" width="563"><figcaption></figcaption></figure>

6. Configure the network access setting using one of the following options:

#### Option 1 (Recommended): Restrict access to selected networks

1. Select **Enable → Enabled from selected networks**.
2. This configuration:
   * Sets the **default network access rule to Deny**.
   * Allows you to explicitly permit access from:
     * trusted **virtual networks**
     * specific **IP address ranges**
     * selected **Azure resource instances**

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FcN0GGl8rrBsVLFvS7q2b%2Fimage%20(52).png?alt=media&#x26;token=8bcbdf14-b714-410c-a1ee-a4ea2d6c70a9" alt="" width="563"><figcaption></figcaption></figure>

3. Add any required **IP ranges or virtual networks** that should retain access to the storage account.

#### Option 2: Disable public network access

1. Select **Disable**.
2. This blocks **all public network traffic** to the storage account.
3. Only **private endpoints** will be able to access the storage account.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FZUr9Muc49N4atPRqaJPP%2Fimage%20(53).png?alt=media&#x26;token=3b4e2d94-6ec8-4f9e-b659-cdf4ab71bf20" alt="" width="563"><figcaption></figcaption></figure>

4. Click **Save** to apply the changes.

***

### Step 2: Verify the check in Sprinto

1. Log in to the **Sprinto dashboard**.
2. Navigate to **Cloud Infrastructure → Azure**.
3. Locate the failing monitor:

   **Ensure Default Network Access Rule for Storage Accounts is Set to Deny**
4. Click **Refresh** to fetch the latest configuration.

Sprinto will detect the updated configuration and automatically update the check status to **Passing**.

***

### Key Notes

* Setting **Enabled from selected networks** automatically sets the **default network access rule to Deny**.
* Only networks explicitly added to the allow list will be able to access the storage account.
* Choosing **Disable** blocks all public network access and allows access only through **private endpoints**.
* After updating the configuration in Azure, it may take a few minutes for Sprinto to detect the change.