Scenario
We often receive requests for a quick and reliable way to check which Azure Storage features are enabled across subscriptions, such as SFTP, Hierarchical Namespace (HNS) or the default access tier. PowerShell, the Azure CLI and the REST APIs can all answer these questions, but they cost time in module setup, version updates and script maintenance. Azure Resource Graph Explorer is a faster and simpler alternative: it lets you query storage account configurations at scale with Kusto Query Language (KQL) directly from the portal, without writing or maintaining scripts.
Azure Resource Graph Explorer
Azure Resource Graph Explorer lets you run KQL queries directly from the Azure Portal to inspect resource configurations across every subscription you have read access to. All queries in this blog use the Resources table, filter on the resource type microsoft.storage/storageaccounts (the =~ operator makes the match case-insensitive), and read configuration properties defined in the Microsoft.Storage/storageAccounts resource schema. Resource Graph returns the resource as Azure Resource Manager stores it, so a property that was never set explicitly comes back as null rather than as the service-side default; the explanations below call this out where it matters for a security review.
How to Open Azure Resource Graph Explorer (Quick Steps)
- Sign in to the Azure Portal
- In the global search bar, search for Resource Graph Explorer
- Open Resource Graph Explorer
- Paste the KQL query and click Run query
The following queries can be used to quickly analyse and validate Azure Storage account configurations across subscriptions:
1. Storage Accounts with SFTP Enabled
Find all storage accounts that have Secure File Transfer Protocol (SFTP) turned on.
Resources
| where type =~ "microsoft.storage/storageaccounts"
| where properties.isSftpEnabled == true
| project name, resourceGroup, location
Find all storage accounts that have SFTP turned on in a specific subscription.
Resources
| where type =~ "microsoft.storage/storageaccounts" and subscriptionId =~ "XXXXXXXXXXXXXXXXXXXX"
| where properties.isSftpEnabled == true
| project name, resourceGroup, location
Explanation: isSftpEnabled is a boolean under properties that, when true, enables SFTP on the storage account. The query filters for accounts where SFTP is active and returns the account name, resource group and location. SFTP requires a hierarchical namespace, so every account returned here is also an HNS account (see query 3). SFTP clients authenticate as local users with passwords or SSH keys that live on the storage account rather than in Microsoft Entra ID, so this list is a useful starting point for inventorying those credentials.
2. Minimum TLS Version per Storage Account
List each storage account alongside its configured minimum TLS version.
Resources
| where type =~ "microsoft.storage/storageaccounts"
| project StorageAccount = name, resourceGroup, location, MinimumTLS = properties.minimumTlsVersion
Explanation: minimumTlsVersion is a string property (TLS1_0, TLS1_1, TLS1_2, and TLS1_3 on newer API versions) that sets the lowest TLS protocol version the account accepts for incoming requests. A null value means the version was never set explicitly and the account is running on the service default, so treat null rows as "verify" rather than as compliant.
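As an added example (not a query from the original post), the variant below extends query 2 to the estate-wide view a reviewer usually wants: it labels accounts that have no explicit setting instead of letting them disappear as null, keeps only versions below TLS 1.2, and aggregates the result per subscription, pulling the subscription display name from the ResourceContainers table. The column names MinimumTLS, subscriptionName, accounts and examples are chosen here for readability; the table and property names are the documented ones.

```kql
Resources
| where type =~ "microsoft.storage/storageaccounts"
// tostring() turns an absent property into "", so unset accounts can be labelled
// instead of vanishing into null when compared or grouped
| extend MinimumTLS = iif(isempty(tostring(properties.minimumTlsVersion)),
                          "not set",
                          tostring(properties.minimumTlsVersion))
// keep only accounts that still accept TLS 1.0/1.1 or have no explicit setting
| where MinimumTLS !in ("TLS1_2", "TLS1_3")
// subscription display names live in ResourceContainers, not in Resources
| join kind=leftouter (
    ResourceContainers
    | where type =~ "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId
| summarize accounts = count(), examples = make_set(name) by subscriptionName, MinimumTLS
| order by MinimumTLS asc, accounts desc
```

Aggregating with summarize keeps the result small even on large tenants, and the examples column gives the account names to chase without a second query. Drop the where stage to get the full distribution of TLS settings instead of only the weak ones.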
3. Storage Accounts with Hierarchical Namespace (HNS) Enabled
Find all storage accounts that have Hierarchical Namespace enabled (Azure Data Lake Storage Gen2).
Resources
| where type =~ "microsoft.storage/storageaccounts"
| where properties.isHnsEnabled == true
| project name, resourceGroup, location
Explanation: The isHnsEnabled boolean indicates whether the account has the Hierarchical Namespace feature turned on.
4. Storage Accounts That Do NOT Allow Public Blob Access
Identify storage accounts where anonymous public read access to blobs is disallowed.
Resources
| where type =~ "microsoft.storage/storageaccounts"
| where properties.allowBlobPublicAccess == false
| project name, resourceGroup, location
Explanation: allowBlobPublicAccess is a boolean that controls whether anonymous public read access to blob data can be enabled anywhere on the account; container-level public access settings only take effect when it is true. Note that == false matches only accounts where the property was set explicitly. Accounts where it is null are absent from this result but are not necessarily safe: they fall back to the default that applied when the account was created. To list everything that still needs attention, query for isnull(properties.allowBlobPublicAccess) or properties.allowBlobPublicAccess == true instead.
5. Storage Accounts with NFS 3.0 Support Enabled
Find all storage accounts that have NFS 3.0 protocol support turned on.
Resources
| where type =~ "microsoft.storage/storageaccounts"
| where properties.isNfsV3Enabled == true
| project name, resourceGroup, location
Explanation: The isNfsV3Enabled property is a boolean described in the resource schema as: "NFS 3.0 protocol support enabled if set to true". NFS 3.0 support allows Linux clients to mount Azure Blob Storage using the NFS protocol, which is useful for high-performance computing and large-scale analytics workloads.
6. Storage Accounts with Default Access Tier
Find all storage accounts and check their default access tier (Hot, Cool or Cold).
Resources
| where type =~ "microsoft.storage/storageaccounts"
| extend defaultAccessTier = tostring(properties.accessTier)
| project name, resourceGroup, location, kind, skuName = sku.name, defaultAccessTier
Explanation: properties.accessTier is the default tier applied to blobs uploaded without an explicit tier, for account kinds that support tiering (StorageV2 and BlobStorage). Premium block blob accounts report Premium, and kinds without tiering return an empty value. The column is cast with tostring() so it can be filtered and sorted like any other string.
7. Storage Accounts Open to All Network Traffic (No Firewall Restrictions)
Find storage accounts that are reachable from any network, with no virtual network or IP firewall rules in effect.
Resources
| where type =~ "microsoft.storage/storageaccounts"
| where (properties.publicNetworkAccess == "Enabled" or isnull(properties.publicNetworkAccess))
    and properties.networkAcls.defaultAction == "Allow"
| project name, resourceGroup, location
Explanation: publicNetworkAccess must be Enabled (or unset, which defaults to Enabled) for the public endpoint to answer at all, and networkAcls.defaultAction == "Allow" means the firewall admits any source, so any ipRules or virtualNetworkRules on the account are effectively unused. Accounts in this result set are fully open at the network layer and are typically flagged in audits and compliance reviews. Network exposure is only one layer, though: requests still need valid authorization (Microsoft Entra ID, a shared key or a SAS), so pair this query with the allowBlobPublicAccess check in query 4 to find accounts where anonymous access is possible as well.
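The seven queries above each answer one question. As an added example (not part of the original post), the query below folds the security-relevant checks from queries 2, 4 and 7 into a single posture view, adding two more properties from the same schema: allowSharedKeyAccess (null or true means account-key authentication is still possible) and supportsHttpsTrafficOnly. Each check is written with iif() so that a null property lands on a definite 0 or 1 instead of turning the whole score into null, and nulls are treated as "not hardened" where the default is permissive. The flag column names, the one-point-per-finding riskScore and the thresholds are this example's own choices; the property names are the documented ones.

```kql
Resources
| where type =~ "microsoft.storage/storageaccounts"
// normalise the raw properties once so the flags below stay readable
| extend
    publicNetworkAccess = tostring(properties.publicNetworkAccess),
    defaultAction       = tostring(properties.networkAcls.defaultAction),
    ipRules             = array_length(properties.networkAcls.ipRules),
    vnetRules           = array_length(properties.networkAcls.virtualNetworkRules),
    minimumTls          = tostring(properties.minimumTlsVersion)
// each flag is 1 when the account needs attention; iif() maps a null comparison to the else branch (0)
| extend
    // an unset publicNetworkAccess ("" after tostring) behaves as Enabled, so anything but Disabled counts as reachable
    flagOpenToInternet       = iif(publicNetworkAccess != "Disabled" and defaultAction =~ "Allow", 1, 0),
    // null allowBlobPublicAccess falls back to the default in force when the account was created, so it is reviewed too
    flagAnonBlobNotDisabled  = iif(isnull(properties.allowBlobPublicAccess) or properties.allowBlobPublicAccess == true, 1, 0),
    // null allowSharedKeyAccess means shared-key auth is still enabled
    flagSharedKeyNotDisabled = iif(isnull(properties.allowSharedKeyAccess) or properties.allowSharedKeyAccess == true, 1, 0),
    // only an explicit false allows plain HTTP
    flagHttpAllowed          = iif(properties.supportsHttpsTrafficOnly == false, 1, 0),
    // "" (unset), TLS1_0 and TLS1_1 all need a look
    flagWeakOrUnsetTls       = iif(minimumTls !in ("TLS1_2", "TLS1_3"), 1, 0)
| extend riskScore = flagOpenToInternet + flagAnonBlobNotDisabled + flagSharedKeyNotDisabled
                   + flagHttpAllowed + flagWeakOrUnsetTls
| where riskScore > 0
| project subscriptionId, resourceGroup, name, location, riskScore,
          flagOpenToInternet, flagAnonBlobNotDisabled, flagSharedKeyNotDisabled,
          flagHttpAllowed, flagWeakOrUnsetTls,
          publicNetworkAccess, defaultAction, ipRules, vnetRules, minimumTls
| order by riskScore desc, name asc
```

Accounts with flagOpenToInternet and flagAnonBlobNotDisabled both set are the ones to look at first, since they are the only combination that can expose blob data without any credential. The ipRules and vnetRules counts are included because a non-zero count next to defaultAction Allow usually means someone added firewall rules and forgot to switch the default to Deny.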
Reference
- Overview of Azure Resource Graph - Azure Resource Graph | Microsoft Learn
- Quickstart: Run Resource Graph query using Azure portal - Azure Resource Graph | Microsoft Learn
- Microsoft.Storage/storageAccounts - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn
Although this blog focuses on Azure Storage, the same approach works for any other Azure resource type: look up the property names in that type's resource schema and query them through Azure Resource Graph in the same way.
Hope this helps!