Azure Shared Key Authentication Enabled on Storage Account
The Azure Storage account allows authentication using the legacy Shared Key mechanism because shared_access_key_enabled is not explicitly set to false. This permits any party with access to the storage account key to authenticate directly against the storage account, bypassing Azure AD-based authentication, RBAC, Conditional Access, Privileged Identity Management, and other identity-governed controls. If the account key is leaked, exposed in deployment output, stored insecurely, or shared too broadly, an attacker may gain broad access to storage resources without requiring a valid Azure AD identity.
Remediation
Explicitly disable Shared Key authentication by setting shared_access_key_enabled = false on the storage account. Use Azure AD authentication with least-privilege RBAC roles for all access to storage resources. Rotate existing storage account keys after disabling legacy key-based access, and review any applications or services that may still depend on Shared Key authentication.
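The following Terraform snippet is an added illustration, not part of the original rule text or any project's own code. It shows the flagged shape (attribute omitted, so the azurerm provider's default of true applies) next to the remediated shape, and replaces key hand-out with a least-privilege RBAC assignment. Resource names, the resource group, the location and the var.app_principal_object_id variable are hypothetical.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

# With Shared Key disabled, the provider must itself use Azure AD for
# storage data-plane calls (listing containers, reading blobs in state
# refresh); otherwise plans and applies fail after remediation.
provider "azurerm" {
  features {}
  storage_use_azuread = true
}

# Hypothetical resource group used by both accounts below.
resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example"
  location = "westeurope"
}

# Object ID of the workload identity that needs read access (hypothetical).
variable "app_principal_object_id" {
  type = string
}

# FLAGGED: shared_access_key_enabled is not set, so it defaults to true and
# any holder of an account key can authenticate without an Azure AD identity.
resource "azurerm_storage_account" "flagged" {
  name                     = "stexampleflagged"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# REMEDIATED: Shared Key authorization explicitly disabled; every data-plane
# request must carry an Azure AD token and is subject to RBAC and
# Conditional Access.
resource "azurerm_storage_account" "remediated" {
  name                      = "stexampleremediated"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false
}

# Least-privilege access in place of the account key: a built-in data-plane
# role scoped to this single account.
resource "azurerm_role_assignment" "blob_reader" {
  scope                = azurerm_storage_account.remediated.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = var.app_principal_object_id
}
```

Two caveats worth checking before applying the change: account SAS and service SAS tokens are signed with the account key and stop working once Shared Key is disabled (only user delegation SAS, which is backed by an Azure AD token, continues to work), and any client still configured with a connection string containing the key will start failing with 403 responses, which is the point at which the dependency review called for above should already have been done. After deployment, the effective setting can be confirmed with `az storage account show --name stexampleremediated --resource-group rg-storage-example --query allowSharedKeyAccess`, which should return false.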
Metadata
- Severity: high
- Slug: azure-shared-key-authentication-enabled-on-storage-account
Tags
- Azure
CWEs
- 284: Improper Access Control
OWASP
- A05:2021: Security Misconfiguration