MGDC for SharePoint FAQ: How to restrict public access to storage accounts?

  • Thread starter Thread starter Jose Barreto
  • Start date Start date
J

Jose Barreto

In this post, I’ll cover some details on how to configure the network access for the storage account used by the Microsoft Graph Data Connect (MGDC). If you’re not familiar with the MGDC for SharePoint scenarios, start at Links about Microsoft Graph Data Connect for SharePoint.



Is public access required?



In the basic instructions for setting up MGDC in general (see guide) and in the specific instructions for MGDC for SharePoint step-by-step (see guide), you see the recommendation to set the network access setting for storage accounts to “Enable public access from all networks”. This is part of the configuration of the Azure storage account you need to use to sink the data coming from MGDC.



large?v=v2&px=999.png





Using the "Enable public access from all networks" option is fine for many tenants, particular for Dev, Test and QA environments. To be clear, even with “public access from all networks”, you still need credentials and proper permissions to access the storage account.



However, several customers ask questions about further securing network access for MGDC storage accounts. That is possible, but you will need to a few additional configuration steps. This is something that might be required by your tenant, given the sensitive nature of this data.



Instructions for configuring restricted public access



While it is not possible to completely “disable public access” (third option under network access), there is guidance on how to “Enable public access from selected Microsoft networks and IP addresses” (second option in in network access). You can find it in the page for Troubleshoot Microsoft Graph Data Connect, in the topic for “Issues adding network IP address to allow list with Azure integration runtime”.



The document linked above explains that if the destination storage account needs further security, you can allow access only from a particular set of Azure service IP addresses.



In that article, note that some of the Azure regions cannot be used for hosting the storage account if you plan to use private access. Those Azure regions are marked with a “*” on the table mapping Office regions to Azure regions. For instance, that includes the “East US” Azure region for the “North America” office region, or the “West Europe” Azure region for the “Europe” office region.



Conclusion



I hope this clarifies that you can use the option to “Enable public access from selected virtual networks and IP Addresses” for your storage account networking when using the Microsoft Graph Data Connect. Be sure to read the detailed instructions and proceed with care. If you bump into any issues, do not hesitate to contact Microsoft Support.

Continue reading...
 
Back
Top