Microsoft public IP addresses from other countries

Hi @ Todd, Peter,

Welcome to Microsoft Q&A Platform.

Yes — seeing a small number of Microsoft public IP addresses from other countries accessing your Azure Storage account can be normal, depending on the storage features and services you are using.

1. Microsoft’s own services (geo-replication, backups, diagnostics/monitoring, Azure Backup, etc.) often run from multiple datacenters around the world.
2. When you have the Storage Firewall enabled, “Trusted Microsoft Services” still bypass your rules to deliver logs and metrics. Those calls can come from any region where Azure runs those background tasks.
3. If you’re using features like geo-redundant storage (GRS/ZRS), cross-region replication traffic will show up with source IPs in the secondary region.

What you can do next:

• Check your Storage Analytics logs to see if those requests are tagged as replication/diagnostic operations.
• If you want to lock down access more tightly, switch from IP-based rules to Virtual Network rules or Private Endpoints—this way only your VNet can reach the account, regardless of which IP the service uses.
• Optionally, review the specific Request IDs in your logs to confirm these requests map to Azure background services.

Reference documentation:

• View public IP address consumption in Azure Stack https://docs.microsoft.com/azure-stack/operator/azure-stack-viewing-public-ip-address-consumption?view=azs-1908#view-public-ip-address-consumption-in-azure-stack
• Azure Storage virtual network rules https://learn.microsoft.com/azure/storage/common/storage-network-security-virtual-networks
• Create and configure a public IP address in the Azure portal https://docs.microsoft.com/azure/virtual-network/public-ip-addresses#create-a-public-ip-address
• Assign the public IP address to your resource https://docs.microsoft.com/azure/virtual-network/public-ip-addresses#assign-a-public-ip-address-to-a-resource

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Yes, this can be normal, depending on how the storage account is exposed and which services are accessing it.

Key points from the provided information:

1. Microsoft services and security monitoring can access storage from public IPs
   • Defender for Storage alerts explicitly distinguish between access from external (public) IP addresses and access from private IP addresses. For example:
     • "Suspicious external access to an Azure storage account with overly permissive SAS token" is raised when someone with an external public IP uses a SAS token that is normally expected only from internal/private IPs.
     • "Access from an unusual location to a storage account" is raised when an IP/location is unfamiliar compared to recent activity.
   • These alerts exist because access from public IPs (including from other countries) is possible and expected in many scenarios; the system focuses on whether the pattern is unusual or risky, not just foreign.
2. IP-based restrictions and firewalls can cause or prevent access
   • If the storage account firewall is configured to allow only specific IPs or ranges, then any access from other Microsoft or non-Microsoft public IPs should be blocked unless explicitly allowed.
   • One of the sample issues shows that access failed until the correct proxy/public IP was added to the storage firewall, confirming that traffic can legitimately originate from IPs that differ from the end user’s apparent address (for example, proxies or intermediate services).
3. When foreign Microsoft IPs may be expected
   • If SAS tokens are used without tight IP restrictions, or if the storage firewall allows broad ranges (for example, “Allow Azure services on the trusted services list”), then Microsoft-owned public IPs from other regions or services can legitimately appear in logs.
   • If a SAS token is overly permissive and long-lived, Defender for Storage may flag external access as suspicious, but the mere presence of foreign Microsoft IPs does not automatically mean compromise.
4. When to treat it as suspicious
   • Defender for Storage raises alerts such as:
     • "Suspicious external access to an Azure storage account with overly permissive SAS token"
     • "Suspicious external operation to an Azure storage account with overly permissive SAS token"
     • "Access from an unusual location to a storage account"
   • These alerts indicate that the pattern of access (permissions, duration, geography, or operation type) is abnormal and may require investigation.

Summary:

Microsoft public IP addresses from other countries can be normal, especially when using SAS tokens, proxies, or broad firewall rules. It becomes a concern when:

• Access comes from unfamiliar locations compared to normal usage, and
• SAS tokens are overly permissive or long-lived, or
• Defender for Storage raises alerts about suspicious external or unusual access.

In that case, review SAS scope/expiry, tighten firewall rules, and investigate any Defender for Storage alerts associated with those IPs.

References:

• Alerts for Azure Storage