As soon as I provision the Teams App, several Azure resources are automatically created. One of them is a storage account that holds the static web page and all my custom sites.
That storage account seems to have the "Allow Blob public access" option set to Enabled by default. At least, I cannot recall changing anything in the default behavior of the Teams Toolkit "Deploy to the cloud" function.
Now that Microsoft has announced that it will change this option by August of this year, I am wondering whether my Teams Apps will still work when I disable it after the App has been installed (Azure Storage Update August 2023).
In the description "Anonymous Read Access Configure" I found the passage:
Disallowing public access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.
So what about the "azure-webjobs-hosts" and "azure-webjobs-secrets" folders in that container: does anything in here need public access by default?
I did disable the option and did a brief test; so far it still seems to work, but I would really like to know if this is just configured by "accident" in the TeamsFX deploy to cloud function, or if this has some deeper connections.
I just created a new Teams app with the latest Teams Toolkit (v5.0) and found that my Storage Account's containers are all private (no anonymous access), even the $web container. The $web container is always public and anyone can access its blobs through the static website's endpoint. But anonymous access through the blob endpoint should be blocked.
https://xxx.z13.web.core.windows.net/hello.png √ ok
https://xxx.blob.core.windows.net/$web/hello.png × blocked
So I think you should disable anonymous access for your Storage Account. As for why it is configured, I cannot tell, but it's possibly caused by careless design in an old version of Teams Toolkit.
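The two endpoint results in the answer above can be checked against an account's configuration. This is an added example, not code from the post or from Teams Toolkit: it evaluates JSON in the shape the Azure CLI prints, and the sample data, the `public-assets` container and the function names are constructed for illustration. It assumes the static website is enabled and treats an unset `allowBlobPublicAccess` as allowed.

```python
import json
from urllib.parse import urlparse

# Constructed sample data, in the shape printed by:
#   az storage account show -n <account> -g <resource-group>
#   az storage container list --account-name <account> --auth-mode login
ACCOUNT = json.loads('{"name": "xxx", "allowBlobPublicAccess": false}')
CONTAINERS = json.loads("""[
  {"name": "$web", "properties": {"publicAccess": null}},
  {"name": "azure-webjobs-hosts", "properties": {"publicAccess": null}},
  {"name": "azure-webjobs-secrets", "properties": {"publicAccess": null}},
  {"name": "public-assets", "properties": {"publicAccess": "blob"}}
]""")

def account_allows_anonymous(account):
    # Assumption: an unset (null) value is reported as "allowed" so the
    # audit errs towards flagging older accounts.
    return account.get("allowBlobPublicAccess") is not False

def exposed_containers(account, containers):
    """Containers readable without credentials via the blob endpoint."""
    if not account_allows_anonymous(account):
        return []  # the account-level switch overrides container levels
    return [c["name"] for c in containers
            if (c.get("properties") or {}).get("publicAccess") in ("blob", "container")]

def anonymous_read_expected(url, account, containers):
    """Predict whether an unauthenticated GET of url should succeed."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if host.endswith(".web.core.windows.net"):
        return True  # static website endpoint (assumed enabled) serves $web
    if host.endswith(".blob.core.windows.net"):
        container = parts.path.lstrip("/").split("/", 1)[0]
        return container in exposed_containers(account, containers)
    raise ValueError(f"not an Azure Storage blob or web endpoint: {url}")

if __name__ == "__main__":
    print("exposed via blob endpoint:", exposed_containers(ACCOUNT, CONTAINERS))
    for u in ("https://xxx.z13.web.core.windows.net/hello.png",
              "https://xxx.blob.core.windows.net/$web/hello.png"):
        print(u, "->", anonymous_read_expected(u, ACCOUNT, CONTAINERS))
```

Any container this reports for an account that still allows anonymous access is worth reviewing before the account-level option is switched off, since requests that relied on it will start to fail.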