Securing your Azure Storage Account: a guide to enabling Business Central-only access using Network Security Perimeter.

I think every one of you knows that you can access an Azure Storage Account to manage blobs and files directly from Dynamics 365 Business Central (via AL code). This provides a nice (and often recommended) way of managing blobs and files in a cloud environment (and in many scenarios it also lets you save database storage space, aka 💰).

Here is a basic example on how to create a blob in a storage account (blob container) from AL:

procedure CreateMyBlob()
var
    ABSContainerClient: Codeunit "ABS Container Client";
    ABSBlobClient: Codeunit "ABS Blob Client";
    StorageServiceAuthorization: Codeunit "Storage Service Authorization";
    Response: Codeunit "ABS Operation Response";
    Authorization: Interface "Storage Service Authorization";
begin
    // Shared Key authorization: whoever holds this key can call the storage account
    Authorization := StorageServiceAuthorization.CreateSharedKey('<my shared key>');

    // Create the blob container (no-op error handling kept out for brevity)
    ABSContainerClient.Initialize('<storage account name>', Authorization);
    ABSContainerClient.CreateContainer('<my blob container>');

    // Upload a text block blob into the container
    ABSBlobClient.Initialize('<storage account name>', '<my blob container>', Authorization);
    ABSBlobClient.PutBlobBlockBlobText('<my blob>', 'This is the content of my BLOB in Azure Blob Storage!');
end;

In this scenario, the Azure Storage Account is protected by a shared key, but it is publicly reachable: anyone who holds the key can access it from anywhere on the internet.

Securing access to Azure Storage Accounts is a critical part of any enterprise cloud architecture, especially when integrating with Business Central. Traditionally, organizations have relied on Private Endpoints, IP whitelisting, or complex Virtual Network configurations to restrict storage access. However, these approaches can be time-consuming to implement, expensive to maintain, and difficult to scale across multiple resources.

Azure Network Security Perimeter (NSP) offers a modern alternative: a logical network boundary that allows you to centrally manage access to PaaS resources like Azure Storage without the overhead of traditional networking infrastructure.

Why Restrict Azure Storage Access for Business Central?

Dynamics 365 Business Central frequently integrates with Azure Storage for various scenarios:

  • File storage: Using Azure Blob Storage or Azure File Shares for document management
  • Data export: Exporting Business Central data to Azure Data Lake for analytics
  • Attachment management: Storing Business Central attachments in Azure Blob Storage instead of the database
  • Integration pipelines: Supporting ETL processes between Business Central and other Azure services

Without proper access controls, your storage accounts remain exposed to the public internet, creating security risks including unauthorized data access, exfiltration, and compliance violations. NSP provides a way to create a secure perimeter around your storage accounts, allowing only authorized requests—in this case, those originating from Business Central.

What is an NSP?

Network Security Perimeter (NSP) creates a logical network isolation boundary for PaaS resources deployed outside your virtual networks. Unlike traditional networking solutions that operate at the subnet level, NSP applies security policies at the individual resource level, making it simpler and more flexible.

By default, NSP denies all public access to protected resources. You explicitly allow access through inbound rules, supporting:

  • IP-based access: Allow traffic from specific IP addresses or CIDR ranges
  • Subscription-based access: Allow access from resources in specific Azure subscriptions using managed identities
  • Outbound rules: Control where your protected resources can communicate

How to create a NSP for a Storage Account

To create a Network Security Perimeter, go to the Azure Portal, search for Network Security Perimeters and click on Create.

Click Next and in the Resources tab select the storage account (one or more) you want to add to your NSP:

Click Next again and in the Inbound access rules section specify your inbound rule. This is the access rule that allows Business Central to communicate with the storage account, so here you need to create a rule that restricts access to only the IP addresses of Dynamics 365 Business Central.

Dynamics 365 Business Central has its own Service Tag (Dynamics365BusinessCentral). A service tag in Azure represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. More info in my post here.

Unfortunately at the time of writing this post NSP supports incoming rules only using IP addresses, but Service Tag support is coming very soon. This means that for now you need to create an inbound rule using the IP addresses associated to the Dynamics365BusinessCentral service tag.

To retrieve them, you have different methods:

Method 1: Azure PowerShell

Execute the following script:

$serviceTags = Get-AzNetworkServiceTag -Location westeurope
$serviceTag = $serviceTags.Values | Where-Object { $_.Name -eq "Dynamics365BusinessCentral" }
Write-Host "Change Number: $($serviceTag.properties.ChangeNumber)"
$serviceTag.Properties.AddressPrefixes | Format-List

Method 2: Azure Management API

Execute the following REST call to the Azure Management API:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/serviceTags?api-version=2025-03-01

Method 3: Downloadable JSON file

You can also download the IP address details of every service tag as a JSON file definition from here: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#discover-service-tags-by-using-downloadable-json-files
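Whichever method you use, you end up with a list of prefixes that has to be pasted into the NSP inbound rule, and that list changes over time (the service tag carries a change number for exactly this reason). The following Python script is an added example, not part of the original post: it reads a Service Tags JSON document, extracts the Dynamics365BusinessCentral prefixes, validates each one, separates IPv4 from IPv6, and formats the list in the Azure CLI shorthand list syntax used later for `--address-prefixes`. The embedded JSON is a constructed sample that only mimics the shape of the downloadable file (top-level `values`, each with `name` and `properties.addressPrefixes`); its prefixes are sample values, not the real Business Central ranges, and the shorthand bracket format is an assumption about the CLI argument.

```python
"""Extract and validate the Dynamics365BusinessCentral prefixes from a
Service Tags JSON document (constructed sample below, not the real file)."""
import ipaddress
import json

# Constructed sample with the shape of the downloadable Service Tags file.
# Note the duplicated prefix: the parser deduplicates it.
SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 300,
  "cloud": "Public",
  "values": [
    {
      "name": "Dynamics365BusinessCentral",
      "id": "Dynamics365BusinessCentral",
      "properties": {
        "changeNumber": 12,
        "region": "",
        "platform": "Azure",
        "systemService": "Dynamics365BusinessCentral",
        "addressPrefixes": ["4.194.227.0/25", "20.18.6.128/25",
                            "2603:1030:1::/64", "4.194.227.0/25"],
        "networkFeatures": ["API", "NSG", "UDR", "FW"]
      }
    },
    {
      "name": "AzureCloud",
      "properties": {"changeNumber": 1, "addressPrefixes": ["13.64.0.0/11"]}
    }
  ]
}
"""


def load_service_tag(raw_json, tag_name="Dynamics365BusinessCentral"):
    """Return (changeNumber, sorted unique networks) for one service tag.

    strict=True makes ipaddress reject a prefix with host bits set, so a
    typo such as 4.194.227.1/25 fails here instead of silently widening
    or narrowing the inbound rule.
    """
    doc = json.loads(raw_json)
    for value in doc["values"]:
        if value["name"] == tag_name:
            props = value["properties"]
            nets = {ipaddress.ip_network(p, strict=True)
                    for p in props["addressPrefixes"]}
            # Sort by IP version first so v4 and v6 networks are never compared
            return props["changeNumber"], sorted(nets, key=lambda n: (n.version, n))
    raise KeyError(f"service tag {tag_name!r} not found")


def split_by_version(networks):
    """Separate IPv4 and IPv6 prefixes (as strings) so each can be reviewed."""
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    return v4, v6


def az_address_prefixes_arg(prefixes):
    """Format the list for the CLI's shorthand syntax, e.g. "[a/25,b/25]".
    (Assumed format; check against `az network perimeter profile access-rule
    create --help` for your CLI version.)"""
    return "[" + ",".join(prefixes) + "]"


def tag_changed(previous_change_number, current_change_number):
    """True when the tag's change number moved since the rule was last built,
    i.e. the NSP inbound rule needs to be regenerated."""
    return previous_change_number != current_change_number


if __name__ == "__main__":
    change_number, networks = load_service_tag(SAMPLE_SERVICE_TAGS_JSON)
    v4, v6 = split_by_version(networks)
    print(f"change number: {change_number}, IPv4: {len(v4)}, IPv6: {len(v6)}")
    print("--address-prefixes", az_address_prefixes_arg(v4))
```

Store the change number together with the generated rule; re-running the script against a freshly downloaded file and comparing the two numbers tells you whether the inbound rule has drifted from the current service tag.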

Here is the inbound rule created:

Now click on Review + Create.

Your Network Security Perimeter (NSP) will be provisioned.

Now go to your NSP instance and click on Associated resources. Here you can see the list of resources that are members of the profile associated with this network security perimeter.

As you can see, my selected storage account has Access mode = Transition:

NSP has two access modes:

  • Transition mode: Learning mode that logs access attempts without blocking them, allowing you to understand current traffic patterns. In this situation, the NSP is active but traffic is not blocked (the security rule is not enforced).
  • Enforced mode: Actively blocks unauthorized access based on defined rules.

To change the access mode, click on the 3 dots and click on Change access mode:

Here select Enforced:

Now the public network access will be disabled and the access to this storage account will be available only from Dynamics 365 Business Central:

Creating NSP using Azure CLI

You can also perform all these steps via the Azure CLI.

Step 1 – Create the NSP:

az network perimeter create \
  --name "BusinessCentralStoragePerimeter" \
  --resource-group "your-resource-group" \
  --location "westeurope"

Step 2 – Create a Profile Within the Perimeter. Profiles organize access rules within your NSP. Each profile can be associated with one or more resources:

az network perimeter profile create \
  --name "BCAccessProfile" \
  --perimeter-name "BusinessCentralStoragePerimeter" \
  --resource-group "your-resource-group"

Step 3 – Define the inbound access rule:

# Replace the placeholder with the full Dynamics365BusinessCentral prefix list
az network perimeter profile access-rule create \
  --name "AllowBCIPs" \
  --profile-name "BCAccessProfile" \
  --perimeter-name "BusinessCentralStoragePerimeter" \
  --resource-group "your-resource-group" \
  --direction Inbound \
  --access-rules-version "2024-01-01" \
  --address-prefixes "[4.194.227.0/25,20.18.6.128/25,ADD-LIST-OF-BC-SERVICE-TAG-IP-ADDRESSES-HERE]"

Step 4: Get your Storage Account Resource ID:

az storage account show \
  --name "your-storage-account" \
  --resource-group "your-resource-group" \
  --query id

Step 5: Associate the Storage Account with the Profile:

az network perimeter association create \
  --name "StorageAccountAssociation" \
  --perimeter-name "BusinessCentralStoragePerimeter" \
  --resource-group "your-resource-group" \
  --access-mode "Transition" \
  --private-link-resource "{id:/subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/Microsoft.Storage/storageAccounts/your-storage-account}" \
  --profile "{id:/subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/Microsoft.Network/networkSecurityPerimeters/BusinessCentralStoragePerimeter/profiles/BCAccessProfile}"

Note: Using Transition mode allows NSP to log access attempts without blocking them initially.

Step 6: Set the storage account to restrict public access:

az storage account update \
  --name "your-storage-account" \
  --resource-group "your-resource-group" \
  --public-network-access "SecuredByPerimeter"

The SecuredByPerimeter setting ensures access is only allowed through the NSP rules you’ve defined.

Step 7: Set up logging to capture NSP access attempts:

az monitor diagnostic-settings create \
  --name "NSPDiagnostics" \
  --resource /subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/Microsoft.Network/networkSecurityPerimeters/BusinessCentralStoragePerimeter \
  --logs '[{"category": "NetworkSecurityPerimeterAccessLog", "enabled": true}]' \
  --workspace /subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/microsoft.operationalinsights/workspaces/your-log-analytics-workspace

You can then query the associated Log Analytics workspace for access attempts with the following KQL query:

NetworkSecurityPerimeterAccessLogs
| where TimeGenerated > ago(1h)
| summarize by SourceSubscriptionId, Action, ResourceId
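The point of Transition mode is to answer two questions before you flip the switch: which sources will Enforced mode cut off, and is any legitimate Business Central traffic already being denied (a sign the prefix list is incomplete)? The following Python script is an added example, not part of the original post, that runs that check over exported log rows. Both the records and the allowed prefixes are constructed for the example; the column names `Action`, `SourceIp` and `ResourceId` are assumptions, not the documented NSP access log schema, so map them to the columns your workspace actually returns.

```python
"""Readiness check before switching an NSP association from Transition to
Enforced, run over constructed NSP access log rows (sample data, not real)."""
import ipaddress
from collections import Counter

# Sample allowed ranges; in practice use the full Dynamics365BusinessCentral list
ALLOWED_PREFIXES = ["4.194.227.0/25", "20.18.6.128/25"]

# Constructed rows shaped like the output of the KQL query above.
# Column names are assumed; adapt them to your workspace.
SAMPLE_RECORDS = [
    {"Action": "Allowed", "SourceIp": "4.194.227.10", "ResourceId": "/sub/.../storageAccounts/bcstorage"},
    {"Action": "Allowed", "SourceIp": "4.194.227.11", "ResourceId": "/sub/.../storageAccounts/bcstorage"},
    # Transition mode lets these through even though they are outside the rule
    {"Action": "Allowed", "SourceIp": "203.0.113.7", "ResourceId": "/sub/.../storageAccounts/bcstorage"},
    {"Action": "Allowed", "SourceIp": "203.0.113.7", "ResourceId": "/sub/.../storageAccounts/bcstorage"},
    {"Action": "Denied", "SourceIp": "198.51.100.5", "ResourceId": "/sub/.../storageAccounts/bcstorage"},
    # Inside the allowed range yet denied: the rule list is probably incomplete
    {"Action": "Denied", "SourceIp": "20.18.6.200", "ResourceId": "/sub/.../storageAccounts/bcstorage"},
]


def build_networks(prefixes):
    """Parse prefixes once; strict=True rejects malformed entries up front."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def in_allowed(ip_text, networks):
    """True when the source address falls inside any allowed prefix.
    A v4 address never matches a v6 network (and vice versa)."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in networks)


def enforcement_report(records, allowed_prefixes):
    """Summarise what Enforced mode would block and which in-perimeter
    sources were denied anyway. 'ready' is True only when both lists are empty."""
    networks = build_networks(allowed_prefixes)
    would_be_blocked = Counter()
    denied_inside = []
    for rec in records:
        if in_allowed(rec["SourceIp"], networks):
            if rec["Action"] == "Denied":
                denied_inside.append(rec["SourceIp"])
        else:
            would_be_blocked[rec["SourceIp"]] += 1
    return {
        "would_be_blocked": dict(would_be_blocked),
        "denied_inside_perimeter": denied_inside,
        "ready": not would_be_blocked and not denied_inside,
    }


if __name__ == "__main__":
    report = enforcement_report(SAMPLE_RECORDS, ALLOWED_PREFIXES)
    for src, count in report["would_be_blocked"].items():
        print(f"Enforced mode would block {src} ({count} requests)")
    for src in report["denied_inside_perimeter"]:
        print(f"Allowed source {src} was denied: review the inbound rule")
    print("ready for Enforced:", report["ready"])
```

Sources that show up in `would_be_blocked` are either integrations you forgot about (add a rule for them, or move them behind Business Central) or traffic you want gone; either way, resolve every entry before running Step 8.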

Step 8 – Switch to Enforced mode:

Once you’ve validated that legitimate Business Central traffic is allowed and you’re confident in your access rules, switch the association to Enforced mode to actively block unauthorized access:

az network perimeter association update \
  --name "StorageAccountAssociation" \
  --perimeter-name "BusinessCentralStoragePerimeter" \
  --resource-group "your-resource-group" \
  --access-mode "Enforced"

Conclusion

Azure Network Security Perimeter provides a modern, centralized approach to securing PaaS resources (like Azure Storage) for Business Central integrations. By establishing clear access boundaries and explicitly allowing only authorized traffic, you reduce security risks, simplify compliance, and maintain visibility into storage access patterns.

In this post I’ve used Azure Storage as an example of a resource to secure access, but this is also valid for other resources (like Azure SQL or Azure KeyVault). NSP is a critical component of the underlying infrastructure of Business Central online (it restricts access to storage and SQL database).

When working with NSP, the recommendation is to start with Transition mode to understand your access patterns, gradually refine your rules, and then move to Enforced mode for production protection.

Original Post https://demiliani.com/2025/12/22/securing-your-azure-storage-account-a-guide-to-enabling-business-central-only-access-using-network-security-perimeter/
