Description:
The storage account container containing the activity log export should not be publicly accessible.
Rationale:
Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Configuring container 'Access policy' to 'private' will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users.
From Azure Portal
From Azure CLI
az storage container set-permission --name insights-activity-logs --account-name --sas-token --public-access off
From PowerShell
Create a new storage account context for the storage account holding the 'insight-activity-logs' container making sure to use a valid 'Shared Access Signature (SAS)' token.
$context = New-AzStorageContext -StorageAccountName -SasToken ""
Change the 'insights-activity-logs' container public access to 'off'
Set-AzStorageContainerAcl -Context $context -Name "insights-activity-logs" -Permission Off -PassThru