I will show a new storage account feature that can help you prevent data breaches. It lets you restrict copy operations at the storage account level.
Three options are available:
- From any storage accounts (default value)
- From storage accounts in the same Azure AD tenant
- From storage accounts that have a private endpoint to the same virtual network
I recommend protecting all your storage accounts with a custom Azure Policy that uses the alias parameter: allowedCopyScope
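
One way to write such a policy definition, added here as an example and not taken from the original post. It assumes the full alias path is `Microsoft.Storage/storageAccounts/allowedCopyScope`, that the two restricted options are stored as `AAD` and `PrivateLink`, and that an account left on the default has the property unset; the display name and parameter names are made up for illustration.

```json
{
  "properties": {
    "displayName": "Storage accounts must restrict the permitted scope for copy operations",
    "description": "Illustrative example. Flags storage accounts whose allowedCopyScope is unset (copy allowed from any storage account) or not in the approved list. Alias path and the values AAD / PrivateLink are assumptions to verify against your tenant's alias list.",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      },
      "approvedCopyScopes": {
        "type": "Array",
        "metadata": {
          "description": "AAD = same Azure AD tenant, PrivateLink = private endpoint to the same virtual network"
        },
        "defaultValue": ["AAD", "PrivateLink"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/allowedCopyScope",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/allowedCopyScope",
                "notIn": "[parameters('approvedCopyScopes')]"
              }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assigning it with the `Audit` effect first shows which existing accounts still accept copies from any storage account before you switch the assignment to `Deny`.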