Configuring the storage account to use BYOK (Use Your Own Key) provides additional confidentiality controls on data as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.
Recommended Mitigation
Configure Customer-Managed Keys encryption for your storage account - {AzureStorageAccount}.