diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf
index 131f8324..c0703816 100644
--- a/infrastructure/modules/container-app/main.tf
+++ b/infrastructure/modules/container-app/main.tf
@@ -81,7 +81,6 @@ resource "azurerm_container_app" "main" {
}
}
-
dynamic "secret" {
for_each = var.secret_variables
content {
diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
index 26ad4000..67cad697 100644
--- a/infrastructure/modules/storage/main.tf
+++ b/infrastructure/modules/storage/main.tf
@@ -10,6 +10,9 @@ resource "azurerm_storage_account" "storage_account" {
access_tier = var.access_tier
shared_access_key_enabled = var.shared_access_key_enabled
+ # Public access controls
+ allow_nested_items_to_be_public = var.allow_nested_items_to_be_public
+
tags = var.tags
blob_properties {
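Review bot: Wiring `allow_nested_items_to_be_public` into `azurerm_storage_account` with a module default of `false` is a behaviour change for every existing consumer of this module, since the attribute was previously unset and the AzureRM provider's own default for it is `true`; the variable description (added in variables.tf and tfdocs.md in this commit) only says "Defaults to false" and does not tell callers that their next plan will flip anonymous blob access off. I would extend the description to something like `"Allows or disallows anonymous public access to nested items (blobs) within this account's containers. Module default is false, which is stricter than the provider default of true; deployments that never set this will show a change on the next apply."` and mention it in the release notes. The `# Public access controls` comment above the line suggests a group of settings but only this one attribute follows it, so either drop the header or rename it to name the attribute. The `azurerm_storage_account` resource block begins and ends outside this hunk.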
diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
index 5ae92187..99460b0e 100644
--- a/infrastructure/modules/storage/tfdocs.md
+++ b/infrastructure/modules/storage/tfdocs.md
@@ -126,6 +126,14 @@ Type: `string`
Default: `"PT5M"`
+### [allow\_nested\_items\_to\_be\_public](#input\_allow\_nested\_items\_to\_be\_public)
+
+Description: Allows or disallows public access to nested items within a container, such as blobs, when the container itself is public. Defaults to false.
+
+Type: `bool`
+
+Default: `false`
+
### [availability\_low\_threshold](#input\_availability\_low\_threshold)
Description: This will alert of storage queue transactions is higher that given value, default will be 99.
@@ -238,7 +246,7 @@ Default: `null`
### [shared\_access\_key\_enabled](#input\_shared\_access\_key\_enabled)
-Description: Enables or disables Shared Key authorization for the storage account, defaults will be true.
+Description: Enables or disables Shared Key authorization for the storage account. Defaults to true. If set to false, access must be authenticated using Microsoft Entra ID (Azure AD). Terraform deployments should configure the AzureRM provider with `storage_use_azuread = true` to allow storage data-plane operations without using storage account access keys.
Type: `bool`
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index 2b5a9160..477c2ac9 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
@@ -220,10 +220,16 @@ variable "share_properties_retention_policy_days" {
variable "shared_access_key_enabled" {
type = bool
- description = "Enables or disables Shared Key authorization for the storage account, defaults will be true."
+ description = "Enables or disables Shared Key authorization for the storage account. Defaults to true. If set to false, access must be authenticated using Microsoft Entra ID (Azure AD). Terraform deployments should configure the AzureRM provider with `storage_use_azuread = true` to allow storage data-plane operations without using storage account access keys."
default = true
}
+variable "allow_nested_items_to_be_public" {
+ type = bool
+ description = "Allows or disallows public access to nested items within a container, such as blobs, when the container itself is public. Defaults to false."
+ default = false
+}
+
locals {
alert_frequency_map = {
PT5M = "PT1M"