SMB (tcp/445) should be blocked to external resources

You may test if SMB (tcp/445) is open to external servers if you open powershell and enter this command

Test-NetConnection mystorageaccount.file.core.windows.net -Port 445

The result should be

PS C:\Users> Test-NetConnection mystorageaccount.file.core.windows.net -Port 445
WARNUNG: TCP connect to (52.239.141.200 : 445) failed
WARNUNG: Ping to 52.239.141.200 failed with status: TimedOut

ComputerName : mystorageaccount.file.core.windows.net
RemoteAddress : 52.239.141.200
RemotePort : 445
InterfaceAlias : WLAN 2
SourceAddress : 192.168.3.12
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False

The result should not be

PS C:\Users> Test-NetConnection mystorageaccount.file.core.windows.net -Port 445

ComputerName : mystorageaccount.file.core.windows.net
RemoteAddress : 52.239.141.200
RemotePort : 445
InterfaceAlias : WLAN 2
SourceAddress : 192.168.3.12
TcpTestSucceeded : True

If you should need to access external resources through SMB configure a dedicated Firewall policy to this one trusted destination.

Best Practice: Block all unnecessary ports.