Allow access from trusted Microsoft services one by one
When configuring the firewall for use with Azure Storage resources,
and trying to allow access from "Trusted Microsoft Services", we only have the option to allow access from all of them, not from each "Trusted Microsoft Service" one by one.
I think that it's better to allow access one by one from a security perspective - allowing only necessary access from PaaS services in terms of system design.
Subodh Patil commented
Moreover, access to other services should be allowed only from the same tenant. Today, e.g., if I know the connection string of a SQL server, then I can create a Power BI service in any tenant and get all the data from the SQL server; there is no 2nd factor of protection layer due to this.