The recommendation for storage access restriction has been retired
Updated: July 25, 2019
Some Microsoft services, that interact with storage accounts, operate from networks that can't be granted access through network rules. To allow these services to work properly, there is a list of trusted Microsoft services that bypass the network rules. Currently, not all Azure services are included in this trusted Microsoft services list, and therefore, would not be able to access the storage if you follow this recommendation.
Even though the recommendation is no longer being used, the policy, to implement restricting access to storage accounts with firewall and virtual network configurations, is still available. Therefore, if you want to enable this restriction, you can go to the ASC default assignment in Azure policy, search for the Audit unrestricted network access to storage accounts parameter assignment in the policy and change it to Audit.