Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Bicep resource definition
The storageAccounts/encryptionScopes resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts/encryptionScopes resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2026-04-01' = {
parent: resourceSymbolicName
name: 'string'
properties: {
keyVaultProperties: {
keyUri: 'string'
}
requireInfrastructureEncryption: bool
source: 'string'
state: 'string'
}
}
Property Values
Microsoft.Storage/storageAccounts/encryptionScopes
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Min length = 3 Max length = 63 (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: storageAccounts |
| properties | Properties of the encryption scope. | EncryptionScopeProperties |
EncryptionScopeKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyUri | The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope. | string |
EncryptionScopeProperties
| Name | Description | Value |
|---|---|---|
| keyVaultProperties | The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'. | EncryptionScopeKeyVaultProperties |
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool |
| source | The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault. | 'Microsoft.KeyVault' 'Microsoft.Storage' |
| state | The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled. | 'Disabled' 'Enabled' |
Usage Examples
Bicep Samples
A basic example of deploying Storage Encryption Scope.
param resourceName string = 'acctest0001'
param location string = 'westus'
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: '${resourceName}sa'
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
properties: {
accessTier: 'Hot'
allowBlobPublicAccess: true
allowCrossTenantReplication: false
allowSharedKeyAccess: true
defaultToOAuthAuthentication: false
dnsEndpointType: 'Standard'
encryption: {
keySource: 'Microsoft.Storage'
services: {
queue: {
keyType: 'Service'
}
table: {
keyType: 'Service'
}
}
}
isHnsEnabled: false
isLocalUserEnabled: true
isNfsV3Enabled: false
isSftpEnabled: false
minimumTlsVersion: 'TLS1_2'
networkAcls: {
bypass: 'AzureServices'
defaultAction: 'Allow'
ipRules: []
resourceAccessRules: []
virtualNetworkRules: []
}
publicNetworkAccess: 'Enabled'
supportsHttpsTrafficOnly: true
}
}
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: '${resourceName}-kv'
location: location
dependsOn: [
storageAccount
]
properties: {
accessPolicies: [
{
objectId: deployer().objectId
permissions: {
certificates: []
keys: [
'Get'
'Create'
'Delete'
'List'
'Restore'
'Recover'
'UnwrapKey'
'WrapKey'
'Purge'
'Encrypt'
'Decrypt'
'Sign'
'Verify'
'GetRotationPolicy'
]
secrets: []
storage: []
}
tenantId: tenant().tenantId
}
{
objectId: storageAccount.identity.principalId
permissions: {
certificates: []
keys: [
'Get'
'UnwrapKey'
'WrapKey'
]
secrets: []
storage: []
}
tenantId: tenant().tenantId
}
]
createMode: 'default'
enablePurgeProtection: true
enableRbacAuthorization: false
enableSoftDelete: true
enabledForDeployment: false
enabledForDiskEncryption: false
enabledForTemplateDeployment: false
publicNetworkAccess: 'Enabled'
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
}
}
resource encryptionScope 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-05-01' = {
name: '${resourceName}-scope'
parent: storageAccount
dependsOn: [
vault
]
properties: {
keyVaultProperties: {
keyUri: key.properties.keyUriWithVersion
}
source: 'Microsoft.KeyVault'
state: 'Enabled'
}
}
resource key 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
name: '${resourceName}-key'
parent: vault
properties: {
keyOps: [
'encrypt'
'decrypt'
'sign'
'verify'
'wrapKey'
'unwrapKey'
]
keySize: 2048
kty: 'RSA'
}
}
ARM template resource definition
The storageAccounts/encryptionScopes resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts/encryptionScopes resource, add the following JSON to your template.
{
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2026-04-01",
"name": "string",
"properties": {
"keyVaultProperties": {
"keyUri": "string"
},
"requireInfrastructureEncryption": "bool",
"source": "string",
"state": "string"
}
}
Property Values
Microsoft.Storage/storageAccounts/encryptionScopes
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2026-04-01' |
| name | The resource name | string Constraints: Min length = 3 Max length = 63 (required) |
| properties | Properties of the encryption scope. | EncryptionScopeProperties |
| type | The resource type | 'Microsoft.Storage/storageAccounts/encryptionScopes' |
EncryptionScopeKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyUri | The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope. | string |
EncryptionScopeProperties
| Name | Description | Value |
|---|---|---|
| keyVaultProperties | The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'. | EncryptionScopeKeyVaultProperties |
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool |
| source | The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault. | 'Microsoft.KeyVault' 'Microsoft.Storage' |
| state | The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled. | 'Disabled' 'Enabled' |
Usage Examples
Terraform (AzAPI provider) resource definition
The storageAccounts/encryptionScopes resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts/encryptionScopes resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Storage/storageAccounts/encryptionScopes@2026-04-01"
name = "string"
parent_id = "string"
body = {
properties = {
keyVaultProperties = {
keyUri = "string"
}
requireInfrastructureEncryption = bool
source = "string"
state = "string"
}
}
}
Property Values
Microsoft.Storage/storageAccounts/encryptionScopes
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Min length = 3 Max length = 63 (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: storageAccounts |
| properties | Properties of the encryption scope. | EncryptionScopeProperties |
| type | The resource type | "Microsoft.Storage/storageAccounts/encryptionScopes@2026-04-01" |
EncryptionScopeKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyUri | The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope. | string |
EncryptionScopeProperties
| Name | Description | Value |
|---|---|---|
| keyVaultProperties | The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'. | EncryptionScopeKeyVaultProperties |
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool |
| source | The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault. | 'Microsoft.KeyVault' 'Microsoft.Storage' |
| state | The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled. | 'Disabled' 'Enabled' |
Usage Examples
Terraform Samples
A basic example of deploying Storage Encryption Scope.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
skip_provider_registration = false
}
data "azapi_client_config" "current" {}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westus"
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "vault" {
type = "Microsoft.KeyVault/vaults@2023-02-01"
parent_id = azapi_resource.resourceGroup.id
name = "${var.resource_name}-kv"
location = var.location
body = {
properties = {
accessPolicies = [
{
objectId = data.azapi_client_config.current.object_id
permissions = {
certificates = []
keys = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy"]
secrets = []
storage = []
}
tenantId = data.azapi_client_config.current.tenant_id
},
{
objectId = azapi_resource.storageAccount.identity[0].principal_id
permissions = {
certificates = []
keys = ["Get", "UnwrapKey", "WrapKey"]
secrets = []
storage = []
}
tenantId = data.azapi_client_config.current.tenant_id
}
]
createMode = "default"
enablePurgeProtection = true
enableRbacAuthorization = false
enableSoftDelete = true
enabledForDeployment = false
enabledForDiskEncryption = false
enabledForTemplateDeployment = false
publicNetworkAccess = "Enabled"
sku = {
family = "A"
name = "standard"
}
tenantId = data.azapi_client_config.current.tenant_id
}
}
depends_on = [azapi_resource.storageAccount]
}
resource "azapi_resource" "storageAccount" {
type = "Microsoft.Storage/storageAccounts@2023-05-01"
parent_id = azapi_resource.resourceGroup.id
name = "${var.resource_name}sa"
location = var.location
identity {
type = "SystemAssigned"
identity_ids = []
}
body = {
kind = "StorageV2"
properties = {
accessTier = "Hot"
allowBlobPublicAccess = true
allowCrossTenantReplication = false
allowSharedKeyAccess = true
defaultToOAuthAuthentication = false
dnsEndpointType = "Standard"
encryption = {
keySource = "Microsoft.Storage"
services = {
queue = {
keyType = "Service"
}
table = {
keyType = "Service"
}
}
}
isHnsEnabled = false
isLocalUserEnabled = true
isNfsV3Enabled = false
isSftpEnabled = false
minimumTlsVersion = "TLS1_2"
networkAcls = {
bypass = "AzureServices"
defaultAction = "Allow"
ipRules = []
resourceAccessRules = []
virtualNetworkRules = []
}
publicNetworkAccess = "Enabled"
supportsHttpsTrafficOnly = true
}
sku = {
name = "Standard_LRS"
}
}
}
# Commenting out first access policy due to provider state tracking issues
# resource "azapi_resource" "accessPolicy" {
# type = "Microsoft.KeyVault/vaults/accessPolicies@2023-02-01"
# parent_id = azapi_resource.vault.id
# name = "add"
# body = {
# properties = {
# accessPolicies = [{
# objectId = data.azapi_client_config.current.object_id
# permissions = {
# certificates = []
# keys = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy"]
# secrets = []
# storage = []
# }
# tenantId = data.azapi_client_config.current.tenant_id
# }]
# }
# }
# }
# Commenting out storage account access policy due to provider state tracking issues
# resource "azapi_resource" "accessPolicy_1" {
# type = "Microsoft.KeyVault/vaults/accessPolicies@2023-02-01"
# parent_id = azapi_resource.vault.id
# name = "add"
# body = {
# properties = {
# accessPolicies = [{
# objectId = azapi_resource.storageAccount.identity[0].principal_id
# permissions = {
# certificates = []
# keys = ["Get", "UnwrapKey", "WrapKey"]
# secrets = []
# storage = []
# }
# tenantId = data.azapi_client_config.current.tenant_id
# }]
# }
# }
# }
resource "azapi_resource" "key" {
type = "Microsoft.KeyVault/vaults/keys@2023-02-01"
parent_id = azapi_resource.vault.id
name = "${var.resource_name}-key"
body = {
properties = {
kty = "RSA"
keySize = 2048
keyOps = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
}
}
}
resource "azapi_resource" "encryptionScope" {
type = "Microsoft.Storage/storageAccounts/encryptionScopes@2023-05-01"
parent_id = azapi_resource.storageAccount.id
name = "${var.resource_name}-scope"
body = {
properties = {
keyVaultProperties = {
keyUri = azapi_resource.key.output.properties.keyUriWithVersion
}
source = "Microsoft.KeyVault"
state = "Enabled"
}
}
depends_on = [azapi_resource.vault]
}