Create an Azure storage account

An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. For more information about Azure storage accounts, see Storage account overview.

In this how-to article, you learn to create a storage account using the Azure portal, Azure PowerShell, Azure CLI, or an Azure Resource Manager template.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

None.

Next, sign in to Azure.

Sign in to the Azure portal.

Create a storage account

A storage account is an Azure Resource Manager resource. Resource Manager is the deployment and management service for Azure. For more information, see Azure Resource Manager overview.

Every Resource Manager resource, including an Azure storage account, must belong to an Azure resource group. A resource group is a logical container for grouping your Azure services. When you create a storage account, you have the option to either create a new resource group, or use an existing resource group. This how-to shows how to create a new resource group.

Storage account type parameters

When you create a storage account using PowerShell, the Azure CLI, Bicep, Azure Templates, or the Azure Developer CLI, the storage account type is specified by the kind parameter (for example, StorageV2). The performance tier and redundancy configuration are specified together by the sku or SkuName parameter (for example, Standard_GRS). The following table shows which values to use for the kind parameter and the sku or SkuName parameter to create a particular type of storage account with the desired redundancy configuration.

Type of storage account Supported redundancy configurations Supported values for the kind parameter Supported values for the sku or SkuName parameter Supports hierarchical namespace
Standard general-purpose v2 LRS / GRS / RA-GRS / ZRS / GZRS / RA-GZRS StorageV2 Standard_LRS / Standard_GRS / Standard_RAGRS/ Standard_ZRS / Standard_GZRS / Standard_RAGZRS Yes
Premium block blobs LRS / ZRS BlockBlobStorage Premium_LRS / Premium_ZRS Yes
Premium file shares LRS / ZRS FileStorage Premium_LRS / Premium_ZRS No
Premium page blobs LRS StorageV2 Premium_LRS No
Legacy standard general-purpose v1 LRS / GRS / RA-GRS Storage Standard_LRS / Standard_GRS / Standard_RAGRS No
Legacy blob storage LRS / GRS / RA-GRS BlobStorage Standard_LRS / Standard_GRS / Standard_RAGRS No

To create an Azure storage account with the Azure portal, follow these steps:

  1. From the left portal menu, select Storage accounts to display a list of your storage accounts. If the portal menu isn't visible, select the menu button to toggle it on.

    Image of the Azure portal homepage showing the location of the Menu button near the top left corner of the browser.

  2. On the Storage accounts page, select Create.

    Image showing the location of the create button within the Azure portal Storage Accounts page.

Options for your new storage account are organized into tabs in the Create a storage account page. The following sections describe each of the tabs and their options.

Basics tab

On the Basics tab, provide the essential information for your storage account. After you complete the Basics tab, you can choose to further customize your new storage account by setting options on the other tabs, or you can select Review + create to accept the default options and proceed to validate and create the account.

The following table describes the fields on the Basics tab.

Section Field Required or optional Description
Project details Subscription Required Select the subscription for the new storage account.
Project details Resource group Required Create a new resource group for this storage account, or select an existing one. For more information, see Resource groups.
Instance details Storage account name Required Choose a unique name for your storage account. Storage account names must be between 3 and 24 characters in length and might contain numbers and lowercase letters only.
Instance details Region Required Select the appropriate region for your storage account. For more information, see Regions and Availability Zones in Azure.

Not all regions are supported for all types of storage accounts or redundancy configurations. For more information, see Azure Storage redundancy.

The choice of region can have a billing impact. For more information, see Storage account billing.
Instance details Performance Required Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most scenarios. For more information, see Types of storage accounts.

Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following types of premium storage accounts are available:
Instance details Redundancy Required Select your desired redundancy configuration. Not all redundancy options are available for all types of storage accounts in all regions. For more information about redundancy configurations, see Azure Storage redundancy.

If you select a geo-redundant configuration (GRS or GZRS), your data is replicated to a data center in a different region. For read access to data in the secondary region, select Make read access to data available in the event of regional unavailability.

The following image shows a standard configuration of the basic properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Basics tab.

Advanced tab

On the Advanced tab, you can configure additional options and modify default settings for your new storage account. Some of these options can also be configured after the storage account is created, while others must be configured at the time of creation.

The following table describes the fields on the Advanced tab.

Section Field Required or optional Description
Security Require secure transfer for REST API operations Optional Require secure transfer to ensure that incoming requests to this storage account are made only via HTTPS (default). Recommended for optimal security. For more information, see Require secure transfer to ensure secure connections.
Security Allow enabling anonymous access on individual containers Optional When enabled, this setting allows a user with the appropriate permissions to enable anonymous access to a container in the storage account (default). Disabling this setting prevents all anonymous access to the storage account. Microsoft recommends disabling this setting for optimal security.

For more information, see Prevent anonymous read access to containers and blobs.

Enabling anonymous access does not make blob data available for anonymous access unless the user takes the additional step to explicitly configure the container's anonymous access setting.
Security Enable storage account key access Optional When enabled, this setting allows clients to authorize requests to the storage account using either the account access keys or a Microsoft Entra account (default). Disabling this setting prevents authorization with the account access keys. For more information, see Prevent Shared Key authorization for an Azure Storage account.
Security Default to Microsoft Entra authorization in the Azure portal Optional When enabled, the Azure portal authorizes data operations with the user's Microsoft Entra credentials by default. If the user does not have the appropriate permissions assigned via Azure role-based access control (Azure RBAC) to perform data operations, then the portal will use the account access keys for data access instead. The user can also choose to switch to using the account access keys. For more information, see Default to Microsoft Entra authorization in the Azure portal.
Security Minimum TLS version Required Select the minimum version of Transport Layer Security (TLS) for incoming requests to the storage account. The default value is TLS version 1.2. When set to the default value, incoming requests made using TLS 1.0 or TLS 1.1 are rejected. For more information, see Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account.
Security Permitted scope for copy operations (preview) Required Select the scope of storage accounts from which data can be copied to the new account. The default value is From any storage account. When set to the default value, users with the appropriate permissions can copy data from any storage account to the new account.

Select From storage accounts in the same Azure AD tenant to only allow copy operations from storage accounts within the same Microsoft Entra tenant.
Select From storage accounts that have a private endpoint to the same virtual network to only allow copy operations from storage accounts with private endpoints on the same virtual network.

For more information, see Restrict the source of copy operations to a storage account.
Data Lake Storage Enable hierarchical namespace Optional To use this storage account for Azure Data Lake Storage workloads, configure a hierarchical namespace. For more information, see Introduction to Azure Data Lake Storage.
Blob storage Enable SFTP Optional Enable the use of Secure File Transfer Protocol (SFTP) to securely transfer of data over the internet. For more information, see Secure File Transfer (SFTP) protocol support in Azure Blob Storage.
Blob storage Enable network file system (NFS) v3 Optional NFS v3 provides Linux file system compatibility at object storage scale enables Linux clients to mount a container in Blob storage from an Azure Virtual Machine (VM) or a computer on-premises. For more information, see Network File System (NFS) 3.0 protocol support in Azure Blob Storage.
Blob storage Allow cross-tenant replication Required By default, users with appropriate permissions can configure object replication across Microsoft Entra tenants. To prevent replication across tenants, deselect this option. For more information, see Prevent replication across Microsoft Entra tenants.
Blob storage Access tier Required Blob access tiers enable you to store blob data in the most cost-effective manner, based on usage. Select the hot tier (default) for frequently accessed data. Select the cool tier for infrequently accessed data. For more information, see Hot, Cool, and Archive access tiers for blob data.

The following image shows a standard configuration of the advanced properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Advanced tab.

Networking tab

On the Networking tab, you can configure network connectivity and routing preference settings for your new storage account. These options can also be configured after the storage account is created.

The following table describes the fields on the Networking tab.

Section Field Required or optional Description
Network connectivity Network access Required By default, incoming network traffic is routed to the public endpoint for your storage account. You can specify that traffic must be routed to the public endpoint through an Azure virtual network. You can also configure private endpoints for your storage account. For more information, see Use private endpoints for Azure Storage.
Network connectivity Endpoint type Required Azure Storage supports two types of endpoints: standard endpoints (the default) and Azure DNS zone endpoints (preview). Within a given subscription, you can create up to 2501 accounts with standard endpoints per region, and up to 5000 accounts with Azure DNS zone endpoints per region, for a total of 5250 storage accounts. To register for the preview, see About the preview.
Network routing Routing preference Required The network routing preference specifies how network traffic is routed to the public endpoint of your storage account from clients over the internet. By default, a new storage account uses Microsoft network routing. You can also choose to route network traffic through the POP closest to the storage account, which might lower networking costs. For more information, see Network routing preference for Azure Storage.

1 With a quota increase, you can create up to 500 storage accounts with standard endpoints per region in a given subscription, for a total of 5500 storage accounts per region. For more information, see Increase Azure Storage account quotas.

The following image shows a standard configuration of the networking properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Networking tab.

Important

Azure DNS zone endpoints are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Data protection tab

On the Data protection tab, you can configure data protection options for blob data in your new storage account. These options can also be configured after the storage account is created. For an overview of data protection options in Azure Storage, see Data protection overview.

The following table describes the fields on the Data protection tab.

Section Field Required or optional Description
Recovery Enable point-in-time restore for containers Optional Point-in-time restore provides protection against accidental deletion or corruption by enabling you to restore block blob data to an earlier state. For more information, see Point-in-time restore for block blobs.

Enabling point-in-time restore also enables blob versioning, blob soft delete, and blob change feed. These prerequisite features might have a cost impact. For more information, see Pricing and billing for point-in-time restore.
Recovery Enable soft delete for blobs Optional Blob soft delete protects an individual blob, snapshot, or version from accidental deletes or overwrites by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted object to its state at the time it was deleted. For more information, see Soft delete for blobs.

Microsoft recommends enabling blob soft delete for your storage accounts and setting a minimum retention period of seven days.
Recovery Enable soft delete for containers Optional Container soft delete protects a container and its contents from accidental deletes by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted container to its state at the time it was deleted. For more information, see Soft delete for containers.

Microsoft recommends enabling container soft delete for your storage accounts and setting a minimum retention period of seven days.
Recovery Enable soft delete for file shares Optional Soft delete for file shares protects a file share and its contents from accidental deletes by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted file share to its state at the time it was deleted. For more information, see Prevent accidental deletion of Azure file shares.

Microsoft recommends enabling soft delete for file shares for Azure Files workloads and setting a minimum retention period of seven days.
Tracking Enable versioning for blobs Optional Blob versioning automatically saves the state of a blob in a previous version when the blob is overwritten. For more information, see Blob versioning.

Microsoft recommends enabling blob versioning for optimal data protection for the storage account.
Tracking Enable blob change feed Optional The blob change feed provides transaction logs of all changes to all blobs in your storage account, as well as to their metadata. For more information, see Change feed support in Azure Blob Storage.
Access control Enable version-level immutability support Optional Enable support for immutability policies that are scoped to the blob version. If this option is selected, then after you create the storage account, you can configure a default time-based retention policy for the account or for the container, which blob versions within the account or container will inherit by default. For more information, see Enable version-level immutability support on a storage account.

The following image shows a standard configuration of the data protection properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Data Protection tab.

Encryption tab

On the Encryption tab, you can configure options that relate to how your data is encrypted when it is persisted to the cloud. Some of these options can be configured only when you create the storage account.

Field Required or optional Description
Encryption type Required By default, data in the storage account is encrypted by using Microsoft-managed keys. You can rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. For more information, see Azure Storage encryption for data at rest.
Enable support for customer-managed keys Required By default, customer managed keys can be used to encrypt only blobs and files. Set this option to All service types (blobs, files, tables, and queues) to enable support for customer-managed keys for all services. You are not required to use customer-managed keys if you choose this option. For more information, see Customer-managed keys for Azure Storage encryption.
Encryption key Required if Encryption type field is set to Customer-managed keys. If you choose Select a key vault and key, you are presented with the option to navigate to the key vault and key that you wish to use. If you choose Enter key from URI, then you are presented with a field to enter the key URI and the subscription.
User-assigned identity Required if Encryption type field is set to Customer-managed keys. If you are configuring customer-managed keys at create time for the storage account, you must provide a user-assigned identity to use for authorizing access to the key vault.
Enable infrastructure encryption Optional By default, infrastructure encryption is not enabled. Enable infrastructure encryption to encrypt your data at both the service level and the infrastructure level. For more information, see Create a storage account with infrastructure encryption enabled for double encryption of data.

The following image shows a standard configuration of the encryption properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Encryption tab.

Tags tab

On the Tags tab, you can specify Resource Manager tags to help organize your Azure resources. For more information, see Tag resources, resource groups, and subscriptions for logical organization.

The following image shows a standard configuration of the index tag properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Tags tab.

Review + create tab

When you navigate to the Review + create tab, Azure runs validation on the storage account settings that you have chosen. If validation passes, you can proceed to create the storage account.

If validation fails, then the portal indicates which settings need to be modified.

The following image shows the Review tab data prior to the creation of a new storage account.

Screenshot showing a standard configuration for a new storage account - Review tab.

Delete a storage account

Deleting a storage account deletes the entire account, including all data in the account. Be sure to back up any data you want to save before you delete the account.

Under certain circumstances, a deleted storage account might be recovered, but recovery is not guaranteed. For more information, see Recover a deleted storage account.

If you try to delete a storage account associated with an Azure virtual machine, you might get an error about the storage account still being in use. For help with troubleshooting this error, see Troubleshoot errors when you delete storage accounts.

  1. Navigate to the storage account in the Azure portal.
  2. Select Delete.

Alternately, you can delete the resource group, which deletes the storage account and any other resources in that resource group. For more information about deleting a resource group, see Delete resource group and resources.

Create a general purpose v1 storage account

Note

Although Microsoft recommends general-purpose v2 accounts for most scenarios, Microsoft will continue to support general-purpose v1 accounts for new and existing customers. You can create general-purpose v1 storage accounts in new regions whenever Azure Storage is available in those regions. Microsoft does not currently have a plan to deprecate support for general-purpose v1 accounts and will provide at least one year's advance notice before deprecating any Azure Storage feature. Microsoft will continue to provide security updates for general-purpose v1 accounts, but no new feature development is expected for this account type.

For new Azure regions that have come online after October 1, 2020, pricing for general-purpose v1 accounts has changed and is equivalent to pricing for general-purpose v2 accounts in those regions. Pricing for general-purpose v1 accounts in Azure regions that existed prior to October 1, 2020 has not changed. For pricing details for general-purpose v1 accounts in a specific region, see the Azure Storage pricing page. Choose your region, and then next to Pricing offers, select Other.

General purpose v1 (GPv1) storage accounts can no longer be created from the Azure portal. If you need to create a GPv1 storage account, follow the steps in section Create a storage account for PowerShell, the Azure CLI, Bicep, or Azure Templates. For the kind parameter, specify Storage, and choose a sku or SkuName from the table of supported values.

Next steps