Microsoft.Storage storageAccounts 2018-07-01

Bicep resource definition

The storageAccounts resource type can be deployed to:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Storage/storageAccounts resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Storage/storageAccounts@2018-07-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
    restrictions: [
      {
        reasonCode: 'string'
      }
    ]
  }
  kind: 'string'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    accessTier: 'string'
    azureFilesAadIntegration: bool
    customDomain: {
      name: 'string'
      useSubDomainName: bool
    }
    encryption: {
      keySource: 'string'
      keyvaultproperties: {
        keyname: 'string'
        keyvaulturi: 'string'
        keyversion: 'string'
      }
      services: {
        blob: {
          enabled: bool
        }
        file: {
          enabled: bool
        }
      }
    }
    isHnsEnabled: bool
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          action: 'Allow'
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: 'string'
          state: 'string'
        }
      ]
    }
    supportsHttpsTrafficOnly: bool
  }
}

Property values

storageAccounts

Name Description Value
name The resource name string (required)

Character limit: 3-24

Valid characters:
Lowercase letters and numbers.

Resource name must be unique across Azure.
location Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. string (required)
tags Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters. Dictionary of tag names and values. See Tags in templates
sku Required. Gets or sets the SKU name. Sku (required)
kind Required. Indicates the type of storage account. 'BlobStorage'
'BlockBlobStorage'
'FileStorage'
'Storage'
'StorageV2' (required)
identity The identity of the resource. Identity
properties The parameters used to create the storage account. StorageAccountPropertiesCreateParametersOrStorageAcc...

Identity

Name Description Value
type The identity type. 'SystemAssigned' (required)

StorageAccountPropertiesCreateParametersOrStorageAccountProperties

Name Description Value
accessTier Required for storage accounts where kind = BlobStorage. The access tier used for billing. 'Cool'
'Hot'
azureFilesAadIntegration Enables Azure Files AAD Integration for SMB if set to true. bool
customDomain User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. CustomDomain
encryption Provides the encryption settings on the account. If left unspecified the account encryption settings will remain the same. The default setting is unencrypted. Encryption
isHnsEnabled Account HierarchicalNamespace is enabled if set to true. bool
networkAcls Network rule set NetworkRuleSet
supportsHttpsTrafficOnly Allows HTTPS traffic only to the storage service if set to true. bool

CustomDomain

Name Description Value
name Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. string (required)
useSubDomainName Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. bool

Encryption

Name Description Value
keySource The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault 'Microsoft.Keyvault'
'Microsoft.Storage' (required)
keyvaultproperties Properties provided by key vault. KeyVaultProperties
services List of services which support encryption. EncryptionServices

KeyVaultProperties

Name Description Value
keyname The name of KeyVault key. string
keyvaulturi The Uri of KeyVault. string
keyversion The version of KeyVault key. string

EncryptionServices

Name Description Value
blob The encryption function of the blob storage service. EncryptionService
file The encryption function of the file storage service. EncryptionService

EncryptionService

Name Description Value
enabled A boolean indicating whether or not the service encrypts the data as it is stored. bool

NetworkRuleSet

Name Description Value
bypass Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging, Metrics, AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. 'AzureServices'
'Logging'
'Metrics'
'None'
defaultAction Specifies the default action of allow or deny when no other rules match. 'Allow'
'Deny' (required)
ipRules Sets the IP ACL rules IPRule[]
virtualNetworkRules Sets the virtual network rules VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. 'Allow'
value Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed. string (required)

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. 'Allow'
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)
state Gets the state of virtual network rule. 'deprovisioning'
'failed'
'networkSourceDeleted'
'provisioning'
'succeeded'

Sku

Name Description Value
name Gets or sets the SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. 'Premium_LRS'
'Premium_ZRS'
'Standard_GRS'
'Standard_LRS'
'Standard_RAGRS'
'Standard_ZRS' (required)
restrictions The restrictions because of which SKU cannot be used. This is empty if there are no restrictions. Restriction[]

Restriction

Name Description Value
reasonCode The reason for the restriction. As of now this can be "QuotaId" or "NotAvailableForSubscription". Quota Id is set when the SKU has requiredQuotas parameter as the subscription does not belong to that quota. The "NotAvailableForSubscription" is related to capacity at DC. 'NotAvailableForSubscription'
'QuotaId'

Quickstart templates

The following quickstart templates deploy this resource type.

Template: Description

  • Connect to a storage account from a VM via private endpoint: This sample shows how to connect a virtual network to access a blob storage account via private endpoint.
  • Connect to an Azure File Share via a Private Endpoint: This sample shows how to configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint.
  • Create a Standard Storage Account: This template creates a Standard Storage Account.
  • Create a Storage Account with SSE: This template creates a Storage Account with Storage Service Encryption for Data at Rest.
  • Storage account with Advanced Threat Protection: This template allows you to deploy an Azure Storage account with Advanced Threat Protection enabled.
  • Create an Azure Storage Account and Blob Container on Azure: This template creates an Azure Storage account and a blob container.
  • Storage Account with SSE and blob deletion retention policy: This template creates a Storage Account with Storage Service Encryption and a blob deletion retention policy.
  • Azure Storage Account Encryption with customer-managed key: This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
  • Create a storage account with file share: This template creates an Azure storage account and file share.
  • Create a storage account with multiple Blob containers: Creates an Azure storage account and multiple blob containers.
  • Create a storage account with multiple file shares: Creates an Azure storage account and multiple file shares.
  • Create Storage Account with SFTP enabled: Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based.
  • Deploys a static website: Deploys a static website with a backing storage account.

ARM template resource definition

The storageAccounts resource type can be deployed to:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Storage/storageAccounts resource, add the following JSON to your template.

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2018-07-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "name": "string",
    "restrictions": [
      {
        "reasonCode": "string"
      }
    ]
  },
  "kind": "string",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "accessTier": "string",
    "azureFilesAadIntegration": "bool",
    "customDomain": {
      "name": "string",
      "useSubDomainName": "bool"
    },
    "encryption": {
      "keySource": "string",
      "keyvaultproperties": {
        "keyname": "string",
        "keyvaulturi": "string",
        "keyversion": "string"
      },
      "services": {
        "blob": {
          "enabled": "bool"
        },
        "file": {
          "enabled": "bool"
        }
      }
    },
    "isHnsEnabled": "bool",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "action": "Allow",
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "action": "Allow",
          "id": "string",
          "state": "string"
        }
      ]
    },
    "supportsHttpsTrafficOnly": "bool"
  }
}

Property values

storageAccounts

Name Description Value
type The resource type 'Microsoft.Storage/storageAccounts'
apiVersion The resource api version '2018-07-01'
name The resource name string (required)

Character limit: 3-24

Valid characters:
Lowercase letters and numbers.

Resource name must be unique across Azure.
location Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. string (required)
tags Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters. Dictionary of tag names and values. See Tags in templates
sku Required. Gets or sets the SKU name. Sku (required)
kind Required. Indicates the type of storage account. 'BlobStorage'
'BlockBlobStorage'
'FileStorage'
'Storage'
'StorageV2' (required)
identity The identity of the resource. Identity
properties The parameters used to create the storage account. StorageAccountPropertiesCreateParametersOrStorageAcc...

Identity

Name Description Value
type The identity type. 'SystemAssigned' (required)

StorageAccountPropertiesCreateParametersOrStorageAccountProperties

Name Description Value
accessTier Required for storage accounts where kind = BlobStorage. The access tier used for billing. 'Cool'
'Hot'
azureFilesAadIntegration Enables Azure Files AAD Integration for SMB if set to true. bool
customDomain User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. CustomDomain
encryption Provides the encryption settings on the account. If left unspecified the account encryption settings will remain the same. The default setting is unencrypted. Encryption
isHnsEnabled Account HierarchicalNamespace is enabled if set to true. bool
networkAcls Network rule set NetworkRuleSet
supportsHttpsTrafficOnly Allows HTTPS traffic only to the storage service if set to true. bool

CustomDomain

Name Description Value
name Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. string (required)
useSubDomainName Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. bool

Encryption

Name Description Value
keySource The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault 'Microsoft.Keyvault'
'Microsoft.Storage' (required)
keyvaultproperties Properties provided by key vault. KeyVaultProperties
services List of services which support encryption. EncryptionServices

KeyVaultProperties

Name Description Value
keyname The name of KeyVault key. string
keyvaulturi The Uri of KeyVault. string
keyversion The version of KeyVault key. string

EncryptionServices

Name Description Value
blob The encryption function of the blob storage service. EncryptionService
file The encryption function of the file storage service. EncryptionService

EncryptionService

Name Description Value
enabled A boolean indicating whether or not the service encrypts the data as it is stored. bool

NetworkRuleSet

Name Description Value
bypass Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging, Metrics, AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. 'AzureServices'
'Logging'
'Metrics'
'None'
defaultAction Specifies the default action of allow or deny when no other rules match. 'Allow'
'Deny' (required)
ipRules Sets the IP ACL rules IPRule[]
virtualNetworkRules Sets the virtual network rules VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. 'Allow'
value Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed. string (required)

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. 'Allow'
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)
state Gets the state of virtual network rule. 'deprovisioning'
'failed'
'networkSourceDeleted'
'provisioning'
'succeeded'

Sku

Name Description Value
name Gets or sets the SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. 'Premium_LRS'
'Premium_ZRS'
'Standard_GRS'
'Standard_LRS'
'Standard_RAGRS'
'Standard_ZRS' (required)
restrictions The restrictions because of which SKU cannot be used. This is empty if there are no restrictions. Restriction[]

Restriction

Name Description Value
reasonCode The reason for the restriction. As of now this can be "QuotaId" or "NotAvailableForSubscription". Quota Id is set when the SKU has requiredQuotas parameter as the subscription does not belong to that quota. The "NotAvailableForSubscription" is related to capacity at DC. 'NotAvailableForSubscription'
'QuotaId'
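
The following is an added example, not part of the original reference page: a Python check that audits storageAccounts resources in an ARM template against the security-relevant properties documented above (supportsHttpsTrafficOnly, networkAcls, encryption). The finding codes, the /16 breadth threshold, and the sample template are assumptions made for illustration.

```python
import ipaddress

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"
MIN_PREFIX = 16  # assumption: local policy treats anything wider than /16 as too broad


def audit_storage_account(resource):
    """Return finding codes for one storageAccounts resource (ARM JSON as a dict)."""
    findings = []
    props = resource.get("properties", {})

    # Only a literal true passes; template expressions are not evaluated here.
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append("HTTP_ALLOWED")

    acls = props.get("networkAcls")
    if acls is None:
        findings.append("NO_NETWORK_ACLS")
    else:
        if str(acls.get("defaultAction", "")).lower() != "deny":
            findings.append("DEFAULT_ACTION_NOT_DENY")
        for rule in acls.get("ipRules", []):
            try:
                # The property table allows IPv4 addresses or IPv4 CIDR ranges only.
                net = ipaddress.IPv4Network(rule.get("value", ""), strict=False)
            except ValueError:
                findings.append("INVALID_IP_RULE")
                continue
            if net.prefixlen < MIN_PREFIX:
                findings.append("BROAD_IP_RULE")

    # Per the property table, an unspecified encryption block defaults to unencrypted.
    enc = props.get("encryption")
    if enc is None:
        findings.append("ENCRYPTION_NOT_SET")
    else:
        services = enc.get("services", {})
        for svc in ("blob", "file"):
            if services.get(svc, {}).get("enabled") is not True:
                findings.append("ENCRYPTION_OFF_" + svc.upper())
        # keySource is case-insensitive per the property table.
        if str(enc.get("keySource", "")).lower() == "microsoft.keyvault":
            kv = enc.get("keyvaultproperties", {})
            if not (kv.get("keyname") and kv.get("keyvaulturi")):
                findings.append("KEYVAULT_PROPERTIES_INCOMPLETE")
    return findings


def audit_template(template):
    """Map each storage account name in an ARM template to its findings."""
    return {
        r.get("name", "<unnamed>"): audit_storage_account(r)
        for r in template.get("resources", [])
        if r.get("type") == STORAGE_TYPE
    }


# Constructed sample template: one weak and one hardened account.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": STORAGE_TYPE, "apiVersion": "2018-07-01", "name": "weakacct",
         "properties": {
             "supportsHttpsTrafficOnly": False,
             "networkAcls": {"defaultAction": "Allow",
                             "ipRules": [{"action": "Allow", "value": "0.0.0.0/0"}]}}},
        {"type": STORAGE_TYPE, "apiVersion": "2018-07-01", "name": "hardacct",
         "properties": {
             "supportsHttpsTrafficOnly": True,
             "networkAcls": {"bypass": "None", "defaultAction": "Deny",
                             "ipRules": [{"action": "Allow", "value": "198.51.100.0/24"}]},
             "encryption": {"keySource": "Microsoft.Storage",
                            "services": {"blob": {"enabled": True},
                                         "file": {"enabled": True}}}}},
    ]
}

if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, findings or "OK")
```

Boolean properties supplied as template expressions (for example a parameter reference) are reported as findings because the check does not evaluate them; review those by hand.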

Terraform (AzAPI provider) resource definition

The storageAccounts resource type can be deployed to:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Storage/storageAccounts resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Storage/storageAccounts@2018-07-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  identity {
    type = "SystemAssigned"
  }
  body = jsonencode({
    properties = {
      accessTier = "string"
      azureFilesAadIntegration = bool
      customDomain = {
        name = "string"
        useSubDomainName = bool
      }
      encryption = {
        keySource = "string"
        keyvaultproperties = {
          keyname = "string"
          keyvaulturi = "string"
          keyversion = "string"
        }
        services = {
          blob = {
            enabled = bool
          }
          file = {
            enabled = bool
          }
        }
      }
      isHnsEnabled = bool
      networkAcls = {
        bypass = "string"
        defaultAction = "string"
        ipRules = [
          {
            action = "Allow"
            value = "string"
          }
        ]
        virtualNetworkRules = [
          {
            action = "Allow"
            id = "string"
            state = "string"
          }
        ]
      }
      supportsHttpsTrafficOnly = bool
    }
    sku = {
      name = "string"
      restrictions = [
        {
          reasonCode = "string"
        }
      ]
    }
    kind = "string"
  })
}

Property values

storageAccounts

Name Description Value
type The resource type "Microsoft.Storage/storageAccounts@2018-07-01"
name The resource name string (required)

Character limit: 3-24

Valid characters:
Lowercase letters and numbers.

Resource name must be unique across Azure.
location Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. string (required)
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters. Dictionary of tag names and values.
sku Required. Gets or sets the SKU name. Sku (required)
kind Required. Indicates the type of storage account. "BlobStorage"
"BlockBlobStorage"
"FileStorage"
"Storage"
"StorageV2" (required)
identity The identity of the resource. Identity
properties The parameters used to create the storage account. StorageAccountPropertiesCreateParametersOrStorageAcc...

Identity

Name Description Value
type The identity type. "SystemAssigned" (required)

StorageAccountPropertiesCreateParametersOrStorageAccountProperties

Name Description Value
accessTier Required for storage accounts where kind = BlobStorage. The access tier used for billing. "Cool"
"Hot"
azureFilesAadIntegration Enables Azure Files AAD Integration for SMB if set to true. bool
customDomain User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. CustomDomain
encryption Provides the encryption settings on the account. If left unspecified the account encryption settings will remain the same. The default setting is unencrypted. Encryption
isHnsEnabled Account HierarchicalNamespace is enabled if set to true. bool
networkAcls Network rule set NetworkRuleSet
supportsHttpsTrafficOnly Allows HTTPS traffic only to the storage service if set to true. bool

CustomDomain

Name Description Value
name Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. string (required)
useSubDomainName Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. bool

Encryption

Name Description Value
keySource The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault "Microsoft.Keyvault"
"Microsoft.Storage" (required)
keyvaultproperties Properties provided by key vault. KeyVaultProperties
services List of services which support encryption. EncryptionServices

KeyVaultProperties

Name Description Value
keyname The name of KeyVault key. string
keyvaulturi The Uri of KeyVault. string
keyversion The version of KeyVault key. string

EncryptionServices

Name Description Value
blob The encryption function of the blob storage service. EncryptionService
file The encryption function of the file storage service. EncryptionService

EncryptionService

Name Description Value
enabled A boolean indicating whether or not the service encrypts the data as it is stored. bool

NetworkRuleSet

Name Description Value
bypass Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging, Metrics, AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. "AzureServices"
"Logging"
"Metrics"
"None"
defaultAction Specifies the default action of allow or deny when no other rules match. "Allow"
"Deny" (required)
ipRules Sets the IP ACL rules IPRule[]
virtualNetworkRules Sets the virtual network rules VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. "Allow"
value Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed. string (required)

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. "Allow"
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)
state Gets the state of virtual network rule. "deprovisioning"
"failed"
"networkSourceDeleted"
"provisioning"
"succeeded"

Sku

Name Description Value
name Gets or sets the SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. "Premium_LRS"
"Premium_ZRS"
"Standard_GRS"
"Standard_LRS"
"Standard_RAGRS"
"Standard_ZRS" (required)
restrictions The restrictions because of which SKU cannot be used. This is empty if there are no restrictions. Restriction[]

Restriction

Name Description Value
reasonCode The reason for the restriction. As of now this can be "QuotaId" or "NotAvailableForSubscription". Quota Id is set when the SKU has requiredQuotas parameter as the subscription does not belong to that quota. The "NotAvailableForSubscription" is related to capacity at DC. "NotAvailableForSubscription"
"QuotaId"