Microsoft.Storage storageAccounts

Bicep resource definition

The storageAccounts resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Storage/storageAccounts resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
  }
  kind: 'string'
  extendedLocation: {
    name: 'string'
    type: 'EdgeZone'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  properties: {
    accessTier: 'string'
    allowBlobPublicAccess: bool
    allowCrossTenantReplication: bool
    allowedCopyScope: 'string'
    allowSharedKeyAccess: bool
    azureFilesIdentityBasedAuthentication: {
      activeDirectoryProperties: {
        accountType: 'string'
        azureStorageSid: 'string'
        domainGuid: 'string'
        domainName: 'string'
        domainSid: 'string'
        forestName: 'string'
        netBiosDomainName: 'string'
        samAccountName: 'string'
      }
      defaultSharePermission: 'string'
      directoryServiceOptions: 'string'
    }
    customDomain: {
      name: 'string'
      useSubDomainName: bool
    }
    defaultToOAuthAuthentication: bool
    dnsEndpointType: 'string'
    enableExtendedGroups: bool
    encryption: {
      identity: {
        federatedIdentityClientId: 'string'
        userAssignedIdentity: 'string'
      }
      keySource: 'string'
      keyvaultproperties: {
        keyname: 'string'
        keyvaulturi: 'string'
        keyversion: 'string'
      }
      requireInfrastructureEncryption: bool
      services: {
        blob: {
          enabled: bool
          keyType: 'string'
        }
        file: {
          enabled: bool
          keyType: 'string'
        }
        queue: {
          enabled: bool
          keyType: 'string'
        }
        table: {
          enabled: bool
          keyType: 'string'
        }
      }
    }
    immutableStorageWithVersioning: {
      enabled: bool
      immutabilityPolicy: {
        allowProtectedAppendWrites: bool
        immutabilityPeriodSinceCreationInDays: int
        state: 'string'
      }
    }
    isHnsEnabled: bool
    isLocalUserEnabled: bool
    isNfsV3Enabled: bool
    isSftpEnabled: bool
    keyPolicy: {
      keyExpirationPeriodInDays: int
    }
    largeFileSharesState: 'string'
    minimumTlsVersion: 'string'
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          action: 'Allow'
          value: 'string'
        }
      ]
      resourceAccessRules: [
        {
          resourceId: 'string'
          tenantId: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: 'string'
          state: 'string'
        }
      ]
    }
    publicNetworkAccess: 'string'
    routingPreference: {
      publishInternetEndpoints: bool
      publishMicrosoftEndpoints: bool
      routingChoice: 'string'
    }
    sasPolicy: {
      expirationAction: 'string'
      sasExpirationPeriod: 'string'
    }
    supportsHttpsTrafficOnly: bool
  }
}

Property values

storageAccounts

Name Description Value
name The resource name string (required)

Character limit: 3-24

Valid characters:
Lowercase letters and numbers.

Resource name must be unique across Azure.
location Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. string (required)
tags Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters. Dictionary of tag names and values. See Tags in templates
sku Required. Gets or sets the SKU name. Sku (required)
kind Required. Indicates the type of storage account. 'BlobStorage'
'BlockBlobStorage'
'FileStorage'
'Storage'
'StorageV2' (required)
extendedLocation Optional. Set the extended location of the resource. If not set, the storage account will be created in Azure main region. Otherwise it will be created in the specified extended location ExtendedLocation
identity The identity of the resource. Identity
properties The parameters used to create the storage account. StorageAccountPropertiesCreateParametersOrStorageAcc...

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

Identity

Name Description Value
type The identity type. 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here. IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name Description Value
{customized property} UserAssignedIdentity

UserAssignedIdentity

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

StorageAccountPropertiesCreateParametersOrStorageAcc...

Name Description Value
accessTier Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. 'Cold'
'Cool'
'Hot'
'Premium'
allowBlobPublicAccess Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is false for this property. bool
allowCrossTenantReplication Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. The default interpretation is false for new accounts to follow best security practices by default. bool
allowedCopyScope Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. 'AAD'
'PrivateLink'
allowSharedKeyAccess Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. bool
azureFilesIdentityBasedAuthentication Provides the identity based authentication settings for Azure Files. AzureFilesIdentityBasedAuthentication
customDomain User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. CustomDomain
defaultToOAuthAuthentication A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. bool
dnsEndpointType Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. 'AzureDnsZone'
'Standard'
enableExtendedGroups Enables extended group support with local users feature, if set to true bool
encryption Encryption settings to be used for server-side encryption for the storage account. Encryption
immutableStorageWithVersioning The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the new containers in the account by default. ImmutableStorageAccount
isHnsEnabled Account HierarchicalNamespace enabled if sets to true. bool
isLocalUserEnabled Enables local users feature, if set to true bool
isNfsV3Enabled NFS 3.0 protocol support enabled if set to true. bool
isSftpEnabled Enables Secure File Transfer Protocol, if set to true bool
keyPolicy KeyPolicy assigned to the storage account. KeyPolicy
largeFileSharesState Allow large file shares if sets to Enabled. It cannot be disabled once it is enabled. 'Disabled'
'Enabled'
minimumTlsVersion Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. 'TLS1_0'
'TLS1_1'
'TLS1_2'
'TLS1_3'
networkAcls Network rule set NetworkRuleSet
publicNetworkAccess Allow, disallow, or let Network Security Perimeter configuration to evaluate public network access to Storage Account. Value is optional but if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'. 'Disabled'
'Enabled'
'SecuredByPerimeter'
routingPreference Maintains information about the network routing choice opted by the user for data transfer RoutingPreference
sasPolicy SasPolicy assigned to the storage account. SasPolicy
supportsHttpsTrafficOnly Allows https traffic only to storage service if sets to true. The default value is true since API version 2019-04-01. bool

AzureFilesIdentityBasedAuthentication

Name Description Value
activeDirectoryProperties Required if directoryServiceOptions are AD, optional if they are AADKERB. ActiveDirectoryProperties
defaultSharePermission Default share permission for users using Kerberos authentication if RBAC role is not assigned. 'None'
'StorageFileDataSmbShareContributor'
'StorageFileDataSmbShareElevatedContributor'
'StorageFileDataSmbShareReader'
directoryServiceOptions Indicates the directory service used. Note that this enum may be extended in the future. 'AADDS'
'AADKERB'
'AD'
'None' (required)

ActiveDirectoryProperties

Name Description Value
accountType Specifies the Active Directory account type for Azure Storage. 'Computer'
'User'
azureStorageSid Specifies the security identifier (SID) for Azure Storage. string
domainGuid Specifies the domain GUID. string (required)
domainName Specifies the primary domain that the AD DNS server is authoritative for. string (required)
domainSid Specifies the security identifier (SID). string
forestName Specifies the Active Directory forest to get. string
netBiosDomainName Specifies the NetBIOS domain name. string
samAccountName Specifies the Active Directory SAMAccountName for Azure Storage. string

CustomDomain

Name Description Value
name Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. string (required)
useSubDomainName Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. bool

Encryption

Name Description Value
identity The identity to be used with service-side encryption at rest. EncryptionIdentity
keySource The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault 'Microsoft.Keyvault'
'Microsoft.Storage'
keyvaultproperties Properties provided by key vault. KeyVaultProperties
requireInfrastructureEncryption A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. bool
services List of services which support encryption. EncryptionServices

EncryptionIdentity

Name Description Value
federatedIdentityClientId ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account. string
userAssignedIdentity Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account. string

KeyVaultProperties

Name Description Value
keyname The name of KeyVault key. string
keyvaulturi The Uri of KeyVault. string
keyversion The version of KeyVault key. string

EncryptionServices

Name Description Value
blob The encryption function of the blob storage service. EncryptionService
file The encryption function of the file storage service. EncryptionService
queue The encryption function of the queue storage service. EncryptionService
table The encryption function of the table storage service. EncryptionService

EncryptionService

Name Description Value
enabled A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. bool
keyType Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. 'Account'
'Service'

ImmutableStorageAccount

Name Description Value
enabled A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default. bool
immutabilityPolicy Specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy. AccountImmutabilityPolicyProperties

AccountImmutabilityPolicyProperties

Name Description Value
allowProtectedAppendWrites This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. bool
immutabilityPeriodSinceCreationInDays The immutability period for the blobs in the container since the policy creation, in days. int

Constraints:
Min value = 1
Max value = 146000
state The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted. 'Disabled'
'Locked'
'Unlocked'

KeyPolicy

Name Description Value
keyExpirationPeriodInDays The key expiration period in days. int (required)

NetworkRuleSet

Name Description Value
bypass Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics. 'AzureServices'
'Logging'
'Metrics'
'None'
defaultAction Specifies the default action of allow or deny when no other rules match. 'Allow'
'Deny' (required)
ipRules Sets the IP ACL rules IPRule[]
resourceAccessRules Sets the resource access rules ResourceAccessRule[]
virtualNetworkRules Sets the virtual network rules VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. 'Allow'
value Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string (required)

ResourceAccessRule

Name Description Value
resourceId Resource Id string
tenantId Tenant Id string

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. 'Allow'
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)
state Gets the state of virtual network rule. 'Deprovisioning'
'Failed'
'NetworkSourceDeleted'
'Provisioning'
'Succeeded'

RoutingPreference

Name Description Value
publishInternetEndpoints A boolean flag which indicates whether internet routing storage endpoints are to be published bool
publishMicrosoftEndpoints A boolean flag which indicates whether microsoft routing storage endpoints are to be published bool
routingChoice Routing Choice defines the kind of network routing opted by the user. 'InternetRouting'
'MicrosoftRouting'

SasPolicy

Name Description Value
expirationAction The SAS Expiration Action defines the action to be performed when sasPolicy.sasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period. 'Block'
'Log' (required)
sasExpirationPeriod The SAS expiration period, DD.HH:MM:SS. string (required)

Sku

Name Description Value
name The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. 'Premium_LRS'
'Premium_ZRS'
'Standard_GRS'
'Standard_GZRS'
'Standard_LRS'
'Standard_RAGRS'
'Standard_RAGZRS'
'Standard_ZRS' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Connect to a storage account from a VM via private endpoint

Deploy to Azure
This sample shows how to use connect a virtual network to access a blob storage account via private endpoint.
Connect to an Azure File Share via a Private Endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint.
Create a Standard Storage Account

Deploy to Azure
This template creates a Standard Storage Account
Create a Storage Account with SSE

Deploy to Azure
This template creates a Storage Account with Storage Service Encryption for Data at Rest
Storage account with Advanced Threat Protection

Deploy to Azure
This template allows you to deploy an Azure Storage account with Advanced Threat Protection enabled.
Create an Azure Storage Account and Blob Container on Azure

Deploy to Azure
This template creates an Azure Storage account and a blob container.
Storage Account with SSE and blob deletion retention policy

Deploy to Azure
This template creates a Storage Account with Storage Service Encryption and a blob deletion retention policy
Azure Storage Account Encryption with customer-managed key

Deploy to Azure
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
Create a storage account with file share

Deploy to Azure
This template creates an Azure storage account and file share.
Create a storage account with multiple Blob containers

Deploy to Azure
Creates an Azure storage account and multiple blob containers.
Create a storage account with multiple file shares

Deploy to Azure
Creates an Azure storage account and multiple file shares.
Create Storage Account with SFTP enabled

Deploy to Azure
Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based.
Deploys a static website

Deploy to Azure
Deploys a static website with a backing storage account

ARM template resource definition

The storageAccounts resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Storage/storageAccounts resource, add the following JSON to your template.

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-05-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "name": "string"
  },
  "kind": "string",
  "extendedLocation": {
    "name": "string",
    "type": "EdgeZone"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {}
    }
  },
  "properties": {
    "accessTier": "string",
    "allowBlobPublicAccess": "bool",
    "allowCrossTenantReplication": "bool",
    "allowedCopyScope": "string",
    "allowSharedKeyAccess": "bool",
    "azureFilesIdentityBasedAuthentication": {
      "activeDirectoryProperties": {
        "accountType": "string",
        "azureStorageSid": "string",
        "domainGuid": "string",
        "domainName": "string",
        "domainSid": "string",
        "forestName": "string",
        "netBiosDomainName": "string",
        "samAccountName": "string"
      },
      "defaultSharePermission": "string",
      "directoryServiceOptions": "string"
    },
    "customDomain": {
      "name": "string",
      "useSubDomainName": "bool"
    },
    "defaultToOAuthAuthentication": "bool",
    "dnsEndpointType": "string",
    "enableExtendedGroups": "bool",
    "encryption": {
      "identity": {
        "federatedIdentityClientId": "string",
        "userAssignedIdentity": "string"
      },
      "keySource": "string",
      "keyvaultproperties": {
        "keyname": "string",
        "keyvaulturi": "string",
        "keyversion": "string"
      },
      "requireInfrastructureEncryption": "bool",
      "services": {
        "blob": {
          "enabled": "bool",
          "keyType": "string"
        },
        "file": {
          "enabled": "bool",
          "keyType": "string"
        },
        "queue": {
          "enabled": "bool",
          "keyType": "string"
        },
        "table": {
          "enabled": "bool",
          "keyType": "string"
        }
      }
    },
    "immutableStorageWithVersioning": {
      "enabled": "bool",
      "immutabilityPolicy": {
        "allowProtectedAppendWrites": "bool",
        "immutabilityPeriodSinceCreationInDays": "int",
        "state": "string"
      }
    },
    "isHnsEnabled": "bool",
    "isLocalUserEnabled": "bool",
    "isNfsV3Enabled": "bool",
    "isSftpEnabled": "bool",
    "keyPolicy": {
      "keyExpirationPeriodInDays": "int"
    },
    "largeFileSharesState": "string",
    "minimumTlsVersion": "string",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "action": "Allow",
          "value": "string"
        }
      ],
      "resourceAccessRules": [
        {
          "resourceId": "string",
          "tenantId": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "action": "Allow",
          "id": "string",
          "state": "string"
        }
      ]
    },
    "publicNetworkAccess": "string",
    "routingPreference": {
      "publishInternetEndpoints": "bool",
      "publishMicrosoftEndpoints": "bool",
      "routingChoice": "string"
    },
    "sasPolicy": {
      "expirationAction": "string",
      "sasExpirationPeriod": "string"
    },
    "supportsHttpsTrafficOnly": "bool"
  }
}

Property values

storageAccounts

Name Description Value
type The resource type 'Microsoft.Storage/storageAccounts'
apiVersion The resource api version '2023-05-01'
name The resource name string (required)

Character limit: 3-24

Valid characters:
Lowercase letters and numbers.

Resource name must be unique across Azure.
location Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. string (required)
tags Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters. Dictionary of tag names and values. See Tags in templates
sku Required. Gets or sets the SKU name. Sku (required)
kind Required. Indicates the type of storage account. 'BlobStorage'
'BlockBlobStorage'
'FileStorage'
'Storage'
'StorageV2' (required)
extendedLocation Optional. Set the extended location of the resource. If not set, the storage account will be created in Azure main region. Otherwise it will be created in the specified extended location ExtendedLocation
identity The identity of the resource. Identity
properties The parameters used to create the storage account. StorageAccountPropertiesCreateParametersOrStorageAcc...

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

Identity

Name Description Value
type The identity type. 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here. IdentityUserAssignedIdentities

IdentityUserAssignedIdentities

Name Description Value
{customized property} UserAssignedIdentity

UserAssignedIdentity

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

StorageAccountPropertiesCreateParametersOrStorageAcc...

Name Description Value
accessTier Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. 'Cold'
'Cool'
'Hot'
'Premium'
allowBlobPublicAccess Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is false for this property. bool
allowCrossTenantReplication Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. The default interpretation is false for new accounts to follow best security practices by default. bool
allowedCopyScope Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. 'AAD'
'PrivateLink'
allowSharedKeyAccess Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. bool
azureFilesIdentityBasedAuthentication Provides the identity based authentication settings for Azure Files. AzureFilesIdentityBasedAuthentication
customDomain User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. CustomDomain
defaultToOAuthAuthentication A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. bool
dnsEndpointType Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. 'AzureDnsZone'
'Standard'
enableExtendedGroups Enables extended group support with local users feature, if set to true bool
encryption Encryption settings to be used for server-side encryption for the storage account. Encryption
immutableStorageWithVersioning The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the new containers in the account by default. ImmutableStorageAccount
isHnsEnabled Account HierarchicalNamespace enabled if sets to true. bool
isLocalUserEnabled Enables local users feature, if set to true bool
isNfsV3Enabled NFS 3.0 protocol support enabled if set to true. bool
isSftpEnabled Enables Secure File Transfer Protocol, if set to true bool
keyPolicy KeyPolicy assigned to the storage account. KeyPolicy
largeFileSharesState Allow large file shares if sets to Enabled. It cannot be disabled once it is enabled. 'Disabled'
'Enabled'
minimumTlsVersion Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. 'TLS1_0'
'TLS1_1'
'TLS1_2'
'TLS1_3'
networkAcls Network rule set NetworkRuleSet
publicNetworkAccess Allow, disallow, or let Network Security Perimeter configuration to evaluate public network access to Storage Account. Value is optional but if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'. 'Disabled'
'Enabled'
'SecuredByPerimeter'
routingPreference Maintains information about the network routing choice opted by the user for data transfer RoutingPreference
sasPolicy SasPolicy assigned to the storage account. SasPolicy
supportsHttpsTrafficOnly Allows https traffic only to storage service if sets to true. The default value is true since API version 2019-04-01. bool

AzureFilesIdentityBasedAuthentication

Name Description Value
activeDirectoryProperties Required if directoryServiceOptions are AD, optional if they are AADKERB. ActiveDirectoryProperties
defaultSharePermission Default share permission for users using Kerberos authentication if RBAC role is not assigned. 'None'
'StorageFileDataSmbShareContributor'
'StorageFileDataSmbShareElevatedContributor'
'StorageFileDataSmbShareReader'
directoryServiceOptions Indicates the directory service used. Note that this enum may be extended in the future. 'AADDS'
'AADKERB'
'AD'
'None' (required)

ActiveDirectoryProperties

Name Description Value
accountType Specifies the Active Directory account type for Azure Storage. 'Computer'
'User'
azureStorageSid Specifies the security identifier (SID) for Azure Storage. string
domainGuid Specifies the domain GUID. string (required)
domainName Specifies the primary domain that the AD DNS server is authoritative for. string (required)
domainSid Specifies the security identifier (SID). string
forestName Specifies the Active Directory forest to get. string
netBiosDomainName Specifies the NetBIOS domain name. string
samAccountName Specifies the Active Directory SAMAccountName for Azure Storage. string

CustomDomain

Name Description Value
name Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. string (required)
useSubDomainName Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. bool

Encryption

Name Description Value
identity The identity to be used with service-side encryption at rest. EncryptionIdentity
keySource The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault 'Microsoft.Keyvault'
'Microsoft.Storage'
keyvaultproperties Properties provided by key vault. KeyVaultProperties
requireInfrastructureEncryption A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. bool
services List of services which support encryption. EncryptionServices

EncryptionIdentity

Name Description Value
federatedIdentityClientId ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account. string
userAssignedIdentity Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account. string

KeyVaultProperties

Name Description Value
keyname The name of KeyVault key. string
keyvaulturi The Uri of KeyVault. string
keyversion The version of KeyVault key. string

EncryptionServices

Name Description Value
blob The encryption function of the blob storage service. EncryptionService
file The encryption function of the file storage service. EncryptionService
queue The encryption function of the queue storage service. EncryptionService
table The encryption function of the table storage service. EncryptionService

EncryptionService

Name Description Value
enabled A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. bool
keyType Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. 'Account'
'Service'

ImmutableStorageAccount

Name Description Value
enabled A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default. bool
immutabilityPolicy Specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy. AccountImmutabilityPolicyProperties

AccountImmutabilityPolicyProperties

Name Description Value
allowProtectedAppendWrites This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. bool
immutabilityPeriodSinceCreationInDays The immutability period for the blobs in the container since the policy creation, in days. int

Constraints:
Min value = 1
Max value = 146000
state The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted. 'Disabled'
'Locked'
'Unlocked'

KeyPolicy

Name Description Value
keyExpirationPeriodInDays The key expiration period in days. int (required)

NetworkRuleSet

Name Description Value
bypass Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics. 'AzureServices'
'Logging'
'Metrics'
'None'
defaultAction Specifies the default action of allow or deny when no other rules match. 'Allow'
'Deny' (required)
ipRules Sets the IP ACL rules IPRule[]
resourceAccessRules Sets the resource access rules ResourceAccessRule[]
virtualNetworkRules Sets the virtual network rules VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. 'Allow'
value Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string (required)

ResourceAccessRule

Name Description Value
resourceId Resource Id string
tenantId Tenant Id string

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. 'Allow'
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)
state Gets the state of virtual network rule. 'Deprovisioning'
'Failed'
'NetworkSourceDeleted'
'Provisioning'
'Succeeded'

RoutingPreference

Name Description Value
publishInternetEndpoints A boolean flag which indicates whether internet routing storage endpoints are to be published bool
publishMicrosoftEndpoints A boolean flag which indicates whether microsoft routing storage endpoints are to be published bool
routingChoice Routing Choice defines the kind of network routing opted by the user. 'InternetRouting'
'MicrosoftRouting'

SasPolicy

Name Description Value
expirationAction The SAS Expiration Action defines the action to be performed when sasPolicy.sasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period. 'Block'
'Log' (required)
sasExpirationPeriod The SAS expiration period, DD.HH:MM:SS. string (required)

Sku

Name Description Value
name The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. 'Premium_LRS'
'Premium_ZRS'
'Standard_GRS'
'Standard_GZRS'
'Standard_LRS'
'Standard_RAGRS'
'Standard_RAGZRS'
'Standard_ZRS' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Connect to a storage account from a VM via private endpoint

Deploy to Azure
This sample shows how to use connect a virtual network to access a blob storage account via private endpoint.
Connect to an Azure File Share via a Private Endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint.
Create a Standard Storage Account

Deploy to Azure
This template creates a Standard Storage Account
Create a Storage Account with SSE

Deploy to Azure
This template creates a Storage Account with Storage Service Encryption for Data at Rest
Storage account with Advanced Threat Protection

Deploy to Azure
This template allows you to deploy an Azure Storage account with Advanced Threat Protection enabled.
Create an Azure Storage Account and Blob Container on Azure

Deploy to Azure
This template creates an Azure Storage account and a blob container.
Storage Account with SSE and blob deletion retention policy

Deploy to Azure
This template creates a Storage Account with Storage Service Encryption and a blob deletion retention policy
Azure Storage Account Encryption with customer-managed key

Deploy to Azure
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
Create a storage account with file share

Deploy to Azure
This template creates an Azure storage account and file share.
Create a storage account with multiple Blob containers

Deploy to Azure
Creates an Azure storage account and multiple blob containers.
Create a storage account with multiple file shares

Deploy to Azure
Creates an Azure storage account and multiple file shares.
Create Storage Account with SFTP enabled

Deploy to Azure
Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based.
Deploys a static website

Deploy to Azure
Deploys a static website with a backing storage account

Terraform (AzAPI provider) resource definition

The storageAccounts resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Storage/storageAccounts resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Storage/storageAccounts@2023-05-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  identity {
    type = "string"
    identity_ids = []
  }
  body = jsonencode({
    properties = {
      accessTier = "string"
      allowBlobPublicAccess = bool
      allowCrossTenantReplication = bool
      allowedCopyScope = "string"
      allowSharedKeyAccess = bool
      azureFilesIdentityBasedAuthentication = {
        activeDirectoryProperties = {
          accountType = "string"
          azureStorageSid = "string"
          domainGuid = "string"
          domainName = "string"
          domainSid = "string"
          forestName = "string"
          netBiosDomainName = "string"
          samAccountName = "string"
        }
        defaultSharePermission = "string"
        directoryServiceOptions = "string"
      }
      customDomain = {
        name = "string"
        useSubDomainName = bool
      }
      defaultToOAuthAuthentication = bool
      dnsEndpointType = "string"
      enableExtendedGroups = bool
      encryption = {
        identity = {
          federatedIdentityClientId = "string"
          userAssignedIdentity = "string"
        }
        keySource = "string"
        keyvaultproperties = {
          keyname = "string"
          keyvaulturi = "string"
          keyversion = "string"
        }
        requireInfrastructureEncryption = bool
        services = {
          blob = {
            enabled = bool
            keyType = "string"
          }
          file = {
            enabled = bool
            keyType = "string"
          }
          queue = {
            enabled = bool
            keyType = "string"
          }
          table = {
            enabled = bool
            keyType = "string"
          }
        }
      }
      immutableStorageWithVersioning = {
        enabled = bool
        immutabilityPolicy = {
          allowProtectedAppendWrites = bool
          immutabilityPeriodSinceCreationInDays = int
          state = "string"
        }
      }
      isHnsEnabled = bool
      isLocalUserEnabled = bool
      isNfsV3Enabled = bool
      isSftpEnabled = bool
      keyPolicy = {
        keyExpirationPeriodInDays = int
      }
      largeFileSharesState = "string"
      minimumTlsVersion = "string"
      networkAcls = {
        bypass = "string"
        defaultAction = "string"
        ipRules = [
          {
            action = "Allow"
            value = "string"
          }
        ]
        resourceAccessRules = [
          {
            resourceId = "string"
            tenantId = "string"
          }
        ]
        virtualNetworkRules = [
          {
            action = "Allow"
            id = "string"
            state = "string"
          }
        ]
      }
      publicNetworkAccess = "string"
      routingPreference = {
        publishInternetEndpoints = bool
        publishMicrosoftEndpoints = bool
        routingChoice = "string"
      }
      sasPolicy = {
        expirationAction = "string"
        sasExpirationPeriod = "string"
      }
      supportsHttpsTrafficOnly = bool
    }
    sku = {
      name = "string"
    }
    kind = "string"
    extendedLocation = {
      name = "string"
      type = "EdgeZone"
    }
  })
}

Property values

storageAccounts

Name Description Value
type The resource type "Microsoft.Storage/storageAccounts@2023-05-01"
name The resource name string (required)

Character limit: 3-24

Valid characters:
Lowercase letters and numbers.

Resource name must be unique across Azure.
location Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. string (required)
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters. Dictionary of tag names and values.
sku Required. Gets or sets the SKU name. Sku (required)
kind Required. Indicates the type of storage account. "BlobStorage"
"BlockBlobStorage"
"FileStorage"
"Storage"
"StorageV2" (required)
extendedLocation Optional. Set the extended location of the resource. If not set, the storage account will be created in Azure main region. Otherwise it will be created in the specified extended location ExtendedLocation
identity The identity of the resource. Identity
properties The parameters used to create the storage account. StorageAccountPropertiesCreateParametersOrStorageAcc...

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. "EdgeZone"

Identity

Name Description Value
type The identity type. "SystemAssigned"
"SystemAssigned,UserAssigned"
"UserAssigned" (required)
identity_ids Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here. Array of user identity IDs.

IdentityUserAssignedIdentities

Name Description Value
{customized property} UserAssignedIdentity

UserAssignedIdentity

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

StorageAccountPropertiesCreateParametersOrStorageAcc...

Name Description Value
accessTier Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type. "Cold"
"Cool"
"Hot"
"Premium"
allowBlobPublicAccess Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is false for this property. bool
allowCrossTenantReplication Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. The default interpretation is false for new accounts to follow best security practices by default. bool
allowedCopyScope Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. "AAD"
"PrivateLink"
allowSharedKeyAccess Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. bool
azureFilesIdentityBasedAuthentication Provides the identity based authentication settings for Azure Files. AzureFilesIdentityBasedAuthentication
customDomain User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. CustomDomain
defaultToOAuthAuthentication A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. bool
dnsEndpointType Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. "AzureDnsZone"
"Standard"
enableExtendedGroups Enables extended group support with local users feature, if set to true bool
encryption Encryption settings to be used for server-side encryption for the storage account. Encryption
immutableStorageWithVersioning The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the new containers in the account by default. ImmutableStorageAccount
isHnsEnabled Account HierarchicalNamespace enabled if sets to true. bool
isLocalUserEnabled Enables local users feature, if set to true bool
isNfsV3Enabled NFS 3.0 protocol support enabled if set to true. bool
isSftpEnabled Enables Secure File Transfer Protocol, if set to true bool
keyPolicy KeyPolicy assigned to the storage account. KeyPolicy
largeFileSharesState Allow large file shares if sets to Enabled. It cannot be disabled once it is enabled. "Disabled"
"Enabled"
minimumTlsVersion Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. "TLS1_0"
"TLS1_1"
"TLS1_2"
"TLS1_3"
networkAcls Network rule set NetworkRuleSet
publicNetworkAccess Allow, disallow, or let Network Security Perimeter configuration to evaluate public network access to Storage Account. Value is optional but if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'. "Disabled"
"Enabled"
"SecuredByPerimeter"
routingPreference Maintains information about the network routing choice opted by the user for data transfer RoutingPreference
sasPolicy SasPolicy assigned to the storage account. SasPolicy
supportsHttpsTrafficOnly Allows https traffic only to storage service if sets to true. The default value is true since API version 2019-04-01. bool

AzureFilesIdentityBasedAuthentication

Name Description Value
activeDirectoryProperties Required if directoryServiceOptions are AD, optional if they are AADKERB. ActiveDirectoryProperties
defaultSharePermission Default share permission for users using Kerberos authentication if RBAC role is not assigned. "None"
"StorageFileDataSmbShareContributor"
"StorageFileDataSmbShareElevatedContributor"
"StorageFileDataSmbShareReader"
directoryServiceOptions Indicates the directory service used. Note that this enum may be extended in the future. "AADDS"
"AADKERB"
"AD"
"None" (required)

ActiveDirectoryProperties

Name Description Value
accountType Specifies the Active Directory account type for Azure Storage. "Computer"
"User"
azureStorageSid Specifies the security identifier (SID) for Azure Storage. string
domainGuid Specifies the domain GUID. string (required)
domainName Specifies the primary domain that the AD DNS server is authoritative for. string (required)
domainSid Specifies the security identifier (SID). string
forestName Specifies the Active Directory forest to get. string
netBiosDomainName Specifies the NetBIOS domain name. string
samAccountName Specifies the Active Directory SAMAccountName for Azure Storage. string

CustomDomain

Name Description Value
name Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. string (required)
useSubDomainName Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. bool

Encryption

Name Description Value
identity The identity to be used with service-side encryption at rest. EncryptionIdentity
keySource The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault "Microsoft.Keyvault"
"Microsoft.Storage"
keyvaultproperties Properties provided by key vault. KeyVaultProperties
requireInfrastructureEncryption A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. bool
services List of services which support encryption. EncryptionServices

EncryptionIdentity

Name Description Value
federatedIdentityClientId ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account. string
userAssignedIdentity Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account. string

KeyVaultProperties

Name Description Value
keyname The name of KeyVault key. string
keyvaulturi The Uri of KeyVault. string
keyversion The version of KeyVault key. string

EncryptionServices

Name Description Value
blob The encryption function of the blob storage service. EncryptionService
file The encryption function of the file storage service. EncryptionService
queue The encryption function of the queue storage service. EncryptionService
table The encryption function of the table storage service. EncryptionService

EncryptionService

Name Description Value
enabled A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. bool
keyType Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. "Account"
"Service"

ImmutableStorageAccount

Name Description Value
enabled A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default. bool
immutabilityPolicy Specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy. AccountImmutabilityPolicyProperties

AccountImmutabilityPolicyProperties

Name Description Value
allowProtectedAppendWrites This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. bool
immutabilityPeriodSinceCreationInDays The immutability period for the blobs in the container since the policy creation, in days. int

Constraints:
Min value = 1
Max value = 146000
state The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted. "Disabled"
"Locked"
"Unlocked"

KeyPolicy

Name Description Value
keyExpirationPeriodInDays The key expiration period in days. int (required)

NetworkRuleSet

Name Description Value
bypass Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics. "AzureServices"
"Logging"
"Metrics"
"None"
defaultAction Specifies the default action of allow or deny when no other rules match. "Allow"
"Deny" (required)
ipRules Sets the IP ACL rules IPRule[]
resourceAccessRules Sets the resource access rules ResourceAccessRule[]
virtualNetworkRules Sets the virtual network rules VirtualNetworkRule[]

IPRule

Name Description Value
action The action of IP ACL rule. "Allow"
value Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string (required)

ResourceAccessRule

Name Description Value
resourceId Resource Id string
tenantId Tenant Id string

VirtualNetworkRule

Name Description Value
action The action of virtual network rule. "Allow"
id Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. string (required)
state Gets the state of virtual network rule. "Deprovisioning"
"Failed"
"NetworkSourceDeleted"
"Provisioning"
"Succeeded"

RoutingPreference

Name Description Value
publishInternetEndpoints A boolean flag which indicates whether internet routing storage endpoints are to be published bool
publishMicrosoftEndpoints A boolean flag which indicates whether microsoft routing storage endpoints are to be published bool
routingChoice Routing Choice defines the kind of network routing opted by the user. "InternetRouting"
"MicrosoftRouting"

SasPolicy

Name Description Value
expirationAction The SAS Expiration Action defines the action to be performed when sasPolicy.sasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period. "Block"
"Log" (required)
sasExpirationPeriod The SAS expiration period, DD.HH:MM:SS. string (required)

Sku

Name Description Value
name The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. "Premium_LRS"
"Premium_ZRS"
"Standard_GRS"
"Standard_GZRS"
"Standard_LRS"
"Standard_RAGRS"
"Standard_RAGZRS"
"Standard_ZRS" (required)