az storage account

Manage storage accounts.

Commands

az storage account blob-inventory-policy

Manage storage account Blob Inventory Policy.

az storage account blob-inventory-policy create

Create Blob Inventory Policy for storage account.

az storage account blob-inventory-policy delete

Delete Blob Inventory Policy associated with the specified storage account.

az storage account blob-inventory-policy show

Show Blob Inventory Policy properties associated with the specified storage account.

az storage account blob-inventory-policy update

Update Blob Inventory Policy associated with the specified storage account.

az storage account blob-service-properties

Manage the properties of a storage account's blob service.

az storage account blob-service-properties show

Show the properties of a storage account's blob service.

az storage account blob-service-properties update

Update the properties of a storage account's blob service.

az storage account check-name

Check that the storage account name is valid and is not already in use.

az storage account create

Create a storage account.

az storage account delete

Delete a storage account.

az storage account encryption-scope

Manage encryption scope for a storage account.

az storage account encryption-scope create

Create an encryption scope within storage account.

az storage account encryption-scope list

List encryption scopes within storage account.

az storage account encryption-scope show

Show properties for specified encryption scope within storage account.

az storage account encryption-scope update

Update properties for specified encryption scope within storage account.

az storage account failover

Failover request can be triggered for a storage account in case of availability issues.

az storage account file-service-properties

Manage the properties of file service in storage account.

az storage account file-service-properties show

Show the properties of file service in storage account.

az storage account file-service-properties update

Update the properties of file service in storage account.

az storage account generate-sas

Generate a shared access signature for the storage account.

az storage account hns-migration

Manage storage account migration to enable hierarchical namespace.

az storage account hns-migration start

Validate/Begin migrating a storage account to enable hierarchical namespace.

az storage account hns-migration stop

Stop the enabling hierarchical namespace migration of a storage account.

az storage account keys

Manage storage account keys.

az storage account keys list

List the access keys or Kerberos keys (if active directory enabled) for a storage account.

az storage account keys renew

Regenerate one of the access keys or Kerberos keys (if active directory enabled) for a storage account.

az storage account list

List storage accounts.

az storage account local-user

Manage storage account local users.

az storage account local-user create

Create a local user for a given storage account.

az storage account local-user delete

Delete a local user.

az storage account local-user list

List local users for a storage account.

az storage account local-user list-keys

List sharedkeys and sshAuthorizedKeys for a local user.

az storage account local-user regenerate-password

Regenerate sshPassword for a local user.

az storage account local-user show

Show info for a local user.

az storage account local-user update

Update properties for a local user.

az storage account management-policy

Manage storage account management policies.

az storage account management-policy create

Create the data policy rules associated with the specified storage account.

az storage account management-policy delete

Delete the data policy rules associated with the specified storage account.

az storage account management-policy show

Get the data policy rules associated with the specified storage account.

az storage account management-policy update

Update the data policy rules associated with the specified storage account.

az storage account network-rule

Manage network rules.

az storage account network-rule add

Add a network rule.

az storage account network-rule list

List network rules.

az storage account network-rule remove

Remove a network rule.

az storage account or-policy

Manage storage account Object Replication Policy.

az storage account or-policy create

Create Object Replication Service Policy for storage account.

az storage account or-policy delete

Delete specified Object Replication Service Policy associated with the specified storage account.

az storage account or-policy list

List Object Replication Service Policies associated with the specified storage account.

az storage account or-policy rule

Manage Object Replication Service Policy Rules.

az storage account or-policy rule add

Add rule to the specified Object Replication Service Policy.

az storage account or-policy rule list

List all the rules in the specified Object Replication Service Policy.

az storage account or-policy rule remove

Remove the specified rule from the specified Object Replication Service Policy.

az storage account or-policy rule show

Show the properties of specified rule in Object Replication Service Policy.

az storage account or-policy rule update

Update rule properties to Object Replication Service Policy.

az storage account or-policy show

Show the properties of specified Object Replication Service Policy for storage account.

az storage account or-policy update

Update Object Replication Service Policy properties for storage account.

az storage account private-endpoint-connection

Manage storage account private endpoint connection.

az storage account private-endpoint-connection approve

Approve a private endpoint connection request for storage account.

az storage account private-endpoint-connection delete

Delete a private endpoint connection request for storage account.

az storage account private-endpoint-connection reject

Reject a private endpoint connection request for storage account.

az storage account private-endpoint-connection show

Show details of a private endpoint connection request for storage account.

az storage account private-link-resource

Manage storage account private link resources.

az storage account private-link-resource list

Get the private link resources that need to be created for a storage account.

az storage account revoke-delegation-keys

Revoke all user delegation keys for a storage account.

az storage account show

Show storage account properties.

az storage account show-connection-string

Get the connection string for a storage account.

az storage account show-usage

Show the current count and limit of the storage accounts under the subscription.

az storage account update

Update the properties of a storage account.

az storage account check-name

Check that the storage account name is valid and is not already in use.

az storage account check-name --name

Required Parameters

--name -n

The name of the storage account within the specified resource group.

az storage account create

Create a storage account.

The SKU of the storage account defaults to 'Standard_RAGRS'.

az storage account create --name
                          --resource-group
                          [--access-tier {Cool, Hot, Premium}]
                          [--account-type]
                          [--action]
                          [--allow-append {false, true}]
                          [--allow-blob-public-access {false, true}]
                          [--allow-cross-tenant-replication {false, true}]
                          [--allow-shared-key-access {false, true}]
                          [--assign-identity]
                          [--azure-storage-sid]
                          [--bypass {AzureServices, Logging, Metrics, None}]
                          [--custom-domain]
                          [--default-action {Allow, Deny}]
                          [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                          [--domain-guid]
                          [--domain-name]
                          [--domain-sid]
                          [--edge-zone]
                          [--enable-alw {false, true}]
                          [--enable-files-aadds {false, true}]
                          [--enable-files-aadkerb {false, true}]
                          [--enable-files-adds {false, true}]
                          [--enable-hierarchical-namespace {false, true}]
                          [--enable-large-file-share]
                          [--enable-local-user {false, true}]
                          [--enable-nfs-v3 {false, true}]
                          [--enable-sftp {false, true}]
                          [--encryption-key-name]
                          [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                          [--encryption-key-type-for-queue {Account, Service}]
                          [--encryption-key-type-for-table {Account, Service}]
                          [--encryption-key-vault]
                          [--encryption-key-version]
                          [--encryption-services {blob, file, queue, table}]
                          [--forest-name]
                          [--https-only {false, true}]
                          [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                          [--immutability-period]
                          [--immutability-state {Disabled, Locked, Unlocked}]
                          [--key-exp-days]
                          [--key-vault-federated-client-id]
                          [--key-vault-user-identity-id]
                          [--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
                          [--location]
                          [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                          [--net-bios-domain-name]
                          [--public-network-access {Disabled, Enabled}]
                          [--publish-internet-endpoints {false, true}]
                          [--publish-microsoft-endpoints {false, true}]
                          [--require-infrastructure-encryption {false, true}]
                          [--routing-choice {InternetRouting, MicrosoftRouting}]
                          [--sam-account-name]
                          [--sas-exp]
                          [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                          [--subnet]
                          [--tags]
                          [--user-identity-id]
                          [--vnet-name]

Examples

Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.

az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS

Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the eastus2euap region with account-scoped encryption key enabled for Table Service.

az storage account create -n mystorageaccount -g MyResourceGroup --kind StorageV2 -l eastus2euap -t Account

Required Parameters

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access-tier

The access tier used for billing StandardBlob accounts. Cannot be set for StandardLRS, StandardGRS, StandardRAGRS, or PremiumLRS account types. It is required for StandardBlob accounts during creation.

accepted values: Cool, Hot, Premium
--account-type

Specify the Active Directory account type for Azure Storage.

--action

The action of virtual network rule. Possible value is Allow.

default value: Allow
--allow-append --allow-protected-append-writes -w

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

accepted values: false, true
--allow-blob-public-access

Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.

accepted values: false, true
--allow-cross-tenant-replication -r

Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.

accepted values: false, true
--allow-shared-key-access -k

Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

accepted values: false, true
--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None
--custom-domain

User domain assigned to the storage account. Name is the CNAME source.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny
--default-share-permission -d

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

accepted values: None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader
--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--edge-zone

The name of edge zone.

--enable-alw

The account level immutability property. The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.

accepted values: false, true
--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true
--enable-files-aadkerb

Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.

accepted values: false, true
--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true
--enable-hierarchical-namespace --hns

Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.

accepted values: false, true
--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account. Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--enable-local-user

Enable local user features.

accepted values: false, true
--enable-nfs-v3

NFS 3.0 protocol support is enabled if set to true.

accepted values: false, true
--enable-sftp

Enable Secure File Transfer Protocol.

accepted values: false, true
--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption key source.

accepted values: Microsoft.Keyvault, Microsoft.Storage
--encryption-key-type-for-queue -q

Set the encryption key type for Queue service. "Account": Queue will be encrypted with account-scoped encryption key. "Service": Queue will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".

accepted values: Account, Service
--encryption-key-type-for-table -t

Set the encryption key type for Table service. "Account": Table will be encrypted with account-scoped encryption key. "Service": Table will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".

accepted values: Account, Service
--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table
--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allow only HTTPS traffic to the storage service if set to true. The default value is true.

accepted values: false, true
--identity-type

The identity type.

accepted values: None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned
--immutability-period --immutability-period-in-days

The immutability period for the blobs in the container since the policy creation, in days.

--immutability-state

Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

accepted values: Disabled, Locked, Unlocked
--key-exp-days --key-expiration-period-in-days

Expiration period in days of the Key Policy assigned to the storage account.

--key-vault-federated-client-id -f

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

--key-vault-user-identity-id -u

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

--kind

Indicate the type of storage account.

accepted values: BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2
default value: StorageV2
--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--min-tls-version

The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

accepted values: TLS1_0, TLS1_1, TLS1_2
--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--public-network-access

Enable or disable public network access to the storage account.

accepted values: Disabled, Enabled
--publish-internet-endpoints

A boolean flag which indicates whether internet routing storage endpoints are to be published.

accepted values: false, true
--publish-microsoft-endpoints

A boolean flag which indicates whether Microsoft routing storage endpoints are to be published.

accepted values: false, true
--require-infrastructure-encryption -i

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

accepted values: false, true
--routing-choice

Routing Choice defines the kind of network routing opted by the user.

accepted values: InternetRouting, MicrosoftRouting
--sam-account-name

Specify the Active Directory SAMAccountName for Azure Storage.

--sas-exp --sas-expiration-period

Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.

--sku

The storage account SKU.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS
default value: Standard_RAGRS
--subnet

Name or ID of subnet. If name is supplied, --vnet-name must be supplied.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--user-identity-id

The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

--vnet-name

Name of a virtual network.
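
Several of the defaults described above are permissive: --allow-blob-public-access and --allow-shared-key-access treat null as true, and --min-tls-version is interpreted as TLS 1.0 when unset. The following added example (not part of the Azure CLI or its documentation) audits account JSON for those settings and builds the matching update command. The JSON property names and the sample accounts are assumptions: the names are taken from the CLI's JSON output, which this page does not show, and the sample data is constructed.

```python
import json

# Constructed sample shaped like `az storage account list -o json`.
# Property names are assumed from the CLI's JSON output; they are not on this page.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "legacyacct", "allowBlobPublicAccess": null,
   "allowSharedKeyAccess": null, "minimumTlsVersion": null,
   "enableHttpsTrafficOnly": false, "publicNetworkAccess": null,
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "hardenedacct", "allowBlobPublicAccess": false,
   "allowSharedKeyAccess": false, "minimumTlsVersion": "TLS1_2",
   "enableHttpsTrafficOnly": true, "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny"}},
  {"name": "privateacct", "allowBlobPublicAccess": false,
   "allowSharedKeyAccess": false, "minimumTlsVersion": "TLS1_2",
   "enableHttpsTrafficOnly": true, "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Allow"}}
]
""")


def audit_account(acct):
    """Return the `az storage account update` flags that would harden acct."""
    fixes = []
    # null is equivalent to true, so only an explicit false counts as disabled.
    if acct.get("allowBlobPublicAccess") is not False:
        fixes.append("--allow-blob-public-access false")
    # With shared key access off, every request (SAS included) must be
    # authorized with Azure AD, so confirm no client depends on account keys.
    if acct.get("allowSharedKeyAccess") is not False:
        fixes.append("--allow-shared-key-access false")
    # An unset minimum TLS version is interpreted as TLS 1.0.
    if acct.get("minimumTlsVersion") != "TLS1_2":
        fixes.append("--min-tls-version TLS1_2")
    # HTTPS-only defaults to true, so flag only an explicit opt-out.
    if acct.get("enableHttpsTrafficOnly") is False:
        fixes.append("--https-only true")
    # A default action other than Deny matters only while the public
    # endpoint is reachable at all.
    rules = acct.get("networkRuleSet") or {}
    if (acct.get("publicNetworkAccess") != "Disabled"
            and rules.get("defaultAction") != "Deny"):
        fixes.append("--default-action Deny")
    return fixes


def remediation_command(acct, resource_group):
    """Build one update command for the account, or None if nothing to fix."""
    fixes = audit_account(acct)
    if not fixes:
        return None
    return "az storage account update -n {} -g {} {}".format(
        acct["name"], resource_group, " ".join(fixes))


if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        cmd = remediation_command(account, "MyResourceGroup")
        print(account["name"], "->", cmd or "no changes needed")
```

Switching --default-action to Deny cuts off clients that are not covered by a network rule, so add the needed rules with az storage account network-rule add before applying it.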

az storage account delete

Delete a storage account.

az storage account delete [--ids]
                          [--name]
                          [--resource-group]
                          [--yes]

Examples

Delete a storage account using a resource ID.

az storage account delete --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Delete a storage account using an account name and resource group.

az storage account delete -n MyStorageAccount -g MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--yes -y

Do not prompt for confirmation.

az storage account failover

Failover request can be triggered for a storage account in case of availability issues.

The failover occurs from the storage account's primary cluster to secondary cluster for (RA-)GRS/GZRS accounts. The secondary cluster will become primary after failover. For more information, please refer to https://docs.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance.

az storage account failover [--ids]
                            [--name]
                            [--no-wait]
                            [--resource-group]
                            [--yes]

Examples

Failover a storage account.

az storage account failover -n mystorageaccount -g MyResourceGroup

Failover a storage account without waiting for completion.

az storage account failover -n mystorageaccount -g MyResourceGroup --no-wait
az storage account show -n mystorageaccount --expand geoReplicationStats

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--no-wait

Do not wait for the long-running operation to finish.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--yes -y

Do not prompt for confirmation.

az storage account generate-sas

Generate a shared access signature for the storage account.

az storage account generate-sas --expiry
                                --permissions
                                --resource-types
                                --services
                                [--account-key]
                                [--account-name]
                                [--blob-endpoint]
                                [--connection-string]
                                [--encryption-scope]
                                [--https-only]
                                [--ids]
                                [--ip]
                                [--start]

Examples

Generate a SAS token for the account that is valid for queue and table services on Linux.

end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv

Generate a SAS token for the account that is valid for queue and table services on macOS.

end=`date -v+30M '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv

Generate a shared access signature for the account (autogenerated)

az storage account generate-sas --account-key 00000000 --account-name MyStorageAccount --expiry 2020-01-01 --https-only --permissions acuw --resource-types co --services bfqt

Required Parameters

--expiry

Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid.

--permissions

The permissions the SAS grants. Allowed values: (a)dd (c)reate (d)elete (f)ilter_by_tags (i)set_immutability_policy (l)ist (p)rocess (r)ead (t)ag (u)pdate (w)rite (x)delete_previous_version (y)permanent_delete. Can be combined.

--resource-types

The resource types the SAS is applicable for. Allowed values: (s)ervice (c)ontainer (o)bject. Can be combined.

--services

The storage services the SAS is applicable for. Allowed values: (b)lob (f)ile (q)ueue (t)able. Can be combined.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Must be used in conjunction with either storage account key or a SAS token. Environment Variable: AZURE_STORAGE_ACCOUNT.

--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--encryption-scope

A predefined encryption scope used to encrypt the data on the service.

--https-only

Only permit requests made with the HTTPS protocol. If omitted, requests from both the HTTP and HTTPS protocol are permitted.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ip

Specifies the IP address or range of IP addresses from which to accept requests. Supports only IPv4 style addresses.

--start

Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes valid. Defaults to the time of the request.
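
An account SAS carries the choices made with --permissions, --resource-types, --services, --expiry, --https-only and --ip as query parameters, so an issued token can be reviewed before it is handed out. The following added example (not part of the Azure CLI or its documentation) parses a token and reports over-broad settings. The query parameter names (ss, srt, sp, se, spr, sip), the one-hour lifetime threshold and the finding labels are assumptions of this example, and the tokens are constructed with a placeholder signature.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# (d)elete, (x)delete_previous_version, (y)permanent_delete
DESTRUCTIVE = set("dxy")
# Expiry spellings: with seconds, without seconds, and date only.
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

# Constructed tokens; the signature is a placeholder, not a real value.
BROAD_TOKEN = "ss=qt&srt=sco&sp=cdlruwap&se=2024-01-01T00:30Z&sig=CONSTRUCTED"
NARROW_TOKEN = ("ss=b&srt=o&sp=r&se=2024-01-01T00:15Z&spr=https"
                "&sip=203.0.113.10&sig=CONSTRUCTED")
DATE_ONLY_TOKEN = "ss=bfqt&srt=co&sp=acuw&se=2024-03-01&spr=https&sig=CONSTRUCTED"


def parse_expiry(value):
    """Parse the SAS expiry as a timezone-aware UTC datetime."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised expiry: {!r}".format(value))


def audit_sas(token, now, max_lifetime=timedelta(hours=1)):
    """Return a list of finding labels for an account SAS token."""
    parsed = parse_qs(token.lstrip("?"), keep_blank_values=True)
    fields = {key: values[0] for key, values in parsed.items()}
    findings = []

    # Without --https-only the token is valid over HTTP as well as HTTPS.
    if fields.get("spr") != "https":
        findings.append("http-allowed")
    # Without --ip the token works from any source address.
    if not fields.get("sip"):
        findings.append("no-ip-restriction")
    if DESTRUCTIVE & set(fields.get("sp", "")):
        findings.append("destructive-permissions")
    if len(set(fields.get("ss", ""))) > 1:
        findings.append("multi-service")
    # (s)ervice-level resource type reaches service-wide operations.
    if "s" in fields.get("srt", ""):
        findings.append("service-level-resource")

    if "se" not in fields:
        findings.append("no-expiry")
    else:
        expiry = parse_expiry(fields["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append("long-lived")
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    for label, tok in (("broad", BROAD_TOKEN), ("narrow", NARROW_TOKEN),
                       ("date-only", DATE_ONLY_TOKEN)):
        print(label, audit_sas(tok, fixed_now))
```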

az storage account list

List storage accounts.

az storage account list [--resource-group]

Examples

List all storage accounts in a subscription.

az storage account list

List all storage accounts in a resource group.

az storage account list -g MyResourceGroup

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az storage account revoke-delegation-keys

Revoke all user delegation keys for a storage account.

az storage account revoke-delegation-keys [--ids]
                                          [--name]
                                          [--resource-group]

Examples

Revoke all user delegation keys for a storage account by resource ID.

az storage account revoke-delegation-keys --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Revoke all user delegation keys for a storage account 'mystorageaccount' in resource group 'MyResourceGroup'.

az storage account revoke-delegation-keys -n mystorageaccount -g MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az storage account show

Show storage account properties.

az storage account show [--expand]
                        [--ids]
                        [--name]
                        [--resource-group]

Examples

Show properties for a storage account by resource ID.

az storage account show --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Show properties for a storage account using an account name and resource group.

az storage account show -g MyResourceGroup -n MyStorageAccount

Optional Parameters

--expand

May be used to expand the properties within account's properties. By default, data is not included when fetching properties. Currently we only support geoReplicationStats and blobRestoreStatus. Default value is None.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az storage account show-connection-string

Get the connection string for a storage account.

az storage account show-connection-string [--blob-endpoint]
                                          [--file-endpoint]
                                          [--ids]
                                          [--key {key1, key2, primary, secondary}]
                                          [--name]
                                          [--protocol {http, https}]
                                          [--queue-endpoint]
                                          [--resource-group]
                                          [--sas-token]
                                          [--table-endpoint]

Examples

Get a connection string for a storage account.

az storage account show-connection-string -g MyResourceGroup -n MyStorageAccount

Get the connection string for a storage account. (autogenerated)

az storage account show-connection-string --name MyStorageAccount --resource-group MyResourceGroup --subscription MySubscription

Optional Parameters

--blob-endpoint

Custom endpoint for blobs.

--file-endpoint

Custom endpoint for files.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--key

The key to use.

accepted values: key1, key2, primary, secondary
default value: key1
--name -n

The storage account name.

--protocol

The default endpoint protocol.

accepted values: http, https
default value: https
--queue-endpoint

Custom endpoint for queues.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--sas-token

The SAS token to be used in the connection-string.

--table-endpoint

Custom endpoint for tables.

az storage account show-usage

Show the current count and limit of the storage accounts under the subscription.

az storage account show-usage --location

Examples

Show the current count and limit of the storage accounts under the subscription. (autogenerated)

az storage account show-usage --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

az storage account update

Update the properties of a storage account.

az storage account update [--access-tier {Cool, Hot, Premium}]
                          [--account-type]
                          [--add]
                          [--allow-append {false, true}]
                          [--allow-blob-public-access {false, true}]
                          [--allow-cross-tenant-replication {false, true}]
                          [--allow-shared-key-access {false, true}]
                          [--assign-identity]
                          [--azure-storage-sid]
                          [--bypass {AzureServices, Logging, Metrics, None}]
                          [--custom-domain]
                          [--default-action {Allow, Deny}]
                          [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                          [--domain-guid]
                          [--domain-name]
                          [--domain-sid]
                          [--enable-files-aadds {false, true}]
                          [--enable-files-aadkerb {false, true}]
                          [--enable-files-adds {false, true}]
                          [--enable-large-file-share]
                          [--enable-local-user {false, true}]
                          [--enable-sftp {false, true}]
                          [--encryption-key-name]
                          [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                          [--encryption-key-vault]
                          [--encryption-key-version]
                          [--encryption-services {blob, file, queue, table}]
                          [--force-string]
                          [--forest-name]
                          [--https-only {false, true}]
                          [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                          [--ids]
                          [--immutability-period]
                          [--immutability-state {Disabled, Locked, Unlocked}]
                          [--key-exp-days]
                          [--key-vault-federated-client-id]
                          [--key-vault-user-identity-id]
                          [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                          [--name]
                          [--net-bios-domain-name]
                          [--public-network-access {Disabled, Enabled}]
                          [--publish-internet-endpoints {false, true}]
                          [--publish-microsoft-endpoints {false, true}]
                          [--remove]
                          [--resource-group]
                          [--routing-choice {InternetRouting, MicrosoftRouting}]
                          [--sam-account-name]
                          [--sas-exp]
                          [--set]
                          [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                          [--tags]
                          [--use-subdomain {false, true}]
                          [--user-identity-id]

Examples

Update the properties of a storage account. (autogenerated)

az storage account update --default-action Allow --name MyStorageAccount --resource-group MyResourceGroup

Optional Parameters

--access-tier

The access tier used for billing StandardBlob accounts. Cannot be set for StandardLRS, StandardGRS, StandardRAGRS, or PremiumLRS account types. It is required for StandardBlob accounts during creation.

accepted values: Cool, Hot, Premium

--account-type

Specify the Active Directory account type for Azure Storage.

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--allow-append --allow-protected-append-writes -w

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

accepted values: false, true

--allow-blob-public-access

Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.

accepted values: false, true

--allow-cross-tenant-replication -r

Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.

accepted values: false, true

--allow-shared-key-access -k

Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

accepted values: false, true

--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None

--custom-domain

User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny

--default-share-permission -d

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

accepted values: None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader

--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true

--enable-files-aadkerb

Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.

accepted values: false, true

--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true

--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account. Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--enable-local-user

Enable local user features.

accepted values: false, true

--enable-sftp

Enable Secure File Transfer Protocol.

accepted values: false, true

--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption key source.

accepted values: Microsoft.Keyvault, Microsoft.Storage

--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key to use. Specifying a version opts out of implicit key rotation. Use "" to opt back in to key auto-rotation.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allow only HTTPS traffic to the storage service.

accepted values: false, true

--identity-type

The identity type.

accepted values: None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--immutability-period --immutability-period-in-days

The immutability period for the blobs in the container since the policy creation, in days.

--immutability-state

Defines the mode of the policy. The Disabled state disables the policy. The Unlocked state allows the immutability retention time to be increased or decreased and also allows toggling the allow-protected-append-write property. The Locked state only allows the immutability retention time to be increased. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state, which cannot be reverted.

accepted values: Disabled, Locked, Unlocked

--key-exp-days --key-expiration-period-in-days

Expiration period in days of the Key Policy assigned to the storage account.

--key-vault-federated-client-id -f

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

--key-vault-user-identity-id -u

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

--min-tls-version

The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

accepted values: TLS1_0, TLS1_1, TLS1_2

--name -n

The storage account name.

--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--public-network-access

Enable or disable public network access to the storage account.

accepted values: Disabled, Enabled

--publish-internet-endpoints

A boolean flag which indicates whether internet routing storage endpoints are to be published.

accepted values: false, true

--publish-microsoft-endpoints

A boolean flag which indicates whether Microsoft routing storage endpoints are to be published.

accepted values: false, true

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--routing-choice

Routing Choice defines the kind of network routing opted by the user.

accepted values: InternetRouting, MicrosoftRouting

--sam-account-name

Specify the Active Directory SAMAccountName for Azure Storage.

--sas-exp --sas-expiration-period

Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--sku

Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--use-subdomain

Specify whether to use indirect CNAME validation.

accepted values: false, true

--user-identity-id

The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
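
An added example, not part of the Azure CLI documentation: it audits a storage account's JSON properties and builds the `az storage account update` command that closes each gap, applying the defaults stated above (null public access and null shared key access are equivalent to true, a null minimum TLS version is read as TLS 1.0). The JSON field names and the sample account are assumptions; the flags and their values come from this page.

```python
import json
import shlex

# Constructed sample shaped like `az storage account show -o json` output.
# The JSON field names are assumptions; the flags and defaults are from the page.
SAMPLE = json.loads("""{
  "name": "mystorageaccount", "resourceGroup": "MyResourceGroup",
  "allowBlobPublicAccess": null, "allowSharedKeyAccess": false,
  "enableHttpsTrafficOnly": true, "minimumTlsVersion": null,
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow"}
}""")

# (JSON field, update flag, hardened value, what a null field is equivalent to)
CHECKS = [
    ("allowBlobPublicAccess", "--allow-blob-public-access", "false", "true"),
    ("allowSharedKeyAccess", "--allow-shared-key-access", "false", "true"),
    ("enableHttpsTrafficOnly", "--https-only", "true", None),
    ("minimumTlsVersion", "--min-tls-version", "TLS1_2", "TLS1_0"),
]


def findings(account):
    """Return (flag, hardened_value, effective_value) for each weak setting."""
    out = []
    for field, flag, want, null_means in CHECKS:
        raw = account.get(field)
        if isinstance(raw, bool):          # JSON true/false -> CLI spelling
            raw = "true" if raw else "false"
        effective = null_means if raw is None else raw
        if effective != want:              # an unknown value counts as weak
            out.append((flag, want, effective))
    action = (account.get("networkRuleSet") or {}).get("defaultAction")
    if action != "Deny":
        out.append(("--default-action", "Deny", action))
    return out


def remediation(account):
    """Build one `az storage account update` command that fixes every finding."""
    fixes = findings(account)
    if not fixes:
        return None
    cmd = ["az", "storage", "account", "update", "--name", account["name"],
           "--resource-group", account["resourceGroup"]]
    for flag, want, _ in fixes:
        cmd += [flag, want]
    return shlex.join(cmd)
```

Setting `--allow-shared-key-access false` also rejects shared access signatures that are not authorized with Azure AD, as the parameter description states, so confirm how clients authenticate before applying that flag.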