az storage account

Note

This command group has commands that are defined in both Azure CLI and at least one extension. Install each extension to benefit from its extended capabilities. Learn more about extensions.

Manage storage accounts.

Commands

Name Description Type Status
az storage account blob-inventory-policy

Manage storage account Blob Inventory Policy.

Core Preview
az storage account blob-inventory-policy create

Create Blob Inventory Policy for storage account.

Core Preview
az storage account blob-inventory-policy delete

Delete Blob Inventory Policy associated with the specified storage account.

Core Preview
az storage account blob-inventory-policy show

Show Blob Inventory Policy properties associated with the specified storage account.

Core Preview
az storage account blob-inventory-policy update

Update Blob Inventory Policy associated with the specified storage account.

Core Preview
az storage account blob-service-properties

Manage the properties of a storage account's blob service.

Core GA
az storage account blob-service-properties cors-rule

Manage the Cross-Origin Resource Sharing (CORS) rules of a storage account's blob service properties.

Core GA
az storage account blob-service-properties cors-rule add

Add a CORS rule for a storage account.

Core GA
az storage account blob-service-properties cors-rule clear

Clear all CORS rules for a storage account.

Core GA
az storage account blob-service-properties cors-rule list

List all CORS rules of a storage account's blob service properties.

Core GA
az storage account blob-service-properties show

Show the properties of a storage account's blob service.

Core GA
az storage account blob-service-properties update

Update the properties of a storage account's blob service.

Core GA
az storage account check-name

Check that the storage account name is valid and is not already in use.

Core GA
az storage account create

Create a storage account.

Core GA
az storage account create (storage-preview extension)

Create a storage account.

Extension Preview
az storage account delete

Delete a storage account.

Core GA
az storage account encryption-scope

Manage encryption scope for a storage account.

Core GA
az storage account encryption-scope create

Create an encryption scope within storage account.

Core GA
az storage account encryption-scope list

List encryption scopes within storage account.

Core GA
az storage account encryption-scope show

Show properties for specified encryption scope within storage account.

Core GA
az storage account encryption-scope update

Update properties for specified encryption scope within storage account.

Core GA
az storage account failover

Failover request can be triggered for a storage account in case of availability issues.

Core Preview
az storage account file-service-properties

Manage the properties of file service in storage account.

Core GA
az storage account file-service-properties show

Show the properties of file service in storage account.

Core GA
az storage account file-service-properties update

Update the properties of file service in storage account.

Core GA
az storage account generate-sas

Generate a shared access signature for the storage account.

Core GA
az storage account hns-migration

Manage storage account migration to enable hierarchical namespace.

Core GA
az storage account hns-migration start

Validate/Begin migrating a storage account to enable hierarchical namespace.

Core GA
az storage account hns-migration stop

Stop the enabling hierarchical namespace migration of a storage account.

Core GA
az storage account keys

Manage storage account keys.

Core GA
az storage account keys list

List the access keys or Kerberos keys (if active directory enabled) for a storage account.

Core GA
az storage account keys renew

Regenerate one of the access keys or Kerberos keys (if active directory enabled) for a storage account.

Core GA
az storage account list

List storage accounts.

Core GA
az storage account local-user

Manage storage account local users.

Core GA
az storage account local-user create

Create a local user for a given storage account.

Core GA
az storage account local-user delete

Delete a local user.

Core GA
az storage account local-user list

List local users for a storage account.

Core GA
az storage account local-user list-keys

List sharedkeys and sshAuthorizedKeys for a local user.

Core GA
az storage account local-user regenerate-password

Regenerate sshPassword for a local user.

Core GA
az storage account local-user show

Show info for a local user.

Core GA
az storage account local-user update

Update properties for a local user.

Core GA
az storage account management-policy

Manage storage account management policies.

Core GA
az storage account management-policy create

Create the data policy rules associated with the specified storage account.

Core GA
az storage account management-policy delete

Delete the data policy rules associated with the specified storage account.

Core GA
az storage account management-policy show

Get the data policy rules associated with the specified storage account.

Core GA
az storage account management-policy update

Update the data policy rules associated with the specified storage account.

Core GA
az storage account migration

Manage Storage Account Migration.

Core and Extension GA
az storage account migration show

Get the status of the ongoing migration for the specified storage account.

Core GA
az storage account migration show (storage-preview extension)

Get the status of the ongoing migration for the specified storage account.

Extension Preview
az storage account migration start

Account Migration request can be triggered for a storage account to change its redundancy level. The migration updates the non-zonal redundant storage account to a zonal redundant account or vice-versa in order to have better reliability and availability. Zone-redundant storage (ZRS) replicates your storage account synchronously across three Azure availability zones in the primary region.

Core GA
az storage account migration start (storage-preview extension)

Account Migration request can be triggered for a storage account to change its redundancy level. The migration updates the non-zonal redundant storage account to a zonal redundant account or vice-versa in order to have better reliability and availability. Zone-redundant storage (ZRS) replicates your storage account synchronously across three Azure availability zones in the primary region.

Extension Preview
az storage account network-rule

Manage network rules.

Core GA
az storage account network-rule add

Add a network rule.

Core GA
az storage account network-rule list

List network rules.

Core GA
az storage account network-rule remove

Remove a network rule.

Core GA
az storage account or-policy

Manage storage account Object Replication Policy.

Core Preview
az storage account or-policy create

Create Object Replication Service Policy for storage account.

Core Preview
az storage account or-policy delete

Delete specified Object Replication Service Policy associated with the specified storage account.

Core Preview
az storage account or-policy list

List Object Replication Service Policies associated with the specified storage account.

Core Preview
az storage account or-policy rule

Manage Object Replication Service Policy Rules.

Core Preview
az storage account or-policy rule add

Add rule to the specified Object Replication Service Policy.

Core Preview
az storage account or-policy rule list

List all the rules in the specified Object Replication Service Policy.

Core Preview
az storage account or-policy rule remove

Remove the specified rule from the specified Object Replication Service Policy.

Core Preview
az storage account or-policy rule show

Show the properties of specified rule in Object Replication Service Policy.

Core Preview
az storage account or-policy rule update

Update rule properties to Object Replication Service Policy.

Core Preview
az storage account or-policy show

Show the properties of specified Object Replication Service Policy for storage account.

Core Preview
az storage account or-policy update

Update Object Replication Service Policy properties for storage account.

Core Preview
az storage account private-endpoint-connection

Manage storage account private endpoint connection.

Core Preview
az storage account private-endpoint-connection approve

Approve a private endpoint connection request for storage account.

Core Preview
az storage account private-endpoint-connection delete

Delete a private endpoint connection request for storage account.

Core Preview
az storage account private-endpoint-connection reject

Reject a private endpoint connection request for storage account.

Core Preview
az storage account private-endpoint-connection show

Show details of a private endpoint connection request for storage account.

Core Preview
az storage account private-link-resource

Manage storage account private link resources.

Core GA
az storage account private-link-resource list

Get the private link resources that need to be created for a storage account.

Core Preview
az storage account revoke-delegation-keys

Revoke all user delegation keys for a storage account.

Core GA
az storage account show

Show storage account properties.

Core GA
az storage account show-connection-string

Get the connection string for a storage account.

Core GA
az storage account show-usage

Show the current count and limit of the storage accounts under the subscription.

Core GA
az storage account update

Update the properties of a storage account.

Core GA
az storage account update (storage-preview extension)

Update the properties of a storage account.

Extension Preview

az storage account check-name

Check that the storage account name is valid and is not already in use.

az storage account check-name --name

Required Parameters

--name -n

The name of the storage account within the specified resource group.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account create

Create a storage account.

The SKU of the storage account defaults to 'Standard_RAGRS'.

az storage account create --name
                          --resource-group
                          [--access-tier {Cool, Hot, Premium}]
                          [--account-type]
                          [--action]
                          [--allow-append {false, true}]
                          [--allow-blob-public-access {false, true}]
                          [--allow-cross-tenant-replication {false, true}]
                          [--allow-shared-key-access {false, true}]
                          [--assign-identity]
                          [--azure-storage-sid]
                          [--bypass {AzureServices, Logging, Metrics, None}]
                          [--custom-domain]
                          [--default-action {Allow, Deny}]
                          [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                          [--dns-endpoint-type {AzureDnsZone, Standard}]
                          [--domain-guid]
                          [--domain-name]
                          [--domain-sid]
                          [--edge-zone]
                          [--enable-alw {false, true}]
                          [--enable-files-aadds {false, true}]
                          [--enable-files-aadkerb {false, true}]
                          [--enable-files-adds {false, true}]
                          [--enable-hierarchical-namespace {false, true}]
                          [--enable-large-file-share]
                          [--enable-local-user {false, true}]
                          [--enable-nfs-v3 {false, true}]
                          [--enable-sftp {false, true}]
                          [--encryption-key-name]
                          [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                          [--encryption-key-type-for-queue {Account, Service}]
                          [--encryption-key-type-for-table {Account, Service}]
                          [--encryption-key-vault]
                          [--encryption-key-version]
                          [--encryption-services {blob, file, queue, table}]
                          [--forest-name]
                          [--https-only {false, true}]
                          [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                          [--immutability-period]
                          [--immutability-state {Disabled, Locked, Unlocked}]
                          [--key-exp-days]
                          [--key-vault-federated-client-id]
                          [--key-vault-user-identity-id]
                          [--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
                          [--location]
                          [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                          [--net-bios-domain-name]
                          [--public-network-access {Disabled, Enabled}]
                          [--publish-internet-endpoints {false, true}]
                          [--publish-microsoft-endpoints {false, true}]
                          [--require-infrastructure-encryption {false, true}]
                          [--routing-choice {InternetRouting, MicrosoftRouting}]
                          [--sam-account-name]
                          [--sas-exp]
                          [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                          [--subnet]
                          [--tags]
                          [--user-identity-id]
                          [--vnet-name]

Examples

Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.

az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS

Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the eastus2euap region with account-scoped encryption key enabled for Table Service.

az storage account create -n mystorageaccount -g MyResourceGroup --kind StorageV2 -l eastus2euap -t Account

Required Parameters

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access-tier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

accepted values: Cool, Hot, Premium
--account-type

Specify the Active Directory account type for Azure Storage.

--action

The action of virtual network rule. Possible value is Allow.

default value: Allow
--allow-append --allow-protected-append-writes -w

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

accepted values: false, true
--allow-blob-public-access

Allow or disallow public access to all blobs or containers in the storage account. If not specified, the default value is false for new accounts to follow best security practices. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.

accepted values: false, true
--allow-cross-tenant-replication -r

Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. If not specified, the default value is false for new accounts to follow best security practices.

accepted values: false, true
--allow-shared-key-access -k

Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

accepted values: false, true
--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

default value: False
--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None
--custom-domain

User domain assigned to the storage account. Name is the CNAME source.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny
--default-share-permission -d

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

accepted values: None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader
--dns-endpoint-type --endpoint

Allow you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.

accepted values: AzureDnsZone, Standard
--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--edge-zone

The name of edge zone.

--enable-alw

The account level immutability property. The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.

accepted values: false, true
--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true
--enable-files-aadkerb

Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.

accepted values: false, true
--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true
--enable-hierarchical-namespace --hns

Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.

accepted values: false, true
--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--enable-local-user

Enable local user features.

accepted values: false, true
--enable-nfs-v3
Preview

NFS 3.0 protocol support enabled if sets to true.

accepted values: false, true
--enable-sftp

Enable Secure File Transfer Protocol.

accepted values: false, true
--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption key source.

accepted values: Microsoft.Keyvault, Microsoft.Storage
--encryption-key-type-for-queue -q

Set the encryption key type for Queue service. "Account": Queue will be encrypted with account-scoped encryption key. "Service": Queue will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".

accepted values: Account, Service
--encryption-key-type-for-table -t

Set the encryption key type for Table service. "Account": Table will be encrypted with account-scoped encryption key. "Service": Table will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".

accepted values: Account, Service
--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table
--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allow https traffic only to storage service if set to true. The default value is true.

accepted values: false, true
--identity-type

The identity type.

accepted values: None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned
--immutability-period --immutability-period-in-days

The immutability period for the blobs in the container since the policy creation, in days.

--immutability-state

Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

accepted values: Disabled, Locked, Unlocked
--key-exp-days --key-expiration-period-in-days
Preview

Expiration period in days of the Key Policy assigned to the storage account.

--key-vault-federated-client-id -f

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

--key-vault-user-identity-id -u

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

--kind

Indicate the type of storage account.

accepted values: BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2
default value: StorageV2
--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--min-tls-version

The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

accepted values: TLS1_0, TLS1_1, TLS1_2
--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--public-network-access

Enable or disable public network access to the storage account. Possible values include: Enabled or Disabled.

accepted values: Disabled, Enabled
--publish-internet-endpoints

A boolean flag which indicates whether internet routing storage endpoints are to be published.

accepted values: false, true
--publish-microsoft-endpoints

A boolean flag which indicates whether microsoft routing storage endpoints are to be published.

accepted values: false, true
--require-infrastructure-encryption -i

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

accepted values: false, true
--routing-choice

Routing Choice defines the kind of network routing opted by the user.

accepted values: InternetRouting, MicrosoftRouting
--sam-account-name

Specify the Active Directory SAMAccountName for Azure Storage.

--sas-exp --sas-expiration-period
Preview

Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.

--sku

The storage account SKU.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS
default value: Standard_RAGRS
--subnet

Name or ID of subnet. If name is supplied, --vnet-name must be supplied.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--user-identity-id

The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

--vnet-name

Name of a virtual network.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account create (storage-preview extension)

Preview

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Create a storage account.

The SKU of the storage account defaults to 'Standard_RAGRS'.

az storage account create --name
                          --resource-group
                          [--access-tier {Cool, Hot, Premium}]
                          [--account-type]
                          [--action]
                          [--allow-append {false, true}]
                          [--allow-blob-public-access {false, true}]
                          [--allow-cross-tenant-replication {false, true}]
                          [--allow-shared-key-access {false, true}]
                          [--allowed-copy-scope {AAD, PrivateLink}]
                          [--assign-identity]
                          [--azure-storage-sid]
                          [--bypass {AzureServices, Logging, Metrics, None}]
                          [--custom-domain]
                          [--default-action {Allow, Deny}]
                          [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                          [--dns-endpoint-type {AzureDnsZone, Standard}]
                          [--domain-guid]
                          [--domain-name]
                          [--domain-sid]
                          [--edge-zone]
                          [--enable-alw {false, true}]
                          [--enable-files-aadds {false, true}]
                          [--enable-files-aadkerb {false, true}]
                          [--enable-files-adds {false, true}]
                          [--enable-hierarchical-namespace {false, true}]
                          [--enable-large-file-share]
                          [--enable-local-user {false, true}]
                          [--enable-nfs-v3 {false, true}]
                          [--enable-sftp {false, true}]
                          [--encryption-key-name]
                          [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                          [--encryption-key-type-for-queue {Account, Service}]
                          [--encryption-key-type-for-table {Account, Service}]
                          [--encryption-key-vault]
                          [--encryption-key-version]
                          [--encryption-services {blob, file, queue, table}]
                          [--forest-name]
                          [--https-only {false, true}]
                          [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                          [--immutability-period]
                          [--immutability-state {Disabled, Locked, Unlocked}]
                          [--key-exp-days]
                          [--key-vault-federated-client-id]
                          [--key-vault-user-identity-id]
                          [--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
                          [--location]
                          [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                          [--net-bios-domain-name]
                          [--public-network-access {Disabled, Enabled}]
                          [--publish-internet-endpoints {false, true}]
                          [--publish-microsoft-endpoints {false, true}]
                          [--require-infrastructure-encryption {false, true}]
                          [--routing-choice {InternetRouting, MicrosoftRouting}]
                          [--sam-account-name]
                          [--sas-exp]
                          [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                          [--subnet]
                          [--tags]
                          [--user-identity-id]
                          [--vnet-name]

Examples

Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.

az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS

Required Parameters

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access-tier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

accepted values: Cool, Hot, Premium
--account-type
Preview

Specify the Active Directory account type for Azure Storage.

--action

The action of virtual network rule. Possible value is Allow.

default value: Allow
--allow-append --allow-protected-append-writes -w

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

accepted values: false, true
--allow-blob-public-access

Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.

accepted values: false, true
--allow-cross-tenant-replication -r

Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.

accepted values: false, true
--allow-shared-key-access -k

Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

accepted values: false, true
--allowed-copy-scope -s

Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.

accepted values: AAD, PrivateLink
--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

default value: False
--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None
--custom-domain

User domain assigned to the storage account. Name is the CNAME source.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny
--default-share-permission -d

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

accepted values: None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader
--dns-endpoint-type --endpoint
Preview

Allow you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.

accepted values: AzureDnsZone, Standard
--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--edge-zone

The name of edge zone.

--enable-alw

The account level immutability property. The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.

accepted values: false, true
--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true
--enable-files-aadkerb

Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.

accepted values: false, true
--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true
--enable-hierarchical-namespace --hns

Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.

accepted values: false, true
--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--enable-local-user
Preview

Enable local user features.

accepted values: false, true
--enable-nfs-v3
Preview

NFS 3.0 protocol support enabled if sets to true.

accepted values: false, true
--enable-sftp
Preview

Enable Secure File Transfer Protocol.

accepted values: false, true
--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption key source.

accepted values: Microsoft.Keyvault, Microsoft.Storage
--encryption-key-type-for-queue -q

Set the encryption key type for Queue service. "Account": Queue will be encrypted with account-scoped encryption key. "Service": Queue will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".

accepted values: Account, Service
--encryption-key-type-for-table -t

Set the encryption key type for Table service. "Account": Table will be encrypted with account-scoped encryption key. "Service": Table will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".

accepted values: Account, Service
--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table
--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allow https traffic only to storage service if set to true. The default value is true.

accepted values: false, true
--identity-type

The identity type.

accepted values: None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned
--immutability-period --immutability-period-in-days

The immutability period for the blobs in the container since the policy creation, in days.

--immutability-state

Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

accepted values: Disabled, Locked, Unlocked
--key-exp-days --key-expiration-period-in-days
Preview

Expiration period in days of the Key Policy assigned to the storage account.

--key-vault-federated-client-id -f

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

--key-vault-user-identity-id -u

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

--kind

Indicate the type of storage account.

accepted values: BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2
default value: StorageV2
--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--min-tls-version

The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

accepted values: TLS1_0, TLS1_1, TLS1_2
--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--public-network-access

Enable or disable public network access to the storage account. Possible values include: Enabled or Disabled.

accepted values: Disabled, Enabled
--publish-internet-endpoints

A boolean flag which indicates whether internet routing storage endpoints are to be published.

accepted values: false, true
--publish-microsoft-endpoints

A boolean flag which indicates whether microsoft routing storage endpoints are to be published.

accepted values: false, true
--require-infrastructure-encryption -i

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

accepted values: false, true
--routing-choice

Routing Choice defines the kind of network routing opted by the user.

accepted values: InternetRouting, MicrosoftRouting
--sam-account-name
Preview

Specify the Active Directory SAMAccountName for Azure Storage.

--sas-exp --sas-expiration-period
Preview

Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.

--sku

The storage account SKU.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS
default value: Standard_RAGRS
--subnet

Name or ID of subnet. If name is supplied, --vnet-name must be supplied.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--user-identity-id

The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

--vnet-name

Name of a virtual network.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account delete

Delete a storage account.

az storage account delete [--ids]
                          [--name]
                          [--resource-group]
                          [--subscription]
                          [--yes]

Examples

Delete a storage account using a resource ID.

az storage account delete --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Delete a storage account using an account name and resource group.

az storage account delete -n MyStorageAccount -g MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--yes -y

Do not prompt for confirmation.

default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account failover

Preview

This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Failover request can be triggered for a storage account in case of availability issues.

The failover occurs from the storage account's primary cluster to secondary cluster for (RA-)GRS/GZRS accounts. The secondary cluster will become primary after failover. For more information, please refer to https://docs.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance.

az storage account failover [--failover-type]
                            [--ids]
                            [--name]
                            [--no-wait]
                            [--resource-group]
                            [--subscription]
                            [--yes]

Examples

Failover a storage account.

az storage account failover -n mystorageaccount -g MyResourceGroup

Failover a storage account without waiting for complete.

az storage account failover -n mystorageaccount -g MyResourceGroup --no-wait
az storage account show -n mystorageaccount --expand geoReplicationStats

Optional Parameters

--failover-type --type
Preview

The parameter is set to 'Planned' to indicate whether a Planned failover is requested.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--no-wait

Do not wait for the long-running operation to finish.

default value: False
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--yes -y

Do not prompt for confirmation.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account generate-sas

Generate a shared access signature for the storage account.

az storage account generate-sas --expiry
                                --permissions
                                --resource-types
                                --services
                                [--account-key]
                                [--account-name]
                                [--blob-endpoint]
                                [--connection-string]
                                [--encryption-scope]
                                [--https-only]
                                [--ids]
                                [--ip]
                                [--start]
                                [--subscription]

Examples

Generate a sas token for the account that is valid for queue and table services on Linux.

end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv

Generate a sas token for the account that is valid for queue and table services on MacOS.

end=`date -v+30M '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv

Generate a shared access signature for the account (autogenerated)

az storage account generate-sas --account-key 00000000 --account-name MyStorageAccount --expiry 2020-01-01 --https-only --permissions acuw --resource-types co --services bfqt

Required Parameters

--expiry

Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid.

--permissions

The permissions the SAS grants. Allowed values: (a)dd (c)reate (d)elete (f)ilter_by_tags (i)set_immutability_policy (l)ist (p)rocess (r)ead (t)ag (u)pdate (w)rite (x)delete_previous_version (y)permanent_delete. Can be combined.

--resource-types

The resource types the SAS is applicable for. Allowed values: (s)ervice (c)ontainer (o)bject. Can be combined.

--services

The storage services the SAS is applicable for. Allowed values: (b)lob (f)ile (q)ueue (t)able. Can be combined.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Must be used in conjunction with either storage account key or a SAS token. Environment Variable: AZURE_STORAGE_ACCOUNT.

--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--encryption-scope

A predefined encryption scope used to encrypt the data on the service.

--https-only

Only permit requests made with the HTTPS protocol. If omitted, requests from both the HTTP and HTTPS protocol are permitted.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--ip

Specifies the IP address or range of IP addresses from which to accept requests. Supports only IPv4 style addresses.

--start

Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes valid. Defaults to the time of the request.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account list

List storage accounts.

az storage account list [--resource-group]

Examples

List all storage accounts in a subscription.

az storage account list

List all storage accounts in a resource group.

az storage account list -g MyResourceGroup

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account revoke-delegation-keys

Revoke all user delegation keys for a storage account.

az storage account revoke-delegation-keys [--ids]
                                          [--name]
                                          [--resource-group]
                                          [--subscription]

Examples

Revoke all user delegation keys for a storage account by resource ID.

az storage account revoke-delegation-keys --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Revoke all user delegation keys for a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.

az storage account revoke-delegation-keys -n mystorageaccount -g MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account show

Show storage account properties.

az storage account show [--expand]
                        [--ids]
                        [--name]
                        [--resource-group]
                        [--subscription]

Examples

Show properties for a storage account by resource ID.

az storage account show --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Show properties for a storage account using an account name and resource group.

az storage account show -g MyResourceGroup -n MyStorageAccount

Optional Parameters

--expand

May be used to expand the properties within account's properties. By default, data is not included when fetching properties. Currently we only support geoReplicationStats and blobRestoreStatus. Known values are: "geoReplicationStats" and "blobRestoreStatus". Default value is None.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account show-connection-string

Get the connection string for a storage account.

az storage account show-connection-string [--blob-endpoint]
                                          [--file-endpoint]
                                          [--ids]
                                          [--key {key1, key2, primary, secondary}]
                                          [--name]
                                          [--protocol {http, https}]
                                          [--queue-endpoint]
                                          [--resource-group]
                                          [--sas-token]
                                          [--subscription]
                                          [--table-endpoint]

Examples

Get a connection string for a storage account.

az storage account show-connection-string -g MyResourceGroup -n MyStorageAccount

Get the connection string for a storage account. (autogenerated)

az storage account show-connection-string --name MyStorageAccount --resource-group MyResourceGroup --subscription MySubscription

Optional Parameters

--blob-endpoint

Custom endpoint for blobs.

--file-endpoint

Custom endpoint for files.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--key

The key to use.

accepted values: key1, key2, primary, secondary
default value: key1
--name -n

The storage account name.

--protocol

The default endpoint protocol.

accepted values: http, https
default value: https
--queue-endpoint

Custom endpoint for queues.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--sas-token

The SAS token to be used in the connection-string.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--table-endpoint

Custom endpoint for tables.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account show-usage

Show the current count and limit of the storage accounts under the subscription.

az storage account show-usage --location

Examples

Show the current count and limit of the storage accounts under the subscription. (autogenerated)

az storage account show-usage --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account update

Update the properties of a storage account.

az storage account update [--access-tier {Cool, Hot, Premium}]
                          [--account-type]
                          [--add]
                          [--allow-append {false, true}]
                          [--allow-blob-public-access {false, true}]
                          [--allow-cross-tenant-replication {false, true}]
                          [--allow-shared-key-access {false, true}]
                          [--assign-identity]
                          [--azure-storage-sid]
                          [--bypass {AzureServices, Logging, Metrics, None}]
                          [--custom-domain]
                          [--default-action {Allow, Deny}]
                          [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                          [--domain-guid]
                          [--domain-name]
                          [--domain-sid]
                          [--enable-files-aadds {false, true}]
                          [--enable-files-aadkerb {false, true}]
                          [--enable-files-adds {false, true}]
                          [--enable-large-file-share]
                          [--enable-local-user {false, true}]
                          [--enable-sftp {false, true}]
                          [--encryption-key-name]
                          [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                          [--encryption-key-vault]
                          [--encryption-key-version]
                          [--encryption-services {blob, file, queue, table}]
                          [--force-string]
                          [--forest-name]
                          [--https-only {false, true}]
                          [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                          [--ids]
                          [--immutability-period]
                          [--immutability-state {Disabled, Locked, Unlocked}]
                          [--key-exp-days]
                          [--key-vault-federated-client-id]
                          [--key-vault-user-identity-id]
                          [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                          [--name]
                          [--net-bios-domain-name]
                          [--public-network-access {Disabled, Enabled}]
                          [--publish-internet-endpoints {false, true}]
                          [--publish-microsoft-endpoints {false, true}]
                          [--remove]
                          [--resource-group]
                          [--routing-choice {InternetRouting, MicrosoftRouting}]
                          [--sam-account-name]
                          [--sas-exp]
                          [--set]
                          [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                          [--subscription]
                          [--tags]
                          [--use-subdomain {false, true}]
                          [--user-identity-id]

Examples

Update the properties of a storage account. (autogenerated)

az storage account update --default-action Allow --name MyStorageAccount --resource-group MyResourceGroup

Use a user-assigned managed identity instead of system-assigned managed identity

az storage account update --name <storage-account-name> --resource-group <resource-group-name> --encryption-key-vault <keyvault-uri> --encryption-key-name <key-name-in-keyvault> --encryption-key-source Microsoft.Keyvault --key-vault-user-identity-id <user-assigned-identity-id> --identity-type UserAssigned --user-identity-id <user-assigned-identity-id>`

Optional Parameters

--access-tier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

accepted values: Cool, Hot, Premium
--account-type

Specify the Active Directory account type for Azure Storage.

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

default value: []
--allow-append --allow-protected-append-writes -w

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

accepted values: false, true
--allow-blob-public-access

Allow or disallow public access to all blobs or containers in the storage account. If not specified, the default value is false for new account to follow best security practices. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.

accepted values: false, true
--allow-cross-tenant-replication -r

Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. If not specified, the default value is false for new accounts to follow best security practices.

accepted values: false, true
--allow-shared-key-access -k

Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

accepted values: false, true
--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

default value: False
--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None
--custom-domain

User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny
--default-share-permission -d

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

accepted values: None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader
--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true
--enable-files-aadkerb

Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.

accepted values: false, true
--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true
--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--enable-local-user

Enable local user features.

accepted values: false, true
--enable-sftp

Enable Secure File Transfer Protocol.

accepted values: false, true
--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption key source.

accepted values: Microsoft.Keyvault, Microsoft.Storage
--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

default value: False
--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allows https traffic only to storage service.

accepted values: false, true
--identity-type

The identity type.

accepted values: None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--immutability-period --immutability-period-in-days

The immutability period for the blobs in the container since the policy creation, in days.

--immutability-state

Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

accepted values: Disabled, Locked, Unlocked
--key-exp-days --key-expiration-period-in-days
Preview

Expiration period in days of the Key Policy assigned to the storage account.

--key-vault-federated-client-id -f

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

--key-vault-user-identity-id -u

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

--min-tls-version

The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

accepted values: TLS1_0, TLS1_1, TLS1_2
--name -n

The storage account name.

--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--public-network-access

Enable or disable public network access to the storage account. Possible values include: Enabled or Disabled.

accepted values: Disabled, Enabled
--publish-internet-endpoints

A boolean flag which indicates whether internet routing storage endpoints are to be published.

accepted values: false, true
--publish-microsoft-endpoints

A boolean flag which indicates whether microsoft routing storage endpoints are to be published.

accepted values: false, true
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

default value: []
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--routing-choice

Routing Choice defines the kind of network routing opted by the user.

accepted values: InternetRouting, MicrosoftRouting
--sam-account-name

Specify the Active Directory SAMAccountName for Azure Storage.

--sas-exp --sas-expiration-period
Preview

Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

default value: []
--sku

Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--use-subdomain

Specify whether to use indirect CNAME validation.

accepted values: false, true
--user-identity-id

The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage account update (storage-preview extension)

Preview

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Update the properties of a storage account.

az storage account update [--access-tier {Cool, Hot, Premium}]
                          [--account-type]
                          [--add]
                          [--allow-append {false, true}]
                          [--allow-blob-public-access {false, true}]
                          [--allow-cross-tenant-replication {false, true}]
                          [--allow-shared-key-access {false, true}]
                          [--allowed-copy-scope {AAD, PrivateLink}]
                          [--assign-identity]
                          [--azure-storage-sid]
                          [--bypass {AzureServices, Logging, Metrics, None}]
                          [--custom-domain]
                          [--default-action {Allow, Deny}]
                          [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                          [--domain-guid]
                          [--domain-name]
                          [--domain-sid]
                          [--enable-files-aadds {false, true}]
                          [--enable-files-aadkerb {false, true}]
                          [--enable-files-adds {false, true}]
                          [--enable-large-file-share]
                          [--enable-local-user {false, true}]
                          [--enable-sftp {false, true}]
                          [--encryption-key-name]
                          [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                          [--encryption-key-vault]
                          [--encryption-key-version]
                          [--encryption-services {blob, file, queue, table}]
                          [--force-string]
                          [--forest-name]
                          [--https-only {false, true}]
                          [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                          [--ids]
                          [--immutability-period]
                          [--immutability-state {Disabled, Locked, Unlocked}]
                          [--key-exp-days]
                          [--key-vault-federated-client-id]
                          [--key-vault-user-identity-id]
                          [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                          [--name]
                          [--net-bios-domain-name]
                          [--public-network-access {Disabled, Enabled}]
                          [--publish-internet-endpoints {false, true}]
                          [--publish-microsoft-endpoints {false, true}]
                          [--remove]
                          [--resource-group]
                          [--routing-choice {InternetRouting, MicrosoftRouting}]
                          [--sam-account-name]
                          [--sas-exp]
                          [--set]
                          [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                          [--subscription]
                          [--tags]
                          [--use-subdomain {false, true}]
                          [--user-identity-id]

Optional Parameters

--access-tier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

accepted values: Cool, Hot, Premium
--account-type
Preview

Specify the Active Directory account type for Azure Storage.

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

default value: []
--allow-append --allow-protected-append-writes -w

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

accepted values: false, true
--allow-blob-public-access

Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.

accepted values: false, true
--allow-cross-tenant-replication -r

Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.

accepted values: false, true
--allow-shared-key-access -k

Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

accepted values: false, true
--allowed-copy-scope -s

Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.

accepted values: AAD, PrivateLink
--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

default value: False
--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None
--custom-domain

User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny
--default-share-permission -d

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

accepted values: None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader
--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true
--enable-files-aadkerb

Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.

accepted values: false, true
--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true
--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--enable-local-user
Preview

Enable local user features.

accepted values: false, true
--enable-sftp
Preview

Enable Secure File Transfer Protocol.

accepted values: false, true
--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption key source.

accepted values: Microsoft.Keyvault, Microsoft.Storage
--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

default value: False
--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allows https traffic only to storage service.

accepted values: false, true
--identity-type

The identity type.

accepted values: None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--immutability-period --immutability-period-in-days

The immutability period for the blobs in the container since the policy creation, in days.

--immutability-state

Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

accepted values: Disabled, Locked, Unlocked
--key-exp-days --key-expiration-period-in-days
Preview

Expiration period in days of the Key Policy assigned to the storage account.

--key-vault-federated-client-id -f

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

--key-vault-user-identity-id -u

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

--min-tls-version

The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

accepted values: TLS1_0, TLS1_1, TLS1_2
--name -n

The storage account name.

--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--public-network-access

Enable or disable public network access to the storage account. Possible values include: Enabled or Disabled.

accepted values: Disabled, Enabled
--publish-internet-endpoints

A boolean flag which indicates whether internet routing storage endpoints are to be published.

accepted values: false, true
--publish-microsoft-endpoints

A boolean flag which indicates whether microsoft routing storage endpoints are to be published.

accepted values: false, true
--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

default value: []
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--routing-choice

Routing Choice defines the kind of network routing opted by the user.

accepted values: InternetRouting, MicrosoftRouting
--sam-account-name
Preview

Specify the Active Directory SAMAccountName for Azure Storage.

--sas-exp --sas-expiration-period
Preview

Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

default value: []
--sku

Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--use-subdomain

Specify whether to use indirect CNAME validation.

accepted values: false, true
--user-identity-id

The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.