Encryption Scopes - Put

Synchronously creates or updates an encryption scope under the specified storage account. If an encryption scope is already created and a subsequent request is issued with different properties, the encryption scope properties will be updated per the specified request.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/encryptionScopes/{encryptionScopeName}?api-version=2026-04-01

URI Parameters

Name In Required Type Description
accountName
path True

string

minLength: 3
maxLength: 24
pattern: ^[a-z0-9]+$

The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.

encryptionScopeName
path True

string

minLength: 3
maxLength: 63

The name of the encryption scope within the specified storage account. Encryption scope names must be between 3 and 63 characters in length and use numbers, lower-case letters and dash (-) only. Every dash (-) character must be immediately preceded and followed by a letter or number.

resourceGroupName
path True

string

minLength: 1
maxLength: 90

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string (uuid)

The ID of the target subscription. The value must be a UUID.

api-version
query True

string

minLength: 1

The API version to use for this operation.

Request Body

Name Type Description
properties.keyVaultProperties

EncryptionScopeKeyVaultProperties

The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'.

properties.requireInfrastructureEncryption

boolean

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

properties.source

EncryptionScopeSource

The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault.

properties.state

EncryptionScopeState

The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled.

Responses

Name Type Description
200 OK

EncryptionScope

Resource 'EncryptionScope' update operation succeeded

201 Created

EncryptionScope

Resource 'EncryptionScope' create operation succeeded

Other Status Codes

ErrorResponse

An unexpected error response.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

StorageAccountPutEncryptionScope
StorageAccountPutEncryptionScopeWithInfrastructureEncryption

StorageAccountPutEncryptionScope

Sample request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Storage/storageAccounts/accountname/encryptionScopes/{encryption-scope-name}?api-version=2026-04-01

{}

Sample response

{
  "name": "{encryption-scope-name}",
  "type": "Microsoft.Storage/storageAccounts/encryptionScopes",
  "id": "/subscriptions/{subscription-id}/resourceGroups/resource-group-name/providers/Microsoft.Storage/storageAccounts/accountname/encryptionScopes/{encryption-scope-name}",
  "properties": {
    "creationTime": "2018-10-16T02:42:41.7633306Z",
    "lastModifiedTime": "2018-10-16T02:42:41.7633306Z",
    "source": "Microsoft.Storage",
    "state": "Enabled"
  }
}

StorageAccountPutEncryptionScopeWithInfrastructureEncryption

Sample request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Storage/storageAccounts/accountname/encryptionScopes/{encryption-scope-name}?api-version=2026-04-01

{
  "properties": {
    "requireInfrastructureEncryption": true
  }
}

Sample response

{
  "name": "{encryption-scope-name}",
  "type": "Microsoft.Storage/storageAccounts/encryptionScopes",
  "id": "/subscriptions/{subscription-id}/resourceGroups/resource-group-name/providers/Microsoft.Storage/storageAccounts/accountname/encryptionScopes/{encryption-scope-name}",
  "properties": {
    "creationTime": "2018-10-16T02:42:41.7633306Z",
    "lastModifiedTime": "2018-10-16T02:42:41.7633306Z",
    "requireInfrastructureEncryption": true,
    "source": "Microsoft.Storage",
    "state": "Enabled"
  }
}
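
A pre-flight check for this request, added here as an example and not part of the original reference or of any Azure SDK: it enforces the naming rules and the keyVaultProperties requirement documented above before a PUT is sent. The function name, the sample key URI and the rule that rejects a stray keyUri are assumptions of the example.

```python
import json
import re
import uuid
from urllib.parse import quote

API_VERSION = "2026-04-01"  # the version shown in the page's sample requests
ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")
# Each dash must sit between two alphanumerics: no leading, trailing or doubled dash.
SCOPE_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")
SOURCES = {"microsoft.storage": "Microsoft.Storage", "microsoft.keyvault": "Microsoft.KeyVault"}


def build_put_encryption_scope(subscription_id, resource_group, account, scope,
                               source="Microsoft.Storage", key_uri=None,
                               require_infrastructure_encryption=None):
    """Validate inputs against the documented rules; return (url, json_body)."""
    sub = str(uuid.UUID(subscription_id))  # raises ValueError if not a UUID
    if not 1 <= len(resource_group) <= 90:
        raise ValueError("resourceGroupName must be 1-90 characters")
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("accountName must be 3-24 lower-case letters or digits")
    if not (3 <= len(scope) <= 63 and SCOPE_RE.fullmatch(scope)):
        raise ValueError("encryptionScopeName violates the naming rules")
    canonical = SOURCES.get(source.lower())  # values are case-insensitive
    if canonical is None:
        raise ValueError("source must be Microsoft.Storage or Microsoft.KeyVault")
    props = {"source": canonical}
    if canonical == "Microsoft.KeyVault":
        if not key_uri:
            raise ValueError("keyVaultProperties is required for Microsoft.KeyVault")
        props["keyVaultProperties"] = {"keyUri": key_uri}
    elif key_uri:
        # Policy of this example, not an API rule: a key URI implies Microsoft.KeyVault.
        raise ValueError("keyUri supplied but source is Microsoft.Storage")
    if require_infrastructure_encryption is not None:
        props["requireInfrastructureEncryption"] = bool(require_infrastructure_encryption)
    url = (f"https://management.azure.com/subscriptions/{sub}/resourceGroups/"
           f"{quote(resource_group, safe='')}/providers/Microsoft.Storage/storageAccounts/"
           f"{account}/encryptionScopes/{scope}?api-version={API_VERSION}")
    return url, json.dumps({"properties": props}, sort_keys=True)


# Constructed sample input; the vault and key names are placeholders.
SAMPLE_ARGS = ("00000000-0000-0000-0000-000000000000", "resource-group-name",
               "accountname", "cmk-scope-01", "microsoft.keyvault",
               "https://example-vault.vault.azure.net/keys/example-key")

if __name__ == "__main__":
    print(*build_put_encryption_scope(*SAMPLE_ARGS), sep="\n")
```
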

Definitions

Name Description
createdByType

The type of identity that created the resource.

EncryptionScope

The Encryption Scope resource.

EncryptionScopeKeyVaultProperties

The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'.

EncryptionScopeSource

The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault.

EncryptionScopeState

The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled.

ErrorResponse

An error response from the storage resource provider.

ErrorResponseBody

Error response body contract.

systemData

Metadata pertaining to creation and last modification of the resource.

createdByType

The type of identity that created the resource.

Value Description
User
Application
ManagedIdentity
Key

EncryptionScope

The Encryption Scope resource.

Name Type Description
id

string (arm-id)

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

name

string

The name of the resource.

properties.creationTime

string (date-time)

Gets the creation date and time of the encryption scope in UTC.

properties.keyVaultProperties

EncryptionScopeKeyVaultProperties

The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'.

properties.lastModifiedTime

string (date-time)

Gets the last modification date and time of the encryption scope in UTC.

properties.requireInfrastructureEncryption

boolean

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

properties.source

EncryptionScopeSource

The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault.

properties.state

EncryptionScopeState

The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts".

EncryptionScopeKeyVaultProperties

The key vault properties for the encryption scope. This is a required field if encryption scope 'source' attribute is set to 'Microsoft.KeyVault'.

Name Type Description
currentVersionedKeyIdentifier

string

The object identifier of the current versioned Key Vault Key in use.

keyUri

string

The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope.

lastKeyRotationTimestamp

string (date-time)

Timestamp of last rotation of the Key Vault Key.

EncryptionScopeSource

The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault.

Value Description
Microsoft.Storage
Microsoft.KeyVault

EncryptionScopeState

The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled.

Value Description
Enabled
Disabled

ErrorResponse

An error response from the storage resource provider.

Name Type Description
error

ErrorResponseBody

Azure Storage Resource Provider error response body.

ErrorResponseBody

Error response body contract.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string (date-time)

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string (date-time)

The timestamp of resource last modification (UTC).

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.