Storage Accounts - Update

The update operation can be used to update the SKU, encryption, access tier, or tags for a storage account. It can also be used to map the account to a custom domain. Only one custom domain is supported per storage account; the replacement/change of custom domain is not supported. In order to replace an old custom domain, the old value must be cleared/unregistered before a new value can be set. The update of multiple properties is supported. This call does not change the storage keys for the account. If you want to change the storage account keys, use the regenerate keys operation. The location and name of the storage account cannot be changed after creation.

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}?api-version=2023-05-01

URI Parameters

| Name | In | Required | Type | Description |
| --- | --- | --- | --- | --- |
| accountName | path | True | string | The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only. Regex pattern: `^[a-z0-9]+$` |
| resourceGroupName | path | True | string | The name of the resource group within the user's subscription. The name is case insensitive. Regex pattern: `^[-\w\._\(\)]+$` |
| subscriptionId | path | True | string | The ID of the target subscription. |
| api-version | query | True | string | The API version to use for this operation. |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| identity | Identity | The identity of the resource. |
| kind | Kind | Optional. Indicates the type of storage account. Currently only the StorageV2 value is supported by the server. |
| properties.accessTier | AccessTier | Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for the premium block blobs storage account type and it cannot be changed for that account type. |
| properties.allowBlobPublicAccess | boolean | Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is false for this property. |
| properties.allowCrossTenantReplication | boolean | Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. The default interpretation is false for new accounts to follow best security practices by default. |
| properties.allowSharedKeyAccess | boolean | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. |
| properties.allowedCopyScope | AllowedCopyScope | Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. |
| properties.azureFilesIdentityBasedAuthentication | AzureFilesIdentityBasedAuthentication | Provides the identity-based authentication settings for Azure Files. |
| properties.customDomain | CustomDomain | Custom domain assigned to the storage account by the user. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. |
| properties.defaultToOAuthAuthentication | boolean | A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. |
| properties.dnsEndpointType | DnsEndpointType | Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. |
| properties.enableExtendedGroups | boolean | Enables extended group support with the local users feature, if set to true. |
| properties.encryption | Encryption | Not applicable. Azure Storage encryption at rest is enabled by default for all storage accounts and cannot be disabled. |
| properties.immutableStorageWithVersioning | ImmutableStorageAccount | The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default. |
| properties.isLocalUserEnabled | boolean | Enables the local users feature, if set to true. |
| properties.isSftpEnabled | boolean | Enables Secure File Transfer Protocol, if set to true. |
| properties.keyPolicy | KeyPolicy | KeyPolicy assigned to the storage account. |
| properties.largeFileSharesState | LargeFileSharesState | Allows large file shares if set to Enabled. It cannot be disabled once it is enabled. |
| properties.minimumTlsVersion | MinimumTlsVersion | Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. |
| properties.networkAcls | NetworkRuleSet | Network rule set. |
| properties.publicNetworkAccess | PublicNetworkAccess | Allow, disallow, or let Network Security Perimeter configuration evaluate public network access to the Storage Account. Value is optional but, if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'. |
| properties.routingPreference | RoutingPreference | Maintains information about the network routing choice opted by the user for data transfer. |
| properties.sasPolicy | SasPolicy | SasPolicy assigned to the storage account. |
| properties.supportsHttpsTrafficOnly | boolean | Allows only HTTPS traffic to the storage service if set to true. |
| sku | Sku | Gets or sets the SKU name. Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value. |
| tags | object | Gets or sets a list of key value pairs that describe the resource. These tags can be used in viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key no greater in length than 128 characters and a value no greater in length than 256 characters. |
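
As an added example (not part of the Microsoft reference), the Python sketch below audits a StorageAccount response against the security-relevant request-body properties described above, applying the defaults this page states for absent or null values, and builds a PATCH body that covers the findings. The function names, the recommended values chosen and the trimmed sample response are assumptions made for illustration.

```python
import json

# Constructed sample: a trimmed copy of the StorageAccountUpdate sample
# response shown in the Examples section of this page.
SAMPLE_RESPONSE = json.loads("""
{
  "name": "sto8596",
  "properties": {
    "allowBlobPublicAccess": false,
    "isSftpEnabled": true,
    "isLocalUserEnabled": true,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                    "ipRules": [], "virtualNetworkRules": []},
    "supportsHttpsTrafficOnly": false
  }
}
""")

# Values the reference says are assumed when a property is absent or null.
DOCUMENTED_DEFAULTS = {
    "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": True,      # "null, which is equivalent to true"
    "minimumTlsVersion": "TLS1_0",     # "default interpretation is TLS 1.0"
    "allowCrossTenantReplication": False,
}

WEAK_TLS = {"TLS1_0", "TLS1_1"}
CLOSED_NETWORK = {"Disabled", "SecuredByPerimeter"}


def effective(props, name):
    """Resolve a property to its documented default when absent or null."""
    value = props.get(name)
    return DOCUMENTED_DEFAULTS.get(name) if value is None else value


def audit(account):
    """Return findings as dicts: property, observed, recommended, why."""
    props = account.get("properties") or {}
    findings = []

    def flag(name, observed, recommended, why):
        findings.append({"property": name, "observed": observed,
                         "recommended": recommended, "why": why})

    if effective(props, "allowBlobPublicAccess"):
        flag("allowBlobPublicAccess", True, False,
             "anonymous access to blobs or containers can be enabled")
    if effective(props, "allowSharedKeyAccess"):
        # Setting this to false also forces shared access signatures to be
        # authorized with Azure AD, so check SAS consumers before applying.
        flag("allowSharedKeyAccess", props.get("allowSharedKeyAccess"), False,
             "requests can be authorized with the account access key")
    if effective(props, "minimumTlsVersion") in WEAK_TLS:
        flag("minimumTlsVersion", props.get("minimumTlsVersion"), "TLS1_2",
             "TLS versions below 1.2 are accepted")
    # The page states no default for this property, so only an explicit
    # false is reported.
    if props.get("supportsHttpsTrafficOnly") is False:
        flag("supportsHttpsTrafficOnly", False, True,
             "plain HTTP requests are accepted")
    if effective(props, "allowCrossTenantReplication"):
        flag("allowCrossTenantReplication", True, False,
             "object replication to other AAD tenants is allowed")
    default_action = (props.get("networkAcls") or {}).get("defaultAction")
    if (props.get("publicNetworkAccess") not in CLOSED_NETWORK
            and default_action == "Allow"):
        flag("publicNetworkAccess", props.get("publicNetworkAccess"),
             "Disabled", "network rule set allows traffic by default")
    return findings


def build_patch_body(findings):
    """Build a request body for the Update operation from the findings."""
    return {"properties": {f["property"]: f["recommended"] for f in findings}}


if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSE)
    for f in results:
        print(f"{f['property']}: {f['observed']!r} -> {f['recommended']!r} "
              f"({f['why']})")
    print(json.dumps(build_patch_body(results), indent=2))
```

Review the generated body before sending it: the recommended values are one hardening baseline, not a requirement of the API.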

Responses

| Name | Type | Description |
| --- | --- | --- |
| 200 OK | StorageAccount | OK -- storage account properties updated successfully. |

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
| --- | --- |
| user_impersonation | impersonate your user account |

Examples

StorageAccountEnableAD
StorageAccountEnableCMK
StorageAccountUpdate
StorageAccountUpdateAllowedCopyScopeToAAD
StorageAccountUpdateDisablePublicNetworkAccess
StorageAccountUpdateUserAssignedEncryptionIdentityWithCMK
StorageAccountUpdateUserAssignedIdentityWithFederatedIdentityClientId
StorageAccountUpdateWithImmutabilityPolicy

StorageAccountEnableAD

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596?api-version=2023-05-01

{
  "properties": {
    "azureFilesIdentityBasedAuthentication": {
      "directoryServiceOptions": "AD",
      "activeDirectoryProperties": {
        "domainName": "adtest.com",
        "netBiosDomainName": "adtest.com",
        "forestName": "adtest.com",
        "domainGuid": "aebfc118-9fa9-4732-a21f-d98e41a77ae1",
        "domainSid": "S-1-5-21-2400535526-2334094090-2402026252",
        "azureStorageSid": "S-1-5-21-2400535526-2334094090-2402026252-0012",
        "samAccountName": "sam12498",
        "accountType": "User"
      }
    }
  }
}

Sample response

{
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
  "kind": "Storage",
  "location": "eastus2(stage)",
  "name": "sto8596",
  "properties": {
    "creationTime": "2017-06-01T02:42:41.7633306Z",
    "azureFilesIdentityBasedAuthentication": {
      "directoryServiceOptions": "AD",
      "activeDirectoryProperties": {
        "domainName": "adtest.com",
        "netBiosDomainName": "adtest.com",
        "forestName": "adtest.com",
        "domainGuid": "aebfc118-9fa9-4732-a21f-d98e41a77ae1",
        "domainSid": "S-1-5-21-2400535526-2334094090-2402026252",
        "azureStorageSid": "S-1-5-21-2400535526-2334094090-2402026252-0012",
        "samAccountName": "sam12498",
        "accountType": "User"
      }
    },
    "primaryEndpoints": {
      "web": "https://sto8596.web.core.windows.net/",
      "dfs": "https://sto8596.dfs.core.windows.net/",
      "blob": "https://sto8596.blob.core.windows.net/",
      "file": "https://sto8596.file.core.windows.net/",
      "queue": "https://sto8596.queue.core.windows.net/",
      "table": "https://sto8596.table.core.windows.net/"
    },
    "primaryLocation": "eastus2(stage)",
    "provisioningState": "Succeeded",
    "secondaryLocation": "northcentralus(stage)",
    "statusOfPrimary": "available",
    "statusOfSecondary": "available",
    "supportsHttpsTrafficOnly": false
  },
  "sku": {
    "name": "Standard_GRS",
    "tier": "Standard"
  },
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

StorageAccountEnableCMK

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596?api-version=2023-05-01

{
  "properties": {
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault8569.vault.azure.net",
        "keyname": "wrappingKey",
        "keyversion": ""
      }
    }
  }
}

Sample response

{
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
  "identity": {
    "principalId": "911871cc-ffd1-4fc4-ac11-7a316433ea66",
    "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "type": "SystemAssigned"
  },
  "kind": "Storage",
  "location": "eastus2(stage)",
  "name": "sto8596",
  "properties": {
    "creationTime": "2017-06-01T02:42:41.7633306Z",
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        },
        "blob": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        }
      },
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault8569.vault.azure.net",
        "keyname": "wrappingKey",
        "keyversion": "",
        "currentVersionedKeyIdentifier": "https://myvault8569.vault.azure.net/keys/wrappingKey/0682afdd9c104f4285df20107e956cad",
        "lastKeyRotationTimestamp": "2019-12-13T20:36:23.7023290Z"
      }
    },
    "primaryEndpoints": {
      "web": "https://sto8596.web.core.windows.net/",
      "dfs": "https://sto8596.dfs.core.windows.net/",
      "blob": "https://sto8596.blob.core.windows.net/",
      "file": "https://sto8596.file.core.windows.net/",
      "queue": "https://sto8596.queue.core.windows.net/",
      "table": "https://sto8596.table.core.windows.net/"
    },
    "primaryLocation": "eastus2(stage)",
    "provisioningState": "Succeeded",
    "secondaryLocation": "northcentralus(stage)",
    "statusOfPrimary": "available",
    "statusOfSecondary": "available",
    "supportsHttpsTrafficOnly": false
  },
  "sku": {
    "name": "Standard_GRS",
    "tier": "Standard"
  },
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

StorageAccountUpdate

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596?api-version=2023-05-01

{
  "properties": {
    "keyPolicy": {
      "keyExpirationPeriodInDays": 20
    },
    "sasPolicy": {
      "sasExpirationPeriod": "1.15:59:59",
      "expirationAction": "Log"
    },
    "allowBlobPublicAccess": false,
    "isSftpEnabled": true,
    "isLocalUserEnabled": true,
    "enableExtendedGroups": true,
    "defaultToOAuthAuthentication": false,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "networkAcls": {
      "resourceAccessRules": [
        {
          "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
          "resourceId": "/subscriptions/a7e99807-abbf-4642-bdec-2c809a96a8bc/resourceGroups/res9407/providers/Microsoft.Synapse/workspaces/testworkspace"
        }
      ],
      "defaultAction": "Allow"
    },
    "routingPreference": {
      "routingChoice": "MicrosoftRouting",
      "publishMicrosoftEndpoints": true,
      "publishInternetEndpoints": true
    },
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keySource": "Microsoft.Storage"
    }
  }
}

Sample response

{
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
  "kind": "Storage",
  "location": "eastus2(stage)",
  "name": "sto8596",
  "properties": {
    "keyPolicy": {
      "keyExpirationPeriodInDays": 20
    },
    "sasPolicy": {
      "sasExpirationPeriod": "1.15:59:59",
      "expirationAction": "Log"
    },
    "keyCreationTime": {
      "key1": "2021-03-18T04:42:22.4322836Z",
      "key2": "2021-03-18T04:42:22.4322836Z"
    },
    "isHnsEnabled": true,
    "allowBlobPublicAccess": false,
    "isSftpEnabled": true,
    "isLocalUserEnabled": true,
    "enableExtendedGroups": true,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "creationTime": "2017-06-01T02:42:41.7633306Z",
    "networkAcls": {
      "resourceAccessRules": [
        {
          "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
          "resourceId": "/subscriptions/a7e99807-abbf-4642-bdec-2c809a96a8bc/resourceGroups/res9407/providers/Microsoft.Synapse/workspaces/testworkspace"
        }
      ],
      "bypass": "AzureServices",
      "defaultAction": "Allow",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "primaryEndpoints": {
      "web": "https://sto8596.web.core.windows.net/",
      "dfs": "https://sto8596.dfs.core.windows.net/",
      "blob": "https://sto8596.blob.core.windows.net/",
      "file": "https://sto8596.file.core.windows.net/",
      "queue": "https://sto8596.queue.core.windows.net/",
      "table": "https://sto8596.table.core.windows.net/",
      "microsoftEndpoints": {
        "web": "https://sto8596-microsoftrouting.web.core.windows.net/",
        "dfs": "https://sto8596-microsoftrouting.dfs.core.windows.net/",
        "blob": "https://sto8596-microsoftrouting.blob.core.windows.net/",
        "file": "https://sto8596-microsoftrouting.file.core.windows.net/",
        "queue": "https://sto8596-microsoftrouting.queue.core.windows.net/",
        "table": "https://sto8596-microsoftrouting.table.core.windows.net/"
      },
      "internetEndpoints": {
        "web": "https://sto8596-internetrouting.web.core.windows.net/",
        "dfs": "https://sto8596-internetrouting.dfs.core.windows.net/",
        "blob": "https://sto8596-internetrouting.blob.core.windows.net/",
        "file": "https://sto8596-internetrouting.file.core.windows.net/"
      }
    },
    "primaryLocation": "eastus2(stage)",
    "provisioningState": "Succeeded",
    "routingPreference": {
      "routingChoice": "MicrosoftRouting",
      "publishMicrosoftEndpoints": true,
      "publishInternetEndpoints": true
    },
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        },
        "blob": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "secondaryLocation": "northcentralus(stage)",
    "statusOfPrimary": "available",
    "statusOfSecondary": "available",
    "supportsHttpsTrafficOnly": false
  },
  "sku": {
    "name": "Standard_GRS",
    "tier": "Standard"
  },
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

StorageAccountUpdateAllowedCopyScopeToAAD

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596?api-version=2023-05-01

{
  "properties": {
    "keyPolicy": {
      "keyExpirationPeriodInDays": 20
    },
    "sasPolicy": {
      "sasExpirationPeriod": "1.15:59:59",
      "expirationAction": "Log"
    },
    "allowBlobPublicAccess": false,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "networkAcls": {
      "resourceAccessRules": [
        {
          "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
          "resourceId": "/subscriptions/a7e99807-abbf-4642-bdec-2c809a96a8bc/resourceGroups/res9407/providers/Microsoft.Synapse/workspaces/testworkspace"
        }
      ],
      "defaultAction": "Allow"
    },
    "routingPreference": {
      "routingChoice": "MicrosoftRouting",
      "publishMicrosoftEndpoints": true,
      "publishInternetEndpoints": true
    },
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "allowedCopyScope": "AAD"
  }
}

Sample response

{
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
  "kind": "Storage",
  "location": "eastus2(stage)",
  "name": "sto8596",
  "properties": {
    "keyPolicy": {
      "keyExpirationPeriodInDays": 20
    },
    "sasPolicy": {
      "sasExpirationPeriod": "1.15:59:59",
      "expirationAction": "Log"
    },
    "keyCreationTime": {
      "key1": "2021-03-18T04:42:22.4322836Z",
      "key2": "2021-03-18T04:42:22.4322836Z"
    },
    "isHnsEnabled": true,
    "allowBlobPublicAccess": false,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "creationTime": "2017-06-01T02:42:41.7633306Z",
    "networkAcls": {
      "resourceAccessRules": [
        {
          "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
          "resourceId": "/subscriptions/a7e99807-abbf-4642-bdec-2c809a96a8bc/resourceGroups/res9407/providers/Microsoft.Synapse/workspaces/testworkspace"
        }
      ],
      "bypass": "AzureServices",
      "defaultAction": "Allow",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "primaryEndpoints": {
      "web": "https://sto8596.web.core.windows.net/",
      "dfs": "https://sto8596.dfs.core.windows.net/",
      "blob": "https://sto8596.blob.core.windows.net/",
      "file": "https://sto8596.file.core.windows.net/",
      "queue": "https://sto8596.queue.core.windows.net/",
      "table": "https://sto8596.table.core.windows.net/",
      "microsoftEndpoints": {
        "web": "https://sto8596-microsoftrouting.web.core.windows.net/",
        "dfs": "https://sto8596-microsoftrouting.dfs.core.windows.net/",
        "blob": "https://sto8596-microsoftrouting.blob.core.windows.net/",
        "file": "https://sto8596-microsoftrouting.file.core.windows.net/",
        "queue": "https://sto8596-microsoftrouting.queue.core.windows.net/",
        "table": "https://sto8596-microsoftrouting.table.core.windows.net/"
      },
      "internetEndpoints": {
        "web": "https://sto8596-internetrouting.web.core.windows.net/",
        "dfs": "https://sto8596-internetrouting.dfs.core.windows.net/",
        "blob": "https://sto8596-internetrouting.blob.core.windows.net/",
        "file": "https://sto8596-internetrouting.file.core.windows.net/"
      }
    },
    "primaryLocation": "eastus2(stage)",
    "provisioningState": "Succeeded",
    "routingPreference": {
      "routingChoice": "MicrosoftRouting",
      "publishMicrosoftEndpoints": true,
      "publishInternetEndpoints": true
    },
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        },
        "blob": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "allowedCopyScope": "AAD",
    "secondaryLocation": "northcentralus(stage)",
    "statusOfPrimary": "available",
    "statusOfSecondary": "available",
    "supportsHttpsTrafficOnly": false
  },
  "sku": {
    "name": "Standard_GRS",
    "tier": "Standard"
  },
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

StorageAccountUpdateDisablePublicNetworkAccess

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596?api-version=2023-05-01

{
  "properties": {
    "keyPolicy": {
      "keyExpirationPeriodInDays": 20
    },
    "sasPolicy": {
      "sasExpirationPeriod": "1.15:59:59",
      "expirationAction": "Log"
    },
    "allowBlobPublicAccess": false,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "networkAcls": {
      "resourceAccessRules": [
        {
          "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
          "resourceId": "/subscriptions/a7e99807-abbf-4642-bdec-2c809a96a8bc/resourceGroups/res9407/providers/Microsoft.Synapse/workspaces/testworkspace"
        }
      ],
      "defaultAction": "Allow"
    },
    "routingPreference": {
      "routingChoice": "MicrosoftRouting",
      "publishMicrosoftEndpoints": true,
      "publishInternetEndpoints": true
    },
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "publicNetworkAccess": "Disabled"
  }
}

Sample response

{
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
  "kind": "Storage",
  "location": "eastus2(stage)",
  "name": "sto8596",
  "properties": {
    "keyPolicy": {
      "keyExpirationPeriodInDays": 20
    },
    "sasPolicy": {
      "sasExpirationPeriod": "1.15:59:59",
      "expirationAction": "Log"
    },
    "keyCreationTime": {
      "key1": "2021-03-18T04:42:22.4322836Z",
      "key2": "2021-03-18T04:42:22.4322836Z"
    },
    "isHnsEnabled": true,
    "allowBlobPublicAccess": false,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": true,
    "creationTime": "2017-06-01T02:42:41.7633306Z",
    "networkAcls": {
      "resourceAccessRules": [
        {
          "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
          "resourceId": "/subscriptions/a7e99807-abbf-4642-bdec-2c809a96a8bc/resourceGroups/res9407/providers/Microsoft.Synapse/workspaces/testworkspace"
        }
      ],
      "bypass": "AzureServices",
      "defaultAction": "Allow",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "primaryEndpoints": {
      "web": "https://sto8596.web.core.windows.net/",
      "dfs": "https://sto8596.dfs.core.windows.net/",
      "blob": "https://sto8596.blob.core.windows.net/",
      "file": "https://sto8596.file.core.windows.net/",
      "queue": "https://sto8596.queue.core.windows.net/",
      "table": "https://sto8596.table.core.windows.net/",
      "microsoftEndpoints": {
        "web": "https://sto8596-microsoftrouting.web.core.windows.net/",
        "dfs": "https://sto8596-microsoftrouting.dfs.core.windows.net/",
        "blob": "https://sto8596-microsoftrouting.blob.core.windows.net/",
        "file": "https://sto8596-microsoftrouting.file.core.windows.net/",
        "queue": "https://sto8596-microsoftrouting.queue.core.windows.net/",
        "table": "https://sto8596-microsoftrouting.table.core.windows.net/"
      },
      "internetEndpoints": {
        "web": "https://sto8596-internetrouting.web.core.windows.net/",
        "dfs": "https://sto8596-internetrouting.dfs.core.windows.net/",
        "blob": "https://sto8596-internetrouting.blob.core.windows.net/",
        "file": "https://sto8596-internetrouting.file.core.windows.net/"
      }
    },
    "primaryLocation": "eastus2(stage)",
    "provisioningState": "Succeeded",
    "routingPreference": {
      "routingChoice": "MicrosoftRouting",
      "publishMicrosoftEndpoints": true,
      "publishInternetEndpoints": true
    },
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        },
        "blob": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2019-12-11T20:49:31.7036140Z"
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "publicNetworkAccess": "Disabled",
    "secondaryLocation": "northcentralus(stage)",
    "statusOfPrimary": "available",
    "statusOfSecondary": "available",
    "supportsHttpsTrafficOnly": false
  },
  "sku": {
    "name": "Standard_GRS",
    "tier": "Standard"
  },
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

StorageAccountUpdateUserAssignedEncryptionIdentityWithCMK

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Storage/storageAccounts/sto4445?api-version=2023-05-01

{
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}": {}
    }
  },
  "sku": {
    "name": "Standard_LRS"
  },
  "kind": "Storage",
  "properties": {
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault8569.vault.azure.net",
        "keyname": "wrappingKey",
        "keyversion": ""
      },
      "keySource": "Microsoft.Keyvault",
      "identity": {
        "userAssignedIdentity": "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}"
      }
    }
  }
}

Sample response

{
  "identity": {
    "userAssignedIdentities": {
      "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}": {
        "principalId": "8d823284-1060-42a5-9ec4-ed3d831e24d7",
        "clientId": "fbaa6278-1ecc-415c-819f-6e2058d3acb5"
      }
    },
    "type": "UserAssigned"
  },
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "kind": "StorageV2",
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Storage/storageAccounts/sto4445",
  "name": "sto4445",
  "type": "Microsoft.Storage/storageAccounts",
  "location": "eastus",
  "tags": {},
  "properties": {
    "privateEndpointConnections": [],
    "networkAcls": {
      "bypass": "AzureServices",
      "virtualNetworkRules": [],
      "ipRules": [],
      "defaultAction": "Allow"
    },
    "supportsHttpsTrafficOnly": true,
    "encryption": {
      "identity": {
        "userAssignedIdentity": "/subscriptions/{subscription-id}/resourcegroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}"
      },
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault8569.vault.azure.net",
        "keyname": "wrappingKey",
        "keyversion": "",
        "currentVersionedKeyIdentifier": "https://myvault8569.vault.azure.net/keys/wrappingKey/0682afdd9c104f4285df20107e956cad",
        "lastKeyRotationTimestamp": "2019-12-13T20:36:23.7023290Z"
      },
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2020-12-15T00:43:14.1739587Z"
        },
        "blob": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2020-12-15T00:43:14.1739587Z"
        }
      },
      "keySource": "Microsoft.Keyvault"
    },
    "accessTier": "Hot",
    "provisioningState": "Succeeded",
    "creationTime": "2020-12-15T00:43:14.0839093Z",
    "primaryEndpoints": {
      "web": "https://sto4445.web.core.windows.net/",
      "dfs": "https://sto4445.dfs.core.windows.net/",
      "blob": "https://sto4445.blob.core.windows.net/",
      "file": "https://sto4445.file.core.windows.net/",
      "queue": "https://sto4445.queue.core.windows.net/",
      "table": "https://sto4445.table.core.windows.net/"
    },
    "primaryLocation": "eastus",
    "statusOfPrimary": "available"
  }
}

StorageAccountUpdateUserAssignedIdentityWithFederatedIdentityClientId

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res131918/providers/Microsoft.Storage/storageAccounts/sto131918?api-version=2023-05-01

{
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}": {}
    }
  },
  "sku": {
    "name": "Standard_LRS"
  },
  "kind": "Storage",
  "properties": {
    "encryption": {
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault8569.vault.azure.net",
        "keyname": "wrappingKey",
        "keyversion": ""
      },
      "keySource": "Microsoft.Keyvault",
      "identity": {
        "userAssignedIdentity": "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}",
        "federatedIdentityClientId": "3109d1c4-a5de-4d84-8832-feabb916a4b6"
      }
    }
  }
}

Sample response

{
  "identity": {
    "userAssignedIdentities": {
      "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}": {
        "principalId": "8d823284-1060-42a5-9ec4-ed3d831e24d7",
        "clientId": "fbaa6278-1ecc-415c-819f-6e2058d3acb5"
      }
    },
    "type": "UserAssigned"
  },
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "kind": "StorageV2",
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Storage/storageAccounts/sto4445",
  "name": "sto4445",
  "type": "Microsoft.Storage/storageAccounts",
  "location": "eastus",
  "tags": {},
  "properties": {
    "privateEndpointConnections": [],
    "networkAcls": {
      "bypass": "AzureServices",
      "virtualNetworkRules": [],
      "ipRules": [],
      "defaultAction": "Allow"
    },
    "supportsHttpsTrafficOnly": true,
    "encryption": {
      "identity": {
        "userAssignedIdentity": "/subscriptions/{subscription-id}/resourcegroups/res9101/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed-identity-name}",
        "federatedIdentityClientId": "3109d1c4-a5de-4d84-8832-feabb916a4b6"
      },
      "keyvaultproperties": {
        "keyvaulturi": "https://myvault8569.vault.azure.net",
        "keyname": "wrappingKey",
        "keyversion": "",
        "currentVersionedKeyIdentifier": "https://myvault8569.vault.azure.net/keys/wrappingKey/0682afdd9c104f4285df20107e956cad",
        "lastKeyRotationTimestamp": "2019-12-13T20:36:23.7023290Z"
      },
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2020-12-15T00:43:14.1739587Z"
        },
        "blob": {
          "keyType": "Account",
          "enabled": true,
          "lastEnabledTime": "2020-12-15T00:43:14.1739587Z"
        }
      },
      "keySource": "Microsoft.Keyvault"
    },
    "accessTier": "Hot",
    "provisioningState": "Succeeded",
    "creationTime": "2020-12-15T00:43:14.0839093Z",
    "primaryEndpoints": {
      "web": "https://sto4445.web.core.windows.net/",
      "dfs": "https://sto4445.dfs.core.windows.net/",
      "blob": "https://sto4445.blob.core.windows.net/",
      "file": "https://sto4445.file.core.windows.net/",
      "queue": "https://sto4445.queue.core.windows.net/",
      "table": "https://sto4445.table.core.windows.net/"
    },
    "primaryLocation": "eastus",
    "statusOfPrimary": "available"
  }
}

StorageAccountUpdateWithImmutabilityPolicy

Sample request

PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596?api-version=2023-05-01

{
  "properties": {
    "immutableStorageWithVersioning": {
      "immutabilityPolicy": {
        "immutabilityPeriodSinceCreationInDays": 15,
        "allowProtectedAppendWrites": true,
        "state": "Locked"
      },
      "enabled": true
    }
  }
}

Sample response

{
  "id": "/subscriptions/{subscription-id}/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
  "kind": "Storage",
  "location": "eastus2(stage)",
  "name": "sto8596",
  "properties": {
    "immutableStorageWithVersioning": {
      "immutabilityPolicy": {
        "immutabilityPeriodSinceCreationInDays": 15,
        "allowProtectedAppendWrites": true,
        "state": "Locked"
      },
      "enabled": true
    }
  },
  "sku": {
    "name": "Standard_GRS",
    "tier": "Standard"
  },
  "tags": {
    "key1": "value1",
    "key2": "value2"
  },
  "type": "Microsoft.Storage/storageAccounts"
}

Definitions

Name Description
AccessTier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

AccountImmutabilityPolicyProperties

This defines account-level immutability policy properties.

AccountImmutabilityPolicyState

The ImmutabilityPolicy state defines the mode of the policy. The Disabled state disables the policy; the Unlocked state allows increasing and decreasing the immutability retention time and also allows toggling the allowProtectedAppendWrites property; the Locked state only allows increasing the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state, which cannot be reverted.

AccountStatus

Gets the status indicating whether the primary location of the storage account is available or unavailable.

AccountType

Specifies the Active Directory account type for Azure Storage.

Action

The action of virtual network rule.

ActiveDirectoryProperties

Settings properties for Active Directory (AD).

AllowedCopyScope

Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.

AzureFilesIdentityBasedAuthentication

Settings for Azure Files identity based authentication.

BlobRestoreParameters

Blob restore parameters

BlobRestoreProgressStatus

The status of blob restore progress. Possible values are: - InProgress: Indicates that blob restore is ongoing. - Complete: Indicates that blob restore has been completed successfully. - Failed: Indicates that blob restore has failed.

BlobRestoreRange

Blob range

BlobRestoreStatus

Blob restore status.

Bypass

Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging|Metrics|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic.

CustomDomain

The custom domain assigned to this storage account. This can be set via Update.

DefaultAction

Specifies the default action of allow or deny when no other rules match.

DefaultSharePermission

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

DirectoryServiceOptions

Indicates the directory service used. Note that this enum may be extended in the future.

DnsEndpointType

Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription; this creates the accounts in an Azure DNS Zone, and the endpoint URL will have an alphanumeric DNS Zone identifier.

Encryption

The encryption settings on the storage account.

EncryptionIdentity

Encryption identity for the storage account.

EncryptionService

A service that allows server-side encryption to be used.

EncryptionServices

A list of services that support encryption.

Endpoints

The URIs that are used to perform a retrieval of a public blob, queue, table, web or dfs object.

ExpirationAction

The SAS Expiration Action defines the action to be performed when sasPolicy.sasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period.

ExtendedLocation

The complex type of the extended location.

ExtendedLocationTypes

The type of the extended location.

GeoReplicationStats

Statistics related to replication for storage account's Blob, Table, Queue and File services. It is only available when geo-redundant replication is enabled for the storage account.

GeoReplicationStatus

The status of the secondary location. Possible values are: - Live: Indicates that the secondary location is active and operational. - Bootstrap: Indicates initial synchronization from the primary location to the secondary location is in progress. This typically occurs when replication is first enabled. - Unavailable: Indicates that the secondary location is temporarily unavailable.

Identity

Identity for the resource.

IdentityType

The identity type.

ImmutableStorageAccount

This property enables and defines account-level immutability. Enabling the feature auto-enables Blob Versioning.

IPRule

IP rule with specific IP or IP range in CIDR format.

KeyCreationTime

Storage account keys creation time.

KeyPolicy

KeyPolicy assigned to the storage account.

KeySource

The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault

KeyType

Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

KeyVaultProperties

Properties of key vault.

Kind

Indicates the type of storage account.

LargeFileSharesState

Allow large file shares if set to Enabled. It cannot be disabled once it is enabled.

MinimumTlsVersion

Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

NetworkRuleSet

Network rule set

postFailoverRedundancy

The redundancy type of the account after an account failover is performed.

postPlannedFailoverRedundancy

The redundancy type of the account after a planned account failover is performed.

PrivateEndpoint

The Private Endpoint resource.

PrivateEndpointConnection

The Private Endpoint Connection resource.

PrivateEndpointConnectionProvisioningState

The current provisioning state.

PrivateEndpointServiceConnectionStatus

The private endpoint connection status.

PrivateLinkServiceConnectionState

A collection of information about the state of the connection between service consumer and provider.

ProvisioningState

Gets the status of the storage account at the time the operation was called.

PublicNetworkAccess

Allow, disallow, or let Network Security Perimeter configuration to evaluate public network access to Storage Account. Value is optional but if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'.

ResourceAccessRule

Resource Access Rule.

RoutingChoice

Routing Choice defines the kind of network routing opted by the user.

RoutingPreference

Routing preference defines the type of network, either Microsoft or internet routing, to be used to deliver the user data. The default option is Microsoft routing.

SasPolicy

SasPolicy assigned to the storage account.

Sku

The SKU of the storage account.

SkuConversionStatus

This property indicates the current sku conversion status.

SkuName

The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType.

SkuTier

The SKU tier. This is based on the SKU name.

State

Gets the state of virtual network rule.

StorageAccount

The storage account.

StorageAccountInternetEndpoints

The URIs that are used to perform a retrieval of a public blob, file, web or dfs object via an internet routing endpoint.

StorageAccountMicrosoftEndpoints

The URIs that are used to perform a retrieval of a public blob, queue, table, web or dfs object via a Microsoft routing endpoint.

StorageAccountSkuConversionStatus

This defines the sku conversion status object for asynchronous sku conversions.

StorageAccountUpdateParameters

The parameters that can be provided when updating the storage account properties.

UserAssignedIdentity

UserAssignedIdentity for the resource.

VirtualNetworkRule

Virtual Network rule.

AccessTier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

Name Type Description
Cold

string

Cool

string

Hot

string

Premium

string

AccountImmutabilityPolicyProperties

This defines account-level immutability policy properties.

Name Type Description
allowProtectedAppendWrites

boolean

This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

immutabilityPeriodSinceCreationInDays

integer

The immutability period for the blobs in the container since the policy creation, in days.

state

AccountImmutabilityPolicyState

The ImmutabilityPolicy state defines the mode of the policy. The Disabled state disables the policy; the Unlocked state allows increasing and decreasing the immutability retention time and also allows toggling the allowProtectedAppendWrites property; the Locked state only allows increasing the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state, which cannot be reverted.

AccountImmutabilityPolicyState

The ImmutabilityPolicy state defines the mode of the policy. The Disabled state disables the policy; the Unlocked state allows increasing and decreasing the immutability retention time and also allows toggling the allowProtectedAppendWrites property; the Locked state only allows increasing the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state, which cannot be reverted.

Name Type Description
Disabled

string

Locked

string

Unlocked

string
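The state rules above can be checked before a PATCH is sent, which matters because a move to Locked cannot be undone. The following is an added example, not code from this page or from Azure: it models only the rules stated in the AccountImmutabilityPolicyState and allowProtectedAppendWrites descriptions, the function names are hypothetical, and it assumes fields omitted from a PATCH body keep their current values.

```python
VALID_STATES = ("Disabled", "Unlocked", "Locked")

# Request body from the StorageAccountUpdateWithImmutabilityPolicy sample on this page.
SAMPLE_PATCH = {
    "properties": {
        "immutableStorageWithVersioning": {
            "immutabilityPolicy": {
                "immutabilityPeriodSinceCreationInDays": 15,
                "allowProtectedAppendWrites": True,
                "state": "Locked",
            },
            "enabled": True,
        }
    }
}


def account_with_policy(state, days, append_writes):
    """Build a constructed account body holding one account-level policy."""
    policy = {
        "state": state,
        "immutabilityPeriodSinceCreationInDays": days,
        "allowProtectedAppendWrites": append_writes,
    }
    return {"properties": {"immutableStorageWithVersioning": {
        "enabled": True, "immutabilityPolicy": policy}}}


def policy_from_body(body):
    """Return the immutabilityPolicy object of a request/response body, or None."""
    props = (body or {}).get("properties") or {}
    isv = props.get("immutableStorageWithVersioning") or {}
    return isv.get("immutabilityPolicy")


def check_policy_update(current, requested):
    """Return the documented rules a requested policy would break (empty list = permitted)."""
    old_state = current.get("state") if current else None
    new_state = requested.get("state", old_state)  # assumption: omitted means unchanged
    if new_state not in VALID_STATES:
        return [f"unknown state {new_state!r}"]

    if current is None:
        if new_state == "Locked":
            return ["a policy can only be created in the Disabled or Unlocked state"]
        return []

    old_days = current.get("immutabilityPeriodSinceCreationInDays")
    new_days = requested.get("immutabilityPeriodSinceCreationInDays", old_days)
    old_append = current.get("allowProtectedAppendWrites")
    new_append = requested.get("allowProtectedAppendWrites", old_append)

    violations = []
    if old_state == "Locked":
        if new_state != "Locked":
            violations.append("a Locked policy cannot be reverted")
        if old_days is not None and new_days is not None and new_days < old_days:
            violations.append("a Locked policy only allows increasing the retention time")
        if new_append != old_append:
            violations.append("allowProtectedAppendWrites can only change on "
                              "Disabled or Unlocked policies")
    elif new_state == "Locked" and old_state != "Unlocked":
        violations.append("only an Unlocked policy can transition to Locked")
    return violations


def check_patch(current_account, patch_body):
    """Compare a PATCH body against the account's current policy."""
    requested = policy_from_body(patch_body)
    if requested is None:
        return []  # the PATCH does not touch the immutability policy
    return check_policy_update(policy_from_body(current_account), requested)


if __name__ == "__main__":
    for label, acct in [("no policy yet", {}),
                        ("Unlocked", account_with_policy("Unlocked", 15, True)),
                        ("Disabled", account_with_policy("Disabled", 15, True))]:
        print(label, "->", check_patch(acct, SAMPLE_PATCH) or "permitted")
```

Under these rules the page's sample request is only valid against an account whose policy is already Unlocked (or already Locked with the same settings); the service remains the authority on what it accepts.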

AccountStatus

Gets the status indicating whether the primary location of the storage account is available or unavailable.

Name Type Description
available

string

unavailable

string

AccountType

Specifies the Active Directory account type for Azure Storage.

Name Type Description
Computer

string

User

string

Action

The action of virtual network rule.

Name Type Description
Allow

string

ActiveDirectoryProperties

Settings properties for Active Directory (AD).

Name Type Description
accountType

AccountType

Specifies the Active Directory account type for Azure Storage.

azureStorageSid

string

Specifies the security identifier (SID) for Azure Storage.

domainGuid

string

Specifies the domain GUID.

domainName

string

Specifies the primary domain that the AD DNS server is authoritative for.

domainSid

string

Specifies the security identifier (SID).

forestName

string

Specifies the Active Directory forest to get.

netBiosDomainName

string

Specifies the NetBIOS domain name.

samAccountName

string

Specifies the Active Directory SAMAccountName for Azure Storage.

AllowedCopyScope

Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.

Name Type Description
AAD

string

PrivateLink

string

AzureFilesIdentityBasedAuthentication

Settings for Azure Files identity based authentication.

Name Type Description
activeDirectoryProperties

ActiveDirectoryProperties

Required if directoryServiceOptions is AD, optional if it is AADKERB.

defaultSharePermission

DefaultSharePermission

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

directoryServiceOptions

DirectoryServiceOptions

Indicates the directory service used. Note that this enum may be extended in the future.

BlobRestoreParameters

Blob restore parameters

Name Type Description
blobRanges

BlobRestoreRange[]

Blob ranges to restore.

timeToRestore

string

Restore blob to the specified time.

BlobRestoreProgressStatus

The status of blob restore progress. Possible values are: - InProgress: Indicates that blob restore is ongoing. - Complete: Indicates that blob restore has been completed successfully. - Failed: Indicates that blob restore has failed.

Name Type Description
Complete

string

Failed

string

InProgress

string

BlobRestoreRange

Blob range

Name Type Description
endRange

string

Blob end range. This is exclusive. Empty means account end.

startRange

string

Blob start range. This is inclusive. Empty means account start.

BlobRestoreStatus

Blob restore status.

Name Type Description
failureReason

string

Failure reason when blob restore has failed.

parameters

BlobRestoreParameters

Blob restore request parameters.

restoreId

string

Id for tracking blob restore request.

status

BlobRestoreProgressStatus

The status of blob restore progress. Possible values are: - InProgress: Indicates that blob restore is ongoing. - Complete: Indicates that blob restore has been completed successfully. - Failed: Indicates that blob restore has failed.

Bypass

Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging|Metrics|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic.

Name Type Description
AzureServices

string

Logging

string

Metrics

string

None

string

CustomDomain

The custom domain assigned to this storage account. This can be set via Update.

Name Type Description
name

string

Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source.

useSubDomainName

boolean

Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates.

DefaultAction

Specifies the default action of allow or deny when no other rules match.

Name Type Description
Allow

string

Deny

string

DefaultSharePermission

Default share permission for users using Kerberos authentication if RBAC role is not assigned.

Name Type Description
None

string

StorageFileDataSmbShareContributor

string

StorageFileDataSmbShareElevatedContributor

string

StorageFileDataSmbShareReader

string

DirectoryServiceOptions

Indicates the directory service used. Note that this enum may be extended in the future.

Name Type Description
AADDS

string

AADKERB

string

AD

string

None

string

DnsEndpointType

Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription; this creates the accounts in an Azure DNS Zone, and the endpoint URL will have an alphanumeric DNS Zone identifier.

Name Type Description
AzureDnsZone

string

Standard

string

Encryption

The encryption settings on the storage account.

Name Type Default value Description
identity

EncryptionIdentity

The identity to be used with service-side encryption at rest.

keySource

KeySource

Microsoft.Storage

The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault

keyvaultproperties

KeyVaultProperties

Properties provided by key vault.

requireInfrastructureEncryption

boolean

A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

services

EncryptionServices

List of services which support encryption.

EncryptionIdentity

Encryption identity for the storage account.

Name Type Description
federatedIdentityClientId

string

ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.

userAssignedIdentity

string

Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

EncryptionService

A service that allows server-side encryption to be used.

Name Type Description
enabled

boolean

A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled.

keyType

KeyType

Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

lastEnabledTime

string

Gets a rough estimate of the date/time when the encryption was last enabled by the user. Data is encrypted at rest by default today and cannot be disabled.

EncryptionServices

A list of services that support encryption.

Name Type Description
blob

EncryptionService

The encryption function of the blob storage service.

file

EncryptionService

The encryption function of the file storage service.

queue

EncryptionService

The encryption function of the queue storage service.

table

EncryptionService

The encryption function of the table storage service.

Endpoints

The URIs that are used to perform a retrieval of a public blob, queue, table, web or dfs object.

Name Type Description
blob

string

Gets the blob endpoint.

dfs

string

Gets the dfs endpoint.

file

string

Gets the file endpoint.

internetEndpoints

StorageAccountInternetEndpoints

Gets the internet routing storage endpoints

microsoftEndpoints

StorageAccountMicrosoftEndpoints

Gets the microsoft routing storage endpoints.

queue

string

Gets the queue endpoint.

table

string

Gets the table endpoint.

web

string

Gets the web endpoint.

ExpirationAction

The SAS Expiration Action defines the action to be performed when sasPolicy.sasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period.

Name Type Description
Block

string

Log

string

ExtendedLocation

The complex type of the extended location.

Name Type Description
name

string

The name of the extended location.

type

ExtendedLocationTypes

The type of the extended location.

ExtendedLocationTypes

The type of the extended location.

Name Type Description
EdgeZone

string

GeoReplicationStats

Statistics related to replication for storage account's Blob, Table, Queue and File services. It is only available when geo-redundant replication is enabled for the storage account.

Name Type Description
canFailover

boolean

A boolean flag which indicates whether or not account failover is supported for the account.

canPlannedFailover

boolean

A boolean flag which indicates whether or not planned account failover is supported for the account.

lastSyncTime

string

All primary writes preceding this UTC date/time value are guaranteed to be available for read operations. Primary writes following this point in time may or may not be available for reads. The element may hold the default value if the value of LastSyncTime is not available; this can happen if the secondary is offline or in bootstrap.

postFailoverRedundancy

postFailoverRedundancy

The redundancy type of the account after an account failover is performed.

postPlannedFailoverRedundancy

postPlannedFailoverRedundancy

The redundancy type of the account after a planned account failover is performed.

status

GeoReplicationStatus

The status of the secondary location. Possible values are: - Live: Indicates that the secondary location is active and operational. - Bootstrap: Indicates initial synchronization from the primary location to the secondary location is in progress. This typically occurs when replication is first enabled. - Unavailable: Indicates that the secondary location is temporarily unavailable.

GeoReplicationStatus

The status of the secondary location. Possible values are: - Live: Indicates that the secondary location is active and operational. - Bootstrap: Indicates initial synchronization from the primary location to the secondary location is in progress. This typically occurs when replication is first enabled. - Unavailable: Indicates that the secondary location is temporarily unavailable.

Name Type Description
Bootstrap

string

Live

string

Unavailable

string

Identity

Identity for the resource.

Name Type Description
principalId

string

The principal ID of resource identity.

tenantId

string

The tenant ID of resource.

type

IdentityType

The identity type.

userAssignedIdentities

<string,  UserAssignedIdentity>

Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

IdentityType

The identity type.

Name Type Description
None

string

SystemAssigned

string

SystemAssigned,UserAssigned

string

UserAssigned

string

ImmutableStorageAccount

This property enables and defines account-level immutability. Enabling the feature auto-enables Blob Versioning.

Name Type Description
enabled

boolean

A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default.

immutabilityPolicy

AccountImmutabilityPolicyProperties

Specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy.

IPRule

IP rule with specific IP or IP range in CIDR format.

Name Type Default value Description
action

Action

Allow

The action of IP ACL rule.

value

string

Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed.

KeyCreationTime

Storage account keys creation time.

Name Type Description
key1

string

key2

string

KeyPolicy

KeyPolicy assigned to the storage account.

Name Type Description
keyExpirationPeriodInDays

integer

The key expiration period in days.

KeySource

The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault

Name Type Description
Microsoft.Keyvault

string

Microsoft.Storage

string

KeyType

Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

Name Type Description
Account

string

Service

string

KeyVaultProperties

Properties of key vault.

Name Type Description
currentVersionedKeyExpirationTimestamp

string

This is a read only property that represents the expiration time of the current version of the customer managed key used for encryption.

currentVersionedKeyIdentifier

string

The object identifier of the current versioned Key Vault Key in use.

keyname

string

The name of KeyVault key.

keyvaulturi

string

The Uri of KeyVault.

keyversion

string

The version of KeyVault key.

lastKeyRotationTimestamp

string

Timestamp of last rotation of the Key Vault Key.

Kind

Indicates the type of storage account.

Name Type Description
BlobStorage

string

BlockBlobStorage

string

FileStorage

string

Storage

string

StorageV2

string

LargeFileSharesState

Allow large file shares if set to Enabled. It cannot be disabled once it is enabled.

Name Type Description
Disabled

string

Enabled

string

MinimumTlsVersion

Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

Name Type Description
TLS1_0

string

TLS1_1

string

TLS1_2

string

TLS1_3

string

NetworkRuleSet

Network rule set

Name Type Default value Description
bypass

Bypass

AzureServices

Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging|Metrics|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic.

defaultAction

DefaultAction

Allow

Specifies the default action of allow or deny when no other rules match.

ipRules

IPRule[]

Sets the IP ACL rules

resourceAccessRules

ResourceAccessRule[]

Sets the resource access rules

virtualNetworkRules

VirtualNetworkRule[]

Sets the virtual network rules

postFailoverRedundancy

The redundancy type of the account after an account failover is performed.

Name Type Description
Standard_LRS

string

Standard_ZRS

string

postPlannedFailoverRedundancy

The redundancy type of the account after a planned account failover is performed.

Name Type Description
Standard_GRS

string

Standard_GZRS

string

Standard_RAGRS

string

Standard_RAGZRS

string

PrivateEndpoint

The Private Endpoint resource.

Name Type Description
id

string

The ARM identifier for Private Endpoint

PrivateEndpointConnection

The Private Endpoint Connection resource.

Name Type Description
id

string

Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

name

string

The name of the resource

properties.privateEndpoint

PrivateEndpoint

The private endpoint resource.

properties.privateLinkServiceConnectionState

PrivateLinkServiceConnectionState

A collection of information about the state of the connection between service consumer and provider.

properties.provisioningState

PrivateEndpointConnectionProvisioningState

The provisioning state of the private endpoint connection resource.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

PrivateEndpointConnectionProvisioningState

The current provisioning state.

Name Type Description
Creating

string

Deleting

string

Failed

string

Succeeded

string

PrivateEndpointServiceConnectionStatus

The private endpoint connection status.

Name Type Description
Approved

string

Pending

string

Rejected

string

PrivateLinkServiceConnectionState

A collection of information about the state of the connection between service consumer and provider.

Name Type Description
actionRequired

string

A message indicating if changes on the service provider require any updates on the consumer.

description

string

The reason for approval/rejection of the connection.

status

PrivateEndpointServiceConnectionStatus

Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.

ProvisioningState

Gets the status of the storage account at the time the operation was called.

Name Type Description
Creating

string

ResolvingDNS

string

Succeeded

string

PublicNetworkAccess

Allow, disallow, or let Network Security Perimeter configuration to evaluate public network access to Storage Account. Value is optional but if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'.

Name Type Description
Disabled

string

Enabled

string

SecuredByPerimeter

string

ResourceAccessRule

Resource Access Rule.

Name Type Description
resourceId

string

Resource Id

tenantId

string

Tenant Id

RoutingChoice

Routing Choice defines the kind of network routing opted by the user.

Name Type Description
InternetRouting

string

MicrosoftRouting

string

RoutingPreference

Routing preference defines the type of network, either Microsoft or internet routing, to be used to deliver the user data. The default option is Microsoft routing.

Name Type Description
publishInternetEndpoints

boolean

A boolean flag which indicates whether internet routing storage endpoints are to be published

publishMicrosoftEndpoints

boolean

A boolean flag which indicates whether microsoft routing storage endpoints are to be published

routingChoice

RoutingChoice

Routing Choice defines the kind of network routing opted by the user.

SasPolicy

SasPolicy assigned to the storage account.

Name Type Default value Description
expirationAction

ExpirationAction

Log

The SAS Expiration Action defines the action to be performed when sasPolicy.sasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period.

sasExpirationPeriod

string

The SAS expiration period, DD.HH:MM:SS.
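Several properties on this page have permissive effective defaults when they are absent from a response: minimumTlsVersion is interpreted as TLS 1.0, allowSharedKeyAccess null is equivalent to true, networkAcls.defaultAction defaults to Allow, and sasPolicy.expirationAction defaults to Log. The audit below is an added example, not code from this page or from Azure; it applies those documented defaults to a response body, and the thresholds (TLS1_2, 7 days), finding names and sample bodies are assumptions constructed for illustration.

```python
import re

TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]
SAS_PERIOD = re.compile(r"^(\d+)\.(\d{2}):(\d{2}):(\d{2})$")  # documented form DD.HH:MM:SS

# Constructed sample: security-relevant fields in the shape of this page's sample response.
AS_RETURNED = {"properties": {
    "networkAcls": {"bypass": "AzureServices", "virtualNetworkRules": [],
                    "ipRules": [], "defaultAction": "Allow"},
    "supportsHttpsTrafficOnly": True,
    "encryption": {"keySource": "Microsoft.Keyvault"},
}}

# Constructed sample: the same account with the audited settings made explicit.
HARDENED = {"properties": {
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": False,
    "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"},
    "supportsHttpsTrafficOnly": True,
    "sasPolicy": {"sasExpirationPeriod": "1.00:00:00", "expirationAction": "Block"},
}}


def sas_period_seconds(value):
    """Parse 'DD.HH:MM:SS' into seconds; return None if the value does not match."""
    match = SAS_PERIOD.match(value or "")
    if not match:
        return None
    days, hours, minutes, seconds = (int(g) for g in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        return None
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def audit_storage_account(account, min_tls="TLS1_2", max_sas_days=7):
    """Return (id, message) findings, resolving absent fields to their documented defaults."""
    props = account.get("properties") or {}
    findings = []

    tls = props.get("minimumTlsVersion") or "TLS1_0"  # absent is interpreted as TLS 1.0
    if tls not in TLS_ORDER or TLS_ORDER.index(tls) < TLS_ORDER.index(min_tls):
        findings.append(("min-tls", f"effective minimum TLS is {tls}, below {min_tls}"))

    if props.get("allowSharedKeyAccess") is not False:  # null is equivalent to true
        findings.append(("shared-key", "Shared Key authorization is permitted"))

    if props.get("allowBlobPublicAccess") is True:
        findings.append(("blob-public-access", "public blob/container access is allowed"))

    if props.get("supportsHttpsTrafficOnly") is False:
        findings.append(("http-allowed", "non-HTTPS traffic is accepted"))

    acls = props.get("networkAcls") or {}
    if (props.get("publicNetworkAccess") not in ("Disabled", "SecuredByPerimeter")
            and acls.get("defaultAction", "Allow") == "Allow"):
        findings.append(("network-default-allow",
                         "networkAcls.defaultAction is Allow with public access not disabled"))

    sas = props.get("sasPolicy")
    if not sas:
        findings.append(("sas-policy-missing", "no sasPolicy is set"))
    else:
        seconds = sas_period_seconds(sas.get("sasExpirationPeriod"))
        if seconds is None or seconds > max_sas_days * 86400:
            findings.append(("sas-period", "sasExpirationPeriod is malformed or too long"))
        if sas.get("expirationAction", "Log") != "Block":  # default value is Log
            findings.append(("sas-log-only", "SAS policy violations are logged, not blocked"))
    return findings


def finding_ids(account, **kwargs):
    """Convenience wrapper returning only the finding identifiers."""
    return [fid for fid, _ in audit_storage_account(account, **kwargs)]


if __name__ == "__main__":
    for fid, message in audit_storage_account(AS_RETURNED):
        print(f"{fid}: {message}")
```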

Sku

The SKU of the storage account.

Name Type Description
name

SkuName

The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType.

tier

SkuTier

The SKU tier. This is based on the SKU name.

SkuConversionStatus

This property indicates the current sku conversion status.

Name Type Description
Failed

string

InProgress

string

Succeeded

string

SkuName

The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType.

Name Type Description
Premium_LRS

string

Premium_ZRS

string

Standard_GRS

string

Standard_GZRS

string

Standard_LRS

string

Standard_RAGRS

string

Standard_RAGZRS

string

Standard_ZRS

string

SkuTier

The SKU tier. This is based on the SKU name.

Name Type Description
Premium

string

Standard

string

State

Gets the state of virtual network rule.

Name Type Description
Deprovisioning

string

Failed

string

NetworkSourceDeleted

string

Provisioning

string

Succeeded

string

StorageAccount

The storage account.

Name Type Description
extendedLocation

ExtendedLocation

The extendedLocation of the resource.

id

string

Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

identity

Identity

The identity of the resource.

kind

Kind

Gets the Kind.

location

string

The geo-location where the resource lives

name

string

The name of the resource

properties.accessTier

AccessTier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

properties.accountMigrationInProgress

boolean

If a customer-initiated account migration is in progress, the value will be true; otherwise, it will be null.

properties.allowBlobPublicAccess

boolean

Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is false for this property.

properties.allowCrossTenantReplication

boolean

Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. The default interpretation is false for new accounts to follow best security practices by default.

properties.allowSharedKeyAccess

boolean

Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

properties.allowedCopyScope

AllowedCopyScope

Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.

properties.azureFilesIdentityBasedAuthentication

AzureFilesIdentityBasedAuthentication

Provides the identity based authentication settings for Azure Files.

properties.blobRestoreStatus

BlobRestoreStatus

Blob restore status

properties.creationTime

string

Gets the creation date and time of the storage account in UTC.

properties.customDomain

CustomDomain

Gets the custom domain the user assigned to this storage account.

properties.defaultToOAuthAuthentication

boolean

A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property.

properties.dnsEndpointType

DnsEndpointType

Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.

properties.enableExtendedGroups

boolean

Enables extended group support with local users feature, if set to true

properties.encryption

Encryption

Encryption settings to be used for server-side encryption for the storage account.

properties.failoverInProgress

boolean

If the failover is in progress, the value will be true, otherwise, it will be null.

properties.geoReplicationStats

GeoReplicationStats

Geo Replication Stats

properties.immutableStorageWithVersioning

ImmutableStorageAccount

The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.

properties.isHnsEnabled

boolean

Account HierarchicalNamespace is enabled if set to true.

properties.isLocalUserEnabled

boolean

Enables local users feature, if set to true

properties.isNfsV3Enabled

boolean

NFS 3.0 protocol support enabled if set to true.

properties.isSftpEnabled

boolean

Enables Secure File Transfer Protocol, if set to true

properties.isSkuConversionBlocked

boolean

This property will be set to true or false on an event of ongoing migration. Default value is null.

properties.keyCreationTime

KeyCreationTime

Storage account keys creation time.

properties.keyPolicy

KeyPolicy

KeyPolicy assigned to the storage account.

properties.largeFileSharesState

LargeFileSharesState

Allows large file shares if set to Enabled. It cannot be disabled once it is enabled.

properties.lastGeoFailoverTime

string

Gets the timestamp of the most recent instance of a failover to the secondary location. Only the most recent timestamp is retained. This element is not returned if there has never been a failover instance. Only available if the accountType is Standard_GRS or Standard_RAGRS.

properties.minimumTlsVersion

MinimumTlsVersion

Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

properties.networkAcls

NetworkRuleSet

Network rule set

properties.primaryEndpoints

Endpoints

Gets the URLs that are used to perform a retrieval of a public blob, queue, or table object. Note that Standard_ZRS and Premium_LRS accounts only return the blob endpoint.

properties.primaryLocation

string

Gets the location of the primary data center for the storage account.

properties.privateEndpointConnections

PrivateEndpointConnection[]

List of private endpoint connections associated with the specified storage account.

properties.provisioningState

ProvisioningState

Gets the status of the storage account at the time the operation was called.

properties.publicNetworkAccess

PublicNetworkAccess

Allow, disallow, or let the Network Security Perimeter configuration evaluate public network access to the storage account.

properties.routingPreference

RoutingPreference

Maintains information about the network routing choice opted by the user for data transfer

properties.sasPolicy

SasPolicy

SasPolicy assigned to the storage account.

properties.secondaryEndpoints

Endpoints

Gets the URLs that are used to perform a retrieval of a public blob, queue, or table object from the secondary location of the storage account. Only available if the SKU name is Standard_RAGRS.

properties.secondaryLocation

string

Gets the location of the geo-replicated secondary for the storage account. Only available if the accountType is Standard_GRS or Standard_RAGRS.

properties.statusOfPrimary

AccountStatus

Gets the status indicating whether the primary location of the storage account is available or unavailable.

properties.statusOfSecondary

AccountStatus

Gets the status indicating whether the secondary location of the storage account is available or unavailable. Only available if the SKU name is Standard_GRS or Standard_RAGRS.

properties.storageAccountSkuConversionStatus

StorageAccountSkuConversionStatus

This property is readOnly and is set by server during asynchronous storage account sku conversion operations.

properties.supportsHttpsTrafficOnly

boolean

Allows only HTTPS traffic to the storage service if set to true.

sku

Sku

Gets the SKU.

tags

object

Resource tags.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
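Several StorageAccount properties above carry a documented meaning when they are null or absent, so a response that simply omits them can still describe a permissive account. The following is an added example, not part of the reference page or of any Microsoft SDK: it resolves those documented defaults and reports what the account effectively allows. The finding codes, function names and the two sample accounts are constructed for illustration.

```python
# Added example (not from the reference page): audit a StorageAccount object
# using the defaults the property descriptions document for null values.

DOCUMENTED_DEFAULTS = {
    "allowSharedKeyAccess": True,     # "null, which is equivalent to true"
    "allowBlobPublicAccess": False,   # "default interpretation is false"
    "minimumTlsVersion": "TLS1_0",    # "default interpretation is TLS 1.0"
}


def effective(props, name):
    """Value the service acts on when the JSON carries null or omits the key."""
    value = props.get(name)
    return DOCUMENTED_DEFAULTS.get(name) if value is None else value


def audit(account):
    """Return short finding codes for one StorageAccount response object."""
    props = account.get("properties") or {}
    findings = []
    if effective(props, "allowSharedKeyAccess"):
        findings.append("shared-key-allowed")
    if effective(props, "allowBlobPublicAccess"):
        findings.append("public-blob-access")
    if effective(props, "minimumTlsVersion") in ("TLS1_0", "TLS1_1"):
        findings.append("tls-below-1.2")
    if props.get("supportsHttpsTrafficOnly") is False:
        findings.append("http-allowed")
    sas = props.get("sasPolicy")
    if sas is None:
        findings.append("no-sas-policy")
    elif (sas.get("expirationAction") or "Log") == "Log":
        # 'Log' is the documented default action: violations are only audited.
        findings.append("sas-policy-log-only")
    return findings


# Constructed sample responses, trimmed to the fields the audit reads.
SPARSE = {"name": "examplesparse", "properties": {
    "supportsHttpsTrafficOnly": True,
    "sasPolicy": {"sasExpirationPeriod": "1.00:00:00"}}}
HARDENED = {"name": "examplehardened", "properties": {
    "allowSharedKeyAccess": False, "allowBlobPublicAccess": False,
    "minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True,
    "sasPolicy": {"sasExpirationPeriod": "1.00:00:00",
                  "expirationAction": "Block"}}}

if __name__ == "__main__":
    for acct in (SPARSE, HARDENED):
        print(acct["name"], audit(acct))
```

The sparse account sets nothing insecure explicitly, yet the audit still reports shared-key authorization, a TLS 1.0 floor and a log-only SAS policy, because those are the documented interpretations of the missing values.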

StorageAccountInternetEndpoints

The URIs that are used to perform a retrieval of a public blob, file, web or dfs object via an internet routing endpoint.

Name Type Description
blob

string

Gets the blob endpoint.

dfs

string

Gets the dfs endpoint.

file

string

Gets the file endpoint.

web

string

Gets the web endpoint.

StorageAccountMicrosoftEndpoints

The URIs that are used to perform a retrieval of a public blob, queue, table, web or dfs object via a Microsoft routing endpoint.

Name Type Description
blob

string

Gets the blob endpoint.

dfs

string

Gets the dfs endpoint.

file

string

Gets the file endpoint.

queue

string

Gets the queue endpoint.

table

string

Gets the table endpoint.

web

string

Gets the web endpoint.

StorageAccountSkuConversionStatus

This defines the sku conversion status object for asynchronous sku conversions.

Name Type Description
endTime

string

This property represents the sku conversion end time.

skuConversionStatus

SkuConversionStatus

This property indicates the current sku conversion status.

startTime

string

This property represents the sku conversion start time.

targetSkuName

SkuName

This property represents the target sku name to which the account sku is being converted asynchronously.

StorageAccountUpdateParameters

The parameters that can be provided when updating the storage account properties.

Name Type Description
identity

Identity

The identity of the resource.

kind

Kind

Optional. Indicates the type of storage account. Currently only StorageV2 value supported by server.

properties.accessTier

AccessTier

Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The 'Premium' access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.

properties.allowBlobPublicAccess

boolean

Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is false for this property.

properties.allowCrossTenantReplication

boolean

Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. The default interpretation is false for new accounts to follow best security practices by default.

properties.allowSharedKeyAccess

boolean

Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

properties.allowedCopyScope

AllowedCopyScope

Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.

properties.azureFilesIdentityBasedAuthentication

AzureFilesIdentityBasedAuthentication

Provides the identity based authentication settings for Azure Files.

properties.customDomain

CustomDomain

Custom domain assigned to the storage account by the user. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property.

properties.defaultToOAuthAuthentication

boolean

A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property.

properties.dnsEndpointType

DnsEndpointType

Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.

properties.enableExtendedGroups

boolean

Enables extended group support with local users feature, if set to true

properties.encryption

Encryption

Not applicable. Azure Storage encryption at rest is enabled by default for all storage accounts and cannot be disabled.

properties.immutableStorageWithVersioning

ImmutableStorageAccount

The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.

properties.isLocalUserEnabled

boolean

Enables local users feature, if set to true

properties.isSftpEnabled

boolean

Enables Secure File Transfer Protocol, if set to true

properties.keyPolicy

KeyPolicy

KeyPolicy assigned to the storage account.

properties.largeFileSharesState

LargeFileSharesState

Allows large file shares if set to Enabled. It cannot be disabled once it is enabled.

properties.minimumTlsVersion

MinimumTlsVersion

Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

properties.networkAcls

NetworkRuleSet

Network rule set

properties.publicNetworkAccess

PublicNetworkAccess

Allow, disallow, or let the Network Security Perimeter configuration evaluate public network access to the storage account. Value is optional but if passed in, must be 'Enabled', 'Disabled' or 'SecuredByPerimeter'.

properties.routingPreference

RoutingPreference

Maintains information about the network routing choice opted by the user for data transfer

properties.sasPolicy

SasPolicy

SasPolicy assigned to the storage account.

properties.supportsHttpsTrafficOnly

boolean

Allows only HTTPS traffic to the storage service if set to true.

sku

Sku

Gets or sets the SKU name. Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value.

tags

object

Gets or sets a list of key value pairs that describe the resource. These tags can be used in viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key no greater in length than 128 characters and a value no greater in length than 256 characters.
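The StorageAccountUpdateParameters table states several hard limits (tag counts and lengths, SKU names that cannot be changed, the allowed publicNetworkAccess values, the DD.HH:MM:SS period format). The following added example, which is not code from the reference page or an Azure SDK, checks a PATCH body against those limits before it is sent; the function names and the sample body are constructed, and the range checks on hours, minutes and seconds are an assumption about the DD.HH:MM:SS format.

```python
import re

# Added example (not from the reference page): pre-flight checks for a
# StorageAccountUpdateParameters body, using only limits stated on the page.
LOCKED_SKUS = {"Standard_ZRS", "Premium_LRS", "Premium_ZRS"}
PUBLIC_NETWORK_ACCESS = {"Enabled", "Disabled", "SecuredByPerimeter"}
# DD.HH:MM:SS; accepting any number of day digits is an assumption.
SAS_PERIOD = re.compile(r"([0-9]+)\.([0-9]{2}):([0-9]{2}):([0-9]{2})")


def sas_period_seconds(text):
    """Parse DD.HH:MM:SS into seconds, or return None if malformed."""
    m = SAS_PERIOD.fullmatch(str(text or ""))
    if not m:
        return None
    d, h, mi, s = map(int, m.groups())
    if h > 23 or mi > 59 or s > 59:   # assumed field ranges
        return None
    return ((d * 24 + h) * 60 + mi) * 60 + s


def validate_update(body, current_sku):
    """Return a list of problems; an empty list means the body passes."""
    errors = []
    props = body.get("properties") or {}
    tags = body.get("tags") or {}
    if len(tags) > 15:
        errors.append("tags: more than 15 tags")
    for key, value in tags.items():
        if len(key) > 128 or len(str(value)) > 256:
            errors.append(f"tags: {key[:20]!r} exceeds key/value length limit")
    target = (body.get("sku") or {}).get("name")
    if target and target != current_sku and (
            target in LOCKED_SKUS or current_sku in LOCKED_SKUS):
        errors.append(f"sku: {current_sku} -> {target} is not an allowed update")
    pna = props.get("publicNetworkAccess")
    if pna is not None and pna not in PUBLIC_NETWORK_ACCESS:
        errors.append("publicNetworkAccess: must be Enabled, Disabled or SecuredByPerimeter")
    sas = props.get("sasPolicy")
    if sas is not None and sas_period_seconds(sas.get("sasExpirationPeriod")) is None:
        errors.append("sasPolicy: sasExpirationPeriod is not DD.HH:MM:SS")
    return errors


# Constructed sample body with three mistakes: locked SKU, wrong case, no days.
BAD_BODY = {"sku": {"name": "Premium_LRS"}, "properties": {
    "publicNetworkAccess": "disabled",
    "sasPolicy": {"sasExpirationPeriod": "24:00:00", "expirationAction": "Block"}}}
```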

UserAssignedIdentity

UserAssignedIdentity for the resource.

Name Type Description
clientId

string

The client ID of the identity.

principalId

string

The principal ID of the identity.

VirtualNetworkRule

Virtual Network rule.

Name Type Default value Description
action

Action

Allow

The action of the virtual network rule.

id

string

Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.

state

State

Gets the state of the virtual network rule.