az storage account
Note
This command group has commands that are defined in both Azure CLI and at least one extension. Install each extension to benefit from its extended capabilities. Learn more about extensions.
Manage storage accounts.
Commands
Name | Description | Type | Status |
---|---|---|---|
az storage account blob-inventory-policy |
Manage storage account Blob Inventory Policy. |
Core | Preview |
az storage account blob-inventory-policy create |
Create Blob Inventory Policy for storage account. |
Core | Preview |
az storage account blob-inventory-policy delete |
Delete Blob Inventory Policy associated with the specified storage account. |
Core | Preview |
az storage account blob-inventory-policy show |
Show Blob Inventory Policy properties associated with the specified storage account. |
Core | Preview |
az storage account blob-inventory-policy update |
Update Blob Inventory Policy associated with the specified storage account. |
Core | Preview |
az storage account blob-service-properties |
Manage the properties of a storage account's blob service. |
Core | GA |
az storage account blob-service-properties cors-rule |
Manage the Cross-Origin Resource Sharing (CORS) rules of a storage account's blob service properties. |
Core | GA |
az storage account blob-service-properties cors-rule add |
Add a CORS rule for a storage account. |
Core | GA |
az storage account blob-service-properties cors-rule clear |
Clear all CORS rules for a storage account. |
Core | GA |
az storage account blob-service-properties cors-rule list |
List all CORS rules of a storage account's blob service properties. |
Core | GA |
az storage account blob-service-properties show |
Show the properties of a storage account's blob service. |
Core | GA |
az storage account blob-service-properties update |
Update the properties of a storage account's blob service. |
Core | GA |
az storage account check-name |
Check that the storage account name is valid and is not already in use. |
Core | GA |
az storage account create |
Create a storage account. |
Core | GA |
az storage account create (storage-preview extension) |
Create a storage account. |
Extension | GA |
az storage account delete |
Delete a storage account. |
Core | GA |
az storage account encryption-scope |
Manage encryption scope for a storage account. |
Core | GA |
az storage account encryption-scope create |
Create an encryption scope within storage account. |
Core | GA |
az storage account encryption-scope list |
List encryption scopes within storage account. |
Core | GA |
az storage account encryption-scope show |
Show properties for specified encryption scope within storage account. |
Core | GA |
az storage account encryption-scope update |
Update properties for specified encryption scope within storage account. |
Core | GA |
az storage account failover |
Failover request can be triggered for a storage account in case of availability issues. |
Core | Preview |
az storage account file-service-properties |
Manage the properties of file service in storage account. |
Core | GA |
az storage account file-service-properties show |
Show the properties of file service in storage account. |
Core | GA |
az storage account file-service-properties update |
Update the properties of file service in storage account. |
Core | GA |
az storage account generate-sas |
Generate a shared access signature for the storage account. |
Core | GA |
az storage account hns-migration |
Manage storage account migration to enable hierarchical namespace. |
Core | GA |
az storage account hns-migration start |
Validate/Begin migrating a storage account to enable hierarchical namespace. |
Core | GA |
az storage account hns-migration stop |
Stop the enabling hierarchical namespace migration of a storage account. |
Core | GA |
az storage account keys |
Manage storage account keys. |
Core | GA |
az storage account keys list |
List the access keys or Kerberos keys (if active directory enabled) for a storage account. |
Core | GA |
az storage account keys renew |
Regenerate one of the access keys or Kerberos keys (if active directory enabled) for a storage account. |
Core | GA |
az storage account list |
List storage accounts. |
Core | GA |
az storage account local-user |
Manage storage account local users. |
Core and Extension | GA |
az storage account local-user create |
Create a local user for a given storage account. |
Core | GA |
az storage account local-user create (storage-preview extension) |
Create a local user for a given storage account. |
Extension | GA |
az storage account local-user delete |
Delete a local user. |
Core | GA |
az storage account local-user delete (storage-preview extension) |
Delete a local user. |
Extension | GA |
az storage account local-user list |
List local users for a storage account. |
Core | GA |
az storage account local-user list (storage-preview extension) |
List local users for a storage account. |
Extension | GA |
az storage account local-user list-keys |
List sharedkeys and sshAuthorizedKeys for a local user. |
Core | GA |
az storage account local-user list-keys (storage-preview extension) |
List sharedkeys and sshAuthorizedKeys for a local user. |
Extension | GA |
az storage account local-user regenerate-password |
Regenerate sshPassword for a local user. |
Core | GA |
az storage account local-user regenerate-password (storage-preview extension) |
Regenerate sshPassword for a local user. |
Extension | GA |
az storage account local-user show |
Show info for a local user. |
Core | GA |
az storage account local-user show (storage-preview extension) |
Show info for a local user. |
Extension | GA |
az storage account local-user update |
Update properties for a local user. |
Core | GA |
az storage account local-user update (storage-preview extension) |
Update properties for a local user. |
Extension | GA |
az storage account management-policy |
Manage storage account management policies. |
Core | GA |
az storage account management-policy create |
Create the data policy rules associated with the specified storage account. |
Core | GA |
az storage account management-policy delete |
Delete the data policy rules associated with the specified storage account. |
Core | GA |
az storage account management-policy show |
Get the data policy rules associated with the specified storage account. |
Core | GA |
az storage account management-policy update |
Update the data policy rules associated with the specified storage account. |
Core | GA |
az storage account migration |
Manage Storage Account Migration. |
Core and Extension | GA |
az storage account migration show |
Get the status of the ongoing migration for the specified storage account. |
Core | GA |
az storage account migration show (storage-preview extension) |
Get the status of the ongoing migration for the specified storage account. |
Extension | GA |
az storage account migration start |
Account Migration request can be triggered for a storage account to change its redundancy level. The migration updates the non-zonal redundant storage account to a zonal redundant account or vice-versa in order to have better reliability and availability. Zone-redundant storage (ZRS) replicates your storage account synchronously across three Azure availability zones in the primary region. |
Core | GA |
az storage account migration start (storage-preview extension) |
Account Migration request can be triggered for a storage account to change its redundancy level. The migration updates the non-zonal redundant storage account to a zonal redundant account or vice-versa in order to have better reliability and availability. Zone-redundant storage (ZRS) replicates your storage account synchronously across three Azure availability zones in the primary region. |
Extension | GA |
az storage account network-rule |
Manage network rules. |
Core | GA |
az storage account network-rule add |
Add a network rule. |
Core | GA |
az storage account network-rule list |
List network rules. |
Core | GA |
az storage account network-rule remove |
Remove a network rule. |
Core | GA |
az storage account or-policy |
Manage storage account Object Replication Policy. |
Core | Preview |
az storage account or-policy create |
Create Object Replication Service Policy for storage account. |
Core | Preview |
az storage account or-policy delete |
Delete specified Object Replication Service Policy associated with the specified storage account. |
Core | Preview |
az storage account or-policy list |
List Object Replication Service Policies associated with the specified storage account. |
Core | Preview |
az storage account or-policy rule |
Manage Object Replication Service Policy Rules. |
Core | Preview |
az storage account or-policy rule add |
Add rule to the specified Object Replication Service Policy. |
Core | Preview |
az storage account or-policy rule list |
List all the rules in the specified Object Replication Service Policy. |
Core | Preview |
az storage account or-policy rule remove |
Remove the specified rule from the specified Object Replication Service Policy. |
Core | Preview |
az storage account or-policy rule show |
Show the properties of specified rule in Object Replication Service Policy. |
Core | Preview |
az storage account or-policy rule update |
Update rule properties to Object Replication Service Policy. |
Core | Preview |
az storage account or-policy show |
Show the properties of specified Object Replication Service Policy for storage account. |
Core | Preview |
az storage account or-policy update |
Update Object Replication Service Policy properties for storage account. |
Core | Preview |
az storage account private-endpoint-connection |
Manage storage account private endpoint connection. |
Core | Preview |
az storage account private-endpoint-connection approve |
Approve a private endpoint connection request for storage account. |
Core | Preview |
az storage account private-endpoint-connection delete |
Delete a private endpoint connection request for storage account. |
Core | Preview |
az storage account private-endpoint-connection reject |
Reject a private endpoint connection request for storage account. |
Core | Preview |
az storage account private-endpoint-connection show |
Show details of a private endpoint connection request for storage account. |
Core | Preview |
az storage account private-link-resource |
Manage storage account private link resources. |
Core | GA |
az storage account private-link-resource list |
Get the private link resources that need to be created for a storage account. |
Core | Preview |
az storage account revoke-delegation-keys |
Revoke all user delegation keys for a storage account. |
Core | GA |
az storage account show |
Show storage account properties. |
Core | GA |
az storage account show-connection-string |
Get the connection string for a storage account. |
Core | GA |
az storage account show-usage |
Show the current count and limit of the storage accounts under the subscription. |
Core | GA |
az storage account task-assignment |
Manage storage account task assignment. |
Extension | GA |
az storage account task-assignment create |
Create creates a new storage task assignment sub-resource with the specified parameters. If a storage task assignment is already created and a subsequent create request is issued with different properties, the storage task assignment properties will be updated. If a storage task assignment is already created and a subsequent create or update request is issued with the exact same set of properties, the request will succeed. |
Extension | Preview |
az storage account task-assignment delete |
Delete the storage task assignment sub-resource. |
Extension | Preview |
az storage account task-assignment list |
List all the storage task assignments in an account. |
Extension | Preview |
az storage account task-assignment list-report |
List the report summary of a single storage task assignment's instances. |
Extension | Preview |
az storage account task-assignment show |
Get the storage task assignment properties. |
Extension | Preview |
az storage account task-assignment update |
Update creates a new storage task assignment sub-resource with the specified parameters. If a storage task assignment is already created and a subsequent create request is issued with different properties, the storage task assignment properties will be updated. If a storage task assignment is already created and a subsequent create or update request is issued with the exact same set of properties, the request will succeed. |
Extension | Preview |
az storage account task-assignment wait |
Place the CLI in a waiting state until a condition is met. |
Extension | GA |
az storage account update |
Update the properties of a storage account. |
Core | GA |
az storage account update (storage-preview extension) |
Update the properties of a storage account. |
Extension | GA |
az storage account check-name
Check that the storage account name is valid and is not already in use.
az storage account check-name --name
Required Parameters
The name of the storage account within the specified resource group.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account create
Create a storage account.
The SKU of the storage account defaults to 'Standard_RAGRS'.
az storage account create --name
--resource-group
[--access-tier {Cold, Cool, Hot, Premium}]
[--account-type]
[--action]
[--allow-append {false, true}]
[--allow-blob-public-access {false, true}]
[--allow-cross-tenant-replication {false, true}]
[--allow-shared-key-access {false, true}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
[--dns-endpoint-type {AzureDnsZone, Standard}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--edge-zone]
[--enable-alw {false, true}]
[--enable-files-aadds {false, true}]
[--enable-files-aadkerb {false, true}]
[--enable-files-adds {false, true}]
[--enable-hierarchical-namespace {false, true}]
[--enable-large-file-share]
[--enable-local-user {false, true}]
[--enable-nfs-v3 {false, true}]
[--enable-sftp {false, true}]
[--encryption-key-name]
[--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
[--encryption-key-type-for-queue {Account, Service}]
[--encryption-key-type-for-table {Account, Service}]
[--encryption-key-vault]
[--encryption-key-version]
[--encryption-services {blob, file, queue, table}]
[--forest-name]
[--https-only {false, true}]
[--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
[--immutability-period]
[--immutability-state {Disabled, Locked, Unlocked}]
[--key-exp-days]
[--key-vault-federated-client-id]
[--key-vault-user-identity-id]
[--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
[--location]
[--min-tls-version {TLS1_0, TLS1_1, TLS1_2, TLS1_3}]
[--net-bios-domain-name]
[--public-network-access {Disabled, Enabled, SecuredByPerimeter}]
[--publish-internet-endpoints {false, true}]
[--publish-microsoft-endpoints {false, true}]
[--require-infrastructure-encryption {false, true}]
[--routing-choice {InternetRouting, MicrosoftRouting}]
[--sam-account-name]
[--sas-exp]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subnet]
[--tags]
[--user-identity-id]
[--vnet-name]
Examples
Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.
az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS
Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the eastus2euap region with account-scoped encryption key enabled for Table Service.
az storage account create -n mystorageaccount -g MyResourceGroup --kind StorageV2 -l eastus2euap -t Account
Required Parameters
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.
Specify the Active Directory account type for Azure Storage.
The action of virtual network rule. Possible value is Allow.
This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
Allow or disallow public access to all blobs or containers in the storage account. If not specified, the default value is false for new accounts to follow best security practices. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.
Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. If not specified, the default value is false for new accounts to follow best security practices.
Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.
Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.
Bypass traffic for space-separated uses.
User domain assigned to the storage account. Name is the CNAME source.
Default action to apply when no rule matches.
Default share permission for users using Kerberos authentication if RBAC role is not assigned.
Allow you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.
Specify the domain GUID. Required when --enable-files-adds is set to True.
Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.
Specify the security identifier (SID). Required when --enable-files-adds is set to True.
The name of edge zone.
The account level immutability property. The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.
Enable Azure Active Directory Domain Services authentication for Azure Files.
Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.
Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.
Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.
Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.
Enable local user features.
NFS 3.0 protocol support enabled if sets to true.
Enable Secure File Transfer Protocol.
The name of the KeyVault key.
The default encryption key source.
Set the encryption key type for Queue service. "Account": Queue will be encrypted with account-scoped encryption key. "Service": Queue will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".
Set the encryption key type for Table service. "Account": Table will be encrypted with account-scoped encryption key. "Service": Table will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".
The Uri of the KeyVault.
The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.
Specifies which service(s) to encrypt.
Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.
Allow https traffic only to storage service if set to true. The default value is true.
The identity type.
The immutability period for the blobs in the container since the policy creation, in days.
Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
Expiration period in days of the Key Policy assigned to the storage account.
ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.
Indicate the type of storage account.
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
The minimum TLS version to be permitted on requests to storage. While the default setting is TLS 1.0 for this property, Microsoft recommends setting MinimumTlsVersion to 1.2 or above.
Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.
Enable or disable public network access to the storage account. Possible values include: Enabled
or Disabled
.
A boolean flag which indicates whether internet routing storage endpoints are to be published.
A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.
Routing Choice defines the kind of network routing opted by the user.
Specify the Active Directory SAMAccountName for Azure Storage.
Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.
The storage account SKU.
Name or ID of subnet. If name is supplied, --vnet-name
must be supplied.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
Name of a virtual network.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account create (storage-preview extension)
Create a storage account.
The SKU of the storage account defaults to 'Standard_RAGRS'.
az storage account create --name
--resource-group
[--access-tier {Cold, Cool, Hot, Premium}]
[--account-type]
[--action]
[--allow-append {false, true}]
[--allow-blob-public-access {false, true}]
[--allow-cross-tenant-replication {false, true}]
[--allow-shared-key-access {false, true}]
[--allowed-copy-scope {AAD, PrivateLink}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
[--dns-endpoint-type {AzureDnsZone, Standard}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--edge-zone]
[--enable-alw {false, true}]
[--enable-extended-groups {false, true}]
[--enable-files-aadds {false, true}]
[--enable-files-aadkerb {false, true}]
[--enable-files-adds {false, true}]
[--enable-hierarchical-namespace {false, true}]
[--enable-large-file-share]
[--enable-local-user {false, true}]
[--enable-nfs-v3 {false, true}]
[--enable-sftp {false, true}]
[--encryption-key-name]
[--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
[--encryption-key-type-for-queue {Account, Service}]
[--encryption-key-type-for-table {Account, Service}]
[--encryption-key-vault]
[--encryption-key-version]
[--encryption-services {blob, file, queue, table}]
[--forest-name]
[--https-only {false, true}]
[--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
[--immutability-period]
[--immutability-state {Disabled, Locked, Unlocked}]
[--key-exp-days]
[--key-vault-federated-client-id]
[--key-vault-user-identity-id]
[--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
[--location]
[--min-tls-version {TLS1_0, TLS1_1, TLS1_2, TLS1_3}]
[--net-bios-domain-name]
[--public-network-access {Disabled, Enabled, SecuredByPerimeter}]
[--publish-internet-endpoints {false, true}]
[--publish-microsoft-endpoints {false, true}]
[--require-infrastructure-encryption {false, true}]
[--routing-choice {InternetRouting, MicrosoftRouting}]
[--sam-account-name]
[--sas-exp]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subnet]
[--tags]
[--user-identity-id]
[--vnet-name]
Examples
Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.
az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS
Required Parameters
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.
Specify the Active Directory account type for Azure Storage.
The action of virtual network rule. Possible value is Allow.
This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.
Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.
Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.
Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.
Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.
Bypass traffic for space-separated uses.
User domain assigned to the storage account. Name is the CNAME source.
Default action to apply when no rule matches.
Default share permission for users using Kerberos authentication if RBAC role is not assigned.
Allow you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.
Specify the domain GUID. Required when --enable-files-adds is set to True.
Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.
Specify the security identifier (SID). Required when --enable-files-adds is set to True.
The name of edge zone.
The account level immutability property. The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the containers in the account by default.
Enable extended group support with local users feature, if set to true.
Enable Azure Active Directory Domain Services authentication for Azure Files.
Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.
Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.
Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.
Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.
Enable local user features.
NFS 3.0 protocol support enabled if sets to true.
Enable Secure File Transfer Protocol.
The name of the KeyVault key.
The default encryption key source.
Set the encryption key type for Queue service. "Account": Queue will be encrypted with account-scoped encryption key. "Service": Queue will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".
Set the encryption key type for Table service. "Account": Table will be encrypted with account-scoped encryption key. "Service": Table will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".
The Uri of the KeyVault.
The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.
Specifies which service(s) to encrypt.
Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.
Allow https traffic only to storage service if set to true. The default value is true.
The identity type.
The immutability period for the blobs in the container since the policy creation, in days.
Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
Expiration period in days of the Key Policy assigned to the storage account.
ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.
Indicate the type of storage account.
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.
Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.
Enable or disable public network access to the storage account. Possible values include: Enabled
or Disabled
.
A boolean flag which indicates whether internet routing storage endpoints are to be published.
A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.
Routing Choice defines the kind of network routing opted by the user.
Specify the Active Directory SAMAccountName for Azure Storage.
Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.
The storage account SKU.
Name or ID of subnet. If name is supplied, --vnet-name
must be supplied.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
Name of a virtual network.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account delete
Delete a storage account.
az storage account delete [--ids]
[--name]
[--resource-group]
[--subscription]
[--yes]
Examples
Delete a storage account using a resource ID.
az storage account delete --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}
Delete a storage account using an account name and resource group.
az storage account delete -n MyStorageAccount -g MyResourceGroup
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account failover
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Failover request can be triggered for a storage account in case of availability issues.
The failover occurs from the storage account's primary cluster to secondary cluster for (RA-)GRS/GZRS accounts. The secondary cluster will become primary after failover. For more information, please refer to https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance.
az storage account failover [--failover-type]
[--ids]
[--name]
[--no-wait]
[--resource-group]
[--subscription]
[--yes]
Examples
Failover a storage account.
az storage account failover -n mystorageaccount -g MyResourceGroup
Failover a storage account without waiting for complete.
az storage account failover -n mystorageaccount -g MyResourceGroup --no-wait
az storage account show -n mystorageaccount --expand geoReplicationStats
Optional Parameters
The parameter is set to 'Planned' to indicate whether a Planned failover is requested.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Do not wait for the long-running operation to finish.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account generate-sas
Generate a shared access signature for the storage account.
az storage account generate-sas --expiry
--permissions
--resource-types
--services
[--account-key]
[--account-name]
[--blob-endpoint]
[--connection-string]
[--encryption-scope]
[--https-only]
[--ids]
[--ip]
[--start]
[--subscription]
Examples
Generate a sas token for the account that is valid for queue and table services on Linux.
end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv
Generate a sas token for the account that is valid for queue and table services on MacOS.
end=`date -v+30M '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv
Generate a shared access signature for the account (autogenerated)
az storage account generate-sas --account-key 00000000 --account-name MyStorageAccount --expiry 2020-01-01 --https-only --permissions acuw --resource-types co --services bfqt
Required Parameters
Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid.
The permissions the SAS grants. Allowed values: (a)dd (c)reate (d)elete (f)ilter_by_tags (i)set_immutability_policy (l)ist (p)rocess (r)ead (t)ag (u)pdate (w)rite (x)delete_previous_version (y)permanent_delete. Can be combined.
The resource types the SAS is applicable for. Allowed values: (s)ervice (c)ontainer (o)bject. Can be combined.
The storage services the SAS is applicable for. Allowed values: (b)lob (f)ile (q)ueue (t)able. Can be combined.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Must be used in conjunction with either storage account key or a SAS token. Environment Variable: AZURE_STORAGE_ACCOUNT.
Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show
. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
A predefined encryption scope used to encrypt the data on the service.
Only permit requests made with the HTTPS protocol. If omitted, requests from both the HTTP and HTTPS protocol are permitted.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Specifies the IP address or range of IP addresses from which to accept requests. Supports only IPv4 style addresses.
Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes valid. Defaults to the time of the request.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account list
List storage accounts.
az storage account list [--resource-group]
Examples
List all storage accounts in a subscription.
az storage account list
List all storage accounts in a resource group.
az storage account list -g MyResourceGroup
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account revoke-delegation-keys
Revoke all user delegation keys for a storage account.
az storage account revoke-delegation-keys [--ids]
[--name]
[--resource-group]
[--subscription]
Examples
Revoke all user delegation keys for a storage account by resource ID.
az storage account revoke-delegation-keys --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}
Revoke all user delegation keys for a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.
az storage account revoke-delegation-keys -n mystorageaccount -g MyResourceGroup
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account show
Show storage account properties.
az storage account show [--expand]
[--ids]
[--name]
[--resource-group]
[--subscription]
Examples
Show properties for a storage account by resource ID.
az storage account show --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}
Show properties for a storage account using an account name and resource group.
az storage account show -g MyResourceGroup -n MyStorageAccount
Optional Parameters
May be used to expand the properties within account's properties. By default, data is not included when fetching properties. Currently we only support geoReplicationStats and blobRestoreStatus. Known values are: "geoReplicationStats" and "blobRestoreStatus". Default value is None.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account show-connection-string
Get the connection string for a storage account.
az storage account show-connection-string [--blob-endpoint]
[--file-endpoint]
[--ids]
[--key {key1, key2, primary, secondary}]
[--name]
[--protocol {http, https}]
[--queue-endpoint]
[--resource-group]
[--sas-token]
[--subscription]
[--table-endpoint]
Examples
Get a connection string for a storage account.
az storage account show-connection-string -g MyResourceGroup -n MyStorageAccount
Get the connection string for a storage account. (autogenerated)
az storage account show-connection-string --name MyStorageAccount --resource-group MyResourceGroup --subscription MySubscription
Optional Parameters
Custom endpoint for blobs.
Custom endpoint for files.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The key to use.
The storage account name.
The default endpoint protocol.
Custom endpoint for queues.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
The SAS token to be used in the connection-string.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Custom endpoint for tables.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account show-usage
Show the current count and limit of the storage accounts under the subscription.
az storage account show-usage --location
Examples
Show the current count and limit of the storage accounts under the subscription. (autogenerated)
az storage account show-usage --location westus2
Required Parameters
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account update
Update the properties of a storage account.
az storage account update [--access-tier {Cold, Cool, Hot, Premium}]
[--account-type]
[--add]
[--allow-append {false, true}]
[--allow-blob-public-access {false, true}]
[--allow-cross-tenant-replication {false, true}]
[--allow-shared-key-access {false, true}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--enable-files-aadds {false, true}]
[--enable-files-aadkerb {false, true}]
[--enable-files-adds {false, true}]
[--enable-large-file-share]
[--enable-local-user {false, true}]
[--enable-sftp {false, true}]
[--encryption-key-name]
[--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
[--encryption-key-vault]
[--encryption-key-version]
[--encryption-services {blob, file, queue, table}]
[--force-string]
[--forest-name]
[--https-only {false, true}]
[--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
[--ids]
[--immutability-period]
[--immutability-state {Disabled, Locked, Unlocked}]
[--key-exp-days]
[--key-vault-federated-client-id]
[--key-vault-user-identity-id]
[--min-tls-version {TLS1_0, TLS1_1, TLS1_2, TLS1_3}]
[--name]
[--net-bios-domain-name]
[--public-network-access {Disabled, Enabled, SecuredByPerimeter}]
[--publish-internet-endpoints {false, true}]
[--publish-microsoft-endpoints {false, true}]
[--remove]
[--resource-group]
[--routing-choice {InternetRouting, MicrosoftRouting}]
[--sam-account-name]
[--sas-exp]
[--set]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subscription]
[--tags]
[--upgrade-to-storagev2 {false, true}]
[--use-subdomain {false, true}]
[--user-identity-id]
[--yes]
Examples
Update the properties of a storage account. (autogenerated)
az storage account update --default-action Allow --name MyStorageAccount --resource-group MyResourceGroup
Use a user-assigned managed identity instead of system-assigned managed identity
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --encryption-key-vault <keyvault-uri> --encryption-key-name <key-name-in-keyvault> --encryption-key-source Microsoft.Keyvault --key-vault-user-identity-id <user-assigned-identity-id> --identity-type UserAssigned --user-identity-id <user-assigned-identity-id>`
Optional Parameters
Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.
Specify the Active Directory account type for Azure Storage.
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>
.
This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
Allow or disallow public access to all blobs or containers in the storage account. If not specified, the default value is false for new account to follow best security practices. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.
Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. If not specified, the default value is false for new accounts to follow best security practices.
Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.
Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.
Bypass traffic for space-separated uses.
User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.
Default action to apply when no rule matches.
Default share permission for users using Kerberos authentication if RBAC role is not assigned.
Specify the domain GUID. Required when --enable-files-adds is set to True.
Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.
Specify the security identifier (SID). Required when --enable-files-adds is set to True.
Enable Azure Active Directory Domain Services authentication for Azure Files.
Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.
Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.
Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.
Enable local user features.
Enable Secure File Transfer Protocol.
The name of the KeyVault key.
The default encryption key source.
The Uri of the KeyVault.
The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.
Specifies which service(s) to encrypt.
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.
Allows https traffic only to storage service.
The identity type.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The immutability period for the blobs in the container since the policy creation, in days.
Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
Expiration period in days of the Key Policy assigned to the storage account.
ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.
The minimum TLS version to be permitted on requests to storage. While the default setting is TLS 1.0 for this property, Microsoft recommends setting MinimumTlsVersion to 1.2 or above.
The storage account name.
Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.
Enable or disable public network access to the storage account. Possible values include: Enabled
or Disabled
.
A boolean flag which indicates whether internet routing storage endpoints are to be published.
A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
Remove a property or an element from a list. Example: --remove property.list <indexToRemove>
OR --remove propertyToRemove
.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Routing Choice defines the kind of network routing opted by the user.
Specify the Active Directory SAMAccountName for Azure Storage.
Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>
.
Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Upgrade Storage Account Kind to StorageV2.
Specify whether to use indirect CNAME validation.
The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az storage account update (storage-preview extension)
Update the properties of a storage account.
az storage account update [--access-tier {Cold, Cool, Hot, Premium}]
[--account-type]
[--add]
[--allow-append {false, true}]
[--allow-blob-public-access {false, true}]
[--allow-cross-tenant-replication {false, true}]
[--allow-shared-key-access {false, true}]
[--allowed-copy-scope {AAD, PrivateLink}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--enable-extended-groups {false, true}]
[--enable-files-aadds {false, true}]
[--enable-files-aadkerb {false, true}]
[--enable-files-adds {false, true}]
[--enable-large-file-share]
[--enable-local-user {false, true}]
[--enable-sftp {false, true}]
[--encryption-key-name]
[--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
[--encryption-key-vault]
[--encryption-key-version]
[--encryption-services {blob, file, queue, table}]
[--force-string]
[--forest-name]
[--https-only {false, true}]
[--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
[--ids]
[--immutability-period]
[--immutability-state {Disabled, Locked, Unlocked}]
[--key-exp-days]
[--key-vault-federated-client-id]
[--key-vault-user-identity-id]
[--min-tls-version {TLS1_0, TLS1_1, TLS1_2, TLS1_3}]
[--name]
[--net-bios-domain-name]
[--public-network-access {Disabled, Enabled, SecuredByPerimeter}]
[--publish-internet-endpoints {false, true}]
[--publish-microsoft-endpoints {false, true}]
[--remove]
[--resource-group]
[--routing-choice {InternetRouting, MicrosoftRouting}]
[--sam-account-name]
[--sas-exp]
[--set]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subscription]
[--tags]
[--use-subdomain {false, true}]
[--user-identity-id]
Optional Parameters
Required for storage accounts where kind = BlobStorage. The access tier is used for billing. The "Premium" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.
Specify the Active Directory account type for Azure Storage.
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>
.
This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.
Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.
Indicate whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.
Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.
Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.
Bypass traffic for space-separated uses.
User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.
Default action to apply when no rule matches.
Default share permission for users using Kerberos authentication if RBAC role is not assigned.
Specify the domain GUID. Required when --enable-files-adds is set to True.
Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.
Specify the security identifier (SID). Required when --enable-files-adds is set to True.
Enable extended group support with local users feature, if set to true.
Enable Azure Active Directory Domain Services authentication for Azure Files.
Enable Azure Files Active Directory Domain Service Kerberos Authentication for the storage account.
Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.
Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.
Enable local user features.
Enable Secure File Transfer Protocol.
The name of the KeyVault key.
The default encryption key source.
The Uri of the KeyVault.
The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.
Specifies which service(s) to encrypt.
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.
Allows https traffic only to storage service.
The identity type.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The immutability period for the blobs in the container since the policy creation, in days.
Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allow-protected-append-write property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
Expiration period in days of the Key Policy assigned to the storage account.
ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.
The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.
The storage account name.
Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.
Enable or disable public network access to the storage account. Possible values include: Enabled
or Disabled
.
A boolean flag which indicates whether internet routing storage endpoints are to be published.
A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
Remove a property or an element from a list. Example: --remove property.list <indexToRemove>
OR --remove propertyToRemove
.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Routing Choice defines the kind of network routing opted by the user.
Specify the Active Directory SAMAccountName for Azure Storage.
Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>
.
Note that the SKU name cannot be updated to Standard_ZRS, Premium_LRS or Premium_ZRS, nor can accounts of those SKU names be updated to any other value.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Specify whether to use indirect CNAME validation.
The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.