Using Azure PowerShell with Azure Storage

Azure PowerShell is used to create and manage Azure resources from the PowerShell command line or in scripts. For Azure Storage, these cmdlets fall into two categories -- the control plane and the data plane. The control plane cmdlets are used to manage the storage account -- to create storage accounts, set properties, delete storage accounts, rotate the access keys, and so on. The data plane cmdlets are used to manage the data stored in the storage account. For example, uploading blobs, creating file shares, and adding messages to a queue.

This how-to article covers common operations using the management plane cmdlets to manage storage accounts. You learn how to:

  • List storage accounts
  • Get a reference to an existing storage account
  • Create a storage account
  • Set storage account properties
  • Retrieve and regenerate the access keys
  • Protecting access to your storage account
  • Enabling Storage Analytics

It also provides links to several other PowerShell articles for Storage, such as how to enable and access the Storage Analyics, and how to use the data plane cmdlets.

If you don't have an Azure subscription, create a free account before you begin.

This exercise requires the Azure PowerShell module version 3.6 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to install or upgrade, see Install Azure PowerShell module.

For this exercise, you can type the commands into a regular PowerShell window, or you can use the Windows PowerShell Integrated Scripting Environment (ISE) and type the commands into an editor, then test one or more commands at a time as you go through the examples. You can highlight the rows you want to execute and click Run Selected to just run those commands.

For more information about storage accounts, see Introduction to Storage and About Azure storage accounts.

Log in to Azure

Log in to your Azure subscription with the Login-AzureRmAccount command and follow the on-screen directions.


List the storage accounts in the subscription

Run the Get-AzureRMStorageAccount cmdlet to retrieve the list of storage accounts in the current subscription.

Get-AzureRMStorageAccount | Select StorageAccountName, Location

Get a reference to a storage account

Next, you need a reference to a storage account. You can either create a new storage account or get a reference to an existing storage account. The following sections shows both methods.

Use an existing storage account

To retrieve an existing storage account, you need the name of the resource group and the name of the storage account. Set the variables for those two fields, then use the Get-AzureRmStorageAccount cmdlet.

$resourceGroup = "myexistingresourcegroup"
$storageAccountName = "myexistingstorageaccount"

$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup `
  -Name $storageAccountName 

Now you have $storageAccount, which points to an existing storage account.

Create a storage account

The following script shows how to create a general-purpose storage account using New-AzureRmStorageAccount. After you create the account, retrieve its context, which can be used in subsequent commands rather than specifying the authentication with each call.

# Get list of locations and select one.
Get-AzureRmLocation | select Location 
$location = "eastus"

# Create a new resource group.
$resourceGroup = "teststoragerg"
New-AzureRmResourceGroup -Name $resourceGroup -Location $location 

# Set the name of the storage account and the SKU name. 
$storageAccountName = "testpshstorage"
$skuName = "Standard\_LRS"

# Create the storage account.
$storageAccount = New-AzureRmStorageAccount -ResourceGroupName $resourceGroup `
  -Name $storageAccountName `
  -Location $location `
  -SkuName $skuName

# Retrieve the context. 
$ctx = $storageAccount.Context

The script uses the following PowerShell cmdlets:

  • Get-AzureRmLocation -- retrieves a list of the valid locations. The example uses eastus for location.

  • New-AzureRmResourceGroup -- creates a new resource group. A resource group is a logical container into which your Azure resources are deployed and managed. Ours is called teststoragerg.

  • New-AzureRmStorageAccount -- creates the actual storage account. The example uses testpshstorage.

The SKU name indicates the type of replication for the storage account, such as LRS (Locally Redundant Storage). For more information about replication, see Azure Storage Replication.


The name of your storage account must be unique within Azure and must be lowercase. For naming conventions and restrictions, see Naming and Referencing Containers, Blobs, and Metadata.

Now you have a new storage account and a reference to it.

Managing the storage account

Now that you have a reference to a new storage account or an existing storage account, the following section shows some of the commands you can use to manage your storage account.

Storage account properties

To change the settings for a storage account, use Set-AzureRmStorageAccount. While you can't change the location of a storage account, or the resource group in which it resides, you can change many of the other properties. The following lists some of the properties you can change using PowerShell.

  • The custom domain assigned to the storage account.

  • The tags assigned to the storage account. Tags are often used to categorize resources for billing purposes.

  • The SKU is the replication setting for the storage account, such as LRS for Locally Redundant Storage. For example, you might change from Standard_LRS to Standard_GRS or Standard_RAGRS. Note that you can't change Standard ZRS or Premium LRS to other SKUs, or change other SKUs to these.

  • The access tier for Blob storage accounts. The value for access tier is set to hot or cool, and allows you to minimize your cost by selecting the access tier that aligns with how you use the storage account. For more information, see Hot, cool, and archive storage tiers.

  • The storage service encryption setting for blob storage and/or file storage. For more information about SSE, see Storage Service Encryption.

  • Only allow HTTPS traffic.

Managing the access keys

An Azure Storage account comes with two account keys. To retrieve the keys, use Get-AzureRmStorageAccountKey. This example retrieves the first key. To retrieve the other one, use Value[1] instead of Value[0].

$storageAccountKey = `
    (Get-AzureRmStorageAccountKey `
    -ResourceGroupName $resourceGroup `
    -Name $storageAccountName).Value[0]

To regenerate the key, use New-AzureRmStorageAccountKey.

New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup `
  -Name $storageAccountName `
  -KeyName key1 

To regenerate the other key, use key2 as the key name instead of key1.

Regenerate one of your keys and then retrieve it again to see the new value.


You should perform careful planning before regenerating the key for a production storage account. Renegerating one or both keys will invalidate the access for any application using the key that was regenerated. For more information, please see Renegate storage access keys.

Delete a storage account

To delete a storage account, use Remove-AzureRmStorageAccount.


When you delete a storage account, all of the assets stored in the account are deleted as well. If you delete an account accidentally, call Support immediately and open a ticket to restore the storage account. Recovery of your data is not guaranteed, but it does sometimes work. Do not create a new storage account with the same name as the old one until the support ticket has been resolved.

Remove-AzureRmStorageAccount -ResourceGroup $resourceGroup -AccountName $storageAccountName

Protecting your storage account using VNets and firewalls

By default, all storage accounts are accessible by any network that has access to the internet. However, you can configure network rules to only allow applications from specific virtual networks to access a storage account. For more information, see Configure Azure Storage Firewalls and Virtual Networks.

The article shows how to manage these settings using the following PowerShell cmdlets:

Using storage analytics

Azure Storage Analytics consists of Storage Analytics Metrics and Storage Analytics Logging.

Storage Analytics Metrics is used to collect metrics for your Azure storage accounts that you can use to monitor the health of a storage account. Metrics can be enabled for blobs, files, tables, and queues.

Storage Analytics Logging happens server-side and enables you to record details for both successful and failed requests to your storage account. These logs enable you to see details of read, write, and delete operations against your tables, queues, and blobs as well as the reasons for failed requests. Logging is not available for Azure Files.

You can configure monitoring using the Azure portal, PowerShell, or programmatically using the storage client library.


You can enable minute analytics using PowerShell. This capability is not available in the portal.

Managing the data in the storage account

Now that you understand how to manage your storage account with PowerShell, the following articles show you how to use PowerShell to access the data objects in the storage account.

Next Steps

This how-to article covers common operations using the management plane cmdlets to manage storage accounts. You learn how to:

  • List storage accounts
  • Get a reference to an existing storage account
  • Create a storage account
  • Set storage account properties
  • Retrieve and regenerate the access keys
  • Protecting access to your storage account
  • Enabling Storage Analytics

You also have links to several other articles, such as how to manage the data objects, how to enable the Storage Analytics. Here are some other related articles and resources for reference: