Microsoft.Storage storageAccounts 2019-06-01

The storageAccounts resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Storage/storageAccounts resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
  }
  kind: 'string'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    accessTier: 'string'
    allowBlobPublicAccess: bool
    allowSharedKeyAccess: bool
    azureFilesIdentityBasedAuthentication: {
      activeDirectoryProperties: {
        azureStorageSid: 'string'
        domainGuid: 'string'
        domainName: 'string'
        domainSid: 'string'
        forestName: 'string'
        netBiosDomainName: 'string'
      }
      directoryServiceOptions: 'string'
    }
    customDomain: {
      name: 'string'
      useSubDomainName: bool
    }
    encryption: {
      keySource: 'string'
      keyvaultproperties: {
        keyname: 'string'
        keyvaulturi: 'string'
        keyversion: 'string'
      }
      requireInfrastructureEncryption: bool
      services: {
        blob: {
          enabled: bool
          keyType: 'string'
        }
        file: {
          enabled: bool
          keyType: 'string'
        }
        queue: {
          enabled: bool
          keyType: 'string'
        }
        table: {
          enabled: bool
          keyType: 'string'
        }
      }
    }
    isHnsEnabled: bool
    largeFileSharesState: 'string'
    minimumTlsVersion: 'string'
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          action: 'Allow'
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: 'string'
          state: 'string'
        }
      ]
    }
    routingPreference: {
      publishInternetEndpoints: bool
      publishMicrosoftEndpoints: bool
      routingChoice: 'string'
    }
    supportsHttpsTrafficOnly: bool
  }
}

Property values

storageAccounts

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Storage/storageAccounts' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2019-06-01' |
| name | The resource name | string (required) |
| location | The geo-location where the resource lives | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| sku | The SKU of the storage account. | Sku (required) |
| kind | Indicates the type of storage account. | 'BlobStorage', 'BlockBlobStorage', 'FileStorage', 'Storage', 'StorageV2' |
| identity | Identity for the resource. | Identity |
| properties | Properties of the storage account. | StorageAccountPropertiesCreateParameters |

Identity

| Name | Description | Value |
| --- | --- | --- |
| type | The identity type. | 'SystemAssigned' |

StorageAccountPropertiesCreateParameters

| Name | Description | Value |
| --- | --- | --- |
| accessTier | Required for storage accounts where kind = BlobStorage. The access tier used for billing. | 'Cool', 'Hot' |
| allowBlobPublicAccess | Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property. | bool |
| allowSharedKeyAccess | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | bool |
| azureFilesIdentityBasedAuthentication | Settings for Azure Files identity-based authentication. | AzureFilesIdentityBasedAuthentication |
| customDomain | The custom domain assigned to this storage account. This can be set via Update. | CustomDomain |
| encryption | The encryption settings on the storage account. | Encryption |
| isHnsEnabled | Account HierarchicalNamespace is enabled if set to true. | bool |
| largeFileSharesState | Allows large file shares if set to Enabled. It cannot be disabled once it is enabled. | 'Disabled', 'Enabled' |
| minimumTlsVersion | Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. | 'TLS1_0', 'TLS1_1', 'TLS1_2' |
| networkAcls | Network rule set | NetworkRuleSet |
| routingPreference | Routing preference defines the type of network, either Microsoft or internet routing, to be used to deliver the user data. The default option is Microsoft routing. | RoutingPreference |
| supportsHttpsTrafficOnly | Allows only HTTPS traffic to the storage service if set to true. | bool |
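Several of these properties fall back to a permissive value when a template leaves them out. The following Python check is an added example, not part of the original reference or of any Microsoft tooling: it audits the `properties` object of a storageAccounts resource (for instance from an exported ARM JSON template) using the defaults stated in the table. The names `audit`, `DOCUMENTED_DEFAULTS` and `REQUIRED`, and the required values themselves, are assumptions made for the example.

```python
# Defaults the property table states for omitted (or null) values.
DOCUMENTED_DEFAULTS = {
    "allowBlobPublicAccess": True,   # "default interpretation is true"
    "allowSharedKeyAccess": True,    # "null, which is equivalent to true"
    "minimumTlsVersion": "TLS1_0",   # "default interpretation is TLS 1.0"
}

# Values this audit requires: a policy assumed for the example, not stated by the page.
REQUIRED = {
    "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": False,
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": True,
}


def audit(properties):
    """Return (property, effective value, origin) for each failing check, sorted by name."""
    findings = []
    for name, required in REQUIRED.items():
        value, origin = properties.get(name), "explicit"
        if value is None:
            if name not in DOCUMENTED_DEFAULTS:
                continue  # the page states no default, so only explicit values are judged
            value, origin = DOCUMENTED_DEFAULTS[name], "default"
        if value != required:
            findings.append((name, value, origin))
    # networkAcls is judged only when present, because the page states no default for it.
    acls = properties.get("networkAcls")
    if acls is not None:
        action = acls.get("defaultAction")
        if action != "Deny":
            findings.append(("networkAcls.defaultAction", action, "explicit" if action else "unset"))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample inputs (not taken from any real deployment).
MINIMAL = {"supportsHttpsTrafficOnly": True}
HARDENED = {
    "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": False,
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": True,
    "networkAcls": {"bypass": "None", "defaultAction": "Deny"},
}

if __name__ == "__main__":
    for label, props in (("minimal", MINIMAL), ("hardened", HARDENED)):
        print(label, audit(props))
```

A finding with origin `default` means the template never mentions the property, which is the case a review of the template text alone tends to miss.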

AzureFilesIdentityBasedAuthentication

| Name | Description | Value |
| --- | --- | --- |
| activeDirectoryProperties | Settings properties for Active Directory (AD). | ActiveDirectoryProperties |
| directoryServiceOptions | Indicates the directory service used. | 'AADDS', 'AD', 'None' |

ActiveDirectoryProperties

| Name | Description | Value |
| --- | --- | --- |
| azureStorageSid | Specifies the security identifier (SID) for Azure Storage. | string (required) |
| domainGuid | Specifies the domain GUID. | string (required) |
| domainName | Specifies the primary domain that the AD DNS server is authoritative for. | string (required) |
| domainSid | Specifies the security identifier (SID). | string (required) |
| forestName | Specifies the Active Directory forest to get. | string (required) |
| netBiosDomainName | Specifies the NetBIOS domain name. | string (required) |

CustomDomain

| Name | Description | Value |
| --- | --- | --- |
| name | Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. | string (required) |
| useSubDomainName | Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. | bool |

Encryption

| Name | Description | Value |
| --- | --- | --- |
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault | 'Microsoft.Keyvault', 'Microsoft.Storage' |
| keyvaultproperties | Properties of key vault. | KeyVaultProperties |
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool |
| services | A list of services that support encryption. | EncryptionServices |

KeyVaultProperties

| Name | Description | Value |
| --- | --- | --- |
| keyname | The name of KeyVault key. | string |
| keyvaulturi | The Uri of KeyVault. | string |
| keyversion | The version of KeyVault key. | string |

EncryptionServices

| Name | Description | Value |
| --- | --- | --- |
| blob | A service that allows server-side encryption to be used. | EncryptionService |
| file | A service that allows server-side encryption to be used. | EncryptionService |
| queue | A service that allows server-side encryption to be used. | EncryptionService |
| table | A service that allows server-side encryption to be used. | EncryptionService |

EncryptionService

| Name | Description | Value |
| --- | --- | --- |
| enabled | A boolean indicating whether or not the service encrypts the data as it is stored. | bool |
| keyType | Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. | 'Account', 'Service' |

NetworkRuleSet

| Name | Description | Value |
| --- | --- | --- |
| bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging, Metrics, AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. | 'AzureServices', 'Logging', 'Metrics', 'None' |
| defaultAction | Specifies the default action of allow or deny when no other rules match. | 'Allow', 'Deny' |
| ipRules | Sets the IP ACL rules | IPRule[] |
| virtualNetworkRules | Sets the virtual network rules | VirtualNetworkRule[] |

IPRule

| Name | Description | Value |
| --- | --- | --- |
| action | The action of virtual network rule. | 'Allow' |
| value | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string (required) |

VirtualNetworkRule

| Name | Description | Value |
| --- | --- | --- |
| action | The action of virtual network rule. | 'Allow' |
| id | Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | string (required) |
| state | Gets the state of virtual network rule. | 'deprovisioning', 'failed', 'networkSourceDeleted', 'provisioning', 'succeeded' |

RoutingPreference

| Name | Description | Value |
| --- | --- | --- |
| publishInternetEndpoints | A boolean flag which indicates whether internet routing storage endpoints are to be published | bool |
| publishMicrosoftEndpoints | A boolean flag which indicates whether Microsoft routing storage endpoints are to be published | bool |
| routingChoice | Routing Choice defines the kind of network routing opted by the user. | 'InternetRouting', 'MicrosoftRouting' |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. | 'Premium_LRS', 'Premium_ZRS', 'Standard_GRS', 'Standard_GZRS', 'Standard_LRS', 'Standard_RAGRS', 'Standard_RAGZRS', 'Standard_ZRS' |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Connect to a storage account from a VM via private endpoint | This sample shows how to connect a virtual network to access a blob storage account via private endpoint. |
| Connect to an Azure File Share via a Private Endpoint | This sample shows how to configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint. |
| Create a Standard Storage Account | This template creates a Standard Storage Account |
| Create a Storage Account with SSE | This template creates a Storage Account with Storage Service Encryption for Data at Rest |
| Storage account with Advanced Threat Protection. | This template allows you to deploy an Azure Storage account with Advanced Threat Protection enabled. |
| Create Storage Account and Blob Container | Creates an Azure Storage account and a blob container. Template originally authored by John Downs. |
| Storage Account with SSE and blob deletion retention policy | This template creates a Storage Account with Storage Service Encryption and a blob deletion retention policy |
| Create a storage account with file share | Creates an Azure storage account and file share. |
| Create a storage account with multiple Blob containers | Creates an Azure storage account and multiple blob containers. |
| Create a storage account with multiple file shares | Creates an Azure storage account and multiple file shares. |