Module storage-account

storageAccount

Property	Value	Description
general (required)	general
privateLinkBlob	privateLink	Settings for the private endpoint and private link for Blob services.
privateLinkTable	privateLink	Settings for the private endpoint and private link for Table services.
privateLinkQueue	privateLink	Settings for the private endpoint and private link for Queue services.
privateLinkFile	privateLink	Settings for the private endpoint and private link for File services.
privateLinkWeb	privateLink	Settings for the private endpoint and private link for Web services.
privateLinkDFS	privateLink	Settings for the private endpoint and private link for DFS services.
sku (required)	'Premium_LRS' 'Premium_ZRS' 'Standard_GRS' 'Standard_GZRS' 'Standard_LRS' 'Standard_RAGRS' 'Standard_RAGZRS' 'Standard_ZRS'	The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType.
kind (required)	'BlobStorage' 'BlockBlobStorage' 'FileStorage' 'Storage' 'StorageV2'	Indicates the type of storage account. (default: FileStorage)
managedIdentityType	'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned'	Type of managed identity associated with this resource. (default: SystemAssigned)
managedIdentityId	string	User assigned managed identity ID to access other resources.
accessTier	'Cold' 'Cool' 'Hot' 'Premium'	Required for storage accounts where `kind: 'BlobStorage'`. The access tier is used for billing. The `Premium` access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type.
allowBlobPublicAccess	bool	Allow or disallow public access to all blobs or containers in the storage account. (default: false)
allowCrossTenantReplication	bool	Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. (default: false)
allowedCopyScope	string	Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.
allowSharedKeyAccess	bool	Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). (default: true)
azureFilesIdentityBasedAuthentication	azureFilesIdentityBasedAuthentication	Provides the identity based authentication settings for Azure Files.
customDomain	customDomain	User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property.
defaultToOAuthAuthentication	bool	A boolean flag which indicates whether the default authentication is OAuth or not. (default: false)
dnsEndpointType	'AzureDnsZone' 'Standard'	Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription. (default: Standard)
encryption	object	Encryption settings to be used for server-side encryption for the storage account.
requireInfrastructureEncryption	bool	A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.
services	services	List of services which support encryption.
immutableStorageWithVersioning	immutableStorageWithVersioning	The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the new containers in the account by default.
isHnsEnabled	bool	Account HierarchicalNamespace enabled if sets to true.
isLocalUserEnabled	bool	Enables local users feature, if set to true.
isNfsV3Enabled	bool	NFS 3.0 protocol support enabled if set to true.
isSftpEnabled	bool	Enables Secure File Transfer Protocol, if set to true.
largeFileSharesState	'Disabled' 'Enabled'	Allow large file shares if sets to Enabled. It cannot be disabled once it is enabled.
minimumTlsVersion	'TLS1_0' 'TLS1_1' 'TLS1_2'	Set the minimum TLS version to be permitted on requests to storage. (default: 'TLS1_0')
networkAcls	networkAcls	Network rule set
publicNetworkAccess	'Disabled' 'Enabled'	Allow, disallow, or let Network Security Perimeter configuration to evaluate public network access to Storage Account. Value is optional but if passed in, must be `Enabled`, `Disabled` or `SecuredByPerimeter`. (default: Enabled)
routingPreference	routingPreference	Maintains information about the network routing choice opted by the user for data transfer.
sasPolicy	sasPolicy	SasPolicy assigned to the storage account.
supportsHttpsTrafficOnly	bool	Allows https traffic only to storage service if sets to true. (default: true)
fileServices	storageAccountFileServices
blobServices	storageAccountBlobServices
fileShare	storageAccountShare[]
storageAccountContainer	storageAccountContainer[]
queueServices	storageAccountQueue[]
tableServices	storageAccountTable[]

azureFilesIdentityBasedAuthentication

Property	Value	Description
activeDirectoryProperties	directoryServiceOptions	Required if directoryServiceOptions are AD, optional if they are AADKERB.
defaultSharePermission	'None' 'StorageFileDataSmbShareContributor' 'StorageFileDataSmbShareElevatedContributor' 'StorageFileDataSmbShareReader'	Default share permission for users using Kerberos authentication if RBAC role is not assigned. (default: None)
directoryServiceOptions (required)	'AADDS' 'AADKERB' 'AD' 'None'	Indicates the directory service used. Note that this enum may be extended in the future. (Default: None)

customDomain

Property	Value	Description
name (required)	string	Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source.
useSubDomainName	bool	Indicates whether indirect CName validation is enabled. This should only be set on updates. (default: false)

blob

Property	Value	Description
enabled	bool	A boolean indicating whether or not the service encrypts the data as it is stored. (default: true)
keyType (required)	'Account' 'Service'	Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used.

file

Property	Value	Description
enabled	bool	A boolean indicating whether or not the service encrypts the data as it is stored. (default: true)
keyType (required)	'Account' 'Service'	Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used.

queue

Property	Value	Description
enabled	bool	A boolean indicating whether or not the service encrypts the data as it is stored. (default: true)
keyType (required)	'Account' 'Service'	Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used.

table

Property	Value	Description
enabled	bool	A boolean indicating whether or not the service encrypts the data as it is stored. (default: true)
keyType (required)	'Account' 'Service'	Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used.

services

Property	Value	Description
blob (required)	blob	The encryption function of the blob storage service.
file (required)	file	The encryption function of the file storage service.
queue (required)	queue	The encryption function of the queue storage service.
table (required)	table	The encryption function of the table storage service.

immutabilityPolicy

Property	Value	Description
allowProtectedAppendWrites	bool	This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
immutabilityPeriodSinceCreationInDays (required)	int	The immutability period for the blobs in the container since the policy creation, in days.
state (required)	'Disabled' 'Locked' 'Unlocked'	The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted. (default: Unlocked)

immutableStorageWithVersioning

Property	Value	Description
enabled	bool	This is an immutable property, when set to true it enables object level immutability at the container level.

ipRules

Property	Value	Description
action (required)	'Allow'	The action of IP ACL rule. (default: Allow)
value (required)	string	Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed.

virtualNetworkRules

Property	Value	Description
id (required)	string	Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}

resourceAccessRules

Property	Value	Description
resourceId (required)	string	Resource Id
tenantId (required)	string	Tenant Id

networkAcls

Property	Value	Description
bypass	'AzureServices' 'None'	Specifies whether traffic is bypassed for AzureServices. (default: None)
defaultAction	'Allow' 'Deny'	Specifies the default action of allow or deny when no other rules match. (default: Deny)
ipRules	ipRules[]	Sets the IP ACL rules.
virtualNetworkRules	virtualNetworkRules[]	Sets the virtual network rules.
resourceAccessRules	resourceAccessRules[]	Sets the resource access rules.

routingPreference

Property	Value	Description
publishInternetEndpoints	bool	A boolean flag which indicates whether internet routing storage endpoints are to be published.
publishMicrosoftEndpoints	bool	A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
routingChoice	'InternetRouting' 'MicrosoftRouting'	Routing Choice defines the kind of network routing opted by the user.

sasPolicy

Property	Value	Description
expirationAction (required)	'Block' 'Log'	The SAS Expiration Action defines the action to be performed when `sasPolicy.sasExpirationPeriod` is violated. The `Log` action can be used for audit purposes and the `Block` action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period.
sasExpirationPeriod (required)	string	The SAS expiration period, DD.HH:MM:SS.

storageAccountFileServices

Property	Value	Description
protocolSettings	protocolSettings	Protocol settings for file service.
shareDeleteRetentionPolicy	shareDeleteRetentionPolicy	The file service properties for share soft delete.

multichannel

Property	Value	Description
enabled	bool	Indicates whether multichannel is enabled

smb

Property	Value	Description
authenticationMethods	'Kerberos' 'NTLMv2'	SMB authentication methods supported by server. Valid values are NTLMv2, Kerberos.
channelEncryption	'AES-128-CCM' 'AES-128-GCM' 'AES-256-GCM'	SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.
kerberosTicketEncryption	'AES-256' 'RC4-HMAC'	Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.
multichannel	multichannel	Multichannel setting. Applies to Premium FileStorage only.
versions	'SMB2.1' 'SMB3.0' 'SMB3.1.1'	SMB protocol versions supported by server

protocolSettings

Property	Value	Description
smb	smb	Setting for SMB protocol.

shareDeleteRetentionPolicy

Property	Value	Description
allowPermanentDelete	bool	This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used blob restore policy. This property only applies to blob service and does not apply to containers or file share.
days	int	Indicates the number of days that the deleted item should be retained.
enabled	bool	Indicates whether DeleteRetentionPolicy is enabled.

storageAccountBlobServices

Property	Value	Description
changeFeed	changeFeed	The blob service properties for change feed events.
containerDeleteRetentionPolicy	containerDeleteRetentionPolicy	The blob service properties for container soft delete.
defaultServiceVersion	string	DefaultServiceVersion indicates the default version to use for requests to the Blob service if an incoming request’s version is not specified. Possible values include version 2008-10-27 and all more recent versions.
deleteRetentionPolicy	deleteRetentionPolicy	The blob service properties for blob soft delete.
isVersioningEnabled	bool	Versioning is enabled if set to true.
lastAccessTimeTrackingPolicy	lastAccessTimeTrackingPolicy	The blob service property to configure last access time based tracking policy.
restorePolicy	restorePolicy	The blob service properties for blob restore policy.
cors	cors	Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no CorsRule elements are included in the request body, all CORS rules will be deleted, and CORS will be disabled for the Blob service.

changeFeed

Property	Value	Description
enabled (required)	bool	Indicates whether change feed event logging is enabled for the Blob service.
retentionInDays (required)	int	Indicates the duration of changeFeed retention in days. A null value indicates an infinite retention of the change feed.

containerDeleteRetentionPolicy

Property	Value	Description
allowPermanentDelete (required)	bool	This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property only applies to blob service and does not apply to containers or file share.
days (required)	int	Indicates the number of days that the deleted item should be retained
enabled (required)	bool	Indicates whether `DeleteRetentionPolicy` is enabled.

deleteRetentionPolicy

Property	Value	Description
allowPermanentDelete (required)	bool	This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used blob restore policy. This property only applies to blob service and does not apply to containers or file share.
days (required)	int	Indicates the number of days that the deleted item should be retained.
enabled (required)	bool	Indicates whether `DeleteRetentionPolicy` is enabled.

lastAccessTimeTrackingPolicy

Property	Value	Description
enable (required)	bool	When set to true last access time based tracking is enabled.

restorePolicy

Property	Value	Description
days (required)	int	how long this blob can be restored. It should be great than zero and less than `DeleteRetentionPolicy.days`.
enabled (required)	bool	Blob restore is enabled if set to true.

corsRules

Property	Value	Description
allowedHeaders (required)	string[]	Required if CorsRule element is present. A list of headers allowed to be part of the cross-origin request.
allowedMethods (required)	Array containing any of: 'CONNECT' 'DELETE' 'GET' 'HEAD' 'MERGE' 'OPTIONS' 'PATCH' 'POST' 'PUT' 'TRACE'	Required if CorsRule element is present. A list of HTTP methods that are allowed to be executed by the origin.
allowedOrigins (required)	string[]	Required if CorsRule element is present. A list of origin domains that will be allowed via CORS, or "*" to allow all domains
exposedHeaders (required)	string[]	Required if CorsRule element is present. A list of response headers to expose to CORS clients.
maxAgeInSeconds (required)	int	Required if CorsRule element is present. The number of seconds that the client/browser should cache a preflight response.

cors

Property	Value	Description
corsRules (required)	corsRules[]	The List of CORS rules. You can include up to five CorsRule elements in the request.

storageAccountShare

Property	Value	Description
name (required)	string	share name:Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Can't use consecutive hyphens.
accessTier	'Cool' 'Hot' 'Premium' 'TransactionOptimized'	Access tier for specific share. GpV2 account can choose between TransactionOptimized, Hot, and Cool. FileStorage account can choose Premium. (default: TransactionOptimized)
enabledProtocols	'NFS' 'SMB'	The authentication protocol that is used for the file share. Can only be specified when creating a share.
metadata	object	A name-value pair to associate with the share as metadata.
rootSquash	'AllSquash' 'NoRootSquash' 'RootSquash'	The property is for NFS share only. (default: NoRootSquash)
shareQuota (required)	int	The provisioned size of the share, in gibibytes. Must be greater than 0, and less than or equal to 5TB (5120). For Large File Shares, the maximum size is 102400. For file shares created under Files Provisioned v2 account type, please refer to the GetFileServiceUsage API response for the minimum and maximum allowed provisioned storage size.
signedIdentifiers	storageAccountSignedIdentifiers[]	List of stored access policies specified on the share.

storageAccountSignedIdentifiers

Property	Value	Description
accessPolicy (required)	accessPolicy	Access policy
id (required)	string	An unique identifier of the stored access policy.

accessPolicy

Property	Value	Description
expiryTime (required)	string	Expiry time of the access policy
permission (required)	string	List of abbreviated permissions.
startTime (required)	string	Start time of the access policy.

storageAccountQueue

Property	Value	Description
name (required)	string	The resource name.
properties	properties	Queue resource properties.

properties

Property	Value	Description
id	string	Unique-64-character-value of the stored access policy.

storageAccountTable

Property	Value	Description
name (required)	string	The resource name.
properties	properties	Queue resource properties.

storageAccountContainer

Property	Value	Description
name (required)	string	The resource name.
defaultEncryptionScope	string	Default the container to use specified encryption scope for all writes.
denyEncryptionScopeOverride	bool	Block override of encryption scope from the container default.
enableNfsV3AllSquash	bool	Enable NFSv3 all squash on blob container.
enableNfsV3RootSquash	bool	Enable NFSv3 root squash on blob container.
immutableStorageWithVersioning	immutableStorageWithVersioning	The object level immutability property of the container. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process.
metadata	object	A name-value pair to associate with the container as metadata.
publicAccess	'Blob' 'Container' 'None'	Specifies whether data in the container may be accessed publicly and the level of access. (default: None)

directoryServiceOptions

Set the directoryServiceOption property to specify the type of object.

For AD, use:

Property	Value	Description
directoryServiceOption (required)	'AD'	Indicates the directory service used. Note that this enum may be extended in the future.
accountType	'Computer' 'User'	Specifies the Active Directory account type for Azure Storage.
azureStorageSid	string	Specifies the security identifier (SID) for Azure Storage.
domainGuid (required)	string	Specifies the domain GUID.
domainName (required)	string	Specifies the primary domain that the AD DNS server is authoritative for.
domainSid	string	Specifies the security identifier (SID).
forestName	string	Specifies the Active Directory forest to get.
netBiosDomainName	string	Specifies the NetBIOS domain name.
samAccountName	string	Specifies the Active Directory SAMAccountName for Azure Storage.

Set the directoryServiceOption property to specify the type of object.

For AADKERB, use:

Property	Value	Description
directoryServiceOption (required)	'AADKERB'	Indicates the directory service used. Note that this enum may be extended in the future.
domainGuid (required)	string	Specifies the domain GUID.
domainName (required)	string	Specifies the primary domain that the AD DNS server is authoritative for.

Set the directoryServiceOption property to specify the type of object.

For AADDS, use:

Property	Value	Description
directoryServiceOption (required)	'AADDS'	Indicates the directory service used. Note that this enum may be extended in the future.
domainGuid (required)	string	Specifies the domain GUID.
domainName (required)	string	Specifies the primary domain that the AD DNS server is authoritative for.

naming

Property	Value	Description
forceFunctionAsFullName	bool	Use the function value as the full name of the resource
abbreviation	string	Override the abbreviation of this resource with this parameter
environment	string	The resource environment (for example: dev, tst, acc, prd)
location	string	The resource location (for example: weu, we, westeurope)
customer	string	The name of the customer
delimiter	string	The delimiter between resources (default: -)
nameFormat	Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName'	The order of the array defines the order of elements in the naming scheme
param1	string	Extra parameter self defined
param2	string	Extra parameter self defined
param3	string	Extra parameter self defined
function (required)	string	Function of the resource [can be app, db, security,...]
useCaseName	string	Name of the use case [can be hub, spoke,...]
suffix	string	Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...]
forceDefaultNaming	bool	Force the CAF naming instead of default company naming

resourceLock

Property	Value	Description
name	string	Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period.
level (required)	'CanNotDelete' 'ReadOnly'	The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again
notes	string	Notes about the lock. Maximum of 512 characters.
owners	resourceLockOwner[]	The owners of the lock

resourceLockOwner

Property	Value	Description
applicationId (required)	string	The application ID of the lock owner.

roleAssignment

Property	Value	Description
principalId (required)	string	The principal ID
roleDefinitionId (required)	string	The role definition ID, data file can be used for this
condition	string	Condition on the role assignment
conditionVersion	string	Version of the condition. Currently the only accepted value is "2.0"
delegatedManagedIdentityResourceId	string	Id of the delegated managed identity resource
description	string	Description of role assignment

general

Property	Value	Description
tags	object	Tags of the resource [hashtable]
location (required)	string	Location of the resource
naming (required)	naming	Naming module of the resource
resourceGroupName (required)	string	Name of the resource group where the resource should be located
sharedNaming (required)	naming	Reference to the default naming
roleAssignments	roleAssignment[]	Role assignments on the resource
resourceLocks	resourceLock[]	Resource Locks on the resource

privateLink

Property	Value	Description
pepNaming	naming	Name of the private endpoint
nicNaming	naming	Name of the network interface of the private endpoint
privateLinkNaming	naming	Name of the private link connection
subnets (required)	subnets[]	Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created
dnsZoneIds (required)	string[]	List of DNS zone ids that need to be linked

subnets

Property	Value	Description
resourceGroupName	string	Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet)
id (required)	string	Id of the subnet
location	string	Location if Vnet is in different location

Bicep Module Documentation

Module storage-account

storageAccount

azureFilesIdentityBasedAuthentication

customDomain

blob

file

queue

table

services

immutabilityPolicy

immutableStorageWithVersioning

ipRules

virtualNetworkRules

resourceAccessRules

networkAcls

routingPreference

sasPolicy

storageAccountFileServices

multichannel

smb

protocolSettings

shareDeleteRetentionPolicy

storageAccountBlobServices

changeFeed

containerDeleteRetentionPolicy

deleteRetentionPolicy

lastAccessTimeTrackingPolicy

restorePolicy

corsRules

cors

storageAccountShare

storageAccountSignedIdentifiers

accessPolicy

storageAccountQueue

properties

storageAccountTable

storageAccountContainer

directoryServiceOptions

naming

resourceLock

resourceLockOwner

roleAssignment

general

privateLink

subnets

Changelog

9.2.0 (2025-10-28)

Features

9.1.0 (2025-10-07)

Features

9.0.2 (2025-09-26)

Bug Fixes

9.0.1 (2025-09-24)

Bug Fixes

9.0.0 (2025-09-24)

⚠ BREAKING CHANGES

Bug Fixes

8.3.0 (2025-09-16)

Features

8.2.1 (2025-06-30)

Bug Fixes

8.2.0 (2025-05-14)

Features

8.1.0 (2025-05-14)

Features

8.0.0 (2025-05-12)

⚠ BREAKING CHANGES

Bug Fixes

7.2.1 (2025-04-11)

Bug Fixes

7.2.0 (2025-03-26)

Features

7.1.0 (2025-03-20)

Features

7.0.1 (2025-03-19)

Bug Fixes

7.0.0 (2025-03-19)

⚠ BREAKING CHANGES

Bug Fixes