The Set-AzStorageAccount cmdlet modifies an Azure Storage account.
You can use this cmdlet to modify the account type, update a customer domain, or set tags on a Storage account.
The command sets the custom domain and tags for a Storage account.
Example 5: Set Encryption KeySource to Keyvault
Set-AzStorageAccount -ResourceGroupName "MyResourceGroup" -Name "mystorageaccount" -AssignIdentity
$account = Get-AzStorageAccount -ResourceGroupName "MyResourceGroup" -Name "mystorageaccount"
$keyVault = New-AzKeyVault -VaultName "MyKeyVault" -ResourceGroupName "MyResourceGroup" -Location "EastUS2"
$key = Add-AzKeyVaultKey -VaultName "MyKeyVault" -Name "MyKey" -Destination 'Software'
Set-AzKeyVaultAccessPolicy -VaultName "MyKeyVault" -ObjectId $account.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
# In case to enable key auto rotation, don't set KeyVersion
Set-AzStorageAccount -ResourceGroupName "MyResourceGroup" -Name "mystorageaccount" -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $keyVault.VaultUri
# In case to enable key auto rotation after set keyvault properties with KeyVersion, can update account by set KeyVersion to empty
Set-AzStorageAccount -ResourceGroupName "MyResourceGroup" -Name "mystorageaccount" -KeyvaultEncryption -KeyName $key.Name -KeyVersion "" -KeyVaultUri $keyVault.VaultUri
This command set Encryption KeySource with a new created Keyvault.
If want to enable key auto rotation, don't set keyversion when set Keyvault properties for the first time, or clean up it by set keyvault properties again with keyversion as empty.
Example 6: Set Encryption KeySource to "Microsoft.Storage"
The command update a Storage account by enable Azure Files Microsoft Entra Domain Services Authentication.
Example 11: Update a Storage account by enable Files Active Directory Domain Service Authentication, and then show the File Identity Based authentication setting
The command updates a Storage account by enable Azure Files Active Directory Domain Service Authentication, and then shows the File Identity Based authentication setting
Example 12: Set MinimumTlsVersion, AllowBlobPublicAccess and AllowSharedKeyAccess
This command updates a Storage account with RoutingPreference setting: PublishMicrosoftEndpoint as false, PublishInternetEndpoint as true, and RoutingChoice as MicrosoftRouting.
Example 14: Update a Storage account with KeyExpirationPeriod and SasExpirationPeriod with SasExpirationAction
This command updates a Storage account with KeyExpirationPeriod and SasExpirationPeriod with SasExpirationAction, then show the updated account related properties.
Example 15: Update a Storage account to Keyvault encryption, and access Keyvault with user assigned identity
# Create KeyVault (no need if using exist keyvault)
$keyVault = New-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -Location eastus2euap -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $keyvaultName -Name $keyname -Destination 'Software'
# create user assigned identity and grant access to keyvault (no need if using exist user assigned identity)
$userId = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroupName -Name $userIdName
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -ObjectId $userId.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation
$useridentityId= $userId.Id
# Update Storage account with Keyvault encryption and access Keyvault with user assigned identity, then show properties
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName `
-IdentityType UserAssigned -UserAssignedIdentityId $useridentityId `
-KeyVaultUri $keyVault.VaultUri -KeyName $keyname -KeyVaultUserAssignedIdentityId $useridentityId
$account.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity
/subscriptions/{subscription-id}/resourceGroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserid
$account.Encryption.KeyVaultProperties
KeyName : wrappingKey
KeyVersion :
KeyVaultUri : https://mykeyvault.vault.azure.net:443
CurrentVersionedKeyIdentifier : https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f
LastKeyRotationTimestamp : 4/12/2021 8:17:57 AM
This command first creates a keyvault and a user assigned identity, then updates a storage account with keyvault encryption, the storage access access keyvault with the user assigned identity.
Example 16: Update a Keyvault encrypted Storage account, from access Keyvault with user assigned identity, to access Keyvault with system assigned identity
# Assign System identity to the account, and give the system assigned identity access to the keyvault
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -IdentityType SystemAssignedUserAssigned
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -ObjectId $account.Identity.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey -BypassObjectIdValidation
# Update account from access Keyvault with user assigned identity to access Keyvault with system assigned identity
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -IdentityType SystemAssignedUserAssigned -KeyName $keyname -KeyVaultUri $keyvaultUri -KeyVaultUserAssignedIdentityId ""
# EncryptionUserAssignedIdentity is empty, so the account access keyvault with system assigned identity
$account.Encryption.EncryptionIdentity
EncryptionUserAssignedIdentity
------------------------------
$account.Encryption.KeyVaultProperties
KeyName : wrappingKey
KeyVersion :
KeyVaultUri : https://mykeyvault.vault.azure.net:443
CurrentVersionedKeyIdentifier : https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f
LastKeyRotationTimestamp : 4/12/2021 8:17:57 AM
This command first assigns System identity to the account, and give the system assigned identity access to the keyvault; then updates the Storage account to access Keyvault with system assigned identity.
Example 17: Update both Keyvault and the user assigned identity to access keyvault
# Update to another user assigned identity
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -IdentityType SystemAssignedUserAssigned -UserAssignedIdentityId $useridentity2 -KeyVaultUserAssignedIdentityId $useridentity2
# Update to encrypt with another keyvault
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -KeyVaultUri $keyvaultUri2 -KeyName $keyname2 -KeyVersion $keyversion2
This command first update the user assigned identity to access keyvault, then update the keyvault for encryption.
To update both both Keyvault and the user assigned identity, we need update with the above 2 steps.
Example 18: Update a Storage account with AllowCrossTenantReplication
The command updates account-level immutability policy properties on an existing storage account, and show the result.
The storage account must be created with enable account level immutability with versioning.
The account-level immutability policy will be inherited and applied to objects that do not possess an explicit immutability policy at the object level.
Example 20: Update a Storage account by enable Sftp and localuser
This command updates a Storage account by enable Sftp and localuser.
To run the command successfully, the Storage account should already enable Hierarchical Namespace.
Example 21: Update a Storage account with Keyvault from another tenant (access Keyvault with FederatedClientId)
This command updates a Storage account by setting Zone to 1 and ZonePlacementPolicy to Any, then shows the updated account related properties.
Parameters
-AccessTier
Specifies the access tier of the Storage account that this cmdlet modifies.
The acceptable values for this parameter are: Hot and Cool.
If you change the access tier, it may result in additional charges. For more information, see
Azure Blob Storage: Hot and cool storage tiers.
If the Storage account has Kind as StorageV2 or BlobStorage, you can specify the AccessTier parameter.
If the Storage account has Kind as Storage, do not specify the AccessTier parameter.
Specifies the primary domain that the AD DNS server is authoritative for. This parameter must be set when -EnableActiveDirectoryDomainServicesForFile is set to true.
Set restrict copy to and from Storage Accounts within a Microsoft Entra tenant or with Private Links to the same VNet. Possible values include: 'PrivateLink', 'AAD'
Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Microsoft Entra ID. The default value is null, which is equivalent to true.
Indicates whether or not the storage account can support large file shares with more than 5 TiB capacity.
Once the account is enabled, the feature cannot be disabled.
Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible.
Learn more in https://go.microsoft.com/fwlink/?linkid=2086047
The immutability period for the blobs in the container since the policy creation in days.
This property can only be changed when account is created with '-EnableAccountLevelImmutability'.
The mode of the policy. Possible values include: 'Unlocked', 'Locked', 'Disabled.
Disabled state disables the policy.
Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property.
Locked state only allows the increase of the immutability retention time.
A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
This property can only be changed when account is created with '-EnableAccountLevelImmutability'.
Indicates whether or not to use Microsoft KeyVault for the encryption keys when using Storage Service Encryption.
If KeyName, KeyVersion, and KeyVaultUri are all set, KeySource will be set to Microsoft.Keyvault whether this parameter is set or not.
Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
Set resource id for user assigned Identity used to access Azure KeyVault of Storage Account Encryption, the id must in the storage account's UserAssignIdentityId.
NetworkRuleSet is used to define a set of configuration rules for firewalls and virtual networks, as well as to set values for network properties such as services allowed to bypass the rules and how to handle requests that don't match any of the defined rules.
The action to be performed when SasExpirationPeriod is violated. The 'Log' action can be used for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that do not adhere to the sas policy expiration period.
StandardV2_LRS - Locally-redundant storage for File Provision v2.
StandardV2_GRS - Geo-redundant storage for File Provision v2.
StandardV2_ZRS - Zone-redundant storage for File Provision v2.
StandardV2_GZRS - Geo-redundant zone-redundant storage for File Provision v2.
PremiumV2_LRS - Premium locally-redundant storage for File Provision v2.
PremiumV2_ZRS - Premium zone-redundant storage for File Provision v2.
You cannot change Standard_ZRS and Premium_LRS types to other account types.
You cannot change other account types to Standard_ZRS or Premium_LRS.
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.