Basics

Subscription

String

Required. Select the subscription in which to create the new storage account.

Resource group

String

Required. You can create a new resource group for this storage account, or select an existing one. For more information, see Resource groups.

Storage account name

String

Specify a unique name for your storage account.

Region

drop-down

Select the appropriate region for your storage account from the drop-down list. For more information, see Regions and Availability Zones in Azure.

Performance

Radio button

Select the appropriate performance as per the purpose of your accounts. The options are:
Standard: Select for general-purpose v2 storage accounts. This is a default option. This type of account is recommended by Microsoft.
Premium: Select this option for scenarios requiring low latency. Under Premium, select the Premium account type to create. The following types of premium storage accounts are available:

• Block blobs: Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.

• File shares: Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.

• Page blobs: Recommended for random read and write operations.

Redundancy

drop-down

Select your desired redundancy configuration. The options available are:

• LRS: Locally redundant storage - Recommended for non-critical scenarios. Low cost option with basic protection against server rack and drive failures.

• GRS: Geo-redundant storage - Recommended for backup scenarios. Intermediate option with failover capabilities in a secondary region.

• Zone-redundant storage - Provides protection against data center level failures. Recommended for high availability scenarios.

• Geo-zone-redundant storage - Optimal data protection storage that includes the offerings of both GRS and ZRS. Recommended for critical data scenarios.

If you select a geo-redundant configuration (GRS or GZRS), your data is replicated to a data center in a different region.

Make read access to data available in the event of regional unavailability.

Checkbox

Select this checkbox to get the read access to data in the secondary region.

Advanced

Require secure transfer for REST API operations

Checkbox

Optional. Require secure transfer to ensure that incoming requests to this storage account are made only via HTTPS (default). Recommended for optimal security. For more information, see Require secure transfer to ensure secure connections.

Enable blob public access

Checkbox

Optional. When enabled, this setting allows a user with the appropriate permissions to enable anonymous public access to a container in the storage account (default). Disabling this setting prevents all anonymous public access to the storage account. For more information, see Prevent anonymous public read access to containers and blobs.

Enabling blob public access does not make blob data available for public access unless the user takes the additional step to explicitly configure the container's public access setting.

Enable storage account key access

Checkbox

Optional. When enabled, this setting allows clients to authorize requests to the storage account using either the account access keys or an Azure Active Directory (Azure AD) account (default). Disabling this setting prevents authorization with the account access keys. For more information, see Prevent Shared Key authorization for an Azure Storage account.

Default to Azure Active Directory authorization in the Azure portal

Checkbox

Optional. When enabled, the Azure portal authorizes data operations with the user's Azure AD credentials by default. If the user does not have the appropriate permissions assigned via Azure role-based access control (Azure RBAC) to perform data operations, then the portal will use the account access keys for data access instead. The user can also choose to switch to using the account access keys. For more information, see Default to Azure AD authorization in the Azure portal.

Minimum TLS version

drop-down

Required. Select the minimum version of Transport Layer Security (TLS) for incoming requests to the storage account. The default value is TLS version 1.2. When set to the default value, incoming requests made using TLS 1.0 or TLS 1.1 are rejected. For more information, see Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account.

Enable hierarchical namespace

Checkbox

Optional. To use this storage account for Azure Data Lake Storage Gen2 workloads, configure a hierarchical namespace. For more information, see Introduction to Azure Data Lake Storage Gen2.

Enable SFTP

Checkbox

Optional. Enable the use of Secure File Transfer Protocol (SFTP) to securely transfer of data over the internet. For more information, see Secure File Transfer (SFTP) protocol support in Azure Blob Storage.

Enable network file share (NFS) v3

Checkbox

Optional. NFS v3 provides Linux file system compatibility at object storage scale enables Linux clients to mount a container in Blob storage from an Azure Virtual Machine (VM) or a computer on-premises. For more information, see Network File System (NFS) 3.0 protocol support in Azure Blob storage.

Allow cross-tenant replication

Checkbox

Required. By default, users with appropriate permissions can configure object replication across Azure AD tenants. To prevent replication across tenants, deselect this option. For more information, see Prevent replication across Azure AD tenants.

Enable large file shares

Checkbox

Optional. Available only for standard file shares with the LRS or ZRS redundancies.

Networking

Network access

Radio button

Required. By default, incoming network traffic is routed to the public endpoint for your storage account. You can specify that traffic must be routed to the public endpoint through an Azure virtual network. You can also configure private endpoints for your storage account. The available options are:

• Enable public access for all the networks

• Enable public access from selected networks and IP addresses

• Disable public access and use private access

Routing preference

Radio button

Required. The network routing preference specifies how network traffic is routed to the public endpoint of your storage account from clients over the internet. By default, a new storage account uses Microsoft network routing.

Data protection

Enable point-in-time restore for containers

Checkbox

Provides protection against accidental deletion or corruption by enabling you to restore block blob data to an earlier state. For more information, see Point-in-time restore for block blobs.

Enable soft delete for blobs

Checkbox

Optional. Soft delete enables you to recover blobs that were previously marked for deletion, including blobs that were overwritten.

Enable soft delete for blobs

Checkbox

Optional. Blob soft delete protects an individual blob, snapshot, or version from accidental deletes or overwrites by maintaining the deleted data in the system for a specified retention period.

Enable soft delete for containers

Checkbox

Container soft delete protects a container and its contents from accidental deletes by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted container to its state at the time it was deleted. For more information, see Soft delete for containers (preview).

Microsoft recommends enabling container soft delete for your storage accounts and setting a minimum retention period of seven days.

Enable soft delete for file shares

Checkbox

Optional. Soft delete for file shares protects a file share and its contents from accidental deletes by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted file share to its state at the time it was deleted. For more information, see Prevent accidental deletion of Azure file shares.

Microsoft recommends enabling soft delete for file shares for Azure Files workloads and setting a minimum retention period of seven days.

Enable versioning for blobs

Checkbox

Optional. Blob versioning automatically saves the state of a blob in a previous version when the blob is overwritten. For more information, see Blob versioning.

Microsoft recommends enabling blob versioning for optimal data protection for the storage account.

Enable blob change feed

Checkbox

Optional. The blob change feed provides transaction logs of all changes to all blobs in your storage account, as well as to their metadata. For more information, see Change feed support in Azure Blob Storage.

Enable version-level immutability support

Checkbox

Optional. Enable support for immutability policies that are scoped to the blob version. If this option is selected, then after you create the storage account, you can configure a default time-based retention policy for the account or for the container, which blob versions within the account or container will inherit by default. For more information, see Enable version-level immutability support on a storage account.

Encryption

Encryption type

Radio button

By default, data in the storage account is encrypted by using Microsoft-managed keys. You can rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. The options available are:

• Microsoft-managed keys

• Customer-managed keys

Enable support for customer-managed keys

Radio button

By default, customer managed keys can be used to encrypt only blobs and files. Set this option to All service types (blobs, files, tables, and queues) to enable support for customer-managed keys for all services. You are not required to use customer-managed keys if you choose this option.

Enable infrastructure encryption

Checkbox

Required if Encryption type field is set to Customer-managed keys. The available options are:

• Select a key vault and key: Provides you an option to navigate to the key vault and key that you wish to use.

• Enter key from URI: Provides you an option with a field to enter the key URI and the subscription.

User-assigned identity

Radio button

Required if Encryption type field is set to Customer-managed keys. If you are configuring customer-managed keys at create time for the storage account, you must provide a user-assigned identity to use for authorizing access to the key vault.

Enable infrastructure encryption

Checkbox

Optional. By default, infrastructure encryption is not enabled. Enable infrastructure encryption to encrypt your data at both the service level and the infrastructure level.