Search code examples

How do I specify in an ARM template that my storage account should have `Public network access` set to `Disabled`?

How do I specify in an ARM template that my storage account should have Public network access set to Disabled ?

I have the following storageAccounts resource in an ARM template and when I upload the template I was expecting to see Public network access set to Disabled, but instead I see 'Enabled from selected virtual networks and IP Addresses', I have tried to put a storage account to Public network access=Disabled manually and export that template and it has the same as I do, so not quite sure how to do it.

My understanding of it is that as long as I keep the virtual networks + IP Addresses to empty arrays then it's the same as putting Public access to Disabled, not sure if this is the logic.

Public network access result of uploading the template:

Public network access result of uploading the template

The resource defined in my ARM template:

"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageAccountName')]",
"apiVersion": "2017-10-01",
"sku": {
    "name": "[parameters('storageAccountSku')]",
    "tier": "[parameters('storageAccountTier')]"
"kind": "StorageV2",
"location": "[parameters('storageAccountLocation')]",
"tags": {},
"identity": {
    "type": "SystemAssigned"
"properties": {
    "defaultToOAuthAuthentication": false,
    "supportsHttpsTrafficOnly": true,
    "AllowBlobPublicAccess": false,
    "targetResourceId": "",
    "networkAcls": {
        "resourceAccessRules": [],
        "bypass": "AzureServices",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": []
    "publicNetworkAccess": "Disabled",
    "accessTier": "Hot"


  • I could see that you are using "apiVersion": "2017-10-01" and it is a very old version of ARM template for storage account. To avoid the conflicts, use the latest version which is "apiVersion": "2023-01-01".

    Refer MSDoc for all the latest available Api versions of"Microsoft.Storage/storageAccounts".

    Complete code is given below.

        "$schema": "",
        "contentVersion": "",
        "parameters": {
            "storageaccountname": {
                "defaultValue": "teststorejah",
                "type": "String"
            "storageAccountType": {
                "defaultValue": "Standard_GRS",
                "allowedValues": [
                "type": "String",
                "metadata": {
                    "description": "Accounttype"
            "location": {
                "defaultValue": "[resourceGroup().location]",
                "type": "String",
                "metadata": {
                    "description": "Location"
        "resources": [
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2023-01-01",
                "name": "[parameters('storageaccountname')]",
                "location": "[parameters('location')]",
                "sku": {
                    "name": "[parameters('storageAccountType')]"
                "kind": "StorageV2",
                "properties": {
                    "networkAcls": {
                        "defaultAction": "Deny",
                        "bypass": "AzureServices",
                        "ipRules": [],
                        "virtualNetworkRules": []
                    "publicNetworkAccess": "Disabled"
        "outputs": {}

    enter image description here

    enter image description here