Skip to content

[Reference feedback]: AZ Storage Account CLI - Wrong Default listed in Docs #32276

Open
Open
[Reference feedback]: AZ Storage Account CLI - Wrong Default listed in Docs#32276
Assignees
calvinhzy
Labels
Auto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamStorageaz storageact-codegen-extensibility-squadcustomer-reportedIssues that are reported by GitHub users external to the Azure organization.needs-triageThis is a new issue that needs to be triaged to the appropriate team.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
Backlog
@JBarazani

Description

@JBarazani
JBarazani
opened on Oct 18, 2025

Type of issue

Other (describe below)

Reference command name

az storage account create

Feedback

The documentation states when the --cross-tenant-replication flag is not set, it defaults to 'false'

--allow-cross-tenant-replication -r
Allow or disallow cross AAD tenant object replication. Set this property to true for new or existing accounts only if object replication policies will involve storage accounts in different AAD tenants. If not specified, the default value is false for new accounts to follow best security practices.

However, this is not actually the case, as can be seen by this:

**Command: ** az storage account create --name testnoflagsa --resource-group testrg
Response:

Code: RequestDisallowedByPolicy
Message: Resource 'testnoflagsa' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"","id":"/subscriptions//resourceGroups/testrg/providers/Microsoft.Authorization/policyAssignments/"},"policyDefinition":{"name":"AZAS-DP05A-1: Cross Tenant Replication MUST be disabled","id":"/providers/Microsoft.Management/managementGroups//providers/Microsoft.Authorization/policyDefinitions/AZAS-DP05A-1","version":"1.0.0"},"policySetDefinition":{"name":"","id":"/providers/Microsoft.Management/managementGroups//providers/Microsoft.Authorization/policySetDefinitions/","version":"1.0.0"}}]'.
Target: testnoflagsa
Additional Information:Type: PolicyViolation
Info: {
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "Field",
"expression": "type",
"path": "type",
"expressionValue": "Microsoft.Storage/storageAccounts",
"targetValue": "Microsoft.Storage/storageAccounts",
"operator": "Equals"
},
{
"result": "True",
"expressionKind": "Field",
"expression": "Microsoft.Storage/storageAccounts/allowCrossTenantReplication",
"path": "properties.allowCrossTenantReplication",
"targetValue": "false",
"operator": "Exists"
}
]
},
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/*/providers/Microsoft.Authorization/policyDefinitions/AZAS-DP05A-1",

Page URL

https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest

Content source URL

https://github.com/MicrosoftDocs/azure-docs-cli/blob/main/docs-ref-autogen/Latest-version/latest/storage/account.yml

Author

@mikefrobbins

Document Id

aa8a0403-f0a1-d5a8-14b8-072d4e8af140

Metadata

Metadata

Assignees

Labels

Auto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamStorageaz storageact-codegen-extensibility-squadcustomer-reportedIssues that are reported by GitHub users external to the Azure organization.needs-triageThis is a new issue that needs to be triaged to the appropriate team.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions