Azure · calvinhzy · Jun 20, 2025 · Jun 19, 2025 · Jun 20, 2025
@@ -199,6 +199,15 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
         help='Expiration period of the SAS Policy assigned to the storage account, DD.HH:MM:SS.'
     )
 
+    t_expiration_action_type = self.get_models('ExpirationAction', resource_type=ResourceType.MGMT_STORAGE)
+    sas_expiration_action_type = CLIArgumentType(
+        arg_type=get_enum_type(t_expiration_action_type),
+        options_list=['--sas-expiration-action', '--sas-exp-action'],
+        help="The action to be performed when --sas-expiration-period is violated. The 'Log' action can be used "
+             "for audit purposes and the 'Block' action can be used to block and deny the usage of SAS tokens that "
+             "do not adhere to the sas policy expiration period. The default action is 'Log'."
+    )
+
     key_expiration_period_in_days_type = CLIArgumentType(
         options_list=['--key-expiration-period-in-days', '--key-exp-days'], type=int,
         help='Expiration period in days of the Key Policy assigned to the storage account'
@@ -389,7 +398,8 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is '
                    'permitted here.')
         c.argument('key_expiration_period_in_days', key_expiration_period_in_days_type, is_preview=True)
-        c.argument('sas_expiration_period', sas_expiration_period_type, is_preview=True)
+        c.argument('sas_expiration_period', sas_expiration_period_type)
+        c.argument('sas_expiration_action', sas_expiration_action_type)
         c.argument('allow_cross_tenant_replication', allow_cross_tenant_replication_type)
         c.argument('default_share_permission', default_share_permission_type)
         c.argument('enable_nfs_v3', arg_type=get_three_state_flag(),
@@ -492,7 +502,8 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                    help='The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is '
                    'permitted here.')
         c.argument('key_expiration_period_in_days', key_expiration_period_in_days_type, is_preview=True)
-        c.argument('sas_expiration_period', sas_expiration_period_type, is_preview=True)
+        c.argument('sas_expiration_period', sas_expiration_period_type)
+        c.argument('sas_expiration_action', sas_expiration_action_type)
         c.argument('allow_cross_tenant_replication', allow_cross_tenant_replication_type)
         c.argument('default_share_permission', default_share_permission_type)
         c.argument('immutability_period_since_creation_in_days',

@@ -73,7 +73,7 @@ def create_storage_account(cmd, resource_group_name, account_name, sku=None, loc
                            min_tls_version=None, allow_shared_key_access=None, edge_zone=None,
                            identity_type=None, user_identity_id=None,
                            key_vault_user_identity_id=None, federated_identity_client_id=None,
-                           sas_expiration_period=None, key_expiration_period_in_days=None,
+                           sas_expiration_action=None, sas_expiration_period=None, key_expiration_period_in_days=None,
                            allow_cross_tenant_replication=None, default_share_permission=None,
                            enable_nfs_v3=None, subnet=None, vnet_name=None, action='Allow', enable_alw=None,
                            immutability_period_since_creation_in_days=None, immutability_policy_state=None,
@@ -265,9 +265,16 @@ def create_storage_account(cmd, resource_group_name, account_name, sku=None, loc
         KeyPolicy = cmd.get_models('KeyPolicy')
         params.key_policy = KeyPolicy(key_expiration_period_in_days=key_expiration_period_in_days)
 
-    if sas_expiration_period:
+    if sas_expiration_period is not None or sas_expiration_action is not None:
         SasPolicy = cmd.get_models('SasPolicy')
-        params.sas_policy = SasPolicy(sas_expiration_period=sas_expiration_period)
+        if sas_expiration_period is None and sas_expiration_action is not None:
+            from azure.cli.core.azclierror import InvalidArgumentValueError
+            raise InvalidArgumentValueError('--sas-expiration-action can only be specified together with'
+                                            ' --sas-expiration-period')
+        if sas_expiration_action is None:
+            sas_expiration_action = 'Log'
+        params.sas_policy = SasPolicy(sas_expiration_period=sas_expiration_period,
+                                      expiration_action=sas_expiration_action)
 
     if allow_cross_tenant_replication is not None:
         params.allow_cross_tenant_replication = allow_cross_tenant_replication
@@ -387,7 +394,7 @@ def update_storage_account(cmd, instance, sku=None, tags=None, custom_domain=Non
                            allow_blob_public_access=None, min_tls_version=None, allow_shared_key_access=None,
                            identity_type=None, user_identity_id=None,
                            key_vault_user_identity_id=None, federated_identity_client_id=None,
-                           sas_expiration_period=None, key_expiration_period_in_days=None,
+                           sas_expiration_action=None, sas_expiration_period=None, key_expiration_period_in_days=None,
                            allow_cross_tenant_replication=None, default_share_permission=None,
                            immutability_period_since_creation_in_days=None, immutability_policy_state=None,
                            allow_protected_append_writes=None, public_network_access=None, upgrade_to_storagev2=None,
@@ -646,9 +653,19 @@ def update_storage_account(cmd, instance, sku=None, tags=None, custom_domain=Non
         KeyPolicy = cmd.get_models('KeyPolicy')
         params.key_policy = KeyPolicy(key_expiration_period_in_days=key_expiration_period_in_days)
 
-    if sas_expiration_period:
+    if sas_expiration_period is not None or sas_expiration_action is not None:
         SasPolicy = cmd.get_models('SasPolicy')
-        params.sas_policy = SasPolicy(sas_expiration_period=sas_expiration_period)
+        if sas_expiration_period is None and sas_expiration_action is not None:
+            from azure.cli.core.azclierror import InvalidArgumentValueError
+            raise InvalidArgumentValueError('--sas-expiration-action can only be specified together '
+                                            'with --sas-expiration-period')
+        if sas_expiration_action is None:
+            sas_expiration_action = 'Log'
+            if instance.sas_policy is not None and instance.sas_policy.expiration_action is not None:
+                sas_expiration_action = instance.sas_policy.expiration_action
+
+        params.sas_policy = SasPolicy(sas_expiration_period=sas_expiration_period,
+                                      expiration_action=sas_expiration_action)
 
     if allow_cross_tenant_replication is not None:
         params.allow_cross_tenant_replication = allow_cross_tenant_replication