Storage Account Types
| Account type | Performance | Supported services | Redundancy |
|---|---|---|---|
| Standard general-purpose v2 | Standard (HDD) | Blob, Files, Queue, Table | LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS |
| Premium block blobs | Premium (SSD) | Blob only (block and append blobs) | LRS, ZRS |
| Premium file shares | Premium (SSD) | Azure Files only (SMB and NFS) | LRS, ZRS |
| Premium page blobs | Premium (SSD) | Page blobs only | LRS |
Standard general-purpose v2The recommended storage account type for most scenarios. It is the only account type that supports all six redundancy options including GZRS and RA-GZRS. is the recommended account type for most scenarios and the only one supporting all six redundancy options including GZRS and RA-GZRS.
Storage account names must be 3–24 characters, contain only lowercase letters and numbers, and be globally unique across Azure. You cannot convert a storage account to a different type after creation — you must create a new account and copy data.
Storage Redundancy Options
All storage accounts replicate data three times in the primary region as a baseline.
| Option | Primary region | Secondary region | Secondary reads? | Durability |
|---|---|---|---|---|
| LRS (Locally Redundant) | 3 copies in one datacenter | None | No | 11 nines |
| ZRS (Zone-Redundant) | 3 copies across 3 availability zones | None | No | 12 nines |
| GRS (Geo-Redundant) | 3 copies via LRS | 3 copies via LRS (async) | No | 16 nines |
| RA-GRS (Read-Access Geo-Redundant) | 3 copies via LRS | 3 copies via LRS (async) | Yes (secondary endpoint) | 16 nines |
| GZRS (Geo-Zone-Redundant) | 3 copies across 3 zones (ZRS) | 3 copies via LRS (async) | No | 16 nines |
| RA-GZRS (Read-Access Geo-Zone-Redundant) | 3 copies across 3 zones (ZRS) | 3 copies via LRS (async) | Yes (secondary endpoint) | 16 nines |
GRS and GZRS replicate to the secondary region asynchronously — a small amount of data loss (RPO) is possible during a regional outage. The RPO for block blobs is typically under 15 minutes.
The Archive tier only supports LRS, GRS, and RA-GRS — it does not support ZRS-based options.
Object Replication
Object replicationAsynchronous copying of block blobs between source and destination storage accounts (same or different region, cross-subscription). Requires blob versioning on both accounts and change feed on the source. asynchronously copies block blobs between storage accounts and requires blob versioning on both accounts and change feed on the source.
Object replication does not support append blobs or page blobs, and does not replicate blob snapshots or soft-deleted blobs.
Storage Account Encryption
All data in Azure Storage is encrypted at rest by default using 256-bit AES. By default, Microsoft-managed keys (MMK)The default encryption key management option where Azure controls key rotation and lifecycle — no additional cost. are used.
You can switch to customer-managed keys (CMK)Encryption keys stored in Azure Key Vault or Azure Key Vault Managed HSM under customer control, including the ability to revoke access to data by disabling the key. for greater control.
Infrastructure encryptionA second layer of encryption at the infrastructure level using different keys. Must be enabled at account creation time and cannot be added afterward. adds a second layer of encryption at the infrastructure level using different keys; it must be enabled at account creation time and cannot be added afterward.
Azure Storage Explorer and AzCopy
Azure Storage Explorer is a standalone GUI for managing storage accounts, containers, blobs, queues, tables, and file shares. Supports connections via Azure subscription, SAS URI, storage account key, or Entra credentials.
AzCopyA command-line utility optimized for high-performance data transfers to and from Azure Storage. Supports server-side blob-to-blob copies, local uploads, and downloads. is a command-line utility optimized for high-performance data transfers to and from Azure Storage, supporting server-side blob-to-blob copies, local uploads, and downloads.
Key AzCopy commands:
azcopy copy— upload, download, or copy between accountsazcopy sync— one-way synchronization (only copies new or modified files)azcopy login— authenticate using Entra ID (avoids embedding keys in scripts)
Redundancy Decision Matrix
Must Memorize
To read from the secondary region without initiating a failover, you must use RA-GRS or RA-GZRS. With plain GRS/GZRS, secondary data is only accessible after a failover is initiated.
Microsoft recommends GZRS for applications requiring maximum durability and availability — it combines zone-redundancy in the primary with geo-redundancy to a secondary region.
Account Type Conversion
Exam Trap
You cannot upgrade a Standard general-purpose v2 account to Premium. You cannot change a storage account type after creation. You must create a new Premium account and migrate data.
Archive Tier and ZRS Incompatibility
Exam Trap
Archive tier does not support ZRS, GZRS, or RA-GZRS. The Archive tier only supports LRS, GRS, and RA-GRS. Lifecycle management policies cannot apply TierToArchive to accounts using zone-redundant storage.
Object Replication Prerequisites
Must Memorize
Object replication requires blob versioning enabled on both source and destination accounts, and change feed enabled on the source account. Only block blobs are replicated — append and page blobs are not.
Infrastructure Encryption Timing
Exam Trap
Infrastructure encryption must be enabled at account creation time. It cannot be added to an existing account. Customer-managed keys (CMK), however, can be enabled on an existing account at any time.
AzCopy sync Direction
Exam Trap
azcopy sync is one-directional — source to destination only. Files deleted from the source are optionally deleted at the destination only with the --delete-destination flag.
Create a Storage Account
Portal → Search Storage accounts → + Create
- On the Basics tab: select Subscription, Resource Group, enter a unique account name, Region, Performance (Standard or Premium), and Redundancy.
- On the Advanced tab: optionally enable hierarchical namespace (Data Lake Storage Gen2), infrastructure encryption, or access tier default.
- On the Networking tab: configure public or private access and firewall rules.
- On the Data protection tab: configure soft delete retention periods, blob versioning, and change feed.
- On the Encryption tab: choose Microsoft-managed keys or customer-managed keys.
- Select Review + create, then Create.
Change Redundancy Configuration
Portal → Storage account → Data management → Redundancy
- Use the Redundancy dropdown to select the new option (e.g., change from LRS to GRS).
- Note: changing to or from ZRS requires a live migration or manual migration.
- Select Save.
Configure Object Replication
Portal → Storage account (destination) → Data management → Object replication
- Select + Add replication rules (or Set up replication).
- For the source, select the source subscription and storage account.
- Under Rule configuration, map source containers to destination containers.
- Optionally set prefix filters and a copy-over-object creation date.
- Select Save. Ensure blob versioning and change feed are enabled on both accounts.
Use AzCopy (CLI example)
# Login with Entra ID (interactive)
azcopy login
# Copy a local file to a blob container
azcopy copy "./localfile.txt" "https://<account>.blob.core.windows.net/<container>/localfile.txt"
# Copy between two storage accounts (server-side)
azcopy copy "https://<source>.blob.core.windows.net/<container>/<blob>" \
"https://<dest>.blob.core.windows.net/<container>/<blob>"
# Sync a local folder to a container (one-way)
azcopy sync "./localfolder" "https://<account>.blob.core.windows.net/<container>"
AZ-104 Exam Focus
Exam Trap
"GRS means you can always read from the secondary region." → GRS replicates to a secondary region but secondary reads require RA-GRS. With GRS, secondary data is only accessible after a failover is initiated.
Exam Trap
"You can upgrade a Standard general-purpose v2 account to Premium." → You cannot change a storage account type after creation. You must create a new Premium account and migrate data.
Exam Trap
"Archive tier blobs are supported by ZRS." → The Archive tier only supports LRS, GRS, and RA-GRS. ZRS, GZRS, and RA-GZRS are not supported for Archive tier.
Exam Trap
"Object replication works with all blob types." → Object replication only supports block blobs. Append blobs and page blobs are not replicated. Blob versioning must be enabled on both source and destination accounts.
Exam Trap
"Infrastructure encryption can be enabled on an existing account any time." → Infrastructure encryption must be enabled at account creation time and cannot be added to an existing account.
Exam Trap
"AzCopy sync is bidirectional." → azcopy sync is one-directional — from source to destination only.
Question — click to flip
Q: Which redundancy option provides both zone-redundancy in the primary region AND geo-redundancy to a secondary region?
Question — click to flip
Q: What prerequisites are required for object replication between two storage accounts?
Question — click to flip
Q: Can you read from the secondary region with plain GRS without initiating a failover?
Question — click to flip
Q: Which is the only storage account type that supports all six redundancy options?
Question — click to flip
Q: What happens when you use azcopy copy with both source and destination as HTTPS blob URLs?
Question — click to flip
Q: When must infrastructure encryption be enabled for a storage account?