az storage account show no longer returns "properties"

[mbraekman]

Describe the bug

When executing the following command, the "properties" section is no longer being returned.
az storage account show --resource-group '%MyResourceGroupName%' --name '%MyStorageAccountName%' --query 'properties'

Because of this, Azure Policies based on specific settings, which should be returned as part of this properties section, prevent any deployments, due to the inability to verify the setting values.
One example of these settings is the "allowedCopyScope"-property.

This has been verified on multiple storage accounts, in different subscriptions/tenants, by different people.

Related command

az storage account show

Errors

The command executes without error but no longer returns all properties.

Issue script & Debug output

az storage account show --resource-group '%MyResourceGroup%' --name '%MyStorageAccount%' --query 'properties' --debug

cli.knack.cli: Command arguments: ['storage', 'account', 'show', '--resource-group', '%MyResourceGroup%', '--name', '%MyStorageAccount%', '--query', 'properties', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x02244100>, <function OutputProducer.on_global_arguments at 0x022B1F58>, <function CLIQuery.on_global_arguments at 0x023D7B20>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'storage': ['azure.cli.command_modules.storage']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: storage 0.066 55 256
cli.azure.cli.core: Total (1) 0.066 55 256
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 55 groups, 256 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : storage account show
cli.azure.cli.core: Command table: storage account show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03E49850>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Me.azure\commands\2025-02-18.09-49-29.storage_account_show.23368.log'.
az_command_data_logger: command args: storage account show --resource-group {} --name {} --query {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x03E985C8>]
cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 600, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2021_06_01.models' has no attribute 'AccountType'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 600, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2021_06_01.models' has no attribute 'ListKeyExpand'

cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x03E986A0>, <function register_cache_arguments..add_cache_arguments at 0x03EFB6A0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x022B1FA0>, <function CLIQuery.handle_query_parameter at 0x023D7B68>, <function register_ids_argument..parse_ids_arguments at 0x03EFB658>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=StorageManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\Me\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.identity: _load_msal_http_cache: C:\Users\Me.azure\msal_http_cache.bin
cli.azure.cli.core.auth.identity: __load_msal_http_cache: C:\Users\Me.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/%TenantId%/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/%TenantId%/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/%TenantId%/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/%TenantId%/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/%TenantId%/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/%TenantId%/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/%TenantId%/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: f90fca24-90bc-4a02-b2a7-7753cefd7c9e
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/%MySubscriptionId%/resourceGroups/%MyResourceGroup%/providers/Microsoft.Storage/storageAccounts/%MyStorageAccount%?api-version=2021-06-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '442af91a-edd5-11ef-a91a-a0cec8e995b2'
cli.azure.cli.core.sdk.policies: 'CommandName': 'storage account show'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --query --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.33.1 (MSI) azsdk-python-azure-mgmt-storage/19.0.0 Python/3.8.9 (Windows-10-10.0.22621-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/%MySubscriptionId%/resourceGroups/%MyResourceGroup%/providers/Microsoft.Storage/storageAccounts/%MyStorageAccount%?api-version=2021-06-01 HTTP/1.1" 200 1984
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '1984'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '37d59765-0157-4643-85cc-efd0496f61fa'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '6be7efd3-88b7-4020-8ea7-c4ba55ee6502'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'UKWEST:20250218T084932Z:6be7efd3-88b7-4020-8ea7-c4ba55ee6502'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 620CBF72A0C4441AB2BD25FFA353A0EF Ref B: VIEEDGE2806 Ref C: 2025-02-18T08:49:32Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Tue, 18 Feb 2025 08:49:31 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"sku":{"name":"Standard_RAGRS","tier":"Standard"},"kind":"StorageV2","id":"/subscriptions/%MySubscriptionId%/resourceGroups/%MyResourceGroup%/providers/Microsoft.Storage/storageAccounts/%MyStorageAccount%","name":"%MyStorageAccount%","type":"Microsoft.Storage/storageAccounts","location":"westeurope","tags":{"CreatedBy":"my@mail.com","Owner":"my@mail.com"},"properties":{"defaultToOAuthAuthentication":false,"keyCreationTime":{"key1":"2021-08-11T11:58:11.8082370Z","key2":"2021-08-11T11:58:11.8082370Z"},"privateEndpointConnections":[],"minimumTlsVersion":"TLS1_2","allowBlobPublicAccess":true,"allowSharedKeyAccess":true,"networkAcls":{"bypass":"AzureServices","virtualNetworkRules":[],"ipRules":[],"defaultAction":"Allow"},"supportsHttpsTrafficOnly":true,"encryption":{"services":{"file":{"keyType":"Account","enabled":true,"lastEnabledTime":"2021-08-11T11:58:11.8082370Z"},"blob":{"keyType":"Account","enabled":true,"lastEnabledTime":"2021-08-11T11:58:11.8082370Z"}},"keySource":"Microsoft.Storage"},"accessTier":"Hot","provisioningState":"Succeeded","creationTime":"2021-08-11T11:58:11.6988566Z","primaryEndpoints":{"dfs":"https://%MyStorageAccount%.dfs.core.windows.net/","web":"https://%MyStorageAccount%.z6.web.core.windows.net/","blob":"https://%MyStorageAccount%.blob.core.windows.net/","queue":"https://%MyStorageAccount%.queue.core.windows.net/","table":"https://%MyStorageAccount%.table.core.windows.net/","file":"https://%MyStorageAccount%.file.core.windows.net/"},"primaryLocation":"westeurope","statusOfPrimary":"available","secondaryLocation":"northeurope","statusOfSecondary":"available","secondaryEndpoints":{"dfs":"https://%MyStorageAccount%-secondary.dfs.core.windows.net/","web":"https://%MyStorageAccount%-secondary.z6.web.core.windows.net/","blob":"https://%MyStorageAccount%-secondary.blob.core.windows.net/","queue":"https://%MyStorageAccount%-secondary.queue.core.windows.net/","table":"https://%MyStorageAccount%-secondary.table.core.windows.net/"}}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x03E918E0>, <function x509_from_base64_to_hex_transform at 0x03E91928>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult [<function CLIQuery.handle_query_parameter..filter_output at 0x04F81460>]
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03E49970>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.616 seconds (init: 0.347, invoke: 2.269)
telemetry.save: Save telemetry record of length 2959 in cache
telemetry.check: Returns Positive.
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\Me.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
cli.azure.cli.core.auth.identity: _dump_msal_http_cache: C:\Users\Me.azure\msal_http_cache.bin

Expected behavior

The "properties"-section should still be returned.
This includes for example the "allowedCopyScope"-property.

Environment Summary

az version
{
"azure-cli": "2.33.1",
"azure-cli-core": "2.33.1",
"azure-cli-telemetry": "1.0.6",
"extensions": {
"account": "0.2.1",
"application-insights": "0.1.17",
"azure-devops": "0.26.0",
"communication": "1.3.0",
"resource-graph": "2.1.0"
}
}

Additional context

No response

[azure-client-tools-bot-prd]

Hi @mbraekman,

2.33.1 is not the latest Azure CLI(2.69.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[calvinhzy]

@mbraekman please upgrade to the latest version and give it a try. Thanks.

[mbraekman]

@calvinhzy
version has been upgraded: az version
{
"azure-cli": "2.69.0",
"azure-cli-core": "2.69.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"account": "0.2.1",
"application-insights": "0.1.17",
"azure-devops": "0.26.0",
"communication": "1.3.0",
"resource-graph": "2.1.0"
}
}

Executing the command "az storage account show" now again contains the "allowedCopyScope"-setting but at a different level than before. The 'properties'-object is no longer included, but those properties are moved up 1 level.
This is causing the Azure Policies to fails in our situation where expectations have been set to a path like properties.allowedCopyScope.

Any specific reason why these type of issues started occurring as of yesterday afternoon?
Before that, queries with the previously defined az version where working as expected, since yesterday afternoon (without any update/version changes on our end) command responses are different, both on our machine and in azure devops release pipelines and corresponding azure policies.

[calvinhzy]

Confirming the current behavior that I am seeing. Do you know what az version was giving the nested properties object? If there is no local update, could be a service side change.

[mbraekman]

It has been a while since this has been executed locally, as it has been Azure DevOps executing the full setup for quite some time.
However, considering the MSFT-hosted agent that is being used (windows-2022), the docs seem to indicate it is using Azure CLI v2.68.0.

The weirdest part though, was that the Azure Policy was not complaining when using the Azure Portal to modify anything on the storage account manually, it's only complaining when attempting to use the az cli (with the old version on my machine or via DevOps).

But, I've now managed to work around the issue, by adding a task in the yaml pipeline that upgrades the Azure CLI version. So, that works but it takes ages to get the job done.
Looking forward to that moment when the image has been upgraded out of the box.

[calvinhzy]

For Azure Devops, you can give the Azure CLIv2 Task a try