`az costmanagement export create` requires storage account access keys to be enabled

[AdamSharif-MSFT]

Describe the bug

When calling the command az costmanagement export create with a configured storage account, the following error is returned:

# Create the custom cost management exports
az costmanagement export create \
--name "$EXPORT_NAME" --type "Usage" \
--dataset-configuration columns="Date" columns="MeterId" columns="ResourceLocation" columns="CostInUSD" columns="ResourceId" columns="PricingModel" \
--timeframe "MonthToDate" \
--storage-container="$STORAGE_CONTAINER_NAME" \
--storage-account-id="$STORAGE_ACCOUNT_ID" \
--storage-directory="ad-hoc" \
--recurrence "Daily" \
--recurrence-period from="2026-03-05T14:00:00Z" to="2027-03-05T13:20:00Z" \
--schedule-status "Active" \
--scope "subscriptions/$SUBSCRIPTION"
(400) Key-based authentication is currently disabled on this storage account. To proceed, please enable "Allow storage account key access". For instructions on how to change this setting, please visit https://aka.ms/sharedkey. (Request ID: [redacted] )
Code: 400

The problem is firstly I can't enable access keys on my storage account, and secondly this is an anti-pattern for storage account security.

Related command

az costmanagement export create \
--name "$EXPORT_NAME" --type "Usage" \
--dataset-configuration columns="Date" columns="MeterId" columns="ResourceLocation" columns="CostInUSD" columns="ResourceId" columns="PricingModel" \
--timeframe "MonthToDate" \
--storage-container="$STORAGE_CONTAINER_NAME" \
--storage-account-id="$STORAGE_ACCOUNT_ID" \
--storage-directory="ad-hoc" \
--recurrence "Daily" \
--recurrence-period from="2026-03-05T14:00:00Z" to="2027-03-05T13:20:00Z" \
--schedule-status "Active" \
--scope "subscriptions/$SUBSCRIPTION"

Errors

(400) Key-based authentication is currently disabled on this storage account. To proceed, please enable "Allow storage account key access". For instructions on how to change this setting, please visit https://aka.ms/sharedkey. (Request ID: [redacted] ) Code: 400

Issue script & Debug output

cli.knack.cli: Command arguments: ['costmanagement', 'export', 'create', '--name', 'TestExport', '--type', 'Usage', '--dataset-configuration', 'columns=Date', 'columns=MeterId', 'columns=ResourceLocation', 'columns=CostInUSD', 'columns=ResourceId', 'columns=PricingModel', '--timeframe', 'MonthToDate', '--storage-container=cost-management-exports', '--storage-account-id=/subscriptions/[redacted]/resourceGroups/rg-cost-management-demo/providers/Microsoft.Storage/storageAccounts/stacccostmgmtgkrxez5x', '--storage-directory=ad-hoc', '--recurrence', 'Daily', '--recurrence-period', 'from=2026-03-05T14:00:00Z', 'to=2027-03-05T13:20:00Z', '--schedule-status', 'Active', '--scope', 'subscriptions/[redacted]', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7502d67327a0>, <function OutputProducer.on_global_arguments at 0x7502d647e660>, <function CLIQuery.on_global_arguments at 0x7502d64b87c0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'costmanagement': ['azext_costmanagement']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: costmanagement            0.118         2         6  /home/[redacted]/.azure/cliextensions/costmanagement
cli.azure.cli.core: Total (1)                 0.118         2         6
cli.azure.cli.core: Loaded 2 groups, 6 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : costmanagement export create
cli.azure.cli.core: Command table: costmanagement export create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7502d5723380>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/[redacted]/.azure/commands/2026-03-05.14-13-18.costmanagement_export_create.5547.log'.
az_command_data_logger: command args: costmanagement export create --name {} --type {} --dataset-configuration {} {} {} {} {} {} --timeframe {} --storage-container={} --storage-account-id={} --storage-directory={} --recurrence {} --recurrence-period {} {} --schedule-status {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7502d5770e00>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7502d5773100>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7502d57732e0>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7502d5773380>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7502d647e700>, <function CLIQuery.handle_query_parameter at 0x7502d64b8860>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7502d57731a0>]
az_command_data_logger: extension name: costmanagement
az_command_data_logger: extension version: 1.0.0
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=CostManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/[redacted]/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/[redacted]/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/[redacted]msal.authority: openid_config("https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/16b3c013-d300-468d-ac64-7eda0820b6d3/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: c4cc8881-23d1-4f56-b3d3-7d300aacf474
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/[redacted]/providers/Microsoft.CostManagement/exports/TestExport?api-version=2020-06-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '671'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '75964542-189d-11f1-821a-4f9b7c9d32b6'
cli.azure.cli.core.sdk.policies:     'CommandName': 'costmanagement export create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --type --dataset-configuration --timeframe --storage-container --storage-account-id --storage-directory --recurrence --recurrence-period --schedule-status --scope --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.84.0 (DEB) azsdk-python-core/1.38.0 Python/3.13.11 (Linux-6.6.87.2-microsoft-standard-WSL2-x86_64-with-glibc2.35)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"format": "Csv", "deliveryInfo": {"destination": {"resourceId": "/subscriptions/[redacted]/resourceGroups/rg-cost-management-demo/providers/Microsoft.Storage/storageAccounts/stacccostmgmtgkrxez5x", "container": "cost-management-exports", "rootFolderPath": "ad-hoc"}}, "definition": {"type": "Usage", "timeframe": "MonthToDate", "dataSet": {"granularity": "Daily", "configuration": {"columns": ["Date", "MeterId", "ResourceLocation", "CostInUSD", "ResourceId", "PricingModel"]}}}, "schedule": {"status": "Active", "recurrence": "Daily", "recurrencePeriod": {"from": "2026-03-05T14:00:00.000Z", "to": "2027-03-05T13:20:00.000Z"}}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/[redacted]/providers/Microsoft.CostManagement/exports/TestExport?api-version=2020-06-01 HTTP/1.1" 400 310
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '310'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'session-id': '[redacted]'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '7ad27316-024c-41a4-bcec-cb1a4d5fb70a'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-id': '9863bd10-d4c5-440c-8a50-b04021624151'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '2224f940-123e-4317-bb78-e929d395a167'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '75964542-189d-11f1-821a-4f9b7c9d32b6'
cli.azure.cli.core.sdk.policies:     'X-Powered-By': 'ASP.NET'
cli.azure.cli.core.sdk.policies:     'x-ms-operation-identifier': 'tenantId=16b3c013-d300-468d-ac64-7eda0820b6d3,objectId=50216ef7-bf1a-40b4-8497-b45681d6a614/ukwest/5ff30fff-8086-4adf-b315-2c8b2968f0d9'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'UKWEST:20260305T141320Z:2224f940-123e-4317-bb78-e929d395a167'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 6ECAC5F007D64516A2D4ADF231FC8600 Ref B: AMS231032607033 Ref C: 2026-03-05T14:13:18Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 05 Mar 2026 14:13:20 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"400","message":"Key-based authentication is currently disabled on this storage account. To proceed, please enable \"Allow storage account key access\". For instructions on how to change this setting, please visit https://aka.ms/sharedkey. (Request ID: 7ad27316-024c-41a4-bcec-cb1a4d5fb70a)"}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 682, in execute
    raise ex
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 812, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 781, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
  File "/home/[redacted]/.azure/cliextensions/costmanagement/azext_costmanagement/manual/custom.py", line 44, in costmanagement_export_create
    return client.create_or_update(scope=scope,
           ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
                                   export_name=export_name,
                                   ^^^^^^^^^^^^^^^^^^^^^^^^
                                   parameters=export_parameters)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/[redacted]/.azure/cliextensions/costmanagement/azext_costmanagement/vendored_sdks/costmanagement/operations/_exports_operations.py", line 277, in create_or_update
    raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (400) Key-based authentication is currently disabled on this storage account. To proceed, please enable "Allow storage account key access". For instructions on how to change this setting, please visit https://aka.ms/sharedkey. (Request ID: 7ad27316-024c-41a4-bcec-cb1a4d5fb70a)
Code: 400
Message: Key-based authentication is currently disabled on this storage account. To proceed, please enable "Allow storage account key access". For instructions on how to change this setting, please visit https://aka.ms/sharedkey. (Request ID: 7ad27316-024c-41a4-bcec-cb1a4d5fb70a)

Expected behavior

As per the API & Bicep etc., access keys should not be required for the command to work since an Entra ID is used following pre-checks. It would be great to either bypass these checks entirely, or have a flag option to disable access keys checks.

Environment Summary

az --version
azure-cli                         2.84.0

core                              2.84.0
telemetry                          1.1.0

Extensions:
aks-agent                       1.0.0b19
aks-preview                    19.0.0b22
alb                                2.0.1
amg                                2.8.1
aro                                1.0.6
azure-firewall                     2.1.0
bastion                            1.4.3
connectedk8s                      1.11.0
containerapp                     1.3.0b3
costmanagement                     1.0.0
dataprotection                     1.8.0
interactive                      1.0.0b1
k8s-configuration                  2.3.0
k8s-extension                      1.7.0
resource-graph                     2.1.1
ssh                                2.0.6
virtual-wan                        1.0.1

Dependencies:
msal                            1.35.0b1
azure-mgmt-resource               24.0.0

Python location '/opt/az/bin/python3'
Config directory '/home/[redacted]/.azure'
Extensions directory '/home/[redacted]/.azure/cliextensions'

Python (Linux) 3.13.11 (main, Feb 25 2026, 02:29:12) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @ms-premp, @ramaganesan-rg.