Azure · kah279 · Mar 5, 2026 · Mar 5, 2026
diff --git a/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/README.md b/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/README.md
@@ -0,0 +1,34 @@
+# Deny ZRS storage accounts without Smart tier
+
+This policy ensures that all Standard Zone-Redundant Storage (ZRS) accounts use the Smart access tier. The Smart tier automatically optimizes storage costs by intelligently moving data between access tiers based on access patterns. It targets storage accounts with `Standard_ZRS`, `Standard_GZRS`, and `Standard_RAGZRS` SKUs of kind `StorageV2` or `BlobStorage`.
+
+The policy supports the following effects:
+
+- **Deny** (default) – Prevents creation or update of ZRS storage accounts that do not use the Smart tier.
+- **Audit** – Logs non-compliant ZRS storage accounts without making changes.
+- **Disabled** – Turns off the policy evaluation entirely.
+
+> **Note:** The policy only evaluates requests using API version `2025-08-01` or later, which supports the Smart access tier. Requests made with older API versions are not affected.
+
+## Try on Portal
+
+[![Deploy to Azure](http://azuredeploy.net/deploybutton.png)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/CreatePolicyDefinitionBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FCommunity-Policy%2Fmaster%2FpolicyDefinitions%2FStorage%2Fdeny-zrs-storage-accounts-without-smart-tier%2Fazurepolicy.json)
+
+## Try with PowerShell
+
+````powershell
+$definition = New-AzPolicyDefinition -Name "deny-zrs-storage-accounts-without-smart-tier" -DisplayName "Deny ZRS storage accounts without Smart tier" -description "This policy ensures that all Standard ZRS storage accounts use the Smart access tier." -Policy 'https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.parameters.json' -Mode All
+$definition
+$assignment = New-AzPolicyAssignment -Name <assignmentname> -Scope <scope> -PolicyDefinition $definition
+$assignment 
+````
+
+## Try with CLI
+
+````cli
+
+az policy definition create --name 'deny-zrs-storage-accounts-without-smart-tier' --display-name 'Deny ZRS storage accounts without Smart tier' --description 'This policy ensures that all Standard ZRS storage accounts use the Smart access tier.' --rules 'https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.rules.json' --params 'https://raw.githubusercontent.com/Azure/Community-Policy/master/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.parameters.json' --mode All
+
+az policy assignment create --name <assignmentname> --scope <scope> --policy "deny-zrs-storage-accounts-without-smart-tier" 
+
+````
diff --git a/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.json b/policyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.json
@@ -0,0 +1,64 @@
+{
+  "name": "a3c7bb4e-8e62-4f1d-9c3a-bf5d42e6f9d1",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "properties": {
+    "displayName": "Deny ZRS storage accounts without Smart tier",
+    "description": "This policy ensures that all Standard ZRS storage accounts use the Smart access tier. The Smart tier automatically optimizes storage costs by moving data between access tiers based on access patterns. This policy targets Standard_ZRS, Standard_GZRS, and Standard_RAGZRS SKUs of kind StorageV2 or BlobStorage. Only requests using API version 2025-08-01 or later are evaluated, as earlier versions do not support the Smart tier.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Storage"
+    },
+    "mode": "All",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Deny, Audit or Disabled the execution of the Policy"
+        },
+        "allowedValues": [
+          "Deny",
+          "Audit",
+          "Disabled"
+        ],
+        "defaultValue": "Deny"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Storage/storageAccounts"
+          },
+          {
+            "field": "kind",
+            "in": [
+              "StorageV2",
+              "BlobStorage"
+            ]
+          },
+          {
+            "field": "Microsoft.Storage/storageAccounts/sku.name",
+            "in": [
+              "Standard_ZRS",
+              "Standard_GZRS",
+              "Standard_RAGZRS"
+            ]
+          },
+          {
+            "value": "[requestContext().apiVersion]",
+            "greaterOrEquals": "2025-08-01"
+          },
+          {
+            "field": "Microsoft.Storage/storageAccounts/accessTier",
+            "notEquals": "Smart"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  }
+}
diff --git a/...initions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.parameters.json b/...initions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.parameters.json
@@ -0,0 +1,15 @@
+{
+  "effect": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Effect",
+      "description": "Deny, Audit or Disabled the execution of the Policy"
+    },
+    "allowedValues": [
+      "Deny",
+      "Audit",
+      "Disabled"
+    ],
+    "defaultValue": "Deny"
+  }
+}
diff --git a/...cyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.rules.json b/...cyDefinitions/Storage/deny-zrs-storage-accounts-without-smart-tier/azurepolicy.rules.json
@@ -0,0 +1,36 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Storage/storageAccounts"
+      },
+      {
+        "field": "kind",
+        "in": [
+          "StorageV2",
+          "BlobStorage"
+        ]
+      },
+      {
+        "field": "Microsoft.Storage/storageAccounts/sku.name",
+        "in": [
+          "Standard_ZRS",
+          "Standard_GZRS",
+          "Standard_RAGZRS"
+        ]
+      },
+      {
+        "value": "[requestContext().apiVersion]",
+        "greaterOrEquals": "2025-08-01"
+      },
+      {
+        "field": "Microsoft.Storage/storageAccounts/accessTier",
+        "notEquals": "Smart"
+      }
+    ]
+  },
+  "then": {
+    "effect": "[parameters('effect')]"
+  }
+}