Azure · vidai-msft · Jan 26, 2026 · Jan 13, 2026 · Jan 20, 2026 · Jan 20, 2026
diff --git a/src/Storage/Storage.Management.Test/ScenarioTests/StorageFileTests.ps1 b/src/Storage/Storage.Management.Test/ScenarioTests/StorageFileTests.ps1
@@ -382,6 +382,7 @@ function Test-FileServiceProperties
     {
         # Test
         $stoname = 'sto' + $rgname;
+		$stoname2 = 'sto2' + $rgname;
         $stotype = 'Premium_LRS';
         $loc = Get-ProviderLocation_Canary2 ResourceManagement;
         $kind = 'FileStorage'
@@ -403,32 +404,47 @@ function Test-FileServiceProperties
         # $loc = Get-ProviderLocation_Canary ResourceManagement;
         New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype -Kind $kind 
         $stos = Get-AzStorageAccount -ResourceGroupName $rgname;
+
+		New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname2 -Location $loc -SkuName $stotype -Kind $kind 
+
+		# Test Nfs encryption in transit setting 
+		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname2 -NfsEncryptionInTransitRequired $true
+		$serviceProperty = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname2
+		Assert-AreEqual $true $serviceProperty.ProtocolSettings.Nfs.EncryptionInTransit.Required
+
+		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname2 -NfsEncryptionInTransitRequired $false
+		$serviceProperty = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname2
+		Assert-AreEqual $false $serviceProperty.ProtocolSettings.Nfs.EncryptionInTransit.Required
 
 		# Enable MC, and set smb setting
 		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname -EnableSmbMultichannel $true `
 					-SMBProtocolVersion SMB2.1,SMB3.0,SMB3.1.1 `
 					-SMBAuthenticationMethod Kerberos,NTLMv2 `
 					-SMBKerberosTicketEncryption RC4-HMAC,AES-256 `
-					-SMBChannelEncryption AES-128-CCM,AES-128-GCM,AES-256-GCM
+					-SMBChannelEncryption AES-128-CCM,AES-128-GCM,AES-256-GCM `
+					-SmbEncryptionInTransitRequired $true
 		$servicePropertie = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname 
 		Assert-AreEqual 3 $servicePropertie.ProtocolSettings.Smb.Versions.Count
 		Assert-AreEqual 2 $servicePropertie.ProtocolSettings.Smb.AuthenticationMethods.Count
 		Assert-AreEqual 2 $servicePropertie.ProtocolSettings.Smb.KerberosTicketEncryption.Count
 		Assert-AreEqual 3 $servicePropertie.ProtocolSettings.Smb.ChannelEncryption.Count
 		Assert-AreEqual $true $servicePropertie.ProtocolSettings.Smb.Multichannel.Enabled
+		Assert-AreEqual $true $servicePropertie.ProtocolSettings.Smb.EncryptionInTransit.Required
 
 		# Disable MC, update smb setting
 		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname -EnableSmbMultichannel $false `
 					-SMBProtocolVersion SMB3.1.1 `
 					-SMBAuthenticationMethod Kerberos `
 					-SMBKerberosTicketEncryption AES-256 `
-					-SMBChannelEncryption AES-128-CCM
+					-SMBChannelEncryption AES-128-CCM `
+					-SmbEncryptionInTransitRequired $false 
 		$servicePropertie = Get-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname 
 		Assert-AreEqual "SMB3.1.1" $servicePropertie.ProtocolSettings.Smb.Versions[0]
 		Assert-AreEqual "Kerberos" $servicePropertie.ProtocolSettings.Smb.AuthenticationMethods[0]
 		Assert-AreEqual "AES-256" $servicePropertie.ProtocolSettings.Smb.KerberosTicketEncryption[0]
 		Assert-AreEqual "AES-128-CCM" $servicePropertie.ProtocolSettings.Smb.ChannelEncryption[0]
 		Assert-AreEqual $false $servicePropertie.ProtocolSettings.Smb.Multichannel.Enabled
+		Assert-AreEqual $false $servicePropertie.ProtocolSettings.Smb.EncryptionInTransit.Required
 
 		# remove smb setting
 		Update-AzStorageFileServiceProperty -ResourceGroupName $rgname -StorageAccountName $stoname `

diff --git a/...nds.Management.Storage.Test.ScenarioTests.StorageFileTests/TestFileServiceProperties.json b/...nds.Management.Storage.Test.ScenarioTests.StorageFileTests/TestFileServiceProperties.json
diff --git a/src/Storage/Storage.Management/ChangeLog.md b/src/Storage/Storage.Management/ChangeLog.md
@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported encryption in transit in file service properties 
+    - `Update-AzStorageFileServiceProperty`
 * When users input TLS 1.0 or TLS 1.1 to create or update a Storage account, automatically upgrade to TLS 1.2
     - `New-AzStorageAccount`
     - `Set-AzStorageAccount`

diff --git a/src/Storage/Storage.Management/File/UpdateAzAzStorageFileServiceProperty.cs b/src/Storage/Storage.Management/File/UpdateAzAzStorageFileServiceProperty.cs
@@ -162,6 +162,40 @@ public bool EnableSmbMultichannel
             IgnoreCase = true)]
         public string[] SmbKerberosTicketEncryption { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.")]
+        [ValidateNotNullOrEmpty]
+        public bool SmbEncryptionInTransitRequired
+        {
+            get
+            {
+                return smbEncryptionInTransitRequired is null ? false : smbEncryptionInTransitRequired.Value;
+            }
+            set
+            {
+                smbEncryptionInTransitRequired = value;
+            }
+        }
+        private bool? smbEncryptionInTransitRequired = null;
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.")]
+        [ValidateNotNullOrEmpty]
+        public bool NfsEncryptionInTransitRequired
+        {
+            get
+            {
+                return nfsEncryptionInTransitRequired is null ? false : nfsEncryptionInTransitRequired.Value;
+            }
+            set
+            {
+                nfsEncryptionInTransitRequired = value;
+            }
+        }
+        private bool? nfsEncryptionInTransitRequired = null;
+
         [Parameter(Mandatory = false,
             HelpMessage = "Specifies CORS rules for the File service.")]
         [ValidateNotNull]
@@ -221,11 +255,12 @@ public override void ExecuteCmdlet()
                 fileServiceProperties.ShareDeleteRetentionPolicy = deleteRetentionPolicy;
 
                 ProtocolSettings protocolSettings = null;
-                if(this.SmbProtocolVersion != null ||
+                if (this.SmbProtocolVersion != null ||
                     this.SmbAuthenticationMethod != null ||
                     this.SmbKerberosTicketEncryption != null ||
                     this.SmbChannelEncryption != null ||
-                    this.enableSmbMultichannel != null)
+                    this.enableSmbMultichannel != null || 
+                    this.smbEncryptionInTransitRequired != null)
                 {
                     protocolSettings = new ProtocolSettings();
                     protocolSettings.Smb = new SmbSetting();
@@ -250,7 +285,22 @@ public override void ExecuteCmdlet()
                         protocolSettings.Smb.Multichannel = new Multichannel();
                         protocolSettings.Smb.Multichannel.Enabled = this.enableSmbMultichannel;
                     }
+                    if (this.smbEncryptionInTransitRequired != null)
+                    {
+                        protocolSettings.Smb.EncryptionInTransit = new EncryptionInTransit(this.smbEncryptionInTransitRequired);
+                    }
+                }
+
+                if (nfsEncryptionInTransitRequired != null)
+                {
+                    if (protocolSettings == null)
+                    {
+                        protocolSettings = new ProtocolSettings();
+                    }
+                    protocolSettings.Nfs = new NfsSetting();
+                    protocolSettings.Nfs.EncryptionInTransit = new EncryptionInTransit(this.nfsEncryptionInTransitRequired);
                 }
+
                 fileServiceProperties.ProtocolSettings = protocolSettings;
 
                 if (this.CorsRule != null)

diff --git a/src/Storage/Storage.Management/Models/PSFileServiceProperties.cs b/src/Storage/Storage.Management/Models/PSFileServiceProperties.cs
@@ -64,10 +64,12 @@ public FileServiceProperties ParseFileServiceProperties()
     public class PSProtocolSettings
     {
         public PSSmbSetting Smb { get; set; }
+        public PSNfsSetting Nfs { get; set; }
 
         public PSProtocolSettings(ProtocolSettings protocolSettings)
         {
             this.Smb = protocolSettings.Smb is null ? null : new PSSmbSetting(protocolSettings.Smb);
+            this.Nfs = protocolSettings.Nfs is null ? null : new PSNfsSetting(protocolSettings.Nfs);
         }
     }
 
@@ -78,6 +80,7 @@ public class PSSmbSetting
         public string[] KerberosTicketEncryption { get; set; }
         public string[] ChannelEncryption { get; set; }
         public PSMultichannel Multichannel { get; set; }
+        public PSEncryptionInTransit EncryptionInTransit { get; set; }
 
         public PSSmbSetting(SmbSetting smbSetting)
         {
@@ -86,6 +89,26 @@ public PSSmbSetting(SmbSetting smbSetting)
             this.KerberosTicketEncryption = smbSetting.KerberosTicketEncryption is null ? null : smbSetting.KerberosTicketEncryption.Split(new char[] { ';' });
             this.ChannelEncryption = smbSetting.ChannelEncryption is null ? null : smbSetting.ChannelEncryption.Split(new char[] { ';' });
             this.Multichannel = smbSetting.Multichannel is null ? null : new PSMultichannel(smbSetting.Multichannel);
+            this.EncryptionInTransit = smbSetting.EncryptionInTransit is null ? null : new PSEncryptionInTransit(smbSetting.EncryptionInTransit);
+        }
+    }
+
+    public class PSNfsSetting
+    {
+        public PSEncryptionInTransit EncryptionInTransit { get; set; }
+        public PSNfsSetting(NfsSetting nfsSetting)
+        {
+            this.EncryptionInTransit = nfsSetting.EncryptionInTransit is null ? null : new PSEncryptionInTransit(nfsSetting.EncryptionInTransit);
+        }
+    }
+
+    public class PSEncryptionInTransit 
+    { 
+        public bool? Required { get; set; }
+
+        public PSEncryptionInTransit(EncryptionInTransit encryptionInTransit)
+        {
+            this.Required = encryptionInTransit.Required is null ? null : encryptionInTransit.Required;
         }
     }
 

diff --git a/src/Storage/Storage.Management/Storage.Management.format.ps1xml b/src/Storage/Storage.Management/Storage.Management.format.ps1xml
@@ -447,6 +447,14 @@
                 <Label>ProtocolSettings.Smb.ChannelEncryption</Label>
                 <ScriptBlock>$_.ProtocolSettings.Smb.ChannelEncryption</ScriptBlock>
               </ListItem>
+                <ListItem>
+                  <Label>ProtocolSettings.Smb.EncryptionInTransit.Required</Label>
+                  <ScriptBlock>$_.ProtocolSettings.Smb.EncryptionInTransit.Required</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                  <Label>ProtocolSettings.Nfs.EncryptionInTransit.Required</Label>
+                  <ScriptBlock>$_.ProtocolSettings.Nfs.EncryptionInTransit.Required</ScriptBlock>
+              </ListItem> 
-              </ListItem> 
+              </ListItem>
-              </ListItem> 
+              </ListItem>
             </ListItems>
           </ListEntry>
         </ListEntries>

diff --git a/src/Storage/Storage.Management/help/Get-AzStorageFileServiceProperty.md b/src/Storage/Storage.Management/help/Get-AzStorageFileServiceProperty.md
@@ -15,19 +15,19 @@ Gets service properties for Azure Storage File services.
 ### AccountName (Default)
 ```
 Get-AzStorageFileServiceProperty [-ResourceGroupName] <String> [-StorageAccountName] <String>
- [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-DefaultProfile <IAzureContextContainer>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### AccountObject
 ```
 Get-AzStorageFileServiceProperty -StorageAccount <PSStorageAccount> [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### FileServicePropertiesResourceId
 ```
 Get-AzStorageFileServiceProperty [-ResourceId] <String> [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -41,15 +41,17 @@ Get-AzStorageFileServiceProperty -ResourceGroupName "myresourcegroup" -AccountNa
 ```
 
 ```output
-StorageAccountName                            : mystorageaccount
-ResourceGroupName                             : myresourcegroup
-ShareDeleteRetentionPolicy.Enabled            : True
-ShareDeleteRetentionPolicy.Days               : 3
-ProtocolSettings.Smb.Multichannel.Enabled     : False
-ProtocolSettings.Smb.Versions                 : {SMB2.1, SMB3.0, SMB3.1.1}
-ProtocolSettings.Smb.AuthenticationMethods    : {Kerberos, NTLMv2}
-ProtocolSettings.Smb.KerberosTicketEncryption : {RC4-HMAC, AES-256}
-ProtocolSettings.Smb.ChannelEncryption        : {AES-128-CCM, AES-128-GCM, AES-256-GCM}
+StorageAccountName                                : mystorageaccount
+ResourceGroupName                                 : myresourcegroup
+ShareDeleteRetentionPolicy.Enabled                : True
+ShareDeleteRetentionPolicy.Days                   : 3
+ProtocolSettings.Smb.Multichannel.Enabled         : False
+ProtocolSettings.Smb.Versions                     : {SMB2.1, SMB3.0, SMB3.1.1}
+ProtocolSettings.Smb.AuthenticationMethods        : {Kerberos, NTLMv2}
+ProtocolSettings.Smb.KerberosTicketEncryption     : {RC4-HMAC, AES-256}
+ProtocolSettings.Smb.ChannelEncryption            : {AES-128-CCM, AES-128-GCM, AES-256-GCM}
+ProtocolSettings.Smb.EncryptionInTransit.Required : True 
+ProtocolSettings.Nfs.EncryptionInTransit.Required :
 ```
 
 This command gets the File services property of a specified Storage Account.
@@ -71,6 +73,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ProgressAction
+{{ Fill ProgressAction Description }}
+
+```yaml
+Type: System.Management.Automation.ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 Resource Group Name.
 

diff --git a/src/Storage/Storage.Management/help/Update-AzStorageFileServiceProperty.md b/src/Storage/Storage.Management/help/Update-AzStorageFileServiceProperty.md
@@ -17,8 +17,9 @@ Modifies the service properties for the Azure Storage File service.
 Update-AzStorageFileServiceProperty [-ResourceGroupName] <String> [-StorageAccountName] <String>
  [-EnableShareDeleteRetentionPolicy <Boolean>] [-ShareRetentionDays <Int32>] [-EnableSmbMultichannel <Boolean>]
  [-SmbProtocolVersion <String[]>] [-SmbAuthenticationMethod <String[]>] [-SmbChannelEncryption <String[]>]
- [-SmbKerberosTicketEncryption <String[]>] [-CorsRule <PSCorsRule[]>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-SmbKerberosTicketEncryption <String[]>] [-SmbEncryptionInTransitRequired <Boolean>]
+ [-NfsEncryptionInTransitRequired <Boolean>] [-CorsRule <PSCorsRule[]>]
+ [-DefaultProfile <IAzureContextContainer>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
@@ -27,8 +28,9 @@ Update-AzStorageFileServiceProperty [-ResourceGroupName] <String> [-StorageAccou
 Update-AzStorageFileServiceProperty -StorageAccount <PSStorageAccount>
  [-EnableShareDeleteRetentionPolicy <Boolean>] [-ShareRetentionDays <Int32>] [-EnableSmbMultichannel <Boolean>]
  [-SmbProtocolVersion <String[]>] [-SmbAuthenticationMethod <String[]>] [-SmbChannelEncryption <String[]>]
- [-SmbKerberosTicketEncryption <String[]>] [-CorsRule <PSCorsRule[]>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-SmbKerberosTicketEncryption <String[]>] [-SmbEncryptionInTransitRequired <Boolean>]
+ [-NfsEncryptionInTransitRequired <Boolean>] [-CorsRule <PSCorsRule[]>]
+ [-DefaultProfile <IAzureContextContainer>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
@@ -37,8 +39,9 @@ Update-AzStorageFileServiceProperty -StorageAccount <PSStorageAccount>
 Update-AzStorageFileServiceProperty [-ResourceId] <String> [-EnableShareDeleteRetentionPolicy <Boolean>]
  [-ShareRetentionDays <Int32>] [-EnableSmbMultichannel <Boolean>] [-SmbProtocolVersion <String[]>]
  [-SmbAuthenticationMethod <String[]>] [-SmbChannelEncryption <String[]>]
- [-SmbKerberosTicketEncryption <String[]>] [-CorsRule <PSCorsRule[]>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-SmbKerberosTicketEncryption <String[]>] [-SmbEncryptionInTransitRequired <Boolean>]
+ [-NfsEncryptionInTransitRequired <Boolean>] [-CorsRule <PSCorsRule[]>]
+ [-DefaultProfile <IAzureContextContainer>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
@@ -171,7 +174,22 @@ The second command sets the rules in $CorsRules to the File service of a Storage
 Update-AzStorageFileServiceProperty -ResourceGroupName myresourcegroup -StorageAccountName mystorageaccount -CorsRule @()
 ```
 
-This command cleans up the CORS rules of a Storage account by inputting @() to parameter CorsRule. 
+This command cleans up the CORS rules of a Storage account by inputting @() to parameter CorsRule
+
+### Example 7: Enable SMB encryption in transit
+```powershell
+Update-AzStorageFileServiceProperty -ResourceGroupName myresourcegroup -StorageAccountName mystorageaccount -SmbEncryptionInTransitRequired $true
+```
+
+This command enabled SMB encryption in transit for the specified storage account.
+
+### Example 8: Enable NFS encryption in transit
+```powershell
+Update-AzStorageFileServiceProperty -ResourceGroupName myresourcegroup -StorageAccountName mystorageaccount -NfsEncryptionInTransitRequired $true
+```
+
+This command enabled NFS encryption in transit for the specified storage account.
+
 
 ## PARAMETERS
 
@@ -235,6 +253,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -NfsEncryptionInTransitRequired
+Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.
-Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.
+Require NFS encryption in transit by setting to $true, or allow NFS connections without enforced encryption in transit by setting to $false. Applies to Premium FileStorage only.
-Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.
+Require NFS encryption in transit by setting to $true, or allow NFS connections without enforced encryption in transit by setting to $false. Applies to Premium FileStorage only.
+
+```yaml
+Type: System.Boolean
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProgressAction
+{{ Fill ProgressAction Description }}
+
+```yaml
+Type: System.Management.Automation.ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 Resource Group Name.
 
@@ -313,6 +361,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -SmbEncryptionInTransitRequired
+Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.
-Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.
+Enable SMB encryption in transit when set to $true, disable SMB encryption in transit when set to $false. Applies to Premium FileStorage only.
-Enable Multichannel by set to $true, disable Multichannel by set to $false. Applies to Premium FileStorage only.
+Enable SMB encryption in transit when set to $true, disable SMB encryption in transit when set to $false. Applies to Premium FileStorage only.
+
+```yaml
+Type: System.Boolean
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -SmbKerberosTicketEncryption
 Gets or sets kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.