diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
index 5dd98f1b9b..a69ad6d06e 100644
--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
@@ -25,13 +25,20 @@ param publicNetworkAccess string = 'Enabled'
 param sku object = { name: 'Standard_LRS' }
 @allowed([ 'None', 'AzureServices' ])
 param bypass string = 'AzureServices'
+param storageInfrastructureEncryption string = 'Disabled'
 var networkAcls = (publicNetworkAccess == 'Enabled') ? {
 bypass: bypass
 defaultAction: 'Allow'
 } : { defaultAction: 'Deny' }
-resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+var encryption = (storageInfrastructureEncryption == 'Enabled') ? {
+ requireInfrastructureEncryption: true
+} : {
+ requireInfrastructureEncryption: false
+}
+
+resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 name: name
 location: location
 tags: tags
@@ -49,6 +56,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
 networkAcls: networkAcls
 publicNetworkAccess: publicNetworkAccess
 supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
+ encryption: encryption
 }
 resource blobServices 'blobServices' = if (!empty(containers)) {
diff --git a/infra/main.bicep b/infra/main.bicep
index 344623df20..a031d9280f 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -36,6 +36,7 @@ param storageResourceGroupName string = '' // Set in main.parameters.json
 param storageResourceGroupLocation string = location
 param storageContainerName string = 'content'
 param storageSkuName string // Set in main.parameters.json
+param storageInfrastructureEncryption string // Set in main.parameters.json
 param userStorageAccountName string = ''
 param userStorageContainerName string = 'user-content'
@@ -662,6 +663,7 @@ module storage 'core/storage/storage-account.bicep' = {
 publicAccess: 'None'
 }
 ]
+ storageInfrastructureEncryption: storageInfrastructureEncryption
 }
 }
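Review bot: The new `param storageInfrastructureEncryption string = 'Disabled'` in storage-account.bicep (hunk -25,13) accepts any string, and the `encryption` variable treats everything except the exact value 'Enabled' as off, so a value such as 'enabled' or 'true' deploys the account without infrastructure encryption and without any error. The `bypass` parameter directly above is already constrained with `@allowed`; the same guard belongs here as `@allowed([ 'Enabled', 'Disabled' ])` on the line before the parameter. The parameter of the same name added in infra/main.bicep (hunk -36,6) has the same gap and no default. With the value constrained, the ternary can also collapse to `var encryption = { requireInfrastructureEncryption: storageInfrastructureEncryption == 'Enabled' }`.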
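Review bot: The `encryption: encryption` property added in the hunk at -49,6 of storage-account.bicep is now sent on every deployment of this module, but as far as I know Azure Storage honours `requireInfrastructureEncryption` only when the account is created and does not allow changing it afterwards. Switching the parameter to 'Enabled' for an environment whose storage account already exists would then be rejected or leave the account unchanged, which an operator could mistake for the control being in place. I would document this next to the property, for example `// requireInfrastructureEncryption is create-time only; enabling it later needs a new storage account`, and suggest verifying the deployed account's encryption settings after provisioning. The `storage` resource body starts and ends outside this hunk.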
@@ -688,6 +690,7 @@ module userStorage 'core/storage/storage-account.bicep' = if (useUserUpload) {
 publicAccess: 'None'
 }
 ]
+ storageInfrastructureEncryption: storageInfrastructureEncryption
 }
 }
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
index a7ba80373e..dc0fa69210 100644
--- a/infra/main.parameters.json
+++ b/infra/main.parameters.json
@@ -80,6 +80,9 @@
 "storageSkuName": {
 "value": "${AZURE_STORAGE_SKU=Standard_LRS}"
 },
+ "storageInfrastructureEncryption": {
+ "value": "${AZURE_STORAGE_INFRA_ENCRYPTION}"
+ },
 "appServicePlanName": {
 "value": "${AZURE_APP_SERVICE_PLAN}"
 },
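Review bot: `${AZURE_STORAGE_INFRA_ENCRYPTION}` in main.parameters.json has no fallback, unlike `${AZURE_STORAGE_SKU=Standard_LRS}` three lines above it, so when the variable is unset the parameter is presumably substituted as an empty string. The storage module compares the value with 'Enabled' and would then quietly choose `requireInfrastructureEncryption: false` for both the content and the user-upload accounts. Writing the default explicitly, `"value": "${AZURE_STORAGE_INFRA_ENCRYPTION=Disabled}"`, makes the off state a visible choice rather than a side effect of a missing variable, and keeps the resolved value to one of the two intended strings.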