diff --git a/src/apps.js b/src/apps.js
index 4716d14ec..112fd7bbe 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -482,8 +482,6 @@ function validateStorage(volume, prefix) {
 assert.strictEqual(typeof volume, 'object');
 assert.strictEqual(typeof prefix, 'string');
- // TODO: check the volume type
-
 if (path.isAbsolute(prefix)) return new BoxError(BoxError.BAD_FIELD, `prefix "${prefix}" must be a relative path`);
 if (prefix.endsWith('/')) return new BoxError(BoxError.BAD_FIELD, `prefix "${prefix}" contains trailing slash`);
 if (path.normalize(prefix) !== prefix) return new BoxError(BoxError.BAD_FIELD, `prefix "${prefix}" is not a normalized path`);
@@ -1797,7 +1795,10 @@ async function setStorage(app, volumeId, volumePrefix, auditSource) {
 if (volumeId) {
 const volume = await volumes.get(volumeId);
- if (volume === null) return new BoxError(BoxError.BAD_FIELD, 'Storage volume not found');
+ if (volume === null) throw new BoxError(BoxError.BAD_FIELD, 'Storage volume not found');
+
+ const status = await volumes.getStatus(volume);
+ if (status.state !== 'active') throw new BoxError(BoxError.BAD_FIELD, 'Volume is not active');
 error = validateStorage(volume, volumePrefix);
 if (error) throw error;
diff --git a/src/routes/apps.js b/src/routes/apps.js
index fdcbfe21f..1c3dee1b4 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
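Review bot: The `status.state !== 'active'` gate in `setStorage` (src/apps.js) is evaluated once, at request time, while the 202/`taskId` response in src/routes/apps.js suggests the actual data move runs later in a task. If that task does not re-check the volume (not visible in this hunk), a volume that goes inactive in between still passes this gate, and the move may then write into the bare mountpoint directory instead of the volume. I would repeat the check at the start of the task, or at least record the assumption here with `// status is checked at request time only; the storage task must re-verify before moving data`. The rejection would also be easier to diagnose if the observed `status.state` were appended to the 'Volume is not active' message. setStorage's body starts and ends outside the hunk.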
@@ -436,10 +436,14 @@ async function setStorage(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
 assert.strictEqual(typeof req.app, 'object');
- if (req.body.storageVolumeId !== null && typeof req.body.storageVolumeId !== 'string') return next(new HttpError(400, 'storageVolumeId must be a string'));
- if (req.body.storageVolumePrefix !== null && typeof req.body.storageVolumePrefix !== 'string') return next(new HttpError(400, 'storageVolumePrefix must be a string'));
+ const { storageVolumeId, storageVolumePrefix } = req.body;
- const [error, result] = await safe(apps.setStorage(req.app, req.body.storageVolumeId, req.body.storageVolumePrefix, AuditSource.fromRequest(req)));
+ if (storageVolumeId !== null) {
+ if (typeof storageVolumeId !== 'string') return next(new HttpError(400, 'storageVolumeId must be a string'));
+ if (typeof storageVolumePrefix !== 'string') return next(new HttpError(400, 'storageVolumePrefix must be a string'));
+ }
+
+ const [error, result] = await safe(apps.setStorage(req.app, storageVolumeId, storageVolumePrefix, AuditSource.fromRequest(req)));
 if (error) return next(BoxError.toHttpError(error));
 next(new HttpSuccess(202, { taskId: result.taskId }));
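Review bot: With `storageVolumeId === null` the new block skips every check on `storageVolumePrefix`, so a number or object prefix that the removed line rejected with a 400 is now passed straight to `apps.setStorage`. An empty-string id is a related gap: it passes `typeof storageVolumeId !== 'string'` here but is falsy for the `if (volumeId)` guard in src/apps.js, so the volume lookup, the new active-state check and `validateStorage` are all skipped; what the rest of that function does with the prefix is outside the diff. I would close both in the route, with `if (storageVolumeId === '') return next(new HttpError(400, 'storageVolumeId must not be empty'));` inside the block and `else if (storageVolumePrefix !== null) return next(new HttpError(400, 'storageVolumePrefix must be null when storageVolumeId is null'));` after it. The function's closing lines fall outside the hunk.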