Container Registry soft delete policy is not enabled
July 12, 2025
SYNOPSIS
Container registry artifacts are permanently lost when accidentally deleted without soft delete protection.
DESCRIPTION
Azure Container Registry (ACR) allows you to enable the soft delete policy to recover any accidentally deleted artifacts for a set retention period.
This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see Azure Container Registry service tiers.
Once you enable the soft delete policy, ACR manages deleted artifacts as soft deleted artifacts for a set retention period. During that period you can list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all soft deleted artifacts are automatically purged.
Current preview limitations:
- ACR currently doesn't support manually purging soft deleted artifacts.
- The soft delete policy doesn't support a geo-replicated registry.
- ACR doesn't allow enabling both the retention policy and the soft delete policy. See retention policy for untagged manifests.
RECOMMENDATION
Azure Container Registries should have soft delete enabled to allow recovery of accidentally deleted artifacts.
EXAMPLES
Configure with Bicep
To deploy an Azure Container Registry that passes this rule:
- Set the properties.policies.softDeletePolicy.status property to enabled.
For example:
resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    anonymousPullEnabled: false
    publicNetworkAccess: 'Disabled'
    zoneRedundancy: 'Enabled'
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
      exportPolicy: {
        status: 'disabled'
      }
    }
  }
}
Configure with Azure template
To deploy an Azure Container Registry that passes this rule:
- Set the properties.policies.softDeletePolicy.status property to enabled.
For example:
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2025-05-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "anonymousPullEnabled": false,
    "publicNetworkAccess": "Disabled",
    "zoneRedundancy": "Enabled",
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      },
      "exportPolicy": {
        "status": "disabled"
      }
    }
  }
}
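A pre-deployment check for ARM templates of this shape, added here as an example and not part of the original page or of the rule's own implementation: it reports registries where soft delete is not enabled and also flags the two preview limitations listed earlier that a template can express (retention policy enabled alongside soft delete, and geo-replication). The function names, finding strings and sample template are constructed for illustration, and replications are matched only as nested child resources or by a literal registry/replica name.

```python
REGISTRY = "microsoft.containerregistry/registries"

def _enabled(policies, name):
    return str(policies.get(name, {}).get("status", "")).lower() == "enabled"

def _is_replicated(registry, resources):
    # Nested children use the short type "replications"; top-level ones use
    # the full type and a literal "<registry>/<replica>" name (assumption).
    if any(c.get("type", "").lower() == "replications"
           for c in registry.get("resources", [])):
        return True
    prefix = registry.get("name", "") + "/"
    return any(r.get("type", "").lower() == REGISTRY + "/replications"
               and r.get("name", "").startswith(prefix) for r in resources)

def check_template(template):
    """Map each registry name in an ARM template dict to a list of findings."""
    resources = template.get("resources", [])
    report = {}
    for res in resources:
        if res.get("type", "").lower() != REGISTRY:
            continue
        policies = res.get("properties", {}).get("policies", {})
        findings = []
        if not _enabled(policies, "softDeletePolicy"):
            findings.append("soft delete policy is not enabled")
        else:
            if _enabled(policies, "retentionPolicy"):
                findings.append("retention policy and soft delete policy are both enabled")
            if _is_replicated(res, resources):
                findings.append("soft delete policy is enabled on a geo-replicated registry")
        report[res.get("name", "<unnamed>")] = findings
    return report

# Constructed sample template for illustration; not taken from the page.
_T = "Microsoft.ContainerRegistry/registries"
SAMPLE = {"resources": [
    {"type": _T, "name": "ok", "properties": {"policies": {
        "softDeletePolicy": {"retentionDays": 90, "status": "enabled"}}}},
    {"type": _T, "name": "nosoft", "properties": {"adminUserEnabled": False}},
    {"type": _T, "name": "conflict", "properties": {"policies": {
        "retentionPolicy": {"days": 30, "status": "enabled"},
        "softDeletePolicy": {"retentionDays": 90, "status": "enabled"}}},
     "resources": [{"type": "replications", "name": "westeurope"}]},
]}

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```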
Configure with Azure CLI
az acr config soft-delete update -r '<name>' --days 90 --status enabled