Use blob soft delete
March 21, 2025
SYNOPSIS
Enable blob soft delete on Storage Accounts.
DESCRIPTION
Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.
Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:
- Implementing role-based access control (RBAC).
- Configuring resource locks to protect against deletion.
- Configuring blob container soft delete.
The blob service can be configured to retain deleted blobs for between 1 and 365 days.
RECOMMENDATION
Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.
EXAMPLES
Configure with Azure template
To deploy Storage Accounts that pass this rule:
- Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
- Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2023-01-01",
      "name": "[format('{0}/{1}', parameters('name'), 'default')]",
      "properties": {
        "deleteRetentionPolicy": {
          "enabled": true,
          "days": 7
        },
        "containerDeleteRetentionPolicy": {
          "enabled": true,
          "days": 7
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
      ]
    }
  ]
}
Configure with Bicep
To deploy Storage Accounts that pass this rule:
- Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
- Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.
For example:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: storageAccount
  name: 'default'
  properties: {
    deleteRetentionPolicy: {
      enabled: true
      days: 7
    }
    containerDeleteRetentionPolicy: {
      enabled: true
      days: 7
    }
  }
}
Configure with Azure CLI
az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '<name>' -g '<resource_group>'
Configure with Azure PowerShell
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -AccountName '<name>' -RetentionDays 7
NOTES
Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded.
Storage accounts used for Cloud Shell are not intended to store data.
The following storage accounts do not support blob soft delete:
- Accounts with hierarchical namespace enabled.
- Accounts deployed as a FileStorage storage account.
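The following Python is an added example, not PSRule's own rule code: it evaluates ARM-style Storage Account resources against the rule as described above (deleteRetentionPolicy.enabled set to true, days within 1 to 365) and applies the exclusions listed under NOTES. The isHnsEnabled property name and the Pass/Fail/None outcome labels are assumptions; all sample resources are constructed.

```python
# Added example, not PSRule's or Microsoft's code: evaluates ARM-style Storage Account
# resources against the rule described above, including the exclusions from NOTES.
from __future__ import annotations
MIN_DAYS, MAX_DAYS = 1, 365  # supported retention range for blob soft delete

def is_excluded(account: dict) -> bool:
    """Accounts the rule does not apply to (see NOTES)."""
    tags = account.get("tags") or {}
    props = account.get("properties") or {}
    return (
        tags.get("ms-resource-usage") == "azure-cloud-shell"  # Cloud Shell storage
        or account.get("kind") == "FileStorage"               # no blob service
        or props.get("isHnsEnabled") is True                  # hierarchical namespace (assumed property name)
    )

def evaluate(account: dict, blob_service: dict | None) -> str:
    """Return 'Pass', 'Fail' or 'None' (excluded) for one Storage Account.
    blob_service is the blobServices/default sub-resource, or None when it was
    never deployed, in which case soft delete is not configured."""
    if is_excluded(account):
        return "None"
    props = (blob_service or {}).get("properties") or {}
    policy = props.get("deleteRetentionPolicy") or {}
    if policy.get("enabled") is not True:
        return "Fail"
    days = policy.get("days")  # must be an integer within the supported range
    if not isinstance(days, int) or not MIN_DAYS <= days <= MAX_DAYS:
        return "Fail"
    return "Pass"

def _policy(enabled: bool, days: int) -> dict:
    return {"properties": {"deleteRetentionPolicy": {"enabled": enabled, "days": days}}}

# Constructed sample accounts; names are placeholders.
V2 = {"name": "stexample", "kind": "StorageV2", "properties": {}}
SAMPLES = {
    "retained_7_days": (V2, _policy(True, 7)),
    "policy_disabled": (V2, _policy(False, 7)),
    "days_below_range": (V2, _policy(True, 0)),
    "days_above_range": (V2, _policy(True, 400)),
    "no_blob_service": (V2, None),
    "cloud_shell": ({**V2, "tags": {"ms-resource-usage": "azure-cloud-shell"}}, None),
    "hns_enabled": ({**V2, "properties": {"isHnsEnabled": True}}, None),
    "file_storage": ({**V2, "kind": "FileStorage"}, None),
}

def run_samples() -> dict[str, str]:
    """Evaluate every constructed sample and return name -> outcome."""
    return {name: evaluate(acc, svc) for name, (acc, svc) in SAMPLES.items()}
```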