
Use blob soft delete#

Reliability · Storage Account · Azure.Storage.SoftDelete

Enable blob soft delete on Storage Accounts.

Description#

Soft delete provides an easy way to recover deleted or modified blob data stored within Storage Accounts. When soft delete is enabled, deleted blobs are kept and can be restored within the configured interval.

Blob soft delete should be considered part of the strategy to protect and retain data. Also consider:

  • Implementing role-based access control (RBAC).
  • Configuring resource locks to protect against deletion.
  • Configuring blob container soft delete.

Storage accounts can be configured to retain deleted blobs for a period of between 1 and 365 days.

Recommendation#

Consider enabling soft delete on storage accounts to protect blobs from accidental deletion or modification.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
  • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.

{
    "comments": "Storage Account",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2021-04-01",
    "name": "st0000001",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_GRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "properties": {
        "supportsHttpsTrafficOnly": true,
        "accessTier": "Hot",
        "allowBlobPublicAccess": false,
        "minimumTlsVersion": "TLS1_2"
    },
    "resources": [
        {
            "comments": "Configure blob storage services",
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "apiVersion": "2019-06-01",
            "name": "st0000001/default",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', 'st0000001')]"
            ],
            "sku": {
                "name": "Standard_GRS"
            },
            "properties": {
                "cors": {
                    "corsRules": []
                },
                "deleteRetentionPolicy": {
                    "enabled": true,
                    "days": 7
                },
                "containerDeleteRetentionPolicy": {
                    "enabled": true,
                    "days": 7
                }
            }
        }
    ]
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Set the properties.deleteRetentionPolicy.enabled property to true on the blob services sub-resource.
  • Configure the properties.deleteRetentionPolicy.days property to the number of days to retain blobs.

For example:

resource st0000001_blob 'Microsoft.Storage/storageAccounts/blobServices@2021-04-01' = {
  name: 'default'
  parent: st0000001
  properties: {
    deleteRetentionPolicy: {
      enabled: true
      days: 7
    }
    containerDeleteRetentionPolicy: {
      enabled: true
      days: 7
    }
  }
}

Configure with Azure CLI#

az storage account blob-service-properties update --enable-delete-retention true --delete-retention-days 7 -n '<name>' -g '<resource_group>'

Configure with Azure PowerShell#

Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName '<resource_group>' -AccountName '<name>' -RetentionDays 7

Notes#

Cloud Shell storage with the tag ms-resource-usage = 'azure-cloud-shell' is excluded. Storage accounts used for Cloud Shell are not intended to store data.

The following storage accounts do not support blob soft delete:

  • Storage accounts with hierarchical namespace enabled.
  • Storage accounts deployed as the FileStorage kind.
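The check this rule describes, written out as an added Python example that is not part of PSRule for Azure or of this page: it evaluates storage account resources in the ARM layout shown in the template above (the blobServices sub-resource nested under the account's resources array), requires deleteRetentionPolicy.enabled to be true with days inside the 1 to 365 range from the Description, and reports as excluded the accounts the Notes put out of scope (the Cloud Shell tag, hierarchical namespace, the FileStorage kind). The sample accounts, the make_account helper and the result labels are constructed for illustration; isHnsEnabled is the ARM property that flags a hierarchical namespace.

```python
"""Evaluate Azure Storage Account resources (ARM JSON layout) against the
blob soft delete rule. Added example; not PSRule's own implementation."""
from typing import Optional

CLOUD_SHELL_TAG = ("ms-resource-usage", "azure-cloud-shell")  # exclusion from Notes
MIN_DAYS, MAX_DAYS = 1, 365                                  # range from Description
BLOB_SERVICES_TYPE = "Microsoft.Storage/storageAccounts/blobServices"


def exclusion_reason(account: dict) -> Optional[str]:
    """Return why an account is out of scope for the rule, or None if in scope."""
    tags = account.get("tags") or {}
    if tags.get(CLOUD_SHELL_TAG[0]) == CLOUD_SHELL_TAG[1]:
        return "cloud-shell-storage"
    if account.get("kind") == "FileStorage":
        return "filestorage-kind"
    if (account.get("properties") or {}).get("isHnsEnabled") is True:
        return "hierarchical-namespace"
    return None


def blob_service(account: dict) -> Optional[dict]:
    """Find the nested blobServices sub-resource, as in the ARM template above."""
    for sub in account.get("resources") or []:
        if sub.get("type") == BLOB_SERVICES_TYPE:
            return sub
    return None


def evaluate(account: dict) -> dict:
    """Return {'name', 'result', 'reason'}; result is 'pass', 'fail' or 'excluded'."""
    name = account.get("name", "<unnamed>")
    excluded = exclusion_reason(account)
    if excluded:
        return {"name": name, "result": "excluded", "reason": excluded}
    svc = blob_service(account)
    if svc is None:
        return {"name": name, "result": "fail", "reason": "no blobServices sub-resource"}
    policy = (svc.get("properties") or {}).get("deleteRetentionPolicy") or {}
    if policy.get("enabled") is not True:
        return {"name": name, "result": "fail",
                "reason": "deleteRetentionPolicy.enabled is not true"}
    days = policy.get("days")
    # bool is a subclass of int in Python, so reject True/False explicitly
    if isinstance(days, bool) or not isinstance(days, int) or not MIN_DAYS <= days <= MAX_DAYS:
        return {"name": name, "result": "fail",
                "reason": f"deleteRetentionPolicy.days={days!r} outside {MIN_DAYS}-{MAX_DAYS}"}
    return {"name": name, "result": "pass", "reason": f"retains deleted blobs for {days} days"}


def evaluate_all(accounts: list) -> dict:
    """Map account name -> result for a list of account resources."""
    return {r["name"]: r["result"] for r in map(evaluate, accounts)}


def make_account(name, enabled=None, days=None, kind="StorageV2", tags=None, hns=False):
    """Constructed sample account in the ARM layout used above (hypothetical data)."""
    account = {
        "type": "Microsoft.Storage/storageAccounts",
        "name": name,
        "kind": kind,
        "tags": tags or {},
        "properties": {"isHnsEnabled": hns},
        "resources": [],
    }
    if enabled is not None:  # enabled=None models an account with no blobServices resource
        account["resources"].append({
            "type": BLOB_SERVICES_TYPE,
            "name": f"{name}/default",
            "properties": {"deleteRetentionPolicy": {"enabled": enabled, "days": days}},
        })
    return account


# Constructed sample inventory covering pass, the failure modes, and each exclusion.
SAMPLE_ACCOUNTS = [
    make_account("stpass", enabled=True, days=7),
    make_account("stdisabled", enabled=False, days=7),
    make_account("stnoservice"),
    make_account("stbaddays", enabled=True, days=0),
    make_account("stshell", tags={"ms-resource-usage": "azure-cloud-shell"}),
    make_account("sthns", enabled=False, hns=True),
    make_account("stfiles", kind="FileStorage"),
]

if __name__ == "__main__":
    for r in map(evaluate, SAMPLE_ACCOUNTS):
        print(f"{r['name']:<12} {r['result']:<9} {r['reason']}")
```

To run this against a real subscription, feed evaluate_all the storage account resources exported from a template or returned by az storage account list, attaching each account's blob service properties under resources in the same nested shape; accounts that report excluded still warrant the other controls listed under Description (RBAC, resource locks) since the rule does not cover them.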

Last update: 2021-09-24