Azure Storage Blob Soft Delete

What is Blob Soft Delete?

Blob soft delete is a crucial feature for protecting your data in Azure Blob Storage against accidental deletions or overwrites. When enabled, it allows you to recover blobs that have been deleted or overwritten within a specified retention period.

Instead of permanently deleting a blob, soft delete marks it as deleted and retains it for a configurable number of days. During this retention period, the deleted blob's data is preserved, and you can restore it to its previous state.

How it Works

When you delete a blob with soft delete enabled:

The blob is marked as 'deleted'.
The blob's data is preserved for the defined retention period.
The blob's metadata is also retained.

If you need to recover a deleted blob, you can perform a restore operation. This operation will undelete the blob, making it accessible again.

Benefits of Soft Delete

Data Protection: Safeguards against accidental data loss.
Compliance: Helps meet regulatory and compliance requirements by retaining data for a specified period.
Simplified Recovery: Provides an easy mechanism to restore deleted or overwritten blobs.
Operational Resilience: Reduces the risk of downtime due to data loss.

Enabling Soft Delete

Soft delete can be enabled at the storage account level. You can configure the retention period for soft-deleted blobs, typically ranging from 1 to 365 days.

Recommendation: It is highly recommended to enable soft delete for all your production storage accounts.

Azure Portal

To enable soft delete via the Azure portal:

Navigate to your storage account in the Azure portal.
Under "Data protection", select "Soft delete for blobs".
Toggle "Enable soft delete for blobs" to 'Enabled'.
Set the "Days to retain deleted blobs" value.
Click "Save".

Azure CLI

You can also enable soft delete using the Azure CLI:

az storage account update --name  --resource-group  --set blobServices.deleteRetentionPolicy.enabled=true blobServices.deleteRetentionPolicy.days=

Replace <your-storage-account-name>, <your-resource-group-name>, and <retention-days> with your specific values.

Restoring Deleted Blobs

You can restore deleted blobs using the Azure portal, Azure CLI, or Azure Storage SDKs.

Azure Portal

To restore blobs in the Azure portal:

Navigate to your storage account and select "Containers".
Browse to the container where the blob was located.
Deleted blobs will be marked with a "Deleted" indicator. You can select them and click the "Undelete" button.

Azure CLI

To restore a specific blob using the Azure CLI:

az storage blob undelete --container-name  --name  --deleted-container  --delete-id

Note: The exact parameters for undelete might vary slightly based on the CLI version and the complexity of the deletion (e.g., if versioning is also involved). Often, restoring a deleted blob is done by specifying the container and the name of the blob you wish to restore.

A simpler undelete command often looks like:

az storage blob undelete --container-name  --name

This command restores the latest soft-deleted version of the blob to its original name.

Key Considerations

Soft delete applies to both blob data and blob snapshots.
It does not protect against the deletion of the storage account itself or the container. Ensure you have appropriate controls for these resources.
When blob versioning is also enabled, soft delete protects deleted versions of a blob. Undeleting a blob will restore its latest committed version.
The retention period for soft-deleted blobs is a separate setting from the versioning retention period.