Azure Storage Documentation

Configure Blob Immutability with Azure Storage

This document provides a comprehensive guide on configuring and managing blob immutability policies in Azure Storage. Immutability ensures that data, once written to a blob, cannot be modified or deleted for a specified period, meeting regulatory compliance and data protection requirements.

Introduction to Blob Immutability

Data immutability is a critical feature for organizations that need to retain data for extended periods due to regulatory, legal, or business requirements. Azure Storage offers robust solutions to enforce immutability, ensuring data integrity and compliance.

What is Blob Immutability?

Blob immutability, also known as WORM (write once, read many) storage, prevents data from being altered or deleted. This is achieved by applying policies to blobs or containers that enforce specific retention periods or legal holds.

Benefits of Blob Immutability:

Types of Immutability

Azure Storage supports two primary types of immutability policies:

  1. Time-based Retention Policy: Makes blobs read-only for a specified period, measured in days; once that period has elapsed, the blobs can be deleted.
  2. Legal Hold: A user-defined immutability lock that is applied and removed manually and has no expiry date.

Key Concepts

How It Works

Immutability policies are configured at the container level. When a policy is applied, it governs all existing and newly uploaded blobs within that container.

Legal Hold

A legal hold is a flexible immutability option that requires manual application and removal. It is ideal for situations where data needs to be preserved indefinitely until a specific legal or business requirement is met.

Retention Policy

A time-based retention policy enforces immutability for a predefined duration. Once the retention period expires, blobs can be modified or deleted, depending on the policy configuration.

Tip: Time-based retention policies can be configured as either locked (cannot be shortened or deleted) or unlocked (can be modified or deleted by users with appropriate permissions). Locked policies offer stronger immutability guarantees.

Creating and Preserving Data with Immutability

To implement blob immutability, you typically follow these steps:

  1. Create an Azure Storage Account: If you don't already have one.
  2. Create a Blob Container: Within your storage account.
  3. Configure Immutability Policy:
    • Navigate to the container in the Azure portal.
    • Select "Immutability policies" from the left-hand menu.
    • Choose "Add policy" and select either "Legal hold" or "Retention policy."
    • For a retention policy, specify the retention period (days) and the mode (locked or unlocked).
    • For a legal hold, provide a name for the hold.
    • Save the policy.

Once the policy is applied, any attempt to delete or modify a blob within that container will be denied until the policy's conditions are met (e.g., retention period expires or legal hold is removed).

Managing Immutability Policies

You can manage existing immutability policies through the Azure portal, Azure CLI, Azure PowerShell, or the Azure Storage SDKs.

Example: Applying a Locked Retention Policy via Azure CLI


az storage container immutability-policy create --resource-group <your-resource-group> --account-name <your-storage-account-name> --container-name <your-container-name> --period 365
az storage container immutability-policy lock --resource-group <your-resource-group> --account-name <your-storage-account-name> --container-name <your-container-name> --if-match "<etag-from-create-output>"


Replace <your-resource-group>, <your-storage-account-name> and <your-container-name> with your actual resource group, storage account and container names. The first command creates the policy in the unlocked state (--period is the retention period in days); the second locks it and must pass the policy's current ETag, shown in the output of the first command, in --if-match.

Example: Applying a Locked Retention Policy via Azure PowerShell


$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName "<your-resource-group>" -StorageAccountName "<your-storage-account-name>" -ContainerName "<your-container-name>" -ImmutabilityPeriod 365
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName "<your-resource-group>" -StorageAccountName "<your-storage-account-name>" -ContainerName "<your-container-name>" -Etag $policy.Etag


Note: Set-AzRmStorageContainerImmutabilityPolicy creates (or updates) the policy in the unlocked state. Lock-AzRmStorageContainerImmutabilityPolicy then locks it and requires the ETag of the policy being locked, which is why the result of the first cmdlet is kept in $policy. Legal holds are defined by tags rather than a retention period and use separate cmdlets.

Example: Applying a Legal Hold via Azure PowerShell


Add-AzRmStorageContainerLegalHold -ResourceGroupName "<your-resource-group>" -StorageAccountName "<your-storage-account-name>" -Name "<your-container-name>" -Tag "MyLegalHold"


Replace the placeholders with your resource group, storage account and container names. The hold is lifted later with Remove-AzRmStorageContainerLegalHold and the same tag; until then, blobs in the container cannot be deleted.
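The rules described under How It Works (retention measured from each blob's creation, legal holds with no expiry, locked policies that can only be extended) and the policy operations shown in the CLI and PowerShell examples above can be reasoned about offline. The following Python model is an added example, not Azure's own code or output. The dictionaries it consumes are constructed to mirror the field names of `az storage container immutability-policy show` and `az storage container legal-hold show` (assumed shape); every value in them is invented, and the audit baseline of 365 locked days is a hypothetical requirement drawn from the scenarios table.

```python
"""Offline model of the container-level immutability rules in this guide.

Added example, not Azure's code. Field names follow the CLI 'show' JSON
(assumed shape); the sample values below are constructed, not real output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class ImmutabilityPolicy:
    period_days: int   # immutabilityPeriodSinceCreationInDays
    locked: bool       # state == "Locked"


@dataclass(frozen=True)
class ContainerState:
    name: str
    policy: Optional[ImmutabilityPolicy]
    legal_hold_tags: Tuple[str, ...]   # empty tuple means no legal hold


def from_cli_json(name, policy_json, legal_hold_json):
    """Build a ContainerState from the two CLI 'show' payloads (assumed shape)."""
    policy = None
    if policy_json and policy_json.get("immutabilityPeriodSinceCreationInDays"):
        policy = ImmutabilityPolicy(
            period_days=int(policy_json["immutabilityPeriodSinceCreationInDays"]),
            locked=policy_json.get("state") == "Locked",
        )
    tags = ()
    if legal_hold_json and legal_hold_json.get("hasLegalHold"):
        tags = tuple(legal_hold_json.get("tags", []))
    return ContainerState(name, policy, tags)


def retention_expiry(container, blob_created):
    """Time-based retention is counted from each blob's own creation time."""
    if container.policy is None:
        return None
    return blob_created + timedelta(days=container.policy.period_days)


def delete_allowed(container, blob_created, now):
    """A blob may be deleted only if no legal hold is set and retention has expired."""
    if container.legal_hold_tags:          # a legal hold blocks deletion indefinitely
        return False
    expiry = retention_expiry(container, blob_created)
    return expiry is None or now >= expiry


def policy_change_allowed(current, new_period_days):
    """Unlocked policies may be shortened or removed (new_period_days=None);
    a locked policy may only be extended to a strictly longer period."""
    if current is None or not current.locked:
        return True
    return new_period_days is not None and new_period_days > current.period_days


def audit(containers, required_days):
    """Names of containers lacking a locked policy of at least required_days."""
    return [c.name for c in containers
            if c.policy is None or not c.policy.locked
            or c.policy.period_days < required_days]


# Constructed sample payloads (shape only; values are not real Azure output).
SAMPLE_POLICY_LOCKED = {"immutabilityPeriodSinceCreationInDays": 365,
                        "state": "Locked", "etag": "<constructed-etag-1>"}
SAMPLE_POLICY_UNLOCKED = {"immutabilityPeriodSinceCreationInDays": 30,
                          "state": "Unlocked", "etag": "<constructed-etag-2>"}
SAMPLE_LEGAL_HOLD = {"hasLegalHold": True, "tags": ["litigation2024"]}
NO_HOLD = {"hasLegalHold": False, "tags": []}


def demo():
    """Evaluate the three scenario containers at a fixed point in time."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    old_blob = now - timedelta(days=400)    # older than the 365-day period
    new_blob = now - timedelta(days=10)     # still inside the period
    finance = from_cli_json("finance-records", SAMPLE_POLICY_LOCKED, NO_HOLD)
    legal = from_cli_json("legal-discovery", None, SAMPLE_LEGAL_HOLD)
    archive = from_cli_json("archive", SAMPLE_POLICY_UNLOCKED, NO_HOLD)
    return {
        "finance_delete_old_blob": delete_allowed(finance, old_blob, now),
        "finance_delete_new_blob": delete_allowed(finance, new_blob, now),
        "legal_delete": delete_allowed(legal, old_blob, now),
        "shorten_locked": policy_change_allowed(finance.policy, 180),
        "extend_locked": policy_change_allowed(finance.policy, 730),
        "remove_unlocked": policy_change_allowed(archive.policy, None),
        "noncompliant": audit([finance, legal, archive], 365),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The audit is the part worth wiring into a scheduled job: feed it the real `show` output for every container that holds regulated data and alert on any name it returns, since an unlocked policy can be removed by anyone with the right RBAC permission and a missing policy offers no protection at all.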

Common Scenarios for Immutability

Scenario          | Use Case                                                          | Recommended Immutability Type
Financial Records | Compliance with regulations like FINRA.                           | Locked time-based retention policy
Healthcare Data   | HIPAA compliance, long-term patient record retention.             | Locked time-based retention policy
Legal Discovery   | Preserving evidence for ongoing or potential litigation.          | Legal hold
Auditing Logs     | Maintaining an immutable audit trail for security and compliance. | Locked time-based retention policy
Archival Data     | Long-term storage of inactive data without modification.          | Unlocked time-based retention policy if occasional access or update is needed after expiry; locked if strict preservation is required

Warning: Once a locked retention policy is applied, it cannot be shortened or deleted. Carefully consider the retention period before applying a locked policy.

By leveraging Azure Storage's immutability features, you can effectively protect your data, ensure compliance, and maintain the integrity of your stored information.