Microsoft Docs

Soft delete for Azure Blob Storage

Published: July 15, 2024

This article describes how to enable and configure soft delete for blobs. Soft delete protects your blob data from accidental or malicious deletion by retaining deleted blobs and their versions for a specified period.

Note: Soft delete for blobs is a feature that helps protect your data. It's recommended to enable this feature for all your storage accounts that hold critical data.

How soft delete works

When soft delete is enabled, if a blob is deleted, it's not permanently removed from the storage account. Instead, it's marked as deleted and can be recovered within the configured retention period. During the retention period, the deleted blob is still visible in the storage account with a special marker.

Soft delete also supports versioning. If blob versioning is enabled, then a new version is created when a blob is overwritten. If a blob is deleted, then a new version is created for the deleted blob. Both the deleted blob and its versions can be recovered.

Enable soft delete

You can enable soft delete for blobs through the Azure portal, Azure CLI, PowerShell, or REST API.

Azure Portal

  1. Navigate to your storage account in the Azure portal.
  2. Under the Data management section, select Data protection.
  3. Under Soft delete, toggle the switch to Enabled.
  4. Configure the Retention period (days), from 1 to 365 days.
  5. Click Save.

Azure CLI

Use the following Azure CLI command to enable soft delete and set the retention period:

az storage account blob-service-properties update \
    --account-name <storage-account-name> \
    --resource-group <resource-group-name> \
    --enable-delete-retention true \
    --delete-retention-days 7

Replace <storage-account-name> and <resource-group-name> with your actual values.

Azure PowerShell

Use the following Azure PowerShell command:

Enable-AzStorageBlobDeleteRetentionPolicy `
    -ResourceGroupName "<resource-group-name>" `
    -StorageAccountName "<storage-account-name>" `
    -RetentionDays 7

Replace <storage-account-name> and <resource-group-name> with your actual values.

Configure retention period

The retention period for soft deleted blobs can be configured from 1 to 365 days. It's crucial to choose a retention period that balances data protection needs with storage cost considerations.

Recovering soft deleted blobs

If you need to recover a deleted blob, you can do so using the Azure portal, Azure CLI, or PowerShell. The recovery process restores the blob to its state at the time of deletion.

Azure Portal Recovery

  1. Navigate to your storage account.
  2. Select Containers under the Data storage section.
  3. Select the container where the blob was deleted.
  4. Click on Show deleted blobs.
  5. Select the blob(s) you wish to restore and click Undelete.

Azure CLI Recovery

az storage blob undelete \
    --container-name <container-name> \
    --name <blob-name> \
    --account-name <storage-account-name> \
    --auth-mode login

Azure PowerShell Recovery

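# Get the storage context, list blobs including soft-deleted ones,
# then undelete the named blob.
$ctx = (Get-AzStorageAccount `
    -ResourceGroupName "<resource-group-name>" `
    -Name "<storage-account-name>").Context
Get-AzStorageBlob -Container "<container-name>" -Context $ctx -IncludeDeleted |
    Where-Object { $_.IsDeleted -and $_.Name -eq "<blob-name>" } |
    ForEach-Object { $_.BlobBaseClient.Undelete() }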

Important: Once the soft delete retention period expires, deleted blobs and their versions are permanently deleted and cannot be recovered.

Considerations

  • Soft delete incurs storage costs for the retained deleted data.
  • Ensure your retention period aligns with your organization's data retention policies and compliance requirements.
  • When blob versioning is enabled along with soft delete, the retention period applies to both deleted blobs and blob versions.
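
An added example, not part of the original article or Microsoft's code: a Python check that audits saved JSON output of `az storage account blob-service-properties show` against an organizational minimum retention period. The account names, the 14-day baseline and the sample JSON are constructed for illustration; the only fields read are `deleteRetentionPolicy.enabled` and `deleteRetentionPolicy.days`.

```python
import json

MIN_DAYS, MAX_DAYS = 1, 365  # retention range stated in this article


def audit_soft_delete(account, props, required_days):
    """Return findings for one account; an empty list means compliant."""
    policy = props.get("deleteRetentionPolicy") or {}
    if policy.get("enabled") is not True:
        # A missing policy block is treated the same as a disabled one.
        return [f"{account}: blob soft delete is disabled"]
    days = policy.get("days")
    if type(days) is not int or not MIN_DAYS <= days <= MAX_DAYS:
        return [f"{account}: retention {days!r} is outside "
                f"{MIN_DAYS}-{MAX_DAYS} days"]
    if days < required_days:
        return [f"{account}: retention {days} days is below the "
                f"required {required_days}"]
    return []


def audit_all(raw_by_account, required_days):
    """Audit every account; raw_by_account maps name -> JSON text."""
    findings = []
    for account, raw in sorted(raw_by_account.items()):
        findings += audit_soft_delete(account, json.loads(raw), required_days)
    return findings


# Constructed sample data: one JSON document per (hypothetical) account,
# shaped like the blob service properties returned by the CLI.
SAMPLE = {
    "prodlogs": '{"deleteRetentionPolicy": {"enabled": true, "days": 30}}',
    "scratch": '{"deleteRetentionPolicy": {"enabled": false}}',
    "finance": '{"deleteRetentionPolicy": {"enabled": true, "days": 7}}',
    "legacy": "{}",
}

if __name__ == "__main__":
    # 14 days is an assumed organizational baseline, not a service default.
    for finding in audit_all(SAMPLE, required_days=14):
        print(finding)
```

Running the check on a schedule and alerting on any new finding also surfaces accounts where soft delete was turned off or shortened after initial setup.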
