Configure immutability policies for containers

Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data can't be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes. Immutability policies include time-based retention policies and legal holds. For more information about immutability policies for Blob Storage, see Store business-critical blob data with immutable storage.

An immutability policy may be scoped either to an individual blob version or to a container. This article describes how to configure a container-level immutability policy. To learn how to configure version-level immutability policies, see Configure immutability policies for blob versions.

Note

Immutability policies are not supported in accounts that have the Network File System (NFS) 3.0 protocol or the SSH File Transfer Protocol (SFTP) enabled on them.

Configure a retention policy on a container

To configure a time-based retention policy on a container, use the Azure portal, PowerShell, or Azure CLI. You can configure a container-level retention policy for between 1 and 146,000 days.

To configure a time-based retention policy on a container with the Azure portal, follow these steps:

  1. Navigate to the desired container.

  2. Select the More button on the right, then select Access policy.

  3. In the Immutable blob storage section, select Add policy.

  4. In the Policy type field, select Time-based retention, and specify the retention period in days.

  5. To create a policy with container scope, don't check the box for Enable version-level immutability.

  6. Choose whether to allow protected append writes.

    The Append blobs option enables your workloads to add new blocks of data to the end of an append blob by using the Append Block operation.

    The Block and append blobs option provides you with the same permissions as the Append blobs option but adds the ability to write new blocks to a block blob. The Blob Storage API doesn't provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage API. Also, some Microsoft applications use internal APIs to create block blobs and then append to them. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append blocks to a block blob.

    To learn more about these options, see Allow protected append blobs writes.

    Screenshot showing how to configure immutability policy scoped to container

After you've configured the immutability policy, you'll see that it's scoped to the container:

Screenshot showing an existing immutability policy that is scoped to the container

Modify an unlocked retention policy

You can modify an unlocked time-based retention policy to shorten or lengthen the retention interval and to allow additional writes to append blobs in the container. You can also delete an unlocked policy.

To modify an unlocked time-based retention policy in the Azure portal, follow these steps:

  1. Navigate to the desired container.

  2. Select the More button and choose Access policy.

  3. Under the Immutable blob versions section, locate the existing unlocked policy. Select the More button, then select Edit from the menu.

  4. Provide a new retention interval for the policy. You can also select Allow additional protected appends to permit writes to protected append blobs.

    Screenshot showing how to modify an unlocked time-based retention policy

To delete an unlocked policy, select the More button, then Delete.

Note

You can enable version-level immutability policies by selecting the Enable version-level immutability checkbox. For more information about enabling version-level immutability policies, see Configure immutability policies for blob versions.

Lock a time-based retention policy

When you have finished testing a time-based retention policy, you can lock the policy. A locked policy is compliant with SEC 17a-4(f) and other regulatory compliance. You can lengthen the retention interval for a locked policy up to five times, but you can't shorten it.

After a policy is locked, you can't delete it. However, you can delete the blob after the retention interval has expired.

To lock a policy with the Azure portal, follow these steps:

  1. Navigate to a container with an unlocked policy.
  2. Under the Immutable blob versions section, locate the existing unlocked policy. Select the More button, then select Lock policy from the menu.
  3. Confirm that you want to lock the policy.

Screenshot showing how to lock time-based retention policy in Azure portal

A legal hold stores immutable data until the legal hold is explicitly cleared. To learn more about legal hold policies, see Legal holds for immutable blob data.

To configure a legal hold on a container with the Azure portal, follow these steps:

  1. Navigate to the desired container.

  2. Select the More button and choose Access policy.

  3. Under the Immutable blob versions section, select Add policy.

  4. Choose Legal hold as the policy type.

  5. Add one or more legal hold tags.

  6. Choose whether to allow protected append writes, and then select Save.

    The Append blobs option enables your workloads to add new blocks of data to the end of an append blob by using the Append Block operation.

    This setting also adds the ability to write new blocks to a block blob. The Blob Storage API doesn't provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage API. Also, this property enables Microsoft applications such as Azure Data Factory to append blocks of data by using internal APIs. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append data to blobs.

    To learn more about these options, see Allow protected append blobs writes.

    Screenshot showing how to configure legal hold policy scoped to container.

After you've configured the immutability policy, you'll see that it's scoped to the container:

The following image shows a container with both a time-based retention policy and legal hold configured.

Screenshot showing a container with both a time-based retention policy and legal hold configured

To clear a legal hold, navigate to the Access policy dialog, and in the context menu of the policy, select Edit. Then, delete all tags for the policy to clear the hold.

Next steps