Configure immutability policies for containers

Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data cannot be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes. Immutability policies include time-based retention policies and legal holds. For more information about immutability policies for Blob Storage, see Store business-critical blob data with immutable storage.

An immutability policy may be scoped either to an individual blob version or to a container. This article describes how to configure a container-level immutability policy. To learn how to configure version-level immutability policies, see Configure immutability policies for blob versions.

Configure a retention policy on a container

To configure a time-based retention policy on a container, use the Azure portal, PowerShell, or Azure CLI. You can configure a container-level retention policy for between 1 and 146000 days.

To configure a time-based retention policy on a container with the Azure portal, follow these steps:

  1. Navigate to the desired container.

  2. Select the More button on the right, then select Access policy.

  3. In the Immutable blob storage section, select Add policy.

  4. In the Policy type field, select Time-based retention, and specify the retention period in days.

  5. To create a policy with container scope, do not check the box for Enable version-level immutability.

  6. If desired, select Allow additional protected appends to enable writes to append blobs that are protected by an immutability policy. For more information, see Allow protected append blobs writes.

    Screenshot showing how to configure immutability policy scoped to container

After you've configured the immutability policy, you will see that it is scoped to the container:

Screenshot showing an existing immutability policy that is scoped to the container

Modify an unlocked retention policy

You can modify an unlocked time-based retention policy to shorten or lengthen the retention interval and to allow additional writes to append blobs in the container. You can also delete an unlocked policy.

To modify an unlocked time-based retention policy in the Azure portal, follow these steps:

  1. Navigate to the desired container.

  2. Select the More button and choose Access policy.

  3. Under the Immutable blob versions section, locate the existing unlocked policy. Select the More button, then select Edit from the menu.

  4. Provide a new retention interval for the policy. You can also select Allow additional protected appends to permit writes to protected append blobs.

    Screenshot showing how to modify an unlocked time-based retention policy

To delete an unlocked policy, select the More button, then Delete.

Note

You can enable version-level immutability policies by selecting the Enable version-level immutability checkbox. For more information about enabling version-level immutability policies, see Configure immutability policies for blob versions.

Lock a time-based retention policy

When you have finished testing a time-based retention policy, you can lock the policy. A locked policy is compliant with SEC 17a-4(f) and other regulatory compliance. You can lengthen the retention interval for a locked policy up to five times, but you cannot shorten it.

After a policy is locked, you cannot delete it. However, you can delete the blob after the retention interval has expired.

To lock a policy with the Azure portal, follow these steps:

  1. Navigate to a container with an unlocked policy.
  2. Under the Immutable blob versions section, locate the existing unlocked policy. Select the More button, then select Lock policy from the menu.
  3. Confirm that you want to lock the policy.

Screenshot showing how to lock time-based retention policy in Azure portal

A legal hold stores immutable data until the legal hold is explicitly cleared. To learn more about legal hold policies, see Legal holds for immutable blob data.

To configure a legal hold on a container with the Azure portal, follow these steps:

  1. Navigate to the desired container.
  2. Select the More button and choose Access policy.
  3. Under the Immutable blob versions section, select Add policy.
  4. Choose Legal hold as the policy type, and select OK to apply it.

The following image shows a container with both a time-based retention policy and legal hold configured.

Screenshot showing a container with both a time-based retention policy and legal hold configured

To clear a legal hold, navigate to the Access policy dialog, select the More button, and choose Delete.

Next steps