Set and manage immutability policies for Blob storage
Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. Immutable storage is available for general-purpose v2 and Blob storage accounts in all Azure regions.
This article shows how to set and manage immutability policies and legal holds for data in Blob storage using the Azure portal, PowerShell, or Azure CLI. For more information about immutable storage, see Store business-critical blob data with immutable storage.
Set retention policies and legal holds
Create a new container or select an existing container to store the blobs that need to be kept in the immutable state. The container must be in a general-purpose v2 or Blob storage account.
Select Access policy in the container settings. Then select Add policy under Immutable blob storage.
To enable time-based retention, select Time-based retention from the drop-down menu.
Enter the retention interval in days (acceptable values are 1 to 146000 days).
The initial state of the policy is unlocked, allowing you to test the feature and make changes to the policy before you lock it. Locking the policy is essential for compliance with regulations like SEC 17a-4.
Lock the policy. Right-click the ellipsis (...) to open a menu with additional actions.
Select Lock Policy and confirm the lock. The policy is now locked and cannot be deleted; only extensions of the retention interval are allowed. Blob deletes and overrides are not permitted.
To enable legal holds, select Add Policy. Select Legal hold from the drop-down menu.
Create a legal hold with one or more tags.
To clear a legal hold, remove the applied legal hold identifier tag.
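The same steps can be scripted in PowerShell. The following is an added example, not part of the original article: it uses the Az.Storage cmdlets for container immutability policies and legal holds, and the resource names, retention interval, and tags are placeholder or constructed values. Locking and clearing are switched off by default because a locked policy cannot be deleted.

```powershell
# Added example. Requires the Az.Storage module and a signed-in session.
$rg         = '<resource-group>'       # placeholder
$account    = '<storage-account>'      # placeholder
$container  = '<container>'            # placeholder
$days       = 10                       # constructed sample retention interval
$holdTags   = 'case0001', 'audit2024'  # constructed sample legal hold tags
$lockPolicy = $false                   # set to $true only after testing
$clearHold  = $false                   # set to $true to remove the hold again

# The acceptable retention interval is 1 to 146000 days.
if ($days -lt 1 -or $days -gt 146000) {
    throw "Retention interval must be 1 to 146000 days, got $days."
}

# Create the time-based retention policy; it starts in the unlocked state.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -ImmutabilityPeriod $days | Out-Null

# Read the policy back and confirm what is about to be locked.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
if ($policy.ImmutabilityPeriodSinceCreationInDays -ne $days) {
    throw "Policy reports an unexpected retention interval; not locking."
}

# Lock the exact policy version just read, identified by its ETag.
# After this, only extensions of the retention interval are allowed.
if ($lockPolicy) {
    Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
        -StorageAccountName $account -ContainerName $container `
        -Etag $policy.Etag
}

# Create a legal hold with one or more tags.
Add-AzRmStorageContainerLegalHold -ResourceGroupName $rg `
    -StorageAccountName $account -Name $container -Tag $holdTags

# Clear the legal hold by removing the applied tags.
if ($clearHold) {
    Remove-AzRmStorageContainerLegalHold -ResourceGroupName $rg `
        -StorageAccountName $account -Name $container -Tag $holdTags
}
```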