Set and manage immutability policies for Blob storage

Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. Immutable storage is available for general-purpose v2 and Blob storage accounts in all Azure regions.

This article shows how to set and manage immutability policies and legal holds for data in Blob storage using the Azure portal, PowerShell, or Azure CLI. For more information about immutable storage, see Store business-critical blob data with immutable storage.

  1. Create a new container or select an existing container to store the blobs that need to be kept in the immutable state. The container must be in a general-purpose v2 or Blob storage account.

  2. Select Access policy in the container settings. Then select Add policy under Immutable blob storage.

  3. To enable time-based retention, select Time-based retention from the drop-down menu.

  4. Enter the retention interval in days (acceptable values are 1 to 146000 days).

    The initial state of the policy is unlocked, allowing you to test the feature and make changes to the policy before you lock it. Locking the policy is essential for compliance with regulations like SEC 17a-4.

  5. Lock the policy. Right-click the ellipsis (...) to open a menu with additional actions.

  6. Select Lock Policy and confirm the lock. The policy is now locked and cannot be deleted; only extensions of the retention interval are allowed. Blob deletes and overrides are not permitted.

  7. To enable legal holds, select Add Policy. Select Legal hold from the drop-down menu.

  8. Create a legal hold with one or more tags.

  9. To clear a legal hold, remove the applied legal hold identifier tag.
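
The same steps can be scripted with the Azure CLI. The following is an added example, not part of the original article: the resource group, storage account, and container names are placeholder assumptions, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): Azure CLI equivalents of the
# portal steps. RG, ACCOUNT and CONTAINER are placeholder names (assumptions).
RG="${RG:-example-rg}"
ACCOUNT="${ACCOUNT:-examplestorageacct}"
CONTAINER="${CONTAINER:-worm-container}"

# Run "az storage container <group> <verb>" scoped to the target container.
azc() {
  group="$1"; verb="$2"; shift 2
  az storage container "$group" "$verb" --resource-group "$RG" \
    --account-name "$ACCOUNT" --container-name "$CONTAINER" "$@"
}

# Steps 3-4: create an unlocked time-based retention policy (1 to 146000 days).
set_retention() {
  days="$1"
  case "$days" in
    ''|*[!0-9]*) echo "retention must be a whole number of days" >&2; return 2 ;;
  esac
  if [ "$days" -lt 1 ] || [ "$days" -gt 146000 ]; then
    echo "retention must be between 1 and 146000 days" >&2; return 2
  fi
  azc immutability-policy create --period "$days"
}

# Steps 5-6: lock the policy. The lock command requires the policy's current
# ETag, so read it first. A locked policy cannot be deleted, only extended.
lock_policy() {
  etag="$(azc immutability-policy show --query etag --output tsv)" || return 1
  [ -n "$etag" ] || { echo "no immutability policy on $CONTAINER" >&2; return 1; }
  azc immutability-policy lock --if-match "$etag"
}

# Steps 7-8: place a legal hold using one or more tags.
set_legal_hold() { azc legal-hold set --tags "$@"; }

# Step 9: clear a legal hold by removing its tag(s).
clear_legal_hold() { azc legal-hold clear --tags "$@"; }

# Usage (test with an unlocked policy before locking):
#   set_retention 30 && lock_policy
#   set_legal_hold case2024a      # constructed tag value
```

Source the script in a session that is already signed in with `az login`, then call the functions in the order of the steps above.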

Enabling allow protected append blobs writes

Allow additional append writes

Next steps

Store business-critical blob data with immutable storage