DEV_NET_CORE
GET_STARTED
AzureAzure Blob Storage and file handling

Lifecycle management, soft delete, versioning, immutability, encryption, and retention

Overview

Azure Blob Storage provides several controls that address different data-protection goals:

  • Lifecycle management changes storage tiers or deletes data according to policy.
  • Soft delete makes deleted blobs, snapshots, versions, or containers recoverable for a retention period.
  • Versioning preserves earlier blob states when a blob is created, replaced, or deleted.
  • Point-in-time restore can return supported block blobs to an earlier account state.
  • Immutable storage prevents protected data from being modified or deleted.
  • Encryption protects stored data from disclosure.
  • Retention policies define how long data and recovery copies must remain.

These controls are complementary, not interchangeable. Versioning does not replace backup, encryption does not prevent deletion, and lifecycle deletion is not a compliance retention mechanism.

For interviews, a strong answer starts with the failure or regulatory requirement and then selects controls. The candidate should be able to explain accidental-deletion recovery, overwrite recovery, ransomware resistance, legal retention, encryption-key ownership, storage cost, and recovery testing.

Core Concepts

Start with the Protection Goal

Choose a feature only after identifying the risk:

RequirementRelevant controls
Recover an accidentally deleted blobBlob soft delete, versioning, backup
Recover a deleted containerContainer soft delete
Recover an overwritten blobVersioning, point-in-time restore, backup
Prevent deletion during a legal periodTime-based immutability policy or legal hold
Reduce old-data costLifecycle tiering
Delete expired data automaticallyLifecycle deletion, subject to retention rules
Protect data at restStorage service encryption
Control encryption keysCustomer-managed keys
Recover many blobs after a bad deploymentPoint-in-time restore or backup
Survive account or regional lossAppropriate redundancy and backup strategy

Protection should cover both the blob data and the metadata system that makes the data meaningful.

Lifecycle Management

A lifecycle management policy is a collection of rules. Each rule can filter blobs and apply actions based on age or state.

Common actions include:

  • Move current blob versions to cooler access tiers.
  • Move previous versions or snapshots to cooler tiers.
  • Delete current versions, previous versions, or snapshots after a specified age.
  • Apply rules only to matching prefixes.
  • Apply rules only to blobs with matching index tags.

Example policy:

Code
{
  "rules": [
    {
      "enabled": true,
      "name": "archive-and-expire-audit-exports",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["audit-exports/"]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": {
              "daysAfterModificationGreaterThan": 30
            },
            "tierToArchive": {
              "daysAfterModificationGreaterThan": 180
            },
            "delete": {
              "daysAfterModificationGreaterThan": 2555
            }
          },
          "version": {
            "delete": {
              "daysAfterCreationGreaterThan": 90
            }
          }
        }
      }
    }
  ]
}

Lifecycle processing is asynchronous. A rule becoming eligible does not mean the action happens at an exact second. Applications must not depend on lifecycle execution as a real-time scheduler.

Lifecycle Cost Trade-offs

Tiering and deletion can reduce capacity cost but introduce other costs:

  • Read and rehydration charges.
  • Higher access latency for offline archive data.
  • Early deletion charges for data removed before a tier's minimum duration.
  • Transactions generated by lifecycle operations.
  • Additional versions and snapshots waiting for cleanup.

Archive data must be rehydrated before normal online access. Lifecycle rules should reflect actual access patterns and recovery objectives rather than moving every old blob to the coldest tier.

Blob Soft Delete

Blob soft delete retains deleted blobs for a configured period. Depending on configuration and feature interactions, it also protects deleted snapshots and versions.

During the retention period:

  • Deleted data is marked for deletion rather than removed immediately.
  • Authorized users or services can restore it.
  • The retained data continues to consume storage.
  • Permanent deletion occurs after the retention period expires.

Soft delete is useful for operational mistakes. It is not a substitute for an independently protected backup because an attacker with sufficient control may change protection settings or wait for the retention period to expire.

Container Soft Delete

Container soft delete protects against deleting an entire container. Blob soft delete alone does not provide the same container-level recovery experience.

A practical baseline for many general-purpose accounts is:

  • Enable container soft delete.
  • Enable blob soft delete.
  • Enable versioning for overwrite recovery.
  • Configure lifecycle rules for old versions.
  • Restrict who can change account protection settings.

Blob Versioning

When versioning is enabled, updates create immutable previous versions. The current version remains the normal blob URL, while older versions can be addressed by version ID.

Versioning helps recover from:

  • Accidental overwrites.
  • Defective processing jobs.
  • Incorrect metadata changes.
  • Deletions that can be restored by promoting an earlier version.

Versioning can produce substantial cost if frequently updated blobs accumulate versions. Pair it with lifecycle rules that delete or tier previous versions after the required recovery window.

Versioning is not application-level history. It does not explain who made a business change or why. Store business audit data separately when that context is required.

Point-in-Time Restore

Point-in-time restore is designed for account-wide operational recovery of supported block blobs. It can restore blobs to a state from an earlier time within the configured restore window.

It depends on related protection features, including:

  • Blob versioning.
  • Change feed.
  • An adequate soft-delete retention period.

Important design considerations include:

  • It applies only to supported account and blob configurations.
  • Restore scope and timing should be tested before an incident.
  • It does not restore external database records.
  • Feature compatibility can differ for hierarchical namespace, premium accounts, and immutable data.

For a single overwritten object, restoring a previous version is often simpler. Point-in-time restore is more useful after a broad accidental or malicious change.

Backup and Independent Recovery

Operational protection features live close to the storage account. Backup provides an additional recovery control and can support centrally managed recovery policies.

Evaluate:

  • Whether backup data is stored in an independently controlled vault.
  • Whether the backup protects against deletion of the source account.
  • Supported blob types and account configurations.
  • Recovery granularity and recovery time.
  • Cross-region requirements.
  • Protection of the metadata database.

A recovery design is incomplete until the team has performed a restore test.

Immutable Storage and WORM

Immutable storage implements write once, read many behavior. Protected data cannot be modified or deleted until policy conditions allow it.

It is intended for:

  • Regulatory records.
  • Financial or audit data.
  • Legal evidence.
  • Security logs.
  • Records that must resist privileged deletion.

The two major controls are time-based retention and legal holds.

Time-Based Retention

A time-based policy retains data for a configured interval. During that interval, protected data cannot be overwritten or deleted.

Policies can be:

  • Unlocked during configuration and testing.
  • Locked when the retention requirement is finalized.

Locking is a serious governance action. A locked policy cannot simply be removed, and retention generally cannot be shortened. Validate scope, costs, and legal requirements before locking.

Version-level immutability can protect individual blob versions and supports scenarios where each version has its own retention lifecycle.

Legal Holds

A legal hold retains protected data until an authorized user explicitly clears the hold. It is appropriate when the end date is unknown, such as litigation or investigation.

Use a legal hold when:

  • Retention depends on an external legal event.
  • A fixed duration is not known.
  • Data must remain protected until counsel releases it.

Authorization to apply and remove holds should be tightly controlled and audited.

Immutability Is Not Soft Delete

Soft delete answers:

How can we recover data after deletion?

Immutability answers:

How can we prevent deletion or modification during retention?

They can be used together, but immutability can restrict lifecycle deletion and restore operations. Test the exact combination on the selected storage account type.

Encryption at Rest

Azure Storage service encryption encrypts stored data by default. Applications normally do not need to encrypt each blob merely to obtain basic at-rest encryption.

Encryption protects confidentiality of stored media. It does not provide:

  • Authorization.
  • Deletion protection.
  • Malware scanning.
  • Immutability.
  • Business-level field protection after an authorized read.

Use TLS for data in transit and Microsoft Entra authorization or carefully scoped SAS for access.

Microsoft-Managed and Customer-Managed Keys

With Microsoft-managed keys:

  • Azure manages key creation, rotation, and availability.
  • Operational complexity is low.
  • This is appropriate for many workloads.

With customer-managed keys:

  • The organization controls a key in Azure Key Vault or Managed HSM.
  • Key rotation, access policy, monitoring, and recovery become customer responsibilities.
  • Disabling or losing the key can make data unavailable.
  • The storage account needs an authorized identity to access the key.

Choose customer-managed keys for a concrete regulatory, contractual, separation-of-duties, or key-control requirement, not because they are automatically more secure in every operating environment.

Infrastructure Encryption

Infrastructure encryption adds another encryption layer using a separate key. It can satisfy requirements for double encryption at the infrastructure level.

It should be enabled because of a documented requirement. It does not replace customer-managed keys, authorization controls, or application-layer encryption.

Encryption Scopes

Encryption scopes allow different blobs or containers to use different encryption configurations within an account.

They are useful for:

  • Tenant or dataset separation requirements.
  • Applying a customer-managed key to selected data.
  • Enforcing a container's default encryption behavior.

Encryption scopes affect key boundaries, not authorization boundaries. RBAC and object naming still need to isolate tenants.

Client-Side Encryption

Client-side encryption encrypts content before it reaches Azure Storage. It can protect data from storage administrators and support application-controlled cryptographic boundaries.

Trade-offs include:

  • The application owns key management and format compatibility.
  • Server-side inspection, indexing, and transformation become harder.
  • Range reads and streaming may require special handling.
  • Key loss can make data permanently unreadable.
  • Rotation may require re-encryption.

Use it only when the threat model requires protection beyond service-side encryption.

Retention Strategy

A retention strategy should define:

  • The authoritative retention period.
  • Whether the period starts at creation, business closure, or another event.
  • Whether legal holds can override normal disposal.
  • Which copies, versions, snapshots, and backups are covered.
  • Who can change or lock policies.
  • How deletion is proven after retention expires.
  • How exceptions are approved and audited.

Avoid implementing legal retention only through lifecycle rules. Lifecycle rules automate storage actions, while immutability enforces non-deletion.

Feature Interaction Example

Consider invoice documents:

  1. Upload to a quarantine container.
  2. Scan and validate the content.
  3. Move or copy the approved blob into its final location.
  4. Apply the correct retention policy before exposing it.
  5. Store the immutable version ID and business metadata.
  6. Use lifecycle rules to tier older retained data.
  7. Delete eligible data only after retention and legal holds allow it.
  8. Test retrieval from every tier and recovery system.

The ordering matters. An immutable malicious or incorrectly classified file can become difficult or impossible to remove.

Common Mistakes

  • Treating soft delete as backup.
  • Enabling versioning without cleaning up old versions.
  • Using lifecycle deletion as legal retention.
  • Locking an immutability policy before validating it.
  • Assuming encryption prevents authorized deletion.
  • Losing access to a customer-managed key.
  • Ignoring feature compatibility for the account type.
  • Protecting blobs but not the metadata database.
  • Never testing restore procedures.
  • Giving application identities permission to change protection policies.

Best Practices

  • Document recovery point and recovery time objectives.
  • Enable protection before production data is written.
  • Separate data-plane access from protection-policy administration.
  • Apply least privilege to key and retention administrators.
  • Use Azure Policy and monitoring to detect configuration drift.
  • Alert on protection-setting changes and key-access failures.
  • Bound version and snapshot growth with lifecycle rules.
  • Use immutable storage only for data with a clear retention requirement.
  • Keep customer-managed key recovery and rotation procedures tested.
  • Run periodic restore exercises and record the result.

Interview Practice

Beginner4 questions

Beginner Interview Practice

Practice the beginner questions for this topic.

Intermediate4 questions

Intermediate Interview Practice

Practice the intermediate questions for this topic.

Advanced4 questions

Advanced Interview Practice

Practice the advanced questions for this topic.

PreviousLarge file uploads, block upload, retry behavior, checksums, and resumable upload patternsNext UpShared access signatures, managed identity, RBAC, stored access policies, and public access risks