Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time. During the retention period, you can restore the blob to its state at deletion. After the retention period has expired, the blob is permanently deleted. For more information about blob soft delete, see Soft delete for blobs.
Blob soft delete is part of a comprehensive data protection strategy for blob data. To learn more about Azure's recommendations for data protection, see Data protection overview.
Enable blob soft delete
You can enable or disable soft delete for a storage account at any time by using the Azure portal, PowerShell, or Azure CLI.
Blob soft delete is enabled by default when you create a new storage account with the Azure portal. The setting to enable or disable blob soft delete when you create a new storage account is on the Data protection tab. For more information about creating a storage account, see Create a storage account.
To enable blob soft delete for an existing storage account by using the Azure portal, follow these steps:
1. In the Azure portal, navigate to your storage account.
2. Locate the Data Protection option under Data management.
3. In the Recovery section, select Turn on soft delete for blobs.
4. Specify a retention period between 1 and 365 days. We recommend a minimum retention period of seven days.
5. Save your changes.
Blob soft delete is not enabled when you create a new storage account with PowerShell. You can enable blob soft delete after the new account has been created.
To enable blob soft delete for an existing storage account with PowerShell, call the Enable-AzStorageBlobDeleteRetentionPolicy command, specifying the retention period in days.
The following example enables blob soft delete and sets the retention period to seven days. Remember to replace the placeholder values in brackets with your own values:
Blob soft delete is not enabled when you create a new storage account with Azure CLI. You can enable blob soft delete after the new account has been created.
The following example enables blob soft delete and sets the retention period to seven days. Remember to replace the placeholder values in brackets with your own values:
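To check the current settings for blob soft delete, call the az storage account blob-service-properties show command:
az storage account blob-service-properties show --account-name <storage-account> \
    --resource-group <resource-group>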
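One way to script the enable step and confirm that it took effect, as an added example that is not part of the original page: it validates the retention period against the 1 to 365 day range given above, runs az storage account blob-service-properties update, and reads the policy back with the show command. The function names and the read-back check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are assumptions;
# the az commands and flags are the Azure CLI's own.

MIN_RECOMMENDED_DAYS=7   # the page recommends at least seven days

# Succeeds only for a whole number of days in the allowed range (1-365).
validate_retention_days() {
  case "$1" in
    ''|*[!0-9]*) echo "retention must be a whole number of days" >&2; return 1 ;;
  esac
  if [ "$1" -lt 1 ] || [ "$1" -gt 365 ]; then
    echo "retention must be between 1 and 365 days" >&2; return 1
  fi
  if [ "$1" -lt "$MIN_RECOMMENDED_DAYS" ]; then
    echo "warning: below the recommended minimum of $MIN_RECOMMENDED_DAYS days" >&2
  fi
}

# Compare the policy read back from the account with what was requested.
# $1 = enabled flag as printed by az, $2 = reported days, $3 = requested days
policy_matches() {
  enabled=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  [ "$enabled" = "true" ] && [ "$2" = "$3" ]
}

# Usage: enable_blob_soft_delete <storage-account> <resource-group> <days>
enable_blob_soft_delete() {
  account=$1; group=$2; days=$3
  validate_retention_days "$days" || return 1

  az storage account blob-service-properties update \
    --account-name "$account" --resource-group "$group" \
    --enable-delete-retention true --delete-retention-days "$days" \
    --output none || return 1

  # Read the setting back instead of trusting the update's exit status.
  state=$(az storage account blob-service-properties show \
    --account-name "$account" --resource-group "$group" \
    --query "deleteRetentionPolicy.[enabled, days]" --output tsv) || return 1
  set -- $state   # split the enabled flag and the day count on whitespace
  if policy_matches "$1" "$2" "$days"; then
    echo "soft delete enabled on $account for $days days"
  else
    echo "policy on $account does not match request: $state" >&2; return 1
  fi
}
```

Source the file in a signed-in Azure CLI session and call enable_blob_soft_delete with your own account name, resource group, and retention period.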
To enable blob soft delete with an Azure Resource Manager template, create a template that sets the deleteRetentionPolicy property. The following steps describe how to create a template in the Azure portal.
1. In the Azure portal, choose Create a resource.
2. In Search the Marketplace, type Deploy a custom template, and then press ENTER.
3. Choose Build your own template in the editor.
4. In the template editor, paste in the following JSON. Replace the <account-name> placeholder with the name of your storage account.
Obtain storage account authorization by using either a storage account key, a connection string, or Microsoft Entra ID. For more information, see Connect to the account.
The following example obtains authorization by using a storage account key.
To enable soft delete with Azure CLI, call the az storage fs service-properties update command, specifying the retention period in days.
The following example enables blob and directory soft delete and sets the retention period to 5 days.
az storage fs service-properties update --delete-retention --delete-retention-period 5 --auth-mode login
To check the current settings for blob soft delete, call the az storage fs service-properties show command, which only reads the settings (update with --delete-retention false would turn soft delete off):
az storage fs service-properties show --connection-string "$con"