az storage container immutability-policy show --account-name <account> --container-name <container> --auth-mode loginBlob immutability policy
A blob immutability policy is a time-based retention or legal hold configuration that protects blob data from modification or deletion while the policy is in effect.
Source: Microsoft Learn - Overview of immutable storage for blob data Reviewed 2026-05-12
- Exam trap
- Running commands in the wrong subscription, account, container, or environment.
- Production check
- Show the target resource and confirm the Blob immutability policy value before changing anything.
Article details and learning context
- Aliases
- None listed
- Difficulty
- intermediate
- CLI mappings
- 3
- Last verified
- 2026-05-12
- Review level
- top250-pre130-priority
- Article depth
- field-manual-complete
Understand the concept
In plain English
Blob immutability policy is a WORM protection rule for blob data used with Azure Blob Storage. It helps teams keep regulated or business-critical objects from being changed or deleted until approved retention conditions are met. You normally encounter it while designing applications, reviewing storage behavior, troubleshooting incidents, or validating automation. In plain English, it is not just a label; it affects how data is addressed, protected, processed, billed, and explained. Operators should confirm live resource state instead of relying only on code comments, screenshots, or old deployment notes.
Why it matters
Blob immutability policy matters because a small misunderstanding can change where data goes, who can read it, how quickly it is available, and what the workload costs. The common failure pattern is accidental deletion of records, irreversible lock mistakes, blocked cleanup jobs, failed overwrites, retention evidence gaps, and expensive data that cannot be removed early. In enterprise environments, storage behavior crosses application, security, compliance, operations, and finance boundaries. Clear glossary coverage gives teams shared language for design reviews and incident calls. It also tells operators which proof to collect: resource properties, logs, permissions, metrics, and business impact. That discipline turns a vague storage problem into a reviewable decision with owners, evidence, and next actions.
Official wording and source
A blob immutability policy is a time-based retention or legal hold configuration that protects blob data from modification or deletion while the policy is in effect. Microsoft Learn places it in Overview of immutable storage for blob data; operators confirm scope, configuration, dependencies, and production impact.
Technical context
Technically, Blob immutability policy depends on container-level policies, version-level policies, retention intervals, locked or unlocked state, legal hold tags, versioning, protected append writes, and authorized policy changes. Operators validate it by reviewing immutability policy state, retention-until date, lock status, legal hold tags, protected append-write setting, delete failures, Activity Log events, and storage diagnostics. The safest workflow is to compare desired configuration, live Azure state, application behavior, and logs before changing production. Use Azure CLI, SDK, or REST evidence to identify the account, container, blob, identity, network path, and operation outcome.
Exam context
Compare with
Where it is used
Where you see it
- In the Azure portal, Blob immutability policy appears on storage accounts, containers, versions, legal holds, retention settings, and protected blob lifecycle views during regular audits.
- In Azure CLI output, it appears as immutability period, policy mode, legal hold state, ETag, version scope, and lock status evidence for containers during reviews.
- In audit workbooks and storage runbooks, it appears near backup retention, lifecycle management, privileged access reviews, and records management approval evidence for regulated data annually.
Common situations
- Protect regulated blobs from overwrite or delete by applying time-based retention or legal hold controls at the right scope.
- Validate whether an immutability policy is unlocked, locked, expired, or extended before approving storage lifecycle changes.
- Prepare audit evidence for WORM storage requirements across financial records, healthcare documents, or legal archives.
- Prevent cleanup jobs, migrations, or application deletes from touching containers that must retain protected versions.
- Estimate retention cost and operational impact before enabling immutable storage for high-volume backup or archive workloads.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Blob immutability policy in financial services operations Scenario, objectives, solution, measured impact, and takeaway.
Northbridge Securities, a financial services organization, had a concrete Azure challenge: trade confirmation archives needed regulator-approved write-once protection without delaying statement retrieval. The team needed a practical design that operators could validate without guessing.
- Protect 42 million confirmations from overwrite or delete.
- Keep customer-service reads under 2 seconds.
- Prove retention state during quarterly audits.
- Prevent cleanup scripts from touching protected containers.
Architects designed the workflow around Blob immutability policy by defining the affected storage account, container scope, identity, network path, and validation evidence before production. They configured the feature or property in the application and Azure control plane, then connected it with Azure Monitor, deployment checks, and a runbook for support teams. Operators used Azure CLI and service logs to compare expected configuration with live state, while security reviewed permissions, SAS exposure, private access, and audit records. A pilot used representative objects, failure cases, and rollback steps so the release team could prove the behavior before customer traffic depended on it. They documented ownership, emergency contacts, rollback criteria, and a sample command transcript for future incidents. The acceptance plan included before-and-after samples, monitored metrics, a named rollback owner, and clear sign-off criteria for business, security, and operations teams. Documentation showed intended state, observed Azure output, and the exact command evidence operators should keep for future incidents, audits, and release reviews.
- Protected confirmations passed 100 percent of sampled audit checks.
- Read latency stayed at 1.4 seconds for current-year files.
- Cleanup exceptions dropped to zero.
- Audit preparation fell from 6 days to 2 days.
Blob immutability policy creates practical value when teams pair the Azure capability with ownership, validation evidence, and operating discipline.
Scenario 02 Blob immutability policy in healthcare operations Scenario, objectives, solution, measured impact, and takeaway.
Alder Valley Health, a healthcare organization, had a concrete Azure challenge: diagnostic image exports needed retention that operations could verify before a hospital accreditation review. The team needed a practical design that operators could validate without guessing.
- Apply immutable retention to 9 years of exports.
- Keep radiology viewers working normally.
- Document emergency extension procedures.
- Reduce manual evidence collection by 60 percent.
The operations team implemented Blob immutability policy as part of a governed automation pattern instead of a one-off script. They tagged or named target objects consistently, limited the automation identity to the required container, and captured request IDs, timestamps, and output properties for every run. Azure Monitor alerts tracked failures, latency, and unexpected volume. The team added pre-release checks that sampled live blobs and compared them with the approved design. Business owners received a simple evidence report, and support engineers received quick commands for triage, rollback, and escalation. A dry run compared candidate objects against production exclusions and saved a signed approval note before automation ran unattended. The acceptance plan included before-and-after samples, monitored metrics, a named rollback owner, and clear sign-off criteria for business, security, and operations teams. Documentation showed intended state, observed Azure output, and the exact command evidence operators should keep for future incidents, audits, and release reviews.
- Retention coverage reached 99.97 percent of sampled exports.
- Viewer workflow remained unchanged.
- Extension runbooks were approved before go-live.
- Evidence collection fell by 72 percent.
Blob immutability policy creates practical value when teams pair the Azure capability with ownership, validation evidence, and operating discipline.
Scenario 03 Blob immutability policy in transportation operations Scenario, objectives, solution, measured impact, and takeaway.
HarborWorks Logistics, a transportation organization, had a concrete Azure challenge: customs documents were being modified after shipment closeout, creating disputes with port authorities. The team needed a practical design that operators could validate without guessing.
- Freeze closed-shipment documents after final approval.
- Allow controlled append-only status notes.
- Reduce document dispute investigations.
- Give legal teams clear retention evidence.
Engineers integrated Blob immutability policy into the release and incident process. The design used documented naming rules, least-privilege data access, private connectivity where required, and explicit validation after each change. During rollout, they tested normal operations, stale data, permission failures, and recovery paths. Operators saved CLI output, metrics, and application traces with the change record so future incidents could be reconstructed. The final handoff included owner contacts, known limits, cost considerations, and a decision tree for whether to retry, restore, revert, or escalate. After rollout, a weekly review compared metrics, costs, support tickets, and security findings against the objectives, then tuned thresholds without changing ownership boundaries. The acceptance plan included before-and-after samples, monitored metrics, a named rollback owner, and clear sign-off criteria for business, security, and operations teams. Documentation showed intended state, observed Azure output, and the exact command evidence operators should keep for future incidents, audits, and release reviews.
- Post-closeout modifications stopped.
- Append-note workflow handled 11,000 monthly updates.
- Dispute investigation time dropped 48 percent.
- Legal reviewers accepted the policy evidence.
Blob immutability policy creates practical value when teams pair the Azure capability with ownership, validation evidence, and operating discipline.
Azure CLI
CLI checks make Blob immutability policy observable by turning portal assumptions into repeatable commands, properties, metrics, and troubleshooting evidence.
Useful for
- Confirm current Blob immutability policy configuration before a release, incident change, or migration step.
- Collect resource properties, identity context, metrics, and operation status for support evidence.
- Compare expected design values with live Azure state after automation or application changes.
Before you run a command
- Confirm subscription, tenant, storage account, container, blob name, and authentication method.
- Use least-privilege data-plane access and avoid exposing account keys or long-lived SAS tokens.
- Know whether the command reads state, changes data, deletes objects, or triggers billable operations.
What the output tells you
- Properties output shows live resource values such as tier, ETag, metadata, status, and timestamps.
- Metrics and logs show whether operations succeeded, retried, failed, or created downstream pressure.
- Errors usually identify missing permissions, wrong names, network restrictions, precondition failures, or unsupported operations.
Mapped commands
Blob immutability policy operational CLI checks
directaz storage container immutability-policy create --account-name <account> --container-name <container> --period <days> --auth-mode loginaz storage container immutability-policy lock --account-name <account> --container-name <container> --auth-mode loginArchitecture context
Blob immutability policy matters because a small misunderstanding can change where data goes, who can read it, how quickly it is available, and what the workload costs. The common failure pattern is accidental deletion of records, irreversible lock mistakes, blocked cleanup jobs, failed overwrites, retention evidence gaps, and expensive data that cannot be removed early. In enterprise environments, storage behavior crosses application, security, compliance, operations, and finance boundaries. Clear glossary coverage gives teams shared language for design reviews and incident calls. It also tells operators which proof to collect: resource properties, logs, permissions, metrics, and business impact. That discipline turns a vague storage problem into a reviewable decision with owners, evidence, and next actions.
- Security
- Security for Blob immutability policy starts with knowing who can configure it, who can use it, and what data exposure it can create. Important controls include least-privilege policy administration, separation of duties, change approval, immutable retention evidence, legal hold control, private access, and audit logging. Review Azure RBAC, data-plane permissions, SAS usage, account-key access, network restrictions, diagnostic logging, and automation that changes blob state. Avoid broad write permissions for cleanup, copy, tiering, tagging, or metadata jobs. For sensitive workloads, document approved identities, private access paths, retention controls, and investigation evidence. A safe design makes accidental exposure harder and suspicious changes easier to trace.
- Cost
- Cost for Blob immutability policy is driven by retained capacity, version growth, snapshots, legal hold duration, failed cleanup automation, lifecycle conflicts, inventory reporting, and compliance monitoring. The main mistake is treating blob behavior as free because the object itself looks simple. Transactions, reads, writes, listing, copy activity, rehydration, retention, tagging, inventory, and monitoring can all add cost at scale. FinOps reviews should connect data age, access frequency, lifecycle policy, redundancy, and business value. Use inventory, metrics, cost analysis, and application evidence to find waste. A good cost decision preserves required durability and access while avoiding expensive defaults that nobody still needs.
- Reliability
- Reliability depends on whether Blob immutability policy behaves predictably during normal load, deployment changes, retries, and outages. Teams should test realistic object names, sizes, concurrency, permissions, and failure modes. Common reliability work includes validating immutability policy state, retention-until date, lock status, legal hold tags, protected append-write setting, delete failures, Activity Log events, and storage diagnostics, confirming retry behavior, and documenting what should happen when a request fails. Use soft delete, versioning, immutable storage, restore procedures, or idempotent application logic where the workload requires them. Runbooks should explain whether the issue is application code, identity, network, storage service health, policy, or operator action.
- Performance
- Performance for Blob immutability policy depends on extra validation on writes or deletes, append behavior, version volume, list operations, policy checks, and recovery workflows that depend on retained data. Operators should measure real workload behavior rather than assuming all blob operations behave the same. Large objects, many tiny objects, hot prefixes, broad tag queries, inventory scans, archive rehydration, and aggressive retries can all create bottlenecks. Use metrics, logs, client timing, and storage diagnostics to separate service limits from application design issues. Tune concurrency, batching, transfer options, naming, and retry policy carefully. For production workloads, validate performance with realistic data volume, network path, identity method, and downstream processing.
- Operations
- Operationally, Blob immutability policy needs ownership, monitoring, and repeatable checks. Document the storage account, container, naming rules, identities, network path, lifecycle settings, and support contacts that affect it. Operators should use immutability-policy show, create, lock, extend, allow-protected-append-writes, legal-hold checks, and blob delete validation commands to verify current state before making changes. Monitoring should connect Azure metrics, logs, application symptoms, and business impact instead of showing isolated counters. During incidents, capture commands, timestamps, request IDs, and observed outputs. During releases, compare design assumptions with live configuration so drift is found before customers or auditors find it. Keep the evidence close to the runbook so future responders can repeat the check.
Common mistakes
- Running commands in the wrong subscription, account, container, or environment.
- Assuming management-plane permissions automatically allow blob data operations.
- Ignoring operation side effects such as deletion, rehydration, tier changes, copies, or extra transactions.