Azure Storage Account Immutability (Part 3/4): Legal Hold Based Retention

Vivek Nagarajan
Dec 11, 2022


In the last article, the options & steps to configure Time based retention were explained. Following are the articles in this series for quick reference.

Azure Storage Account Immutability : Basics

Azure Storage Account Immutability : Time Based Retention

Azure Storage Account Immutability : Legal Hold Based Retention *

Azure Storage Account Immutability : Conclusion

What is a Legal Hold based immutability policy — a policy that prevents a blob (and optionally its versions) from being edited or deleted indefinitely, until the hold is explicitly cleared. Choose Legal Hold based immutability when the time for which the blob must stay in a READ ONLY/WORM state is not known up front (for example, for the duration of an investigation or litigation). Because the only way out of a legal hold is for someone to clear it, the permission to clear holds should be restricted as tightly as the permission to delete the data itself.

Legal Hold Based Retention Policy — Supported scopes:

Scope #1: Version level immutability — the legal hold is applied to an individual blob and its versions

Scope #2: Container level immutability — the legal hold is applied to the container and covers every blob in it

Steps to configure Scope #1 Version level immutability (Blob/version level Legal Hold):

  1. Enable Blob Versioning at Account level. This is a pre-requisite for enabling Blob Version immutability at Account level or at a specific container level, which in turn is a pre-requisite for Legal Hold based retention at Blob version level. [Discussed in the first article on basics of Storage Blob immutability]
  2. Enable Blob Version immutability at Account level or at Container level. If it is not enabled at Account level, it needs to be enabled on each specific container where Legal Hold based immutability at blob version level is required. If it is enabled at Account level, Blob Version immutability is automatically enabled for all containers in the Storage Account and cannot be disabled at container level. [Discussed in the first article on basics of Storage Blob immutability]
  3. Once Blob version immutability is enabled at Account or Container level, a Legal Hold policy can no longer be set at Container level. Also, unlike Time based retention, there is no option to set a Legal Hold policy at Account level.

Case #1: Blob version immutability is set at Account level. This would prevent creating a Legal Hold policy at Container level.

The only option is to set the Legal Hold policy directly on the blob/version. Navigation path: Storage Account > Go to specific Container > Upload Blob > Select Access Policy (Screenshot #3 below) > Add Policy > Define a Legal Hold based retention policy.

(Blob version level immutability is enabled at Account level)
(Legal Hold policy setting is disabled at Container level)
(Open Access Policy to define Legal Hold policy at Blob/version level)
(Select Add Policy to set Legal Hold Policy at Blob/version level)
(Legal Hold policy added at Blob/version level)

Case #2: Blob version immutability is set at Container level. This would prevent creating a Legal Hold policy at Container level.

The only option is to set the Legal Hold policy directly on the blob/version. Navigation path: Storage Account > Go to specific Container > Upload Blob > Select Access Policy (Screenshot #4 below) > Add Policy > Define a Legal Hold based retention policy.

(Blob version level immutability is disabled at Account level)
(Blob version level immutability is enabled at Container level)
(Legal Hold policy is disabled at Container level)
(Open Access Policy to define Legal Hold policy at Blob/version level)
(Select Add Policy to set Legal Hold Policy at Blob/version level)
(Legal Hold policy added at Blob/version level)

Steps to configure Scope #2 Container level immutability (Blob level Legal Hold):

  1. Do not enable Blob Version immutability at either Account or Container level [Discussed in the first article on basics of Storage Blob immutability].
(Blob version immutability not enabled at Account level)
(Blob version immutability not enabled at Container level)

  2. Define a Legal Hold based retention policy on every container whose blobs need to be made immutable through Legal Hold. The container-level Legal Hold applies to all blobs in that container, those already present as well as those uploaded later, and the blobs remain immutable until the legal hold is removed.

(Legal Hold policy defined at Container level)
(Legal Hold policy enabled at Container level)
(Legal Hold on the Container would prevent the blob from getting edited & deleted)
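The two portal procedures above (Scope #1, a legal hold on an individual blob/version, and Scope #2, a legal hold on a container) have Azure CLI equivalents, which are easier to review and repeat than portal clicks. The script below is an added example and is not part of the original article; the resource group and storage account names are placeholders, and the `DRY_RUN=1` switch makes it print the `az` commands instead of executing them so the intended change can be reviewed before it touches a subscription. The container-level function refuses to run when version-level immutability is already enabled on the container, matching step 3 of Scope #1, and the tag check encodes Azure's legal hold tag constraint (alphanumeric, 3 to 23 characters). The `immutableStorageWithVersioning.enabled` JMESPath query is an assumption about the `container-rm show` output shape.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): Azure CLI equivalents of the
# Legal Hold procedures. Names below are placeholders, override via environment.
set -euo pipefail

RG="${RG:-rg-immutable-demo}"
ACCOUNT="${ACCOUNT:-stimmutabledemo}"

# run: execute an az command, or print it when DRY_RUN=1 (review before apply).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Scope #1 pre-requisite: blob versioning at account level.
enable_versioning() {
  run az storage account blob-service-properties update \
    --resource-group "$RG" --account-name "$ACCOUNT" --enable-versioning true
}

# Scope #1 pre-requisite: version-level immutability on one container.
# (Account-level VLW can only be chosen at account creation with --enable-alw;
# existing containers use "az storage container-rm migrate-vlw" instead.)
enable_container_vlw() {
  run az storage container-rm create --resource-group "$RG" \
    --storage-account "$ACCOUNT" --name "$1" --enable-vlw true
}

# Scope #1: legal hold directly on a blob. Clearing it is the same call with false.
set_blob_legal_hold() {
  run az storage blob set-legal-hold --account-name "$ACCOUNT" --auth-mode login \
    --container-name "$1" --name "$2" --legal-hold "${3:-true}"
}

# Returns 0 when version-level immutability is on for the container; in that
# state a container-level legal hold cannot be created (Scope #1 step 3).
# The query path is assumed from the container-rm show output.
container_has_vlw() {
  [ "$(az storage container-rm show --resource-group "$RG" --storage-account "$ACCOUNT" \
        --name "$1" --query 'immutableStorageWithVersioning.enabled' -o tsv)" = "true" ]
}

# Legal hold tags: alphanumeric, 3 to 23 characters.
valid_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{3,23}$'
}

# Scope #2: legal hold on the whole container, identified by one or more tags.
set_container_legal_hold() {
  local container="$1"; shift
  local tag
  for tag in "$@"; do
    valid_tag "$tag" || { echo "invalid legal hold tag: $tag" >&2; return 1; }
  done
  if [ "${DRY_RUN:-0}" != "1" ] && container_has_vlw "$container"; then
    echo "refusing: $container has version-level immutability; use set_blob_legal_hold" >&2
    return 1
  fi
  run az storage container legal-hold set --resource-group "$RG" \
    --account-name "$ACCOUNT" --container-name "$container" --tags "$@"
}

# Scope #2: remove a hold by tag; the container is mutable again only once
# every tag has been cleared.
clear_container_legal_hold() {
  local container="$1"; shift
  run az storage container legal-hold clear --resource-group "$RG" \
    --account-name "$ACCOUNT" --container-name "$container" --tags "$@"
}

show_container_legal_hold() {
  run az storage container legal-hold show --resource-group "$RG" \
    --account-name "$ACCOUNT" --container-name "$1"
}
```

Typical use after sourcing the file: `DRY_RUN=1 set_container_legal_hold evidence case1234` to print the command, then the same call without `DRY_RUN` to apply it; for Scope #1, `enable_versioning`, `enable_container_vlw evidence`, then `set_blob_legal_hold evidence report.pdf`.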

In this article, the options and steps to configure a Legal Hold based immutability policy have been explained in detail.

In the next article, Time based retention and Legal Hold immutability policies will be summarised side by side. In addition, a pictorial representation of the possible ways to configure both Time based retention and Legal Hold immutability policies across all scopes will be given for easy understanding.

Happy Learning !
