Deleted storage account reappearing in subscription

Tom 6 Reputation points
2025-06-19T17:48:48.0833333+00:00

I deleted 2 storage accounts in 2024. When checking Defender for Cloud, I saw recommendations related to these storage accounts. When checking the activity log, I saw that Microsoft Defender for Cloud Scanner Resource Provider deleted Microsoft.EventGrid/eventSubscriptions/StorageAntimalwareSubscription

How have these storage accounts been hanging around? Is it related to soft deletes? How did this delete event prompt them to reappear?

Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

1 answer

  1. Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator
    2025-06-19T19:41:06.96+00:00

    Hi Tom,

    When you delete a storage account, associated resources like Event Grid subscriptions may not be immediately or fully cleaned up. These subscriptions are often created by services like Microsoft Defender for Cloud to monitor storage accounts for threats. In your case, the Microsoft Defender for Cloud Scanner Resource Provider deleted an Event Grid subscription. This action might have triggered a scan or cleanup process that surfaced lingering metadata or references to the deleted storage accounts.

    Azure Storage supports soft delete for blobs and containers, but not for storage accounts themselves. Metadata about deleted resources can persist in:

    Activity logs, Security recommendations, Monitoring configurations

    These remnants can cause Defender for Cloud to continue referencing the deleted accounts until its internal cache or configuration is refreshed.

    The deletion of the Event Grid subscription likely prompted a rescan or re-evaluation of storage-related configurations. If Defender for Cloud had cached references to the deleted accounts, this action might have caused those references to resurface temporarily in the portal or recommendations.

    To fully clean up:

    Check Defender for Cloud settings for lingering references to the deleted accounts. Review Event Grid and other monitoring configurations to ensure no orphaned subscriptions or policies remain. And use Azure Resource Graph Explorer to query for any ghost resources or metadata.

    Please upvote if the information helps and let me know if you have any other queries. I am glad to assist.

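Added example (not part of the answer above and not Microsoft's own query): one Azure Resource Graph Explorer query for the last clean-up step, listing Defender for Cloud assessments whose target storage account no longer exists in the subscription. It assumes the assessment's target is exposed as `properties.resourceDetails.Id` in the `securityresources` table; the column aliases are illustrative.

```kusto
// Added example: find Defender for Cloud assessments that still reference
// a storage account ID with no matching live storage account.
securityresources
| where type == "microsoft.security/assessments"
// Assumption: the assessed resource ID is carried in properties.resourceDetails.Id
| extend targetId = tolower(tostring(properties.resourceDetails.Id))
| where targetId contains "/providers/microsoft.storage/storageaccounts/"
// Normalise sub-resource IDs (e.g. .../blobServices/default) back to the account ID.
// Segments: ["", "subscriptions", <sub>, "resourcegroups", <rg>, "providers",
//            "microsoft.storage", "storageaccounts", <name>, ...]
| extend p = split(targetId, "/")
| extend accountId = strcat("/subscriptions/", tostring(p[2]),
                            "/resourcegroups/", tostring(p[4]),
                            "/providers/microsoft.storage/storageaccounts/", tostring(p[8]))
// Resource Graph has no leftanti join, so use leftouter and keep unmatched rows.
| join kind=leftouter (
    resources
    | where type == "microsoft.storage/storageaccounts"
    | project accountId = tolower(id), existingName = name
  ) on accountId
| where isempty(existingName)
| project subscriptionId,
          accountId,
          recommendation = tostring(properties.displayName),
          status = tostring(properties.status.code)
| order by accountId asc
```

An empty result means no assessment currently points at a missing storage account in the subscriptions the query is scoped to; any rows returned identify the stale account IDs and the recommendations still attached to them.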
