Deleted storage account reappearing in subscription

Question

Deleted storage account reappearing in subscription

Tom 6

I deleted 2 storage accounts in 2024. When checking Defender for Cloud, I saw recommendations related to these storage accounts. When checking the activity log, I saw that Microsoft Defender for Cloud Scanner Resource Provider deleted Microsoft.EventGrid/eventSubscriptions/StorageAntimalwareSubscription

How have these storage accounts been hanging around? Is it related to soft deletes? How did this delete event prompt them to reappear?

Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator

2025-06-20T11:08:46.1466667+00:00

Hi Tom,

Just checking if you’ve had time to review my answer. If you have any other questions, please let me know in the comments. I am happy to assist.
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator

2025-06-23T11:09:19.3733333+00:00

Hi Tom,

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

1 answer

Your answer

Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator

2025-06-20T11:08:46.1466667+00:00

Hi Tom,

Just checking if you’ve had time to review my answer. If you have any other questions, please let me know in the comments. I am happy to assist.
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator

2025-06-23T11:09:19.3733333+00:00

Hi Tom,

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Answer 1

Hi Tom,

When you delete a storage account, associated resources like EventGrid subscriptions not be immediately or fully cleaned up. These subscriptions are often created by services like Microsoft Defender for Cloud to monitor storage accounts for threats.In your case, the Microsoft Defender for Cloud Scanner Resource Provider deleted an EventGrid subscription. This action might have triggered a scan or cleanup process that surfaced lingering metadata or references to the deleted storage accounts.

Azure Storage supports soft delete for blobs and containers, but not for storage accounts themselves, metadata about deleted resources can persist in:

Activity logs, Security recommendations, Monitoring configurations

These remnants can cause Defender for Cloud to continue referencing the deleted accounts until its internal cache or configuration is refreshed.

The deletion of the Event Grid subscription likely prompted a rescan or re-evaluation of storage-related configurations. If Defender for Cloud had cached references to the deleted accounts, this action might have caused those references to resurface temporarily in the portal or recommendations.

To fully clean up:

Check Defender for Cloud settings for lingering references to the deleted accounts. Review Event Grid and other monitoring configurations to ensure no orphaned subscriptions or policies remain. And Use Azure Resource Graph Explorer to query for any ghost resources or metadata.

Please upvote if the information helps and let me know if you have any other queries. I am glad to assist.

Share via

Deleted storage account reappearing in subscription

1 answer

Your answer