Azure container/blob immutability Policy reporting

Neels Sham 0 Reputation points


I am looking for a reporting option to list out the storage accounts / containers / blob from all available storage accounts from all subscriptions (within same directory) with immutable policy (time based / legal any one) .

Please suggest how can I achieve this ? As I am not from development background, so in case you suggest for using any REST API / query, then please suggest in step by step pattern .

Thanks in advance !!

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,068 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Carlos Solís Salazar 14,631 Reputation points

    Here are the steps to generate such a report:

    Using Azure PowerShell

    1. Install Azure PowerShell Module: If not already installed, you can install the Azure PowerShell module:
         Install-Module -Name Az -AllowClobber -Scope CurrentUser
    2. Login to Azure: Log in to your Azure account:
    3. List Storage Accounts and Check for Immutability Policies: The following script lists all storage accounts across all subscriptions and checks each container for an immutability policy:
         # Get all subscriptions
         $subscriptions = Get-AzSubscription
         foreach ($subscription in $subscriptions) {
             # Set the context to the subscription
             Set-AzContext -SubscriptionId $subscription.Id
             # List all storage accounts in the subscription
             $storageAccounts = Get-AzStorageAccount
             foreach ($storageAccount in $storageAccounts) {
                 # Get the context for the storage account
                 $context = $storageAccount.Context
                 # List all containers in the storage account
                 $containers = Get-AzStorageContainer -Context $context
                 foreach ($container in $containers) {
                     # Check if the container has an immutability policy
                     $immutabilityPolicy = Get-AzStorageContainerImmutabilityPolicy -ContainerName $container.Name -Context $context
                     if ($immutabilityPolicy) {
                         # Output details if the container has an immutability policy
                         Write-Output "Subscription: $($subscription.Name), Storage Account: $($storageAccount.StorageAccountName), Container: $($container.Name), Immutability Policy: $($immutabilityPolicy)"

    Additional Considerations

    • Permissions: Ensure you have the necessary permissions to list storage accounts and containers across subscriptions.
    • Output Format: The script outputs to the console. You can modify it to export the data to a CSV file or another format if needed.
    • API Rate Limits: Keep in mind that running this script may take time, especially if you have a large number of subscriptions and storage accounts, due to API rate limits.

    This script provides a basic framework. Depending on your exact needs, it might require further customization. If you're not comfortable with PowerShell scripting, you may want to seek assistance from someone with a development background.

    Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Anand Prakash Yadav 380 Reputation points Microsoft Vendor

    Hello Neels Sham,

    Thank you for posting your query here!

    I attempted to reproduce the inquiry and did not encounter any issues.

    Hope this helps.

    You can connect to Azure PowerShell in the Azure Cloud Shell environment.

    Step 1: Use the following command to list all subscriptions in your current directory:


    Step 2: Use the following command and set the subscription context to the one you want to work with:

    Set-AzContext -SubscriptionId <SubscriptionId>

    Step 3: You can use the following commands to list storage accounts, containers, and blobs with immutable policies:

    $storageAccounts = Get-AzStorageAccount
    foreach ($storageAccount in $storageAccounts) {
        $containers = Get-AzStorageContainer -Context $storageAccount.Context
        foreach ($container in $containers) {
            $blobs = Get-AzStorageBlob -Context $storageAccount.Context -Container $container.Name
            $immutabilityPolicy = Get-AzRmStorageContainerImmutabilityPolicy -ContainerName $container.Name -ResourceGroupName $storageAccount.ResourceGroupName -AccountName $storageAccount.StorageAccountName
            Write-Output "Storage Account: $($storageAccount.StorageAccountName), Container: $($container.Name), Immutability Policy: $($immutabilityPolicy.ImmutabilityPeriodSinceCreationInDays) days"

    This should give you the Storage Account Name, Container Name, and Immutability Policy (in number of days) for all the Storage Accounts and Containers in the subscription.

    Repeat Steps 2-3 for each subscription by setting the subscription context and executing the script.

    Please make sure you have the necessary permissions to access the Azure resources.

    Kindly let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments