Share via

❓ Cannot Upload .bacpac File to Blob Container with Time-Based Immutability Policy

Biswas Shilpa (SEIT) 20 Reputation points
2025-06-20T09:20:40.55+00:00

I have a storage account with a container that has a time-based immutability policy enabled (immutabilityPeriodSinceCreationInDays: 30, state: Unlocked). I’m using GitHub Actions to take automated SQL database backups via az sql db export, which saves the .bacpac file to this container.

Each backup generates a unique blob name using the GitHub run ID, so no overwrites are attempted.

However, I'm getting the following error during upload:
This operation is not permitted as the blob is immutable due to a policy.

ErrorCode: BlobImmutableDueToPolicy

Container Immutability Policy:

{

"immutabilityPeriodSinceCreationInDays": 30,

"state": "Unlocked",

"allowProtectedAppendWrites": false,

"allowProtectedAppendWritesAll": false

}
Why am I unable to upload new blobs with unique names to a container that has a time-based immutability policy (in Unlocked state)? Is version-level immutability required to upload new blobs when container-level immutability is in effect?

Azure Storage
Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,529 questions
0 comments
Accepted answer
  1. Alex Burlachenko 9,780 Reputation points
    2025-06-20T12:34:38.0166667+00:00

    Biswas hi there,

    even when the policy is 'unlocked', u still can't just upload new files like normal. the container itself locks down any writes during the immutability period, unless u specifically allow it. kinda strict, right?

    for microsoft's way to fix this, u gotta tweak your container settings. set 'allowProtectedAppendWrites' to true in your immutability policy. this lets u add new blobs while keeping existing ones locked.

    when dealing with immutable storage, always plan your backup strategy around the lock period. maybe create a new container for each backup cycle? or use versioning if your storage system supports it. this might help in other tools too.

    also worth looking into whether your backup tool can handle immutable storage natively. some just don't play nice with these policies. u might need to adjust your github action to use different storage during the immutability window.

    microsoft's sql export might be trying to modify metadata or something during upload. try using azcopy instead for more control. their docs have a good section on immutable blobs https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs.

    hope this unsticks your backups,

    rgds,

    Alex

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vedprakash Rote 180 Reputation points Microsoft External Staff Moderator
    2025-06-20T12:51:45.8266667+00:00

    Hi Biswas Shilpa (SEIT),

    Thank you for your question

    The issue you're facing stems from how Azure Blob Storage enforces immutability policies, even when the container is in an "Unlocked" state.

    your container's immutability policy is in the "Unlocked" state, Azure still enforces the policy on any blob created. Here's what that means: 

    When a new blob is uploaded to a container with a time-based immutability policy, it becomes immutable immediately upon creation.

    If the upload process includes multiple stages (such as creating the blob, writing data, and setting metadata), and any of these steps attempt to modify the blob after its creation, Azure will block it with an error.

    ErrorCode: BlobImmutableDueToPolicy

    This is likely the issue with the "az sql db" export, as it may be facing challenges due to the immutability policy.   
    1.Create the blob.   
    2.Attempt to write or update metadata or properties.   
    3.Get blocked because the blob is now immutable.

    The container's immutability policy is currently "Unlocked," which allows you to change or delete the policy, however, blobs that have already been written remain immutable. When the policy is "Locked," it cannot be changed or removed until the retention period expires. So, "Unlocked" doesn't mean blobs can be written to. It just means the policy itself can be changed.   
    here, are some steps to solve:  

    The container's immutability policy is currently "Unlocked," which allows you to change or delete the policy, however, blobs that have already been written remain immutable. When the policy is "Locked," it cannot be changed or removed until the retention period expires. So, "Unlocked" doesn't mean blobs can be written to. It just means the policy itself can be changed. 
    Here, are some steps to solve:  
    consider using a staging container:

    • Upload .bacpac files to a separate container where immutability is not enabled.
    • After the upload finishes, copy the blob to the immutable container using Start-Copy or az storage blob copy start.

    Use version-level immutability if it is supported. 1.Version-level immutability enables creating new blob versions while keeping earlier versions immutable. 2.However, this might not be effective if the export tool attempts to modify the blob after it has been created.
    Consider temporarily removing the immutability policy:
    If your process involves writing metadata or modifying the blob, you can:

    • Remove the immutability policy before the upload,
    • Then reapply the policy after the upload is complete.
    • This can only be done while the policy is in the unlocked state.

    Reference:

    I hope this information helps. Please do let us know if you have any further queries.

    Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.