Azure Blob Storage ABAC + Index Tags: can NOT exists(blobIndexTags['key']) temporarily allow reads after upload?

Question

I am designing a security-critical solution using Azure Blob Storage, RBAC with ABAC conditions, and Blob Index Tags, together with Microsoft Defender for Cloud for malware scanning.

I understand from the documentation and community posts that blob index tags are indexed asynchronously and are therefore eventually consistent. That part is clear.

What is still unclear to me — and I could not find explicit documentation for — is how this affects ABAC enforcement at read time, especially when tags are provided during the blob upload itself.

Scenario:

A blob is uploaded using a single PUT request (or SDK equivalent).

The request includes index tags via the x-ms-tags header.

Read access is controlled using an ABAC condition based on tag existence (for example exists / NOT exists).

Defender for Cloud may later update tags based on malware scan results.

Core question:

When a blob is uploaded with index tags provided in the same request, is ABAC guaranteed to see those tags when evaluating read access?

Or, due to asynchronous indexing, is it possible that ABAC temporarily evaluates the blob as having no index tags, causing:

NOT exists(blobIndexTags['key']) == true

and therefore allowing download access to a blob that should still be blocked?

In other words:

Does ABAC evaluate tags from the transactional write path, or

Does it rely only on the asynchronously indexed tag store?

Additional clarification requested:

Is there any documented guarantee or upper bound for index tag visibility in ABAC evaluation?

Is a design where “missing tag = allow” considered safe when using ABAC + index tags?

This distinction is very important for security-by-design scenarios (e.g., blocking reads until malware scanning completes). Any official clarification or documentation reference would be greatly appreciated.

Answer 1

Hi @Iacono, Vito,

Thank you for reaching out on Microsoft Q&A forum.

Azure Blob Storage supports blob index tags, and Microsoft documentation states that the blob index is updated asynchronously. While tags are attached to the blob immediately when they are set (including when provided during upload), the index that powers tag-based discovery and evaluation may take some time to update.

ABAC conditions for Blob Storage reference blobIndexTags, which rely on this indexed view of tags. Microsoft documentation does not state that ABAC evaluates tags transactionally from the write path, nor does it provide a guarantee that newly set tags are immediately visible during authorization decisions.

Because of this behavior:

There may be a brief period after upload where ABAC conditions evaluate a blob as missing a tag, even if the tag was recently set.

Microsoft does not publish any upper bound for how long index propagation can take.

For this reason, designs that rely on “missing tag = allow” are not considered safe as a security boundary. For security-by-design scenarios (such as malware scanning), the recommended approach is to default to deny and explicitly allow access only when a known-good tag value (for example, MalwareScanResult = Clean) is present.

This avoids reliance on tag indexing timing and aligns with least-privilege and zero-trust principles.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful,please "Accept the answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".