immutableStorageWithVersioning enabled even though policy is removed

Question

immutableStorageWithVersioning enabled even though policy is removed

Lukáš Vaško 40

Hello,

I setup a WORM on my storage account with immutability policy and later I deleted it. It was never locked because of testing purposes. It was enabled on storage account level and few blobs were created there. Now I removed policy but I'm still not able to delete a storage account.

What should I do to be able to delete it?

Lukáš Vaško 40 Reputation points

2026-01-27T07:26:31.77+00:00

Hello,

thank you for your answer. However, I was not able to delete a blobs from container and got error saying that a blob is immutable due to a policy which I have already removed from storage account and containers.

Is there anything else I can do to delete blobs?
Thanmayi Godithi 6,245 Reputation points Microsoft External Staff Moderator

2026-01-29T01:27:24.47+00:00

Hi @Lukáš Vaško,

If the immutability policy was removed but blobs still cannot be deleted, this is expected behavior when ImmutableStorageWithVersioning is enabled.

When version-level immutability is enabled, immutability is enforced on individual blob versions. Any blob version created while an immutability policy was in effect remains immutable, even if the policy is later unlocked or deleted. Policy removal is not retroactive.

Key points to note:

Version-level immutability cannot be disabled once enabled on a storage account.

Existing blob versions remain protected until their retention period expires.

Locked blob versions cannot be deleted or overridden by CLI, Portal, or Support.

All blob versions and snapshots must be deleted before a container or storage account can be deleted.

Control-plane operations (for example, az storage container-rm delete) are required, but they do not bypass active immutability retention.

The next step is to inspect the affected blob versions and check their immutability retention expiry time. Once the retention period expires for all versions, blob deletion will succeed, followed by container and storage account deletion.

This behaviour is by design to preserve WORM compliance guarantees.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Answer accepted by question author

0 additional answers

Your answer

Lukáš Vaško 40 Reputation points

2026-01-27T07:26:31.77+00:00

Hello,

thank you for your answer. However, I was not able to delete a blobs from container and got error saying that a blob is immutable due to a policy which I have already removed from storage account and containers.

Is there anything else I can do to delete blobs?
Thanmayi Godithi 6,245 Reputation points Microsoft External Staff Moderator

2026-01-29T01:27:24.47+00:00

Hi @Lukáš Vaško,

If the immutability policy was removed but blobs still cannot be deleted, this is expected behavior when ImmutableStorageWithVersioning is enabled.

When version-level immutability is enabled, immutability is enforced on individual blob versions. Any blob version created while an immutability policy was in effect remains immutable, even if the policy is later unlocked or deleted. Policy removal is not retroactive.

Key points to note:

Version-level immutability cannot be disabled once enabled on a storage account.

Existing blob versions remain protected until their retention period expires.

Locked blob versions cannot be deleted or overridden by CLI, Portal, or Support.

All blob versions and snapshots must be deleted before a container or storage account can be deleted.

Control-plane operations (for example, az storage container-rm delete) are required, but they do not bypass active immutability retention.

The next step is to inspect the affected blob versions and check their immutability retention expiry time. Once the retention period expires for all versions, blob deletion will succeed, followed by container and storage account deletion.

This behaviour is by design to preserve WORM compliance guarantees.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Answer 1

Hi @Lukáš Vaško,

Thank you for confirming and for sharing the exact CLI error, this behavior is expected and aligns with how version-level immutability (ImmutableStorageWithVersioning) works in Azure Blob Storage.

Although the immutability policy was unlocked and deleted, the key point is that:

This is explicitly documented by Microsoft:

“Version-level immutability cannot be disabled after it is enabled on the storage account, although unlocked policies can be deleted.”

Because of this:

The storage account still has ImmutableStorageWithVersioning enabled

Azure blocks deletion of containers that are not empty

“Not empty” includes:

Current blobs
All blob versions
Snapshots (if any)

That is why the following command fails:

az storage container-rm delete --name <container> --storage-account <account>

with:

(ContainerProtectedFromDeletion)
The storage account container is protected from deletion due to ImmutableStorageWithVersioning

Azure enforces this protection before container deletion, regardless of whether an immutability policy currently exists.

To delete the storage account, the following sequence is required:

1.Delete all blobs from each container

This must include all blob versions, not just the latest version
If versioning was enabled, older versions continue to exist and block deletion

2.Delete the containers

Once a container has zero blobs, versions, and snapshots, container deletion will succeed

3.Delete the storage account

This requirement is also documented:

User's image

Refer: Configure immutability policies for blob versions

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please "Accept the answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Share via

immutableStorageWithVersioning enabled even though policy is removed

0 additional answers

Your answer