
Is Azure Policy able to report on soft delete for blob , container and files?

Robert Allcock 0 Reputation points
2026-03-13T15:07:35.36+00:00

Is Azure Policy able to report on soft delete for blob, container and files regardless of whether or not they've had anything set up / created or changed for each component? The important bit here is for new storage accounts that may have no configuration change from default for blob, file or container, as I've previously had it half working for storage accounts that had some sort of change to their config.

If anyone has managed to do this, I'd appreciate a share of the definition.

Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.


1 answer

  1. Bharath Y P 7,240 Reputation points Microsoft External Staff Moderator
    2026-03-13T15:49:03.9666667+00:00

    Hello Robert Allcock, thank you for posting your query on Microsoft Q&A platform.

    You want to know whether Azure Policy can report on Soft Delete configuration for Blob, Container and File Share, even when the storage account is newly created, no configuration has ever been modified, and the storage services are still using default settings.

    Previously, your policy only partially worked: it reported correctly only when the storage account had some configuration change, but not for untouched storage accounts. Your goal is to consistently audit Soft Delete status for all storage accounts, regardless of whether the configuration has been modified.

    Azure Policy can report Soft Delete settings even when no configuration has been changed, but only if the policy evaluates the correct resource types. Soft delete settings are not stored on the storage account resource itself. Instead, they exist under service-level resources.

    The issue occurs because of how Azure models storage resources. A storage account contains service resources underneath it, such as:

    Storage Account: blobServices/default, fileServices/default and queueServices/default

    Soft delete configuration exists only in these service resources. When a storage account is created, these default service objects already exist. But if your policy checks only:

    Microsoft.Storage/storageAccounts

    Azure Policy cannot see the soft delete properties, because they live under:

    Microsoft.Storage/storageAccounts/blobServices

    Microsoft.Storage/storageAccounts/fileServices

    That is why your earlier policy only worked after configuration changes, because those actions caused the service resource properties to appear in the evaluation context. Evaluating the service-level resource directly fixes the problem.

    You can try this with a custom policy:

    In Azure Portal > Policy > Definitions > New Policy Definition

    Use mode: Indexed

    Blob Soft Delete Audit Policy:

    {
      "properties": {
        "displayName": "Audit Blob Soft Delete not enabled",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "Audits storage accounts where Blob Soft Delete is not enabled.",
        "metadata": {
          "category": "Storage"
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts/blobServices"
              },
              {
                "field": "name",
                "equals": "default"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
                "notEquals": "true"
              }
            ]
          },
          "then": {
            "effect": "audit"
          }
        }
      }
    }
    

    Container Soft Delete Audit:

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/blobServices"
          },
          {
            "field": "name",
            "equals": "default"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
    

    File Share Soft Delete Audit:

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/fileServices"
          },
          {
            "field": "name",
            "equals": "default"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/fileServices/shareDeleteRetentionPolicy.enabled",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
    

    Assign the Policy: Assign the policy at

    • Management Group
    • Subscription
    • Resource Group

    Then allow Azure Policy compliance scan to evaluate the resources.

    You can also trigger a manual scan: az policy state trigger-scan

    Hope this helps, and please feel free to reach out if you have any further questions.

    Thanks,

