Hi, today I want to talk to you about immutable storage. Immutable Storage is an Azure Blob Storage capability that allows you to store business-critical data in a WORM state (write once, read many). This state is set at the container level, and through policies, you can set time-based retention, extend retention intervals, set and remove legal holds. These policies apply to all blobs in the container, both existing and new.

Immutable storage supports two policy types: time-based retention policies and legal holds.

With the characteristics of Azure immutable storage explained, we can begin the tutorial.

In this post, I’ll show you how to list, create, update, lock, and extend immutability policies in your Azure Blob storage using Azure CLI.


  • This tutorial assumes that you already have a Microsoft Azure account configured.
  • You can use an existing Storage Account, or you can create a new one. If you want to know how to create a Storage Account using PowerShell, check out this link.

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.

First, we define the characteristics of our environment and store the values in variables.

Time-based retention Policy

First, use the following command to list the commands available for working with immutability policies.

Gets the existing immutability policies

If you want to see the existing immutability policies, you should use the following command.

Creates an immutability policy

To create an immutability policy for a container, you should use the following command.

--period: The time period must be indicated in days.

Immutability policies are always created in the unlocked state.

Updates an immutability policy

As long as the state of the policy is unlocked, you can modify it. In the following example, the policy is modified to allow the creation of new blobs in the container.


Set the Immutability Policy to Locked state

Important: Keep in mind that once the policy is established, its deletion is not allowed and you must wait for the period of time stipulated in the policy to be able to delete both the container and the storage account.

To lock an immutability policy, first store the ETag value of the policy you want to lock in the $etag variable, and then use the following command to lock the policy.

Extend the immutability Period

If you want to extend the policy period, use the following command. As with the lock command, you should use the ETag value of the policy.

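The time-based retention steps above (create, update, lock, extend) combined into one script. This is an added example, not the commands from the original post; the resource group, account and container names, the `DRY_RUN` switch and the helper function names are assumptions, and by default the script prints the `az` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): time-based retention lifecycle.
# RG, ACCOUNT and CONTAINER defaults are constructed placeholders.
RG="${RG:-rg-demo}"
ACCOUNT="${ACCOUNT:-stdemoworm}"
CONTAINER="${CONTAINER:-records}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# policy <subcommand> [args...]: scope every call to the same container.
policy() {
  sub="$1"; shift
  run az storage container immutability-policy "$sub" \
    --resource-group "$RG" --account-name "$ACCOUNT" \
    --container-name "$CONTAINER" "$@"
}

# The ETag changes on every policy write, so read it right before use.
current_etag() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' '"constructed-etag"'   # constructed stand-in value
  else
    policy show --query etag --output tsv
  fi
}

create_policy() { policy create --period "$1"; }   # period in days

# Updating an unlocked policy reuses "create" with the current ETag.
allow_appends() {
  policy create --if-match "$(current_etag)" --period "$1" \
    --allow-protected-append-writes true
}

# Locking cannot be undone, so require an explicit "confirm" argument.
lock_policy() {
  if [ "${1:-}" != "confirm" ]; then
    echo "refusing to lock: pass 'confirm' (lock is irreversible)" >&2
    return 1
  fi
  policy lock --if-match "$(current_etag)"
}

extend_policy() { policy extend --if-match "$(current_etag)" --period "$1"; }

# Walk-through: 1-day policy, allow appends, lock, then extend to 2 days.
create_policy 1; allow_appends 1; lock_policy confirm; extend_policy 2
```

Review the printed commands first, then set `DRY_RUN=0` in a logged-in Cloud Shell session to execute them against your own container.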

Legal holds Policy

First, use the following command to list the commands available for working with legal hold policies.

Get the legal hold properties

If you want to see the properties of existing legal hold policies, you should use the following command.


Set a legal hold

To set a legal retention policy, you must use the following command. The --tags parameter is used as a named identifier, such as a case ID or event, to categorize and describe the purpose of the hold.

Clear a legal hold

Finally, to delete the policy, you must use the following command, indicating in your request the associated tags that you want to remove.


Thanks for reading my post. I hope you find it useful.

If you want to know more about immutable storage, check out this link: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage