Profile Applicability:

  • Level 2

Description:

Enabling blob versioning allows Azure to retain previous versions of blobs automatically. When versioning is enabled, every write operation to a blob results in the creation of a new version. These versions can be restored if the current blob is deleted or overwritten.

Rationale:

Blob versioning supports data integrity and recoverability. It protects against accidental deletion, unintended overwrites, or malicious tampering by maintaining a history of changes.

Impact:

  • Enabling versioning increases storage consumption and may raise storage costs.

  • Organizations can mitigate this by applying lifecycle management policies to automatically delete older blob versions.

Default Value:

Blob versioning is disabled by default on Azure storage accounts.

Pre-Requisites:

  • The storage account must be a General-purpose v2 (StorageV2) account.

Test Plan:

Using Azure Console:

  1. Navigate to Storage accounts in the Azure Portal.

  2. Select a storage account with Blob storage enabled.

  3. Under Settings, click Data protection.

  4. Confirm that Enable versioning for blobs is checked.

Using Azure CLI:

Run:

az storage account blob-service-properties show --account-name <storage-account>

Ensure the output includes:

"isVersioningEnabled": true

Using PowerShell:

Create a context:

$context = New-AzStorageContext -StorageAccountName <storage-account>

Check versioning:

$account = Get-AzStorageBlobServiceProperty -ResourceGroupName <resource-group> -AccountName <storage-account>
$account.IsVersioningEnabled
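
The Azure CLI check above, extended to every storage account in the current subscription. This is an added example, not part of the original benchmark text; the function names and the PASS / FAIL / PREREQ_NOT_MET labels are assumptions, and a live run assumes an authenticated Azure CLI session.

```sh
#!/bin/sh
# Added example: audit blob versioning across the current subscription.

# classify KIND ENABLED -> PASS | FAIL | PREREQ_NOT_MET
# ENABLED is the value az prints for isVersioningEnabled with -o tsv.
classify() {
  if [ "$1" != "StorageV2" ]; then
    echo "PREREQ_NOT_MET"      # page prerequisite: General-purpose v2 only
  elif [ "$2" = "true" ]; then
    echo "PASS"
  else
    echo "FAIL"                # false, empty, or the query itself failed
  fi
}

# Reads "name<TAB>resourceGroup<TAB>kind" lines on stdin, prints one result
# line per account, and returns non-zero if any account is a FAIL.
audit_versioning() (
  tab=$(printf '\t')
  failures=0
  while IFS="$tab" read -r name rg kind; do
    enabled=""
    if [ "$kind" = "StorageV2" ]; then
      # </dev/null keeps az from consuming the account list on stdin.
      enabled=$(az storage account blob-service-properties show \
        --account-name "$name" --resource-group "$rg" \
        --query isVersioningEnabled -o tsv </dev/null 2>/dev/null) || enabled="error"
    fi
    result=$(classify "$kind" "$enabled")
    printf '%s\t%s\t%s\n' "$result" "$rg" "$name"
    if [ "$result" = "FAIL" ]; then failures=$((failures + 1)); fi
  done
  [ "$failures" -eq 0 ]
)

# Live run against the subscription: sh audit.sh live
if [ "${1:-}" = "live" ]; then
  az storage account list --query "[].[name,resourceGroup,kind]" -o tsv |
    audit_versioning
fi
```

The non-zero exit status on any FAIL lets the script gate a scheduled compliance job.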

Implementation Plan:

Using Azure Console:

  1. Go to Storage accounts.

  2. Click on a storage account.

  3. Select Data protection under Settings.

  4. Check Enable versioning for blobs.

  5. Choose to either:

    • Keep all versions, or

    • Delete versions after a specified number of days.

  6. Click Save.

Using Azure CLI:

Run:

az storage account blob-service-properties update --account-name <storage-account> --enable-versioning true

Using PowerShell:

Run:

Update-AzStorageBlobServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -IsVersioningEnabled $true

Backout Plan:

Using Azure Console:

  1. Go to Storage accounts.

  2. Open the relevant storage account.

  3. Navigate to Data protection.

  4. Uncheck Enable versioning for blobs.

  5. Click Save.

Using Azure CLI:

Run:

az storage account blob-service-properties update --account-name <storage-account> --enable-versioning false

Using PowerShell:

Update-AzStorageBlobServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -IsVersioningEnabled $false

References: