If the policy inherited from a previous version is unlocked, the retention interval can be shortened or extended, or the policy can be deleted. The policy for a previous version can also be locked for that version, even if the policy for the current version is unlocked. You cannot delete a locked time-based retention policy. You can extend, but not shorten, the retention period. A maximum of five increases to the effective retention period is allowed over the lifetime of a locked policy that is scoped to a container. For a policy configured on a blob version, there is no limit on the number of increases to the retention period.

Time-based retention policies: A time-based retention policy lets users store data for a specified interval. While a time-based retention policy is in effect, objects can be created and read, but cannot be modified or deleted. After the retention period expires, objects can be deleted, but not overwritten. For more information about time-based retention policies, see Time-Based Retention Policies for Immutable Blob Data.
To lock a policy using the Azure CLI, call the az storage blob immutability-policy set command and set the --policy-mode parameter to Locked. You can also change the expiry at the time you lock the policy.

Ensure that immutable blob storage is enabled for Microsoft Azure Storage blob containers that hold sensitive or business-critical data. Immutable blob storage lets you store critical production data objects in a Write Once, Read Many (WORM) state, which makes the data non-erasable and non-modifiable for a user-specified interval. Blobs can be created and read for the duration of the configured retention interval, but cannot be modified or deleted. The feature supports two types of policy that you can apply to a container to keep its data in an immutable, delete-protected state:

1. A time-based immutability policy: this policy can be used for regulatory compliance to lock data for a specified interval. After the policy is locked, it cannot be unlocked.
2. A legal hold policy: this lets you place an indefinite lock on all blobs in a container. When a legal hold is set, the container's data is placed in a delete-protected and change-protected state.

After versioning is enabled and a blob is uploaded for the first time, that version of the blob is the current version.
Each time the blob is overwritten, a new version is created that preserves the previous state of the blob. If you delete the current version of a blob, the current version becomes a previous version and is retained until it is explicitly deleted. A previous blob version keeps the time-based retention policy that was in effect when the current version became a previous version.

After you enable version-level immutability support for a storage account or container, you can configure a default time-based retention policy for the account or container. If you configure a default time-based retention policy for the account or container and then upload a blob, the blob inherits that default policy. You can also override the default policy for an individual blob at upload time by configuring a custom policy for that blob. When you use the Azure portal to upload a blob to a container that supports version-level immutability, you have several options for configuring a time-based retention policy for the new blob.

If the default time-based retention policy for the account or container is unlocked, the current version of a blob that inherits the default policy also has an unlocked policy. Once a blob has been uploaded, you can shorten or extend the retention period of the policy for the current version of the blob, or delete the current version.
You can also lock the policy for the current version, even if the default policy for the account or container remains unlocked. If a default policy is in effect for the storage account or container, then when an overwrite operation creates a previous version, the new current version inherits the default policy for the account or container.
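The rules above (unlocked policies may be shortened, extended or deleted; locked policies may only be extended, with a five-extension cap for container-scoped policies and no cap for version-scoped ones; WORM blobs can be deleted only after expiry and never overwritten; a legal hold blocks both) are easy to misread, so here is an added example that models them as a small policy-check routine. This is illustrative code written for this page, not Azure SDK or CLI code; the class, method and constant names are assumptions.

```python
from dataclasses import dataclass

# Constructed constant taken from the text: a locked container-scoped policy may be extended at most five times.
MAX_CONTAINER_EXTENSIONS = 5


@dataclass
class TimeRetentionPolicy:
    """Hypothetical model of one time-based retention policy (not the Azure SDK)."""
    scope: str                 # "container" or "version"
    retention_days: int
    locked: bool = False
    extensions: int = 0        # increases applied while locked

    def set_retention(self, days: int) -> None:
        """Apply the unlocked/locked rules for changing the retention period."""
        if days <= 0:
            raise ValueError("retention must be positive")
        if not self.locked:
            self.retention_days = days  # unlocked: shorten or extend freely
            return
        if days <= self.retention_days:
            raise PermissionError("locked policy: retention can only be extended")
        if self.scope == "container" and self.extensions >= MAX_CONTAINER_EXTENSIONS:
            raise PermissionError("locked container policy: extension limit reached")
        self.retention_days = days
        self.extensions += 1   # version-scoped policies have no limit

    def lock(self, days=None) -> None:
        """Lock the policy, optionally changing the expiry at lock time; locking is irreversible."""
        if days is not None:
            self.set_retention(days)
        self.locked = True

    def delete(self) -> None:
        if self.locked:
            raise PermissionError("a locked policy cannot be deleted")


def blob_operation_allowed(op: str, policy: TimeRetentionPolicy,
                           days_elapsed: int, legal_hold: bool = False) -> bool:
    """Decide whether 'create', 'read', 'delete' or 'overwrite' is permitted on a blob."""
    if op in ("create", "read"):
        return True               # always allowed under WORM
    if legal_hold:
        return False              # legal hold: delete- and change-protected, indefinitely
    if op == "delete":
        return days_elapsed >= policy.retention_days   # only after retention expires
    if op == "overwrite":
        return False              # never allowed, even after expiry
    raise ValueError(f"unknown operation: {op}")
```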
