Enable Versioning for Blobs

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Storage accounts are configured with blob versioning in order to protect your object data from being overwritten or accidentally deleted. Blob versioning is a method of keeping multiple variants of a blob within the same Azure Storage account.

Security
Reliability

With blob versioning enabled, Azure Storage object data can be recovered from both unintended user actions and application failures, as the versioning feature allows you to preserve, retrieve, and restore versions of objects. Blob versioning acts as an extra layer of data protection and can be used for retention scenarios such as recovering objects that have been accidentally or intentionally deleted, or overwritten by users or applications.


Audit

To determine if blob versioning is enabled for your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, choose Overview, and select the Properties tab to access the configuration properties available for the selected Storage account.

07 Choose the Blob service section and check the Versioning feature status to determine if blob versioning is enabled for your Storage account. If Versioning is set to Disabled, blob versioning is not enabled for the selected Microsoft Azure Storage account.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter, to make it the current active subscription (the command does not produce any output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account list command (Windows/macOS/Linux) with custom output filters to return the identifier (name) of each storage account provisioned in the selected subscription:

az storage account list --query '[*].name'

05 The command output should return the requested storage account names:

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run the storage account blob-service-properties show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to determine if blob versioning is enabled for the selected Storage account:

az storage account blob-service-properties show --account-name project5storageaccount --query '{"isVersioningEnabled":isVersioningEnabled}'

07 The command output should return the Versioning feature status:

{
	"isVersioningEnabled": false
}

If the storage account blob-service-properties show command output returns null or false for "isVersioningEnabled", as shown in the example above, blob versioning is not enabled for the selected Microsoft Azure Storage account.

08 Repeat steps no. 6 and 7 for each Azure Storage account created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
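
The CLI audit steps above, combined into one POSIX shell script as an added example (not part of the original page or any vendor tooling). The function names and the --run switch are assumptions of this example; it requests -o tsv output so results can be read line by line.

```shell
#!/bin/sh
# Added example: audit blob versioning across every subscription and account.

# Map the isVersioningEnabled value to a state. Only true counts as enabled;
# false, null/None and empty output all mean versioning is not enabled.
# The comparison is case-insensitive because tsv output may capitalise booleans.
versioning_state() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true)    echo enabled ;;
        unknown) echo unknown ;;
        *)       echo disabled ;;
    esac
}

# Print "subscription account state" for each storage account in one subscription.
# stdin is redirected on every az call so it cannot swallow the loop's input.
audit_subscription() {
    sub=$1
    az account set --subscription "$sub" </dev/null || return 1
    az storage account list --query '[*].name' -o tsv </dev/null |
    while IFS= read -r account; do
        [ -n "$account" ] || continue
        value=$(az storage account blob-service-properties show \
            --account-name "$account" \
            --query 'isVersioningEnabled' -o tsv </dev/null) || value=unknown
        printf '%s %s %s\n' "$sub" "$account" "$(versioning_state "$value")"
    done
}

# Audit all subscriptions; exit status is non-zero if any account is not
# confirmed as enabled, so the script can gate a pipeline or scheduled job.
audit_all() {
    report=$(az account list --query '[*].id' -o tsv </dev/null |
        while IFS= read -r sub; do
            [ -n "$sub" ] || continue
            audit_subscription "$sub"
        done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq ' (disabled|unknown)$'
}

# Run only when called with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

An account reported as unknown means the properties query itself failed (for example, insufficient permissions), which is treated as a finding rather than a pass.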

Remediation / Resolution

To ensure data protection and enable blob versioning for your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, choose Overview, and select the Properties tab to access the configuration properties available for the selected Storage account.

07 Choose the Blob service section and click on Disabled (link) next to Versioning to access the Versioning feature settings.

08 On the Data protection page, in the Tracking section, select the Enable versioning for blobs setting checkbox and choose whether to keep all versions or delete blob versions after the specified number of days. Choose Save to apply the configuration changes. This will enable blob versioning for the selected Microsoft Azure Storage account.

09 Repeat steps no. 5 – 8 for each Azure Storage account provisioned within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter, to make it the current active subscription (the command does not produce any output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the storage account blob-service-properties update command (OSX/Linux/UNIX) with the name of the Microsoft Azure Storage account that you want to configure as the identifier parameter, to enable blob versioning for the selected Azure Storage account:

az storage account blob-service-properties update --account-name project5storageaccount --enable-versioning true

05 The command output should return the configuration information available for the Storage account's blob service:

{
	"automaticSnapshotPolicyEnabled": null,
	"changeFeed": null,
	"containerDeleteRetentionPolicy": null,
	"cors": {
		"corsRules": []
	},
	"defaultServiceVersion": null,
	"deleteRetentionPolicy": {
		"allowPermanentDelete": false,
		"days": null,
		"enabled": false
	},
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount/blobServices/default",
	"isVersioningEnabled": true,
	"lastAccessTimeTrackingPolicy": null,
	"name": "default",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restorePolicy": null,
	"sku": null,
	"type": "Microsoft.Storage/storageAccounts/blobServices"
}

06 Repeat steps no. 4 and 5 for each Azure Storage account created within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Publication date May 8, 2025