Who Deleted a Blob?

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

It is sometimes useful to know who created, modified, or deleted a storage blob. For that information to be recorded in a log, the request must be authenticated with Azure AD so that the user information is populated correctly.

There are two sets of logs that can help: Azure Monitor logs and classic Analytics logs.

1. Azure Monitor storage columns - https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/storagebloblogs

Columns of interest

CallerIpAddress - The IP address of the requester, including the port number

OperationName - The type of REST operation that was performed

RequesterObjectId - The OAuth object ID of the requester

RequesterUpn - The User Principal Name of the requester

2. Classic Analytics logs columns - https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-log-format
(version 2.0 format has the columns that record user info)

Columns of interest

operation-type - The type of REST operation performed

requester-ip-address - The IP address of the requester, including the port number

user-object-id - The object ID used for authentication. May be any security principal, including a user, managed identity, or service principal

user-principal-name - User principal name used in bearer authorization

Delete a blob using Azure CLI and AAD authentication


Query Azure Monitor logs for DeleteBlob requests that use OAuth (AAD)
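
A query of this kind, written against the StorageBlobLogs columns listed above; it is an added example, not the query from the original post. The one-day time window is an assumption, and the query goes slightly further than the heading by keeping non-OAuth deletes in the result and flagging them, so deletions with no recorded identity stay visible.

```kusto
// Added example: who issued DeleteBlob requests in the last day (window is an assumption).
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where OperationName == "DeleteBlob"
// Requester identity is only populated for Azure AD (OAuth) requests;
// deletes made with an account key or SAS token will have it empty.
| extend IdentityRecorded = AuthenticationType == "OAuth"
// A service principal or managed identity may have no UPN, so fall back to the object ID.
| extend Requester = iff(isnotempty(RequesterUpn), RequesterUpn, RequesterObjectId)
| project TimeGenerated, AccountName, Uri, StatusCode, StatusText,
          AuthenticationType, IdentityRecorded, Requester, RequesterObjectId, CallerIpAddress
| order by TimeGenerated desc
```

Rows where IdentityRecorded is false can only be attributed through CallerIpAddress and the time of the request.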


Check classic Analytics log for the DeleteBlob request


Further information
Monitoring Azure Blob Storage


Azure Storage analytics logging

