May 22, 2025
Background:
We often encounter scenarios where we need to delete blobs that have been idle in a storage account for an extended period. For a small number of blobs, deletion can be handled easily using the Azure Portal, Storage Explorer, or inline scripts such as PowerShell or Azure CLI.
However, in most cases, we deal with a large volume of blobs, making manual deletion impractical. In such situations, it’s essential to leverage automation tools to streamline the deletion process. One effective option is using Automation Tasks, which can help schedule and manage blob deletions efficiently.
Note: Behind the scenes, an automation task is actually a logic app resource that runs a workflow. So, the Logic Apps Consumption pricing model applies to automation tasks.
Scenarios where “Automation Tasks” are helpful:
- You have a requirement to automate deletion of blobs which are older than a specific time, in days, weeks or months.
- You don’t want to put in much manual effort and would rather have simple UI-based steps to achieve your goal.
- You have System containers, and you want to act on them.
  “LCM (Life Cycle Management)” can also be used to automate deletion of older blobs; however, LCM cannot be used to delete blobs from System containers.
- You have to work on page blobs.
Setup “Automation Tasks”:
Let’s walk through how to achieve our goal.
- Navigate to the desired storage account, scroll down to the “Automation” section, select the “Tasks” blade, and then click “Add Task” from the top panel or bottom panel (highlighted in image).
- On the next page, click “Select” (highlighted in image).
- The new page which opens up should look as below; there is nothing to change on it, so just click “Next : Configure” (highlighted in image) and move to the next screen.
- The page that opens needs to be filled in as per your requirement. I have added a sample. You can use it on your own containers as well.
- ‘sample’ is a folder inside container ‘$web’
The “Expiration Age” field means that blobs older than this number of days need to be deleted. In the above screenshot, blobs older than 180 days would be deleted.
Similarly, we can configure values in weeks or months as well.
Once we are through with the steps, proceed with creation of the task.
- Once the task is created, it looks as below:
- You can click on “View Run” to see the run history.
- In case you want to modify the task, click on your task’s name. For example, in the above screenshot I can modify the task by clicking the “mytask” link and re-configuring it.
Now this isn’t sufficient. We need to update some of the steps which were used to create the logic app, so we will edit those steps and save them before re-running the app.
a) Go to the logic app and navigate to the “Logic App Designer” blade
b) Now click on the “+” sign as shown below and “Add an Action”
c) Once the new page opens up, search for “List Blobs (v2)” and select it
d) Choose the “Enter custom value” and enter your storage account name
e) The values would look as shown below
f) Now let’s navigate to the “For Each” condition
g) We need to delete the “Delete blob” action too and replace it with “Delete blob (V2)”
h) The “Delete blob (V2)” action looks as below
i) With all steps ready, let’s save the logic app and click on “Run”. You should observe the run passing successfully.
Impact due to Firewall:
The above steps work when your storage account is configured for public access.
However, when the firewall is enabled, you need to provide the necessary permissions, or else you are going to encounter 403 “Authorization Failure” errors. There would be no issue creating the task, but you will see failures when you check the runs. Example:
To overcome this limitation, navigate to your logic app, generate a managed identity for the app, and grant that identity the “Storage Blob Data Contributor” role.
Step 1. Enable Managed Identity:
- In Azure Portal, go to your Logic App resource.
- Under Settings, select Identity.
- In the Identity pane, under System assigned, select On and Save.
- This step registers the system-assigned identity with Microsoft Entra ID, represented by an object ID.
Step 2. Assign Necessary Role:
- Open the Azure Storage Account in Azure Portal.
- Select Access control (IAM) > Add > Add role assignment.
- Assign a role like ‘Storage Blob Data Contributor’, which includes write access for blobs in an Azure Storage container, to the managed identity.
- Under Assign access to, select Managed identity > Add members, and choose your Logic App’s identity.
- Save and refresh; you should see the new role configured on your storage account.
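A check for the Step 2 role assignment, as an added example that is not part of the original post: it takes role assignments in the JSON shape printed by `az role assignment list` and reports whether the Logic App’s identity holds a role with blob delete permission at a scope that covers the container. The subscription, account and principal IDs are constructed placeholders.

```python
import json

# Built-in roles whose data actions include blob delete. "Owner" and
# "Contributor" are management-plane roles and carry no blob data actions.
BLOB_DELETE_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}

# Constructed sample values (placeholders, not from the original post).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/demostorage"
CONTAINER = ACCOUNT + "/blobServices/default/containers/$web"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # Logic App identity object ID
SAMPLE = json.loads("""[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor", "scope": "%s"}
]""" % ACCOUNT)


def covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (itself or an ancestor)."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def check_identity(assignments, principal_id, container_id):
    """Return (can_delete, findings) for one identity against one container."""
    mine = [a for a in assignments if a["principalId"].lower() == principal_id.lower()]
    in_scope = [a for a in mine if covers(a["scope"], container_id)]
    granting = [a for a in in_scope if a["roleDefinitionName"] in BLOB_DELETE_ROLES]
    findings = []
    if not mine:
        findings.append("no role assignments for this identity")
    elif not in_scope:
        findings.append("assignments exist but none cover the target container")
    elif not granting:
        names = sorted({a["roleDefinitionName"] for a in in_scope})
        findings.append("roles in scope lack blob delete: " + ", ".join(names))
    for a in granting:
        # Subscription and resource-group scopes contain no "/providers/" segment.
        if "/providers/" not in a["scope"].lower():
            findings.append("data role granted above the storage account: " + a["scope"])
    return bool(granting), findings


if __name__ == "__main__":
    print(check_identity(SAMPLE, PRINCIPAL, CONTAINER))
```

The constructed sample reproduces a common cause of a persisting 403: the identity has “Contributor” on the account, which does not include blob data access.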
Remember that if the storage account and the logic app are in different regions, you need an additional step in the storage account firewall: whitelist the logic app instance in the “Resource instances” list as shown below:
Conclusion:
Multiple ways to act on blobs are provided for your convenience. Your requirements, feasibility, and other factors such as your comfort with the feature or its pricing will certainly influence your decision.
However, in case you want to act on System containers like $logs or $web, “Automation Tasks” is one of the most helpful features you can use to achieve your goal.
Note: At the time of writing this blog, this feature is still in preview. So be sure to check whether there are any limitations which might impact you before implementing it in your Production environment.