Who Deleted a Blob?
It is sometimes useful to know who created, modified, or deleted a storage blob. For the requester's identity to be recorded in the log, the request must be authenticated with Azure AD; otherwise the user fields are not populated.
There are two sets of logs that can help: Azure Monitor logs and classic Storage Analytics logs.
1. Azure Monitor storage log columns - https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/storagebloblogs
Columns of interest:
CallerIpAddress - The IP address of the requester, including the port number
OperationName - The type of REST operation that was performed
RequesterObjectId - The OAuth object ID of the requester
RequesterUpn - The User Principal Name of the requester
2. Classic Storage Analytics log columns - https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-log-format
(the version 2.0 format has the columns that record user info)
Columns of interest:
operation-type - The type of REST operation performed
requester-ip-address - The IP address of the requester, including the port number
user-object-id - The object ID used for authentication. May be any security principal, including a user, managed identity, or service principal
user-principal-name - User principal name used in bearer authorization
Steps to verify:
1. Delete a blob using the Azure CLI with Azure AD authentication.
2. Query Azure Monitor logs for DeleteBlob requests that use OAuth (Azure AD).
3. Check the classic Storage Analytics log for the DeleteBlob request.
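The three steps above, as an added example that is not part of the original post. Step 1 is the Azure CLI command `az storage blob delete --auth-mode login --account-name <account> --container-name <container> --name <blob>`; with `--auth-mode login` the CLI sends an Azure AD bearer token instead of the account key, which is what makes the identity fields appear. The Python below covers steps 2 and 3: it holds the KQL query to run against the StorageBlobLogs table (for example with `az monitor log-analytics query --analytics-query`, or in the Log Analytics blade of the workspace) and a parser that pulls the columns of interest out of a version 2.0 classic analytics log line. The account name, IP address, GUIDs, UPN and the log lines themselves are constructed; the field order follows the storage-analytics-log-format reference linked above (a 2.0 line has 38 semicolon-delimited fields, the last eight of which are the Azure AD identity fields, so a 1.0 line parses with those fields empty).

```python
"""Added example (not from the original post): attribute a DeleteBlob request
to an Azure AD principal via the Azure Monitor StorageBlobLogs table and via
a version 2.0 classic Storage Analytics log line."""
import csv
import io
from typing import Dict, List

# Step 2: KQL against the StorageBlobLogs table. AuthenticationType "OAuth"
# is the value Azure Monitor records for Azure AD bearer-token requests.
KQL_DELETE_BLOB_BY_AAD = """
StorageBlobLogs
| where TimeGenerated > ago(7d)
| where OperationName == "DeleteBlob"
| where AuthenticationType == "OAuth"
| project TimeGenerated, AccountName, Uri, CallerIpAddress,
          RequesterObjectId, RequesterUpn, StatusCode
| order by TimeGenerated desc
""".strip()

# Step 3: field order of a classic analytics log line. The first 30 fields are
# the 1.0 format; fields 31-38 are the 2.0 additions carrying the AAD identity.
V2_FIELDS: List[str] = [
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name",
    "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header",
    "request-header-size", "request-packet-size", "response-header-size",
    "response-packet-size", "request-content-length", "request-md5",
    "server-md5", "etag-identifier", "last-modified-time", "conditions-used",
    "user-agent-header", "referrer-header", "client-request-id",
    # version 2.0 additions
    "user-object-id", "tenant-id", "application-id", "audience", "issuer",
    "user-principal-name", "reserved-field", "authorization-detail",
]
V1_FIELD_COUNT = 30
COLUMNS_OF_INTEREST = ("operation-type", "requester-ip-address",
                       "user-object-id", "user-principal-name")


def parse_classic_log_line(line: str) -> Dict[str, str]:
    """Split one semicolon-delimited log line into named fields.

    Fields that contain ';' or '"' are double-quoted in the log and inner
    quotes are doubled, so the csv module is used instead of str.split.
    A 1.0 line (30 fields) is accepted; its identity fields come back empty.
    """
    values = next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))
    if len(values) < V1_FIELD_COUNT:
        raise ValueError(f"not a storage analytics log line: {len(values)} fields")
    values = (values + [""] * len(V2_FIELDS))[:len(V2_FIELDS)]
    return dict(zip(V2_FIELDS, values))


def find_delete_blob_requesters(log_text: str) -> List[Dict[str, str]]:
    """Return the requester identity for every DeleteBlob line in a log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_classic_log_line(line)
        if rec["operation-type"] == "DeleteBlob":
            hits.append({k: rec[k] for k in COLUMNS_OF_INTEREST})
    return hits


# Constructed 2.0 log line for a DeleteBlob sent with an AAD bearer token.
# All identifiers are placeholders; the authorization-detail field shows the
# doubled-quote escaping the real log uses for JSON.
SAMPLE_DELETE_LINE = (
    '2.0;2023-09-28T10:15:32.1234567Z;DeleteBlob;Success;202;12;11;bearer;;'
    'mystorageacct;blob;"https://mystorageacct.blob.core.windows.net/container1/report.pdf";'
    '"/mystorageacct/container1/report.pdf";a1b2c3d4-1111-2222-3333-444455556666;0;'
    '203.0.113.10:51234;2021-08-06;512;0;210;0;0;;;;;;"AZURECLI/2.53.0; (Linux)";;;'
    '11111111-2222-3333-4444-555555555555;00000000-0000-0000-0000-0000000000f1;'
    '00000000-0000-0000-0000-0000000000a1;https://storage.azure.com;'
    'https://sts.windows.net/00000000-0000-0000-0000-0000000000f1/;alice@contoso.com;;'
    '"[{""action"":""Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"",'
    '""principalType"":""User""}]"'
)
# A second constructed line (a read, same requester) so the filter has work to do.
SAMPLE_LOG = "\n".join([SAMPLE_DELETE_LINE.replace("DeleteBlob", "GetBlob", 1),
                        SAMPLE_DELETE_LINE])

if __name__ == "__main__":
    print(KQL_DELETE_BLOB_BY_AAD)
    for hit in find_delete_blob_requesters(SAMPLE_LOG):
        print(hit)
```

If the classic log shows a DeleteBlob with an empty user-principal-name, check the version-number and authentication-type fields of that line: a 1.0 line or a request authorized by account key or SAS carries no principal, which is the reason the post insists on Azure AD authentication.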
Further information
Monitoring Azure Blob Storage
https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal
Azure Storage analytics logging
https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
Updated Sep 28, 2023
Version 1.0
Rich_McKinnon, Microsoft
Azure PaaS Blog