You are building a compliance solution that stores terabytes of data in Azure Blob Storage. Data is appended frequently and never modified. Regulatory requirements mandate that no data can be overwritten or deleted for 7 years. Which storage configuration should you enable?
Correct. A time-based retention policy makes blobs immutable for the specified duration (up to 7 years or more), meeting compliance requirements.
Why this answer
A is correct because a time-based retention policy, one of the immutability policies in Azure Blob Storage, ensures that blobs cannot be overwritten or deleted for a specified duration (here, 7 years). This meets the regulatory requirement for write-once-read-many (WORM) compliance. The policy is enforced at the storage container level, preventing any modifications or deletions even by the storage account owner.
Exam trap
The trap here is that candidates often confuse immutability policies with soft delete or versioning, thinking that preserving previous versions or recovering deleted blobs satisfies the 'no overwrite or delete' requirement. Only immutability policies provide hard enforcement that prevents the operation from succeeding in the first place.
How to eliminate wrong answers
Option B is wrong because blob soft delete only protects against accidental deletion by retaining deleted blobs for a configurable retention period, but it does not prevent overwrites or provide a hard guarantee against deletion; data can still be permanently deleted before the soft-delete retention expires if the policy is changed.
Option C is wrong because blob versioning preserves previous versions of a blob when it is overwritten or deleted, but it does not prevent overwrites or deletions from occurring; a user can still overwrite the current version, and the regulatory requirement mandates that no data can be overwritten or deleted at all.
Option D is wrong because the change feed provides a transaction log of all changes to blobs in a container, but it does not enforce any retention or immutability; it only records events and does not prevent modifications or deletions.