Enable Azure Storage blob inventory reports

Article
01/09/2025

The Azure Storage blob inventory feature provides an overview of your containers, blobs, snapshots, and blob versions within a storage account. Use the inventory report to understand various attributes of blobs and containers such as your total data size, age, encryption status, immutability policy, and legal hold and so on. The report provides an overview of your data for business and compliance requirements.

To learn more about blob inventory reports, see Azure Storage blob inventory.

Enable blob inventory reports by adding a policy with one or more rules to your storage account. Add, edit, or remove a policy by using the Azure portal.

Enable inventory reports

Sign in to the Azure portal to get started.
Locate your storage account and display the account overview.
Under Data management, select Blob inventory.
Select Add your first inventory rule.

The Add a rule page appears.
In the Add a rule page, name your new rule.
Choose the container that will store inventory reports.
Under Object type to inventory, choose whether to create a report for blobs or containers.

If you select Blob, then under Blob subtype, choose the types of blobs that you want to include in your report, and whether to include blob versions and/or snapshots in your inventory report.

Note

The option to include blob versions appears only for accounts that don't have the hierarchical namespace feature enabled. Versions and snapshots must be enabled on the account to save a new rule with the corresponding option enabled.
Select the fields that you would like to include in your report, and the format of your reports.
Choose how often you want to generate reports.
Optionally, add a prefix match to filter blobs in your inventory report.
Select Save.

You can add, edit, or remove a policy by using the Azure PowerShell module.

Open a Windows PowerShell command window.
Make sure that you have the latest Azure PowerShell module. See Install Azure PowerShell module.
Sign in to your Azure subscription with the Connect-AzAccount command and follow the on-screen directions.
```
Connect-AzAccount
```
If your identity is associated with more than one subscription, then set your active subscription.
```
$context = Get-AzSubscription -SubscriptionId <subscription-id>
Set-AzContext $context
```
Replace the <subscription-id> placeholder value with the ID of your subscription.
Get the storage account context that defines the storage account you want to use.
```
$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -AccountName "<storage-account-name>"
$ctx = $storageAccount.Context
```
- Replace the <resource-group-name> placeholder value with the name of your resource group.
- Replace the <storage-account-name> placeholder value with the name of your storage account.

Create inventory rules by using the New-AzStorageBlobInventoryPolicyRule command. Each rule lists report fields. For a complete list of report fields, see Azure Storage blob inventory.

 $containerName = "my-container"

 $rule1 = New-AzStorageBlobInventoryPolicyRule -Name Test1 -Destination $containerName -Disabled -Format Csv -Schedule Daily -PrefixMatch con1,con2 `
             -ContainerSchemaField Name,Metadata,PublicAccess,Last-modified,LeaseStatus,LeaseState,LeaseDuration,HasImmutabilityPolicy,HasLegalHold

 $rule2 = New-AzStorageBlobInventoryPolicyRule -Name test2 -Destination $containerName -Format Parquet -Schedule Weekly  -BlobType blockBlob,appendBlob -PrefixMatch aaa,bbb `
             -BlobSchemaField name,Last-Modified,Metadata,LastAccessTime

 $rule3 = New-AzStorageBlobInventoryPolicyRule -Name Test3 -Destination $containerName -Format Parquet -Schedule Weekly -IncludeBlobVersion -IncludeSnapshot -BlobType blockBlob,appendBlob -PrefixMatch aaa,bbb `
             -BlobSchemaField name,Creation-Time,Last-Modified,Content-Length,Content-MD5,BlobType,AccessTier,AccessTierChangeTime,Expiry-Time,hdi_isfolder,Owner,Group,Permissions,Acl,Metadata,LastAccessTime

 $rule4 = New-AzStorageBlobInventoryPolicyRule -Name test4 -Destination $containerName -Format Csv -Schedule Weekly -BlobType blockBlob -BlobSchemaField Name,BlobType,Content-Length,Creation-Time

Use the Set-AzStorageBlobInventoryPolicy to create a blob inventory policy. Pass rules into this command by using the -Rule parameter.
```
$policy = Set-AzStorageBlobInventoryPolicy -StorageAccount $storageAccount -Rule $rule1,$rule2,$rule3,$rule4  
```

You can add, edit, or remove a policy via the Azure CLI.

First, open the Azure Cloud Shell, or if you've installed the Azure CLI locally, open a command console application such as Windows PowerShell.
If your identity is associated with more than one subscription, then set your active subscription.
```
   az account set --subscription <subscription-id>
```
Replace the <subscription-id> placeholder value with the ID of your subscription.

Define the rules of your policy in a JSON document. The following shows the contents of an example JSON file named policy.json.

{
"enabled": true,
"type": "Inventory",
"rules": [
  {
    "enabled": true,
    "name": "inventoryPolicyRule2",
    "destination": "mycontainer",
    "definition": {
      "filters": {
        "blobTypes": [
          "blockBlob"
        ],
        "prefixMatch": [
          "inventoryprefix1",
          "inventoryprefix2"
        ],
        "includeSnapshots": true,
        "includeBlobVersions": true
      },
      "format": "Csv",
      "schedule": "Daily",
      "objectType": "Blob",
      "schemaFields": [
        "Name",
        "Creation-Time",
        "Last-Modified",
        "Content-Length",
        "Content-MD5",
        "BlobType",
        "AccessTier",
        "AccessTierChangeTime",
        "Snapshot",
        "VersionId",
        "IsCurrentVersion",
        "Metadata"
      ]
    }
  }
 ]
}

Create a blob inventory policy by using the az storage account blob-inventory-policy create command. Provide the name of your JSON document by using the --policy parameter.
```
az storage account blob-inventory-policy create -g myresourcegroup --account-name mystorageaccount --policy @policy.json
```

Disable inventory reports

While you can disable individual reports, you can also prevent blob inventory from running at all.

Sign in to the Azure portal.
Locate your storage account and display the account overview.
Under Data management, select Blob inventory.
Select Blob inventory settings, and in the Blob inventory settings pane, clear the Enable blob inventory checkbox, and then select Save.

Clearing the Enable blob inventory checkbox suspends all blob inventory runs. You can select this checkbox later if you want to resume inventory runs.

You can suscribe to blob inventory completed event to receive information on the outcome of your inventory runs. This event gets triggered when the inventory run completes for a rule that is defined an inventory policy. This event also occurs if the inventory run fails with a user error before it starts to run. For example, an invalid policy, or an error that occurs when a destination container isn't present will trigger the event.

Sign in to the Azure portal.
Locate your storage account and display the account overview.
In the left menu, select Events.
Select + Event Subscription.

The Create Event Subscription page appears.
In the Create Event Subscription page, name your event subscription and use default schema, Event Grid Schema.
Under EVENT TYPES, choose Blob Inventory Completed.
Under ENDPOINT DETAILS, choose Storage Queue as the Endpoint Type and select Configure an endpoint.
In the Queues page, choose the subscription, the storage account and create a new queue. Name your queue then click Create.
Optionally, select the Filters tab if you want to filter the subject of the event or its attributes.
Optionally, select the Additional Features tab if you want to enable dead-lettering, retry policies and set event subscription expiration time.
Optionally, select Delivery Properties tab to set the storage queue message time to live.
Select Create

To view the delivered queue messages

Locate your storage account and display the account overview.
Under Data Storage, select Queues and open the newly create queue used to configure the endpoint to access the messages.
Select the message for the desired inventory run time to access the message properties the review the message body for the event status.

For more methods on how to subscribe to blob storage events, see Azure Blob Storage as Event Grid source - Azure Event Grid | Microsoft Learn

Optionally enable access time tracking

You can choose to enable blob access time tracking. When access time tracking is enabled, inventory reports will include the LastAccessTime field based on the time that the blob was last accessed with a read or write operation. To minimize the effect on read access latency, only the first read of the last 24 hours updates the last access time. Subsequent reads in the same 24-hour period don't update the last access time. If a blob is modified between reads, the last access time is the more recent of the two values.

To enable last access time tracking with the Azure portal, follow these steps:

Sign in to the Azure portal.
Locate your storage account and display the account overview.
Under Data management, select Blob inventory.
Select Blob inventory settings, and in the Blob inventory settings pane, select the Enable last access tracking checkbox.

To enable last access time tracking with PowerShell, call the Enable-AzStorageBlobLastAccessTimeTracking command, as shown in the following example. Remember to replace placeholder values in angle brackets with your own values:

# Initialize these variables with your values.
$rgName = "<resource-group>"
$accountName = "<storage-account>"

Enable-AzStorageBlobLastAccessTimeTracking  -ResourceGroupName $rgName `
    -StorageAccountName $accountName `
    -PassThru

To enable last access time tracking with Azure CLI, call the az storage account blob-service-properties update command, as shown in the following example. Remember to replace placeholder values in angle brackets with your own values:

az storage account blob-service-properties update \
    --resource-group <resource-group> \
    --account-name <storage-account> \
    --enable-last-access-tracking true

Share via

Enable Azure Storage blob inventory reports

Enable inventory reports

Disable inventory reports

Optionally enable access time tracking

Next steps

Feedback

Additional resources

Share via

Enable Azure Storage blob inventory reports

Enable inventory reports

Disable inventory reports

Subscribe to blob inventory policy completed event

Optionally enable access time tracking

Next steps

Feedback

Additional resources