Azure Blob Storage — Complete Guide
Understand Azure Blob Storage architecture, blob types, access tiers, data protection, and security — with exam tips for AZ-104.
What you'll learn
- Explain the three-layer Blob Storage architecture (Storage Account → Container → Blob)
- Describe the flat namespace and how virtual folders work
- Differentiate Block, Append, and Page blobs and choose the right type
- Compare Hot, Cool, Cold, and Archive tiers and their cost trade-offs
- Explain blob versioning and lifecycle management policies
- Describe authentication options: Entra ID, Access Keys, and SAS
Prerequisites
Relevant for certifications
What Is Azure Blob Storage?
Azure Blob Storage is a massively scalable object storage service for unstructured data — documents, images, videos, logs, backups, and VM disk files. It lives inside an Azure Storage Account and is accessible over HTTP/HTTPS via REST APIs, SDKs, and the Azure portal.
Think of it this way
Blob Storage is Azure's equivalent of AWS S3. If you need to store a file that isn't a database row or a file-system entry, it almost certainly belongs in Blob Storage.
Architecture Overview
Blob Storage is structured in four layers:
Storage Account
└── Blob Service (internal engine)
└── Containers (logical buckets — like folders at the top level)
└── Blobs (the actual data objects)
| Layer | Description |
|---|---|
| Storage Account | Top-level Azure resource. Controls performance tier (Standard/Premium), replication, networking, and security settings. |
| Blob Service | The internal engine that handles all object storage within the account. |
| Container | A logical grouping of blobs. Equivalent to a "bucket" in AWS S3. No nesting — containers live directly under the Storage Account. |
| Blob | The actual data object — a file, image, video, log, VHD, etc. |
The Flat Namespace
Unlike a traditional file system, Blob Storage has no real folders or directory hierarchy. It uses a flat namespace.
What look like folders are simply prefixes embedded in the blob's name:
Container: my-container
Blob name: images/2026/march/photo1.jpg
↑ this is NOT a folder — it is part of the blob name
The Azure portal and Storage Explorer display these prefixes as folders, but the underlying structure is flat — every blob is just a named object inside a container.
Warning
This matters for AZ-104 and real-world access control. You cannot apply permissions to a "folder" directly — you scope SAS tokens and RBAC roles to the container or the whole storage account, not to virtual-folder prefixes.
Types of Blobs
Azure supports three blob types. Choosing the wrong type is a common mistake.
| Blob Type | Optimised For | Typical Use Cases |
|---|---|---|
| Block Blob | Sequential upload and download of large files | Images, videos, documents, backups, log archives |
| Append Blob | Append-only write operations | Diagnostic logs, audit trails, streaming telemetry |
| Page Blob | Random read/write access | Virtual machine disk files (VHD/VHDX) |
Exam shortcut
Block = most content. Append = logs. Page = VM disks. Azure Managed Disks use page blobs under the hood. You cannot change a blob's type after creation.
Access Tiers and Cost Optimisation
Tiers let you balance storage cost against access cost. Higher storage cost = lower access cost, and vice versa.
| Tier | Storage Cost | Access Cost | Minimum Retention | Best For |
|---|---|---|---|---|
| Hot | Highest | Lowest | None | Frequently accessed data (active workloads) |
| Cool | Lower | Higher | 30 days | Infrequently accessed, stored for at least a month |
| Cold | Even lower | Higher | 90 days | Rarely accessed, stored for at least 3 months |
| Archive | Lowest | Highest | 180 days | Long-term retention; data is offline |
Archive tier is offline
Blobs in the Archive tier cannot be read immediately. You must first rehydrate them — moving them to Hot or Cool — which can take several hours. Plan accordingly for restore scenarios.
Tier flexibility
- Tiers can be set at the storage account level (default) or per blob (overrides the account default)
- You can automate tier transitions with Lifecycle Management (see below)
- Early deletion fees apply if you delete or move a blob before its minimum retention period
Data Protection
Blob Versioning
When enabled, Azure automatically saves a new version every time a blob is written or overwritten. Each version has a unique version ID.
- Protects against accidental overwrites and deletions
- Old versions can be listed, restored, or deleted individually
- Restoring an old version creates a new copy — it does not revert the current blob in place
Warning
AZ-104 exam trap: "Promoting" (restoring) a previous version does not delete the current version. It creates a new version. You now have both.
Lifecycle Management
Lifecycle Management lets you define rules that automatically:
- Transition blobs between tiers (e.g., move to Cool after 30 days)
- Delete blobs or old versions after a defined period
// Example: move to Cool after 30 days, Archive after 90 days, delete after 365 days
{
"rules": [{
"name": "cost-optimise",
"enabled": true,
"definition": {
"actions": {
"baseBlob": {
"tierToCool": { "daysAfterModificationGreaterThan": 30 },
"tierToArchive": { "daysAfterModificationGreaterThan": 90 },
"delete": { "daysAfterModificationGreaterThan": 365 }
}
},
"filters": { "blobTypes": ["blockBlob"] }
}
}]
}
Security and Access
Authentication Options
| Method | Description | When to Use |
|---|---|---|
| Microsoft Entra ID (Azure AD) | RBAC-based identity access | Preferred for users and managed identities |
| Access Keys | Full account-level secrets | Service-to-service; rotate regularly |
| Shared Access Signatures (SAS) | Time-limited, scoped tokens | Granting temporary, limited access to external parties |
Blob Endpoint Format
Every blob has a predictable, publicly routable URL:
https://<storage-account-name>.blob.core.windows.net/<container>/<blob-name>
Example:
https://mystorageaccount.blob.core.windows.net/images/photos/beach.jpg
Access to this URL is controlled by the container's access level and/or a SAS token appended to the URL.
Common Interview Questions
Q: What is the difference between Block, Append, and Page blobs? Block blobs are for general-purpose file storage (images, videos, backups). Append blobs only allow writes to the end — ideal for logs. Page blobs support random read/write and are used internally by Azure VM disks.
Q: A blob in Archive tier needs to be read urgently. What do you do? You must rehydrate it — copy or move it to Hot or Cool tier first. This can take up to 15 hours for standard priority, or a few hours for high priority rehydration. There is no way to read directly from Archive.
Q: What happens if you delete a blob before its minimum retention period ends? Early deletion charges apply. For example, deleting a Cool tier blob after 10 days still incurs the 30-day minimum storage charge.
Q: How do you give a third-party vendor read access to a specific container for 24 hours without exposing your Access Keys? Generate a Shared Access Signature (SAS) scoped to the container with read permissions and an expiry set to 24 hours from now. Share only the SAS URL.
Common Mistakes
- Storing VM disks as Block Blobs — VM disks must be Page Blobs (or use Azure Managed Disks)
- Assuming Archive tier is immediately accessible — it requires rehydration, which takes hours
- Setting tier at account level and not per-blob — per-blob tier overrides the account default; mixing tiers in one account is valid and common
- Treating the flat namespace as a file system — you cannot apply RBAC or SAS permissions to a "virtual folder" prefix
- Restoring an old version and expecting it to replace the current — promotion creates a new version, not an in-place revert
- Leaving Access Keys long-lived without rotation — use Entra ID + Managed Identity where possible; rotate keys on a schedule if keys must be used
What to Learn Next
- Configuring Blob Lifecycle Management — automate tier transitions and deletions with policy rules
- Configuring Object Replication — geo-replicate blobs across storage accounts
- Securing Storage Accounts — network rules, private endpoints, SAS best practices
- Azure Files — SMB/NFS file shares as an alternative to blob for file-system workloads