{"id":515,"date":"2026-04-14T08:30:44","date_gmt":"2026-04-14T08:30:44","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-storage-actions-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-storage\/"},"modified":"2026-04-14T08:30:44","modified_gmt":"2026-04-14T08:30:44","slug":"azure-storage-actions-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-storage","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-storage-actions-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-storage\/","title":{"rendered":"Azure Storage Actions Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Storage"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Storage<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Azure Storage Actions is an Azure Storage service for automating common data management operations on objects stored in Azure Storage\u2014especially Azure Blob Storage and data lake-style storage patterns\u2014without needing to build and operate your own job runners.<\/p>\n\n\n\n<p>In simple terms: <strong>you define \u201cwhat should happen to which objects,\u201d and Azure runs those actions for you<\/strong>. This is useful for tasks like applying consistent tags\/metadata, managing access tiers, and performing bulk operations safely at scale.<\/p>\n\n\n\n<p>Technically, Azure Storage Actions provides a <strong>management-plane resource<\/strong> (often described in documentation and the portal as <em>storage tasks<\/em> and <em>task assignments<\/em>) that can execute <strong>policy-like, rules-based actions<\/strong> against a target scope (for example: a storage account, a container, or a subset of blobs matching filters). 
It complements (not replaces) Azure Blob lifecycle management, Event Grid + Functions\/Logic Apps, and inventory-style reporting.<\/p>\n\n\n\n<p>The problem it solves is operational and governance-oriented: <strong>reliably applying standard operations to very large numbers of storage objects<\/strong> (millions\/billions), with consistent execution, monitoring, and access control\u2014without teams having to write custom scripts, run cron jobs, or maintain batch compute.<\/p>\n\n\n\n<blockquote>\n<p>Service naming note: The official service name is <strong>Azure Storage Actions<\/strong>. In some Azure experiences and documentation, you may also see the terms <strong>storage tasks<\/strong> and <strong>task assignments<\/strong> as core building blocks. If the service is in Preview\/GA transition in your region, features and pricing can change\u2014<strong>verify current status in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Azure Storage Actions?<\/h2>\n\n\n\n<p>Azure Storage Actions is an Azure Storage automation service designed to <strong>orchestrate actions against Azure Storage data<\/strong> based on defined rules\/conditions and a selected target scope.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose (practical framing)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Automate storage object operations at scale<\/strong> using centrally defined tasks.<\/li>\n<li><strong>Standardize governance<\/strong> by consistently applying tags\/metadata\/tiering\/cleanup patterns.<\/li>\n<li><strong>Reduce custom code<\/strong> (scripts, ad-hoc automation) and improve operational reliability.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (high-level)<\/h3>\n\n\n\n<p>Azure Storage Actions typically centers around:\n&#8211; Defining a <strong>task<\/strong> (the \u201cwhat to do\u201d logic).\n&#8211; Creating an <strong>assignment<\/strong> (the \u201cwhere\/when to do it\u201d binding to storage scope).\n&#8211; Executing the task and tracking <strong>run history\/results<\/strong>.<\/p>\n\n\n\n<blockquote>\n<p>The exact set of supported actions (for example, tagging vs tiering vs delete) and trigger modes (on-demand vs scheduled vs event-driven) can vary by release and region. 
<strong>Verify supported actions and triggers in official docs for your subscription and region.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<p>While names can vary slightly across portal\/ARM\/REST, the common conceptual components are:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>What it is<\/th>\n<th>Why it matters<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Storage task (task definition)<\/td>\n<td>A reusable definition of conditions and actions to apply<\/td>\n<td>Enables standardization and reuse across many storage targets<\/td>\n<\/tr>\n<tr>\n<td>Task assignment<\/td>\n<td>A binding between a task and a target scope (storage account \/ container \/ subset)<\/td>\n<td>Separates \u201cdefinition\u201d from \u201cdeployment\u201d and supports multi-account rollouts<\/td>\n<\/tr>\n<tr>\n<td>Identity (managed identity)<\/td>\n<td>The identity used to perform data-plane operations<\/td>\n<td>Enables least privilege and auditability without embedding keys<\/td>\n<\/tr>\n<tr>\n<td>Runs \/ execution history<\/td>\n<td>Records of each execution and its outcome<\/td>\n<td>Operational visibility, troubleshooting, compliance evidence<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service type:<\/strong> Azure-managed automation\/orchestration for Storage operations (control-plane managed resource that performs data-plane operations).<\/li>\n<li><strong>Scope:<\/strong> Typically <strong>subscription\/resource-group scoped<\/strong> for the task resources, and <strong>storage-account scoped<\/strong> for the data targets.<\/li>\n<li><strong>Regionality:<\/strong> Often <strong>region-bound<\/strong> (the task resource is created in an Azure region). The storage account also lives in a region. 
<strong>Verify cross-region capabilities and constraints in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Azure ecosystem<\/h3>\n\n\n\n<p>Azure Storage Actions sits between:\n&#8211; <strong>Azure Storage native policies<\/strong> (like Blob lifecycle management) and\n&#8211; <strong>General automation<\/strong> (Functions, Logic Apps, Automation, Data Factory)<\/p>\n\n\n\n<p>It is most valuable when you need:\n&#8211; Repeatable, auditable bulk operations\n&#8211; A managed execution model (instead of scripts)\n&#8211; Central governance over multiple storage accounts\/environments<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Azure Storage Actions?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower operational overhead:<\/strong> fewer bespoke scripts and runbooks to maintain.<\/li>\n<li><strong>Consistency:<\/strong> policy-driven application of governance rules.<\/li>\n<li><strong>Faster rollouts:<\/strong> reuse a task definition across many storage accounts and subscriptions (with proper access design).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale-friendly design:<\/strong> intended for large object sets where naive scripting becomes fragile or too slow.<\/li>\n<li><strong>Separation of concerns:<\/strong> define tasks once, assign many times.<\/li>\n<li><strong>Better control vs ad-hoc tooling:<\/strong> more predictable than \u201csomeone ran a script from a laptop.\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Central monitoring and repeatability:<\/strong> run history helps with troubleshooting and audit trails.<\/li>\n<li><strong>Change control:<\/strong> tasks can be versioned\/managed like infrastructure, 
depending on your deployment approach (Portal vs IaC).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed identity-based access:<\/strong> avoid storing storage keys in scripts or CI\/CD variables.<\/li>\n<li><strong>RBAC alignment:<\/strong> assign least privilege roles to the identity used for actions.<\/li>\n<li><strong>Auditable operations:<\/strong> integrate with Azure Monitor\/diagnostics as supported.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Designed for bulk operations:<\/strong> reduces the need to enumerate and mutate objects from external compute.<\/li>\n<li><strong>Avoids \u201cDIY batch compute\u201d:<\/strong> less risk of throttling and runaway costs from poorly written scanners.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Azure Storage Actions when you need:\n&#8211; A <strong>managed<\/strong> way to apply actions across many blobs\/paths\/containers\n&#8211; <strong>Governance automation<\/strong> (tagging, cleanup, tiering enforcement, standardization)\n&#8211; <strong>Repeatable operations<\/strong> with centralized definitions and assignments<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>It may not be the best fit when:\n&#8211; You need <strong>content transformation<\/strong> (parsing files, resizing images, ETL). Use Functions, Batch, Databricks, Data Factory.\n&#8211; You only need <strong>simple age-based tiering\/deletion<\/strong>. Blob lifecycle management may be simpler.\n&#8211; You need fully custom branching logic, complex external calls, or multi-system orchestration. Logic Apps or Durable Functions may be better.\n&#8211; The service is not yet available in your region or does not support the operation you require. 
(Common for newer\/preview services.)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Azure Storage Actions used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial services:<\/strong> retention enforcement, tagging for records management, controlled cleanup of transient data.<\/li>\n<li><strong>Healthcare\/life sciences:<\/strong> standardized labeling\/metadata, data lake hygiene, archival workflows (subject to compliance).<\/li>\n<li><strong>Media &amp; entertainment:<\/strong> cost optimization via tiering and catalog tagging.<\/li>\n<li><strong>Retail\/e-commerce:<\/strong> log and telemetry storage governance, lifecycle hygiene.<\/li>\n<li><strong>Manufacturing\/IoT:<\/strong> continuous data ingestion to blob\/data lake, automated organization\/tagging.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud platform\/landing zone teams (governance at scale)<\/li>\n<li>Storage and data platform teams<\/li>\n<li>Security\/compliance teams (policy enforcement)<\/li>\n<li>DevOps\/SRE teams (operational automation)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data lakes on Azure Blob Storage \/ ADLS Gen2-style patterns<\/li>\n<li>Central logging\/telemetry archives<\/li>\n<li>Backup\/restore staging areas<\/li>\n<li>Analytics sandboxes with rapid churn of data<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-subscription Azure estates (central tasks assigned to many storage targets)<\/li>\n<li>Hub-and-spoke networking with private endpoints to storage<\/li>\n<li>Event-driven ingestion pipelines that need downstream governance actions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Production:<\/strong> tasks assigned via controlled pipelines, least-privileged managed identity, monitored with run alerts.<\/li>\n<li><strong>Dev\/test:<\/strong> smaller scopes and on-demand runs for validation, cost control, and workflow iteration.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Azure Storage Actions is commonly considered. The exact feasibility depends on the supported action set in your region\u2014<strong>verify supported actions in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Standardize blob index tags for governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams upload data without consistent tags; downstream governance\/search breaks.<\/li>\n<li><strong>Why it fits:<\/strong> Centrally apply tags based on path\/prefix\/container patterns.<\/li>\n<li><strong>Example:<\/strong> Anything under <code>raw\/finance\/<\/code> gets tags <code>{domain=finance, stage=raw}<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Enforce access tiering policy beyond simple age rules<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Cost overruns because data stays in Hot tier unnecessarily.<\/li>\n<li><strong>Why it fits:<\/strong> Apply tier actions based on naming, tags, or other conditions (where supported).<\/li>\n<li><strong>Example:<\/strong> Logs under <code>logs\/<\/code> are moved to Cool tier shortly after ingestion.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Cleanup of transient processing artifacts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> ETL jobs leave behind temp files; storage grows uncontrolled.<\/li>\n<li><strong>Why it fits:<\/strong> Automated deletion\/cleanup actions based on 
location\/pattern.<\/li>\n<li><strong>Example:<\/strong> Delete blobs in <code>tmp\/<\/code> after pipeline success markers are present.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Remediate non-compliant naming conventions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Objects are uploaded with unexpected prefixes, breaking data lake conventions.<\/li>\n<li><strong>Why it fits:<\/strong> Identify and act on objects that violate policy (action may be tagging, moving\/copying, or alerting\u2014verify).<\/li>\n<li><strong>Example:<\/strong> Tag offending blobs with <code>{noncompliant=true}<\/code> for follow-up.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Implement retention label tagging for records management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Compliance needs retention labels; users don\u2019t apply them reliably.<\/li>\n<li><strong>Why it fits:<\/strong> Apply retention-related tags\/metadata as part of ingestion governance.<\/li>\n<li><strong>Example:<\/strong> All invoices stored under <code>finance\/invoices\/<\/code> get <code>{retention=7y}<\/code> tag.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Quarantine suspicious uploads (pattern-based)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Malware scanning pipeline flags objects; they must be isolated.<\/li>\n<li><strong>Why it fits:<\/strong> Automate moving\/copying\/tagging to quarantine scope (verify supported operations).<\/li>\n<li><strong>Example:<\/strong> Tag blobs as <code>{quarantine=true}<\/code> and move to a separate container for investigation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Backfill tags\/metadata for historical data<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You\u2019ve introduced new tagging standards but have years of legacy blobs.<\/li>\n<li><strong>Why it fits:<\/strong> Bulk apply tags to existing objects in 
batches.<\/li>\n<li><strong>Example:<\/strong> Run a one-time assignment over containers to populate <code>owner<\/code> and <code>costCenter<\/code> tags.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Operational housekeeping across many storage accounts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Each app team runs different scripts; outcomes vary.<\/li>\n<li><strong>Why it fits:<\/strong> Standard tasks can be assigned across many accounts with consistent identity and monitoring.<\/li>\n<li><strong>Example:<\/strong> A central platform team assigns \u201ccleanup temp data\u201d to 50 app storage accounts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Prepare data for downstream lifecycle rules<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Lifecycle rules require tags\/prefix structure; ingestion is inconsistent.<\/li>\n<li><strong>Why it fits:<\/strong> Use Storage Actions to normalize tags, then lifecycle management handles age-based archiving\/deletion.<\/li>\n<li><strong>Example:<\/strong> Add <code>{archiveCandidate=true}<\/code> tag, then lifecycle policy archives after N days.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Reduce manual toil for periodic storage governance audits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Quarterly audits require checking containers for compliance; too manual.<\/li>\n<li><strong>Why it fits:<\/strong> Automated runs can tag noncompliant items and generate actionable results (verify reporting options).<\/li>\n<li><strong>Example:<\/strong> Tag blobs missing required tags as <code>{needsReview=true}<\/code>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
Core Features<\/h2>\n\n\n\n<p>Because Azure Storage Actions has evolved and may be in Preview\/GA depending on region, treat the items below as <strong>core feature themes<\/strong> and <strong>verify exact availability<\/strong> in official docs for your subscription.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 1: Task definitions (reusable automation logic)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you define reusable automation logic (\u201ctask\u201d) that can be applied to multiple targets.<\/li>\n<li><strong>Why it matters:<\/strong> Centralizes governance and reduces per-team scripting.<\/li>\n<li><strong>Practical benefit:<\/strong> One task definition can be applied to dev\/test\/prod and across multiple storage accounts.<\/li>\n<li><strong>Caveats:<\/strong> Task definition language\/schema and supported conditions\/actions are service-specific\u2014<strong>verify current schema<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 2: Task assignments (scope binding)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Applies a task definition to a specific target scope (storage account\/container\/prefix).<\/li>\n<li><strong>Why it matters:<\/strong> Separates policy design from deployment.<\/li>\n<li><strong>Practical benefit:<\/strong> Safer rollout\u2014start with a test container, then widen scope.<\/li>\n<li><strong>Caveats:<\/strong> Scope granularity varies; verify whether prefix\/path filtering is supported in your release.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 3: Managed identity execution (security model)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Uses an Azure managed identity to perform data-plane operations on storage.<\/li>\n<li><strong>Why it matters:<\/strong> Eliminates shared key usage and improves auditability.<\/li>\n<li><strong>Practical benefit:<\/strong> Least privilege RBAC (for 
example, only blob tag write permissions where applicable).<\/li>\n<li><strong>Caveats:<\/strong> You must grant the identity appropriate <strong>data-plane roles<\/strong> on target storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 4: Execution tracking (runs, status, outcomes)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides visibility into when tasks ran and whether they succeeded.<\/li>\n<li><strong>Why it matters:<\/strong> Operations teams need observability for governance automation.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster troubleshooting and evidence for compliance.<\/li>\n<li><strong>Caveats:<\/strong> Detail level and export to logs\/diagnostics can vary\u2014verify monitoring integration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 5: Integration with Azure governance patterns<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports Azure RBAC, Azure Policy guardrails (indirectly), tagging standards, and resource organization.<\/li>\n<li><strong>Why it matters:<\/strong> Storage governance isn\u2019t just data; it\u2019s also who can run what.<\/li>\n<li><strong>Practical benefit:<\/strong> Platform teams can standardize tasks and allow app teams to request assignments.<\/li>\n<li><strong>Caveats:<\/strong> Azure Policy does not automatically \u201cunderstand\u201d task internals unless you enforce through conventions\/IaC.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 6: Designed for bulk operations at scale<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Intended to operate across many objects without requiring customer-managed scanning compute.<\/li>\n<li><strong>Why it matters:<\/strong> Script-based scanners often hit throttling, timeouts, and operational fragility.<\/li>\n<li><strong>Practical benefit:<\/strong> More predictable operations for large 
scopes.<\/li>\n<li><strong>Caveats:<\/strong> Still subject to Storage account limits and throttling behaviors; design to avoid aggressive concurrency.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 7: Safer change rollout (test \u2192 expand)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Encourages deploying tasks first to small scopes before broad rollout.<\/li>\n<li><strong>Why it matters:<\/strong> Bulk operations can cause large-scale impact quickly.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduced blast radius and safer governance evolution.<\/li>\n<li><strong>Caveats:<\/strong> Requires disciplined operational process\u2014don\u2019t assign broad scopes without validation.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Azure Storage Actions typically works like this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You define a <strong>task<\/strong> (conditions + actions).<\/li>\n<li>You create an <strong>assignment<\/strong> connecting the task to a storage target (scope) and execution mode (on-demand\/scheduled\/event-driven where available).<\/li>\n<li>Azure Storage Actions uses a <strong>managed identity<\/strong> to authenticate to the target storage account and perform <strong>data-plane operations<\/strong>.<\/li>\n<li>Execution results are recorded (run status, success\/failure), and you can integrate monitoring\/alerts.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane:<\/strong> Create\/update task resources and assignments (Azure Resource Manager).<\/li>\n<li><strong>Data plane:<\/strong> The service performs operations on blobs\/containers using Azure Storage APIs under the managed identity.<\/li>\n<li><strong>Observability:<\/strong> 
Run history in the service + Azure Monitor integration (diagnostic settings), depending on current support.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Commonly paired services:\n&#8211; <strong>Azure Storage (Blob Storage \/ ADLS Gen2):<\/strong> the target of actions.\n&#8211; <strong>Microsoft Entra ID (Azure AD):<\/strong> identity provider for managed identities.\n&#8211; <strong>Azure Monitor \/ Log Analytics:<\/strong> logs\/metrics and alerting (where supported).\n&#8211; <strong>Event Grid \/ Logic Apps \/ Functions:<\/strong> complementary event processing or custom workflows when Storage Actions does not cover your needs.\n&#8211; <strong>Azure Policy:<\/strong> enforce that storage accounts meet prerequisites (e.g., secure transfer required, private endpoints) and that Storage Actions resources follow naming\/tagging rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Target storage accounts must support the operations you want to perform (for example, blob tags require blob index tags enabled at the account level where applicable).<\/li>\n<li>Identity and RBAC must be configured correctly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Primary pattern: <strong>managed identity<\/strong> (system-assigned or user-assigned) granted appropriate <strong>Azure Storage data-plane roles<\/strong> on the target scope.<\/li>\n<li>Avoid using storage account keys\/SAS tokens for automation whenever possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Storage Actions is a managed Azure service. 
Data-plane calls to Storage may occur over the Microsoft backbone.<\/li>\n<li>If your storage account uses <strong>private endpoints<\/strong> and restricted public network access, confirm whether the service supports operating with those restrictions in your configuration. This can be a key limitation for managed services\u2014<strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Track:\n<ul class=\"wp-block-list\">\n<li>Task run success\/failure rates<\/li>\n<li>Error types (auth failures, throttling, unsupported operations)<\/li>\n<li>Change management approvals for task edits<\/li>\n<\/ul>\n<\/li>\n<li>Enable diagnostic settings if supported.<\/li>\n<li>Apply consistent tags to Storage Actions resources: <code>env<\/code>, <code>owner<\/code>, <code>costCenter<\/code>, <code>dataClassification<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  A[Admin\/Platform Engineer] --&gt;|&quot;Create task + assignment (ARM)&quot;| B[Azure Storage Actions]\n  B --&gt;|Uses managed identity| C[Microsoft Entra ID]\n  B --&gt;|Performs data-plane ops| D[&quot;Azure Storage Account (Blob)&quot;]\n  B --&gt; E[Run history \/ monitoring]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Sub[Azure Subscription]\n    subgraph RG1[Resource Group: platform-storage-governance]\n      SACTIONS[&quot;Azure Storage Actions\\n(Task definitions + assignments)&quot;]\n      MI[User-assigned Managed Identity]\n      LAW[Log Analytics Workspace]\n      AM[Azure Monitor Alerts]\n    end\n\n    subgraph RG2[Resource Groups: application teams]\n      ST1[Storage Account: app1prod]\n      ST2[Storage Account: app2prod]\n      ST3[Storage Account: app3prod]\n    end\n  end\n\n  SACTIONS --&gt;|Assume identity| MI\n  MI --&gt;|RBAC: Storage Blob Data roles| ST1\n  MI --&gt;|RBAC: Storage Blob Data roles| ST2\n  MI --&gt;|RBAC: Storage Blob Data roles| ST3\n\n  SACTIONS --&gt;|&quot;Diagnostics (if supported)&quot;| LAW\n  LAW --&gt; AM\n\n  AM --&gt;|Notify| OPS[Ops On-call \/ ITSM]\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Azure subscription<\/strong> with billing enabled.<\/li>\n<li>Permission to create resources in a resource group.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You typically need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>At minimum: <strong>Contributor<\/strong> on the resource group to create Azure Storage Actions resources.<\/li>\n<li>For the managed identity to perform actions:\n<ul class=\"wp-block-list\">\n<li>Appropriate <strong>Azure Storage data-plane roles<\/strong> on the target storage scope, such as:\n<ul class=\"wp-block-list\">\n<li><code>Storage Blob Data Contributor<\/code> (broad; often too permissive)<\/li>\n<li>More specific roles if available for the exact operation (preferred)<\/li>\n<\/ul>\n<\/li>\n<li>If using blob index tags, ensure you have the permissions to read\/write tags.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Role names and the least-privileged role for each action can vary. 
Always validate with the \u201crequired permissions\u201d section in the official docs for Azure Storage Actions.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Costs can come from:\n<ul class=\"wp-block-list\">\n<li>Storage operations performed (transactions, writes, reads)<\/li>\n<li>Potential service-side execution charges (if Azure Storage Actions is billed separately in your region\/GA)<\/li>\n<\/ul>\n<\/li>\n<li>Ensure you have cost visibility and budgets configured.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<p>For the hands-on lab in this guide:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure CLI<\/strong> (latest): https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n<li>Optional: <strong>Storage Explorer<\/strong> for inspection: https:\/\/azure.microsoft.com\/products\/storage\/storage-explorer\/<\/li>\n<li>Access to the <strong>Azure portal<\/strong>: https:\/\/portal.azure.com<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Storage Actions availability can be region-dependent (and sometimes Preview-only).<\/li>\n<li><strong>Verify the supported regions and features<\/strong> in official docs before designing production architecture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Potential constraints to verify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Max number of tasks\/assignments per subscription\/region<\/li>\n<li>Max executions per time window<\/li>\n<li>Storage account request limits and throttling<\/li>\n<li>Supported blob types\/features (versions, snapshots, immutability, etc.)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>Azure Storage account<\/strong> (typically StorageV2) with a blob container.<\/li>\n<li>Microsoft Entra ID (standard in Azure tenants).<\/li>\n<li>Optional: Log Analytics workspace for centralized 
logging.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Azure Storage Actions costs can be a combination of <strong>(a) any service charge for running tasks<\/strong> and <strong>(b) the underlying Azure Storage data-plane costs<\/strong> generated by the actions.<\/p>\n\n\n\n<p>Because pricing and billing meters can change with GA rollout and region availability, <strong>do not assume it is free or included<\/strong> unless the official pricing page explicitly states so.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing sources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Pricing Calculator: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/li>\n<li>Azure Storage pricing (transactions, capacity, data transfer): https:\/\/azure.microsoft.com\/pricing\/details\/storage\/<\/li>\n<li>For Azure Storage Actions-specific pricing, <strong>verify in official docs\/pricing<\/strong> (if a dedicated page exists for your region\/offer).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what to look for)<\/h3>\n\n\n\n<p>Check official pricing for meters such as:\n&#8211; Per task run \/ per execution\n&#8211; Per object evaluated or processed\n&#8211; Per action performed\n&#8211; Any base resource\/hour charge<\/p>\n\n\n\n<p>If no dedicated pricing is listed publicly for your offer\/region, treat the service as <strong>\u201cpricing varies \/ not publicly listed\u201d<\/strong> and validate through:\n&#8211; Azure cost analysis after a pilot\n&#8211; Your Microsoft account team\n&#8211; Preview terms (if applicable)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key cost drivers (direct and indirect)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Direct drivers (most common)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Storage transactions:<\/strong> listing, reading properties, writing tags\/metadata, tier changes, deletes, 
copies.<\/li>\n<li><strong>Data writes:<\/strong> actions that modify objects incur write operations (and sometimes rewrite data, depending on action).<\/li>\n<li><strong>Service executions:<\/strong> if Azure Storage Actions charges per run\/object\/action.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Indirect\/hidden drivers<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data transfer:<\/strong> if actions copy\/move data across regions or accounts, you may incur bandwidth charges (especially inter-region).<\/li>\n<li><strong>Downstream effects:<\/strong> changing tier\/metadata can trigger other processes (inventory, scanning, indexing) that add cost.<\/li>\n<li><strong>Operational overhead:<\/strong> logging volume in Log Analytics can be a noticeable cost if you collect verbose diagnostics.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Intra-region within Azure typically avoids egress, but <strong>inter-region transfers are usually billable<\/strong>.<\/li>\n<li>If your action causes data to be duplicated, you pay for:<ul>\n<li>additional storage capacity<\/li>\n<li>write transactions<\/li>\n<li>potential transfer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <strong>small scopes<\/strong> (single container\/prefix).<\/li>\n<li>Prefer <strong>tagging + lifecycle policies<\/strong> over frequent tier changes if that\u2019s cheaper operationally.<\/li>\n<li>Avoid frequent \u201cfull scans\u201d of large datasets unless necessary.<\/li>\n<li>Use <strong>budgets and alerts<\/strong> for both the Storage account and the resource group.<\/li>\n<li>Collect diagnostics selectively; don\u2019t ingest noisy logs by default.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (how to think about it)<\/h3>\n\n\n\n<p>A minimal pilot typically 
includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One Storage account with a small container<\/li>\n<li>Upload 10\u2013100 small blobs<\/li>\n<li>Run one task on-demand once or twice<\/li>\n<li>Validate results and stop<\/li>\n<\/ul>\n\n\n\n<p>Primary costs are likely:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A small number of storage transactions<\/li>\n<li>A small amount of storage capacity<\/li>\n<li>Potentially zero or minimal service execution charges (depending on offer)<\/li>\n<\/ul>\n\n\n\n<p>Because exact meters can vary, <strong>use the Pricing Calculator for storage transactions<\/strong> and validate any Azure Storage Actions meters via official pricing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, the cost picture changes when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You run actions daily\/hourly across millions of blobs<\/li>\n<li>You write tags\/metadata repeatedly<\/li>\n<li>You copy\/move data between accounts or regions<\/li>\n<li>You enable verbose diagnostics<\/li>\n<\/ul>\n\n\n\n<p>For production planning:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Estimate object counts and run frequency.<\/li>\n<li>Model expected storage transactions (read\/list\/write).<\/li>\n<li>Run a controlled pilot and inspect actual billed meters in <strong>Cost Management + Billing<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create an Azure Storage account with sample blobs, then use <strong>Azure Storage Actions<\/strong> to apply a governance action (for example, applying blob index tags or adjusting a property) to a targeted subset of blobs. Validate the result with Azure CLI, then clean up all resources.<\/p>\n\n\n\n<blockquote>\n<p>Important: The exact UI options (and supported actions) in Azure Storage Actions can vary by region and release. This lab is designed to be executable by using <strong>Portal-driven task creation<\/strong> and <strong>CLI-driven validation<\/strong>. 
If you do not see the same options, use the closest supported action (for example, apply tags instead of tiering) and <strong>verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a resource group and a StorageV2 account.<\/li>\n<li>Create a container and upload a few blobs under different prefixes.<\/li>\n<li>Create a managed identity (user-assigned).<\/li>\n<li>Grant the identity data-plane permissions on the storage account.<\/li>\n<li>Create an Azure Storage Actions task and assign it to a scope (container\/prefix).<\/li>\n<li>Run the task (on-demand or as supported), validate changes, troubleshoot if needed.<\/li>\n<li>Clean up.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a resource group<\/h3>\n\n\n\n<p><strong>Expected outcome:<\/strong> A new resource group exists.<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Set variables (edit as needed)\nLOCATION=\"eastus\"\nRG=\"rg-storage-actions-lab\"\nRAND=$RANDOM\nSTORAGE=\"stactions$RAND\"\n\naz group create \\\n  --name \"$RG\" \\\n  --location \"$LOCATION\"\n<\/code><\/pre>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group show --name \"$RG\" --query \"{name:name,location:location}\" -o table\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a storage account and container<\/h3>\n\n\n\n<p><strong>Expected outcome:<\/strong> A StorageV2 account and a container exist.<\/p>\n\n\n\n<pre><code class=\"language-bash\">az storage account create \\\n  --name \"$STORAGE\" \\\n  --resource-group \"$RG\" \\\n  --location \"$LOCATION\" \\\n  --sku Standard_LRS \\\n  --kind StorageV2 \\\n  --https-only true \\\n  --min-tls-version TLS1_2 \\\n  --allow-blob-public-access false\n<\/code><\/pre>\n\n\n\n<p>Create a container:<\/p>\n\n\n\n<pre><code class=\"language-bash\">CONTAINER=\"data\"\n\n# Use Azure AD auth for management-plane; for data-plane container create,\n# easiest is to use a key for lab creation, then move 
to RBAC for automation.\nKEY=$(az storage account keys list -g \"$RG\" -n \"$STORAGE\" --query \"[0].value\" -o tsv)\n\naz storage container create \\\n  --name \"$CONTAINER\" \\\n  --account-name \"$STORAGE\" \\\n  --account-key \"$KEY\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Upload sample blobs with different prefixes<\/h3>\n\n\n\n<p><strong>Expected outcome:<\/strong> Blobs exist under <code>raw\/<\/code> and <code>tmp\/<\/code>.<\/p>\n\n\n\n<p>Create local test files:<\/p>\n\n\n\n<pre><code class=\"language-bash\">mkdir -p labdata\/raw labdata\/tmp\necho \"invoice-001\" &gt; labdata\/raw\/invoice-001.txt\necho \"invoice-002\" &gt; labdata\/raw\/invoice-002.txt\necho \"temp-file\"   &gt; labdata\/tmp\/temp-001.txt\n<\/code><\/pre>\n\n\n\n<p>Upload them:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az storage blob upload-batch \\\n  --destination \"$CONTAINER\" \\\n  --source \"labdata\" \\\n  --account-name \"$STORAGE\" \\\n  --account-key \"$KEY\"\n<\/code><\/pre>\n\n\n\n<p>List blobs:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az storage blob list \\\n  --container-name \"$CONTAINER\" \\\n  --account-name \"$STORAGE\" \\\n  --account-key \"$KEY\" \\\n  --query \"[].name\" -o table\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a user-assigned managed identity<\/h3>\n\n\n\n<p><strong>Expected outcome:<\/strong> A managed identity exists and has a principal ID.<\/p>\n\n\n\n<pre><code class=\"language-bash\">IDENTITY_NAME=\"id-storage-actions-lab\"\n\naz identity create \\\n  --name \"$IDENTITY_NAME\" \\\n  --resource-group \"$RG\" \\\n  --location \"$LOCATION\"\n<\/code><\/pre>\n\n\n\n<p>Capture identity IDs:<\/p>\n\n\n\n<pre><code class=\"language-bash\">IDENTITY_PRINCIPAL_ID=$(az identity show -g \"$RG\" -n \"$IDENTITY_NAME\" --query principalId -o tsv)\nIDENTITY_RESOURCE_ID=$(az identity show -g \"$RG\" -n \"$IDENTITY_NAME\" --query id -o tsv)\n\necho \"principalId=$IDENTITY_PRINCIPAL_ID\"\necho 
\"resourceId=$IDENTITY_RESOURCE_ID\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Grant the identity permissions on the storage account<\/h3>\n\n\n\n<p>Azure Storage Actions needs permissions to perform actions on blobs.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> The managed identity has a data-plane RBAC role on the storage account.<\/p>\n\n\n\n<p>Assign a broad role for lab simplicity:<\/p>\n\n\n\n<pre><code class=\"language-bash\">STORAGE_ID=$(az storage account show -g \"$RG\" -n \"$STORAGE\" --query id -o tsv)\n\naz role assignment create \\\n  --assignee-object-id \"$IDENTITY_PRINCIPAL_ID\" \\\n  --assignee-principal-type ServicePrincipal \\\n  --role \"Storage Blob Data Contributor\" \\\n  --scope \"$STORAGE_ID\"\n<\/code><\/pre>\n\n\n\n<blockquote>\n<p>Best practice: In production, use the <strong>least privileged<\/strong> role for the specific action (e.g., tag-only if available). Start broad in a lab only to reduce setup friction.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Register the resource provider (if required)<\/h3>\n\n\n\n<p>If Azure Storage Actions is new\/preview in your tenant, you may need to register its resource provider.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> The provider is registered or already registered.<\/p>\n\n\n\n<p>In a separate terminal (registration can take a few minutes), run:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># The provider name may vary; verify in official docs for Azure Storage Actions.\n# Common pattern for new services is to register a Microsoft.* provider.\n# If this fails, skip and use the portal to see the exact provider needed.\naz provider register --namespace Microsoft.StorageActions\n<\/code><\/pre>\n\n\n\n<p>Check status:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az provider show --namespace Microsoft.StorageActions --query \"registrationState\" -o tsv\n<\/code><\/pre>\n\n\n\n<p>If the namespace differs for your environment, 
<strong>verify in official docs<\/strong> or in the Azure portal error message when creating the resource.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Create an Azure Storage Actions task (Portal)<\/h3>\n\n\n\n<p>Because task schema and supported operations can vary by release, the most reliable beginner path is the Azure portal.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> A Storage Actions task exists in your resource group.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to https:\/\/portal.azure.com<\/li>\n<li>Search for <strong>Azure Storage Actions<\/strong> (or <strong>Storage Actions<\/strong>).<\/li>\n<li>Select <strong>Create<\/strong>.<\/li>\n<li>Choose:<ul>\n<li>Subscription: your subscription<\/li>\n<li>Resource group: <code>rg-storage-actions-lab<\/code><\/li>\n<li>Region: same as your storage account (<code>eastus<\/code> in this lab)<\/li>\n<li>Name: <code>task-governance-lab<\/code><\/li>\n<\/ul>\n<\/li>\n<li>In the task definition:<ul>\n<li>Select a <strong>built-in template<\/strong> if available (recommended for first run).<\/li>\n<li>Choose an action you can validate easily, such as:<ul>\n<li><strong>Apply blob index tags<\/strong> to blobs under a prefix (recommended), or<\/li>\n<li><strong>Change access tier<\/strong> for blobs under a prefix (if supported in your region)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Configure the task to target only:<ul>\n<li>Container: <code>data<\/code><\/li>\n<li>Prefix: <code>raw\/<\/code> (so <code>tmp\/<\/code> is unaffected)<\/li>\n<\/ul>\n<\/li>\n<li>Configure identity:<ul>\n<li>Select <strong>User-assigned managed identity<\/strong><\/li>\n<li>Choose <code>id-storage-actions-lab<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Create the task.<\/p>\n\n\n\n<blockquote>\n<p>If you do not see a prefix filter, use the narrowest scoping option available (container-level) and reduce the data set to only the blobs you want impacted.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Create an 
assignment and run it (Portal)<\/h3>\n\n\n\n<p><strong>Expected outcome:<\/strong> The assignment runs and modifies the targeted blobs.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Storage Actions task, find <strong>Assignments<\/strong> (or the equivalent section).<\/li>\n<li>Create an assignment:<ul>\n<li>Target storage account: the lab storage account (<code>stactions...<\/code>)<\/li>\n<li>Target container\/scope: <code>data<\/code> (and <code>raw\/<\/code> if supported)<\/li>\n<li>Execution mode: <strong>Run now \/ on-demand<\/strong> (for lab)<\/li>\n<\/ul>\n<\/li>\n<li>Start the run.<\/li>\n<\/ol>\n\n\n\n<p>Wait for completion and review:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run status: Succeeded\/Failed<\/li>\n<li>Number of objects evaluated\/modified (as shown in the portal)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Validate the result with Azure CLI<\/h3>\n\n\n\n<p>Validation depends on the action you chose.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: If you applied blob index tags<\/h4>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>raw\/invoice-001.txt<\/code> and <code>raw\/invoice-002.txt<\/code> have the new tag(s); <code>tmp\/temp-001.txt<\/code> does not.<\/p>\n\n\n\n<p>List tags for a blob (requires a CLI that supports blob tags operations):<\/p>\n\n\n\n<pre><code class=\"language-bash\"># If you applied a tag like: env=lab\naz storage blob tag list \\\n  --account-name \"$STORAGE\" \\\n  --account-key \"$KEY\" \\\n  --container-name \"$CONTAINER\" \\\n  --name \"raw\/invoice-001.txt\" \\\n  -o table\n<\/code><\/pre>\n\n\n\n<p>Check the tmp blob:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az storage blob tag list \\\n  --account-name \"$STORAGE\" \\\n  --account-key \"$KEY\" \\\n  --container-name \"$CONTAINER\" \\\n  --name \"tmp\/temp-001.txt\" \\\n  -o table\n<\/code><\/pre>\n\n\n\n<p>If the CLI command isn\u2019t available in your installed Azure CLI version, update Azure CLI or validate via portal:\n&#8211; Storage account \u2192 Containers \u2192 
<code>data<\/code> \u2192 select blob \u2192 view <strong>Blob index tags<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: If you changed access tier (where supported)<\/h4>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>raw\/<\/code> blobs show the new tier.<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Azure CLI reports a blob's access tier as properties.blobTier\naz storage blob show \\\n  --account-name \"$STORAGE\" \\\n  --account-key \"$KEY\" \\\n  --container-name \"$CONTAINER\" \\\n  --name \"raw\/invoice-001.txt\" \\\n  --query \"{name:name, tier:properties.blobTier}\" -o table\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>You should confirm:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The task run shows <strong>Succeeded<\/strong><\/li>\n<li>Only blobs in the intended scope (<code>raw\/<\/code>) were modified<\/li>\n<li>The change is visible via CLI or the portal (tags\/tier\/metadata)<\/li>\n<\/ul>\n\n\n\n<p>If more blobs were impacted than expected, stop further assignments and tighten the scope before rerunning.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: \u201cResource provider not registered\u201d<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Symptom:<\/strong> Portal or CLI shows provider registration errors when creating Storage Actions resources.<\/li>\n<li><strong>Fix:<\/strong> Register the provider (namespace may differ\u2014use the one shown in the error).<ul>\n<li>Portal: Subscription \u2192 Resource providers \u2192 search and register<\/li>\n<li>CLI: <code>az provider register --namespace &lt;NamespaceFromError&gt;<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Task run fails with authorization errors<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Symptom:<\/strong> Run history indicates forbidden\/unauthorized.<\/li>\n<li><strong>Fix checklist:<\/strong><\/li>\n<li>Confirm the task is configured to use the correct managed identity.<\/li>\n<li>Confirm RBAC role assignment exists at the 
right scope (storage account or container).<\/li>\n<li>Wait a few minutes: RBAC can take time to propagate.<\/li>\n<li>Ensure your storage account settings do not block access (for example, networking restrictions). <strong>Verify whether Storage Actions supports private endpoints-only configurations<\/strong> in your scenario.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Changes not visible immediately<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Symptom:<\/strong> Run succeeded but tags\/tier not reflected right away.<\/li>\n<li><strong>Fix:<\/strong> Wait a few minutes and re-check; some property updates may appear with slight delay. Confirm you are checking the exact blob and not a similarly named object.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: The portal doesn\u2019t show the same actions\/templates<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> Feature set differs by region\/preview flight.<\/li>\n<li><strong>Fix:<\/strong> Use any supported action you can validate (e.g., tagging) and keep the scope small. Check official docs for current supported actions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs, delete the resource group.<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group delete --name \"$RG\" --yes --no-wait\n<\/code><\/pre>\n\n\n\n<p>Verify deletion in the portal or:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group exists --name \"$RG\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use a hub-and-spoke governance model:<\/strong> Define tasks centrally; assign to workloads with controlled rollout.<\/li>\n<li><strong>Separate \u201ctask definitions\u201d from \u201cassignments\u201d:<\/strong> treat definitions like policy artifacts and assignments like deployments.<\/li>\n<li><strong>Design for safe rollout:<\/strong><\/li>\n<li>Start with dev\/test containers<\/li>\n<li>Use narrow prefixes<\/li>\n<li>Expand scope gradually<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prefer user-assigned managed identities<\/strong> for shared governance tasks (central lifecycle, reusable across tasks).<\/li>\n<li><strong>Least privilege RBAC:<\/strong><\/li>\n<li>Avoid <code>Storage Blob Data Contributor<\/code> in production if you only need tagging\/tiering.<\/li>\n<li>Scope role assignment as narrowly as possible (container-level if supported\/appropriate).<\/li>\n<li><strong>Avoid shared keys and long-lived SAS<\/strong> in automation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Minimize broad scans<\/strong> across massive datasets.<\/li>\n<li><strong>Tag once, automate downstream:<\/strong> apply tags and then rely on lifecycle policies for time-based actions.<\/li>\n<li><strong>Monitor Cost Management<\/strong> for both:<\/li>\n<li>Storage transactions increases<\/li>\n<li>Log Analytics ingestion (if diagnostics enabled)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoid frequent reprocessing<\/strong> of the same objects. 
Ensure tasks are idempotent where possible.<\/li>\n<li><strong>Use filtering<\/strong> (prefix\/tags) to reduce evaluated objects.<\/li>\n<li><strong>Align with storage partitioning best practices:<\/strong> use logical prefixes to isolate workloads.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Plan for retries and partial success:<\/strong> bulk operations may have intermittent failures.<\/li>\n<li><strong>Use run history and alerts<\/strong> to detect drift (tasks not running, consistent failures).<\/li>\n<li><strong>Create rollback strategy<\/strong> for destructive actions:<\/li>\n<li>Avoid delete until fully validated<\/li>\n<li>Prefer tagging as a first phase, then delete in a later controlled phase<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standard naming conventions<\/strong>:<\/li>\n<li>Tasks: <code>task-&lt;domain&gt;-&lt;purpose&gt;-&lt;env&gt;<\/code><\/li>\n<li>Assignments: <code>assign-&lt;task&gt;-&lt;storage&gt;-&lt;scope&gt;<\/code><\/li>\n<li><strong>Tag governance resources<\/strong>: <code>owner<\/code>, <code>env<\/code>, <code>costCenter<\/code>, <code>dataClassification<\/code>.<\/li>\n<li><strong>Document runbooks<\/strong> for:<\/li>\n<li>Failure triage<\/li>\n<li>Permission changes<\/li>\n<li>Expanding scope safely<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Azure Policy to enforce baseline on target storage accounts:<\/li>\n<li>Secure transfer required<\/li>\n<li>Minimum TLS<\/li>\n<li>No public blob access<\/li>\n<li>Private endpoint requirements (if used)<\/li>\n<li>Use resource locks carefully (avoid blocking legitimate updates).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Storage Actions should authenticate using <strong>managed identities<\/strong>.<\/li>\n<li>Permissions should be granted with <strong>Azure RBAC<\/strong> on the target storage account\/container.<\/li>\n<li>Prefer:<\/li>\n<li>User-assigned managed identity for centralized control<\/li>\n<li>Role assignments scoped narrowly<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Storage encryption at rest is enabled by default for storage accounts.<\/li>\n<li>If using customer-managed keys (CMK), confirm compatibility with the actions you plan to run and with the managed service\u2019s access patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the storage account denies public network access and uses private endpoints, confirm:<\/li>\n<li>Whether Azure Storage Actions can operate under those conditions<\/li>\n<li>Whether additional configuration is required<\/li>\n<\/ul>\n\n\n\n<p>This is a common constraint for managed services\u2014<strong>verify in official docs<\/strong> and run a proof of concept.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid storing storage account keys in pipelines and scripts.<\/li>\n<li>For labs, keys simplify setup, but production should favor:<\/li>\n<li>Managed identity<\/li>\n<li>Azure Key Vault only if absolutely needed (and still avoid keys when possible)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use:<\/li>\n<li>Storage account logging (as appropriate)<\/li>\n<li>Azure Activity Log for control-plane changes to tasks\/assignments<\/li>\n<li>Diagnostic settings for Azure Storage Actions if available<\/li>\n<li>Ensure 
audit trails include:<\/li>\n<li>Who edited task definitions<\/li>\n<li>Who created\/expanded assignments<\/li>\n<li>When runs occurred and what changed<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For regulated workloads:<\/li>\n<li>Validate that actions align with retention and immutability requirements.<\/li>\n<li>Avoid automated deletion unless retention policy allows it.<\/li>\n<li>Ensure run logs are retained according to compliance requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Granting overly broad roles at subscription scope<\/li>\n<li>Using storage account keys in automation<\/li>\n<li>Running destructive actions (delete\/move) without staged rollout<\/li>\n<li>Failing to account for private endpoint \/ firewall restrictions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least privilege identities and scoped RBAC.<\/li>\n<li>Implement change control for task updates.<\/li>\n<li>Require peer review for any task that can delete or overwrite data.<\/li>\n<li>Pilot in non-production and use small scopes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<p>Because Azure Storage Actions can be region\/preview dependent, treat this as a checklist of common constraints to validate.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations to verify<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Region availability<\/strong> and whether the service is Preview\/GA in your region.<\/li>\n<li>Supported storage types:<\/li>\n<li>Blob Storage vs ADLS Gen2 features<\/li>\n<li>Support for premium accounts or specialized SKUs (verify)<\/li>\n<li>Supported blob features:<\/li>\n<li>Versions\/snapshots handling<\/li>\n<li>Append blobs\/page blobs (verify)<\/li>\n<li>Supported actions:<\/li>\n<li>Tagging vs tiering vs delete vs copy\/move (verify exact support list)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limits on number of tasks and assignments per subscription\/region<\/li>\n<li>Limits on runs per time period<\/li>\n<li>Limits on scope size per run<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cross-region operations may be restricted or expensive.<\/li>\n<li>Some action types may only be available in certain regions during rollout.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Even if the service itself has minimal cost, the <strong>storage transactions<\/strong> can be significant at scale.<\/li>\n<li>Tier changes and metadata updates can create large write\/transaction volumes.<\/li>\n<li>Logs into Log Analytics can be costly if verbose.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private endpoint-only storage accounts may block managed service access unless specifically supported.<\/li>\n<li>Conditional Access policies and tenant restrictions might affect managed identities (rare but worth 
validating).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RBAC propagation delays can cause transient authorization failures.<\/li>\n<li>A broad assignment can change a huge number of objects\u2014treat assignments like production deployments.<\/li>\n<li>If tasks are not idempotent, repeated runs can cause repeated writes and cost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from scripts to Azure Storage Actions requires:<\/li>\n<li>translating logic into the supported task definition model<\/li>\n<li>creating safe rollouts and validation steps<\/li>\n<li>adjusting RBAC patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Storage has multiple layers of controls (account firewall, private endpoints, RBAC, SAS, keys). Ensure your design doesn\u2019t accidentally depend on keys when using managed identities.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<p>Azure Storage Actions is one tool in a broader Azure Storage automation toolbox.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives within Azure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blob lifecycle management:<\/strong> best for age-based tiering and deletion.<\/li>\n<li><strong>Azure Functions + Event Grid:<\/strong> best for custom logic and event-driven processing.<\/li>\n<li><strong>Logic Apps:<\/strong> low-code orchestration across many systems.<\/li>\n<li><strong>Azure Data Factory \/ Synapse pipelines:<\/strong> scheduled\/batch data movement and transformation.<\/li>\n<li><strong>Azure Automation \/ Runbooks:<\/strong> script execution with schedules (more DIY ops).<\/li>\n<li><strong>Storage inventory + custom processing:<\/strong> reporting and analytics-driven governance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS: <strong>S3 Lifecycle<\/strong>, <strong>S3 Batch Operations<\/strong>, EventBridge + Lambda<\/li>\n<li>GCP: <strong>Object Lifecycle Management<\/strong>, Cloud Functions, Storage Transfer Service (for transfers)<\/li>\n<li>Multi-cloud: custom tooling, rclone, proprietary data governance platforms<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source\/self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cron + scripts (Python, PowerShell) scanning blobs<\/li>\n<li>Containerized batch jobs (Kubernetes CronJobs)<\/li>\n<li>Workflow engines (Airflow) with storage operators<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Azure Storage Actions<\/strong><\/td>\n<td>Managed bulk actions and governance automation on 
Storage<\/td>\n<td>Central tasks + assignments, managed identity, operational visibility<\/td>\n<td>Feature availability varies; may not support complex logic; must validate networking constraints<\/td>\n<td>You need standardized, repeatable storage governance actions at scale<\/td>\n<\/tr>\n<tr>\n<td>Blob lifecycle management<\/td>\n<td>Age-based tiering\/deletion<\/td>\n<td>Simple, built-in, cost-efficient<\/td>\n<td>Limited to lifecycle-style rules; not a general action engine<\/td>\n<td>Your use case is purely time\/age based tiering and retention<\/td>\n<\/tr>\n<tr>\n<td>Functions + Event Grid<\/td>\n<td>Event-driven custom processing<\/td>\n<td>Flexible code, integrates with many services<\/td>\n<td>You own retries, scaling, error handling; may be complex for bulk backfills<\/td>\n<td>You need custom logic per object and real-time processing<\/td>\n<\/tr>\n<tr>\n<td>Logic Apps<\/td>\n<td>Workflow automation across systems<\/td>\n<td>Low-code, connectors, approvals<\/td>\n<td>Can become expensive\/noisy for high-volume blob events<\/td>\n<td>You need business-process orchestration and approvals<\/td>\n<\/tr>\n<tr>\n<td>Data Factory\/Synapse pipelines<\/td>\n<td>Batch ETL\/ELT and movement<\/td>\n<td>Strong scheduling, data movement connectors<\/td>\n<td>More complex and heavier than governance actions<\/td>\n<td>You need transformations, joins, or structured pipelines<\/td>\n<\/tr>\n<tr>\n<td>Azure Automation runbooks<\/td>\n<td>Scripted ops<\/td>\n<td>Familiar scripting, schedules<\/td>\n<td>Operational overhead; brittle at scale<\/td>\n<td>You need custom scripts and accept managing runtime<\/td>\n<\/tr>\n<tr>\n<td>AWS S3 Batch Operations (other cloud)<\/td>\n<td>Bulk ops on S3<\/td>\n<td>Mature bulk model<\/td>\n<td>Not Azure-native<\/td>\n<td>You\u2019re on AWS and need bulk actions<\/td>\n<\/tr>\n<tr>\n<td>Self-managed scripts<\/td>\n<td>Full control<\/td>\n<td>Maximum flexibility<\/td>\n<td>High toil, brittle, hard to audit<\/td>\n<td>Only for small 
scale or temporary needs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Central data lake governance across business units<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A global enterprise has dozens of storage accounts feeding a central analytics estate. Teams upload data inconsistently, missing required tags (<code>dataSensitivity<\/code>, <code>domain<\/code>, <code>retention<\/code>), and cost is rising due to lack of tiering discipline.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>Platform team defines standard <strong>Azure Storage Actions tasks<\/strong>:<ul>\n<li>Apply required blob index tags based on container\/prefix naming<\/li>\n<li>Tag noncompliant objects for review<\/li>\n<\/ul>\n<\/li>\n<li>Tasks are assigned to each business unit\u2019s storage account with narrow scopes first, then expanded.<\/li>\n<li>Lifecycle management uses those tags\/prefixes for tiering and retention.<\/li>\n<li>Monitoring via Azure Monitor and run history; alerts on failed runs.<\/li>\n<li><strong>Why Azure Storage Actions was chosen:<\/strong><\/li>\n<li>Central reusable definitions with controlled assignment<\/li>\n<li>Managed identity and RBAC alignment<\/li>\n<li>Avoids running custom scanners across massive datasets<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Consistent tagging across data lake zones<\/li>\n<li>Reduced manual audit effort<\/li>\n<li>Improved cost control (tiering enabled by standardized tags\/prefixes)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Cost control and hygiene for application logs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup stores application logs and exports under a single container; temp exports accumulate and inflate 
costs.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>One Azure Storage Actions task assigned to the <code>logs<\/code> container:<ul>\n<li>Tag or identify <code>tmp\/<\/code> exports<\/li>\n<li>Clean up old temporary artifacts (if delete is supported\/allowed) or tag for lifecycle deletion<\/li>\n<\/ul>\n<\/li>\n<li>Budgets and alerts in Cost Management<\/li>\n<li><strong>Why Azure Storage Actions was chosen:<\/strong><\/li>\n<li>No dedicated platform engineer to maintain cron jobs<\/li>\n<li>Simple managed approach with run tracking<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Reduced storage growth<\/li>\n<li>Clear operational visibility (task runs)<\/li>\n<li>Less risk than ad-hoc scripts<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Azure Storage Actions the same as Azure Blob lifecycle management?<\/strong><br\/>\nNo. Blob lifecycle management is a built-in policy engine for tiering\/deletion primarily based on age and simple filters. Azure Storage Actions is positioned for broader \u201cactions\u201d and governance automation. There can be overlap; often you use both.<\/p>\n\n\n\n<p>2) <strong>Does Azure Storage Actions work with Azure Data Lake Storage Gen2 (hierarchical namespace)?<\/strong><br\/>\nIt is commonly associated with blob\/data lake patterns, but compatibility depends on the specific feature set and region. <strong>Verify in official docs<\/strong> for ADLS Gen2\/HNS support and any limitations.<\/p>\n\n\n\n<p>3) <strong>Can I use Azure Storage Actions without writing code?<\/strong><br\/>\nThat is the typical goal. However, the task definition may still require structured configuration. 
Capabilities vary; <strong>verify current portal authoring experience<\/strong>.<\/p>\n\n\n\n<p>4) <strong>Does it support event-driven triggers (on blob created)?<\/strong><br\/>\nSome releases may support schedules or on-demand execution; event-driven triggers may depend on current integration. <strong>Verify supported triggers<\/strong> in official docs.<\/p>\n\n\n\n<p>5) <strong>What identity does it use to change blobs?<\/strong><br\/>\nGenerally a managed identity you configure (system-assigned or user-assigned). You grant that identity data-plane RBAC roles to the target storage.<\/p>\n\n\n\n<p>6) <strong>Do I need to use storage account keys?<\/strong><br\/>\nIn production, you should avoid keys and use managed identity. Keys may be used for quick labs or manual checks, but they are not recommended for automation.<\/p>\n\n\n\n<p>7) <strong>Can it delete blobs?<\/strong><br\/>\nDeletion is a sensitive operation and may or may not be supported depending on release. If supported, implement staged rollout and approval controls. <strong>Verify in official docs<\/strong>.<\/p>\n\n\n\n<p>8) <strong>Can it move blobs between containers\/accounts?<\/strong><br\/>\nCopy\/move operations can be complex and may not be supported in all releases. If not supported, use Data Factory, AzCopy, or custom compute. <strong>Verify supported actions<\/strong>.<\/p>\n\n\n\n<p>9) <strong>How do I restrict it to only a prefix like <code>raw\/<\/code>?<\/strong><br\/>\nUse assignment scoping and\/or filters (prefix\/tag filters) if supported. If prefix filtering is not available, limit the dataset (separate containers) to control blast radius.<\/p>\n\n\n\n<p>10) <strong>How do I monitor failures?<\/strong><br\/>\nUse run history in the service and integrate with Azure Monitor\/Log Analytics if diagnostics are supported. 
Also monitor Storage account metrics for spikes in transactions.<\/p>\n\n\n\n<p>11) <strong>Will this increase my storage transaction costs?<\/strong><br\/>\nYes, any action that lists, reads, tags, or modifies objects generates transactions. At scale, transaction cost can exceed the service\u2019s own cost.<\/p>\n\n\n\n<p>12) <strong>Is it safe for production?<\/strong><br\/>\nIt can be, if you follow safe rollout practices: least privilege, narrow scoping, test-first, alerts, and change control. Also validate service maturity (Preview vs GA) for your region.<\/p>\n\n\n\n<p>13) <strong>Can I use it across subscriptions?<\/strong><br\/>\nPotentially, via RBAC and assignments, but cross-subscription governance requires careful identity and access design. <strong>Verify cross-subscription support<\/strong>.<\/p>\n\n\n\n<p>14) <strong>What happens if my storage account blocks public access and uses private endpoints only?<\/strong><br\/>\nManaged services sometimes require special support to reach private endpoints. <strong>Verify networking support<\/strong> for Azure Storage Actions with private endpoints\/firewalls.<\/p>\n\n\n\n<p>15) <strong>How do I version-control tasks?<\/strong><br\/>\nUse Infrastructure as Code (Bicep\/ARM\/Terraform) if the resource types are supported, or export templates and store them in Git. For Preview features, IaC support may lag\u2014<strong>verify<\/strong>.<\/p>\n\n\n\n<p>16) <strong>Can I run a one-time backfill on old data?<\/strong><br\/>\nThat\u2019s a common use case: create a task and run it once on a specific scope. 
Always start with a small subset to validate behavior and cost.<\/p>\n\n\n\n<p>17) <strong>What\u2019s the difference between a task and an assignment?<\/strong><br\/>\nA task is the reusable \u201cwhat to do.\u201d An assignment is the \u201capply this task to that storage scope (and run it on this schedule\/trigger).\u201d<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Azure Storage Actions<\/h2>\n\n\n\n<p>Because URLs and doc structure can change as services evolve, the safest \u201calways correct\u201d official starting point is Microsoft Learn search plus the Azure Storage documentation hub.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Microsoft Learn search: Azure Storage Actions<\/td>\n<td>Most reliable way to find the current official overview, quickstarts, and schema docs: https:\/\/learn.microsoft.com\/search\/?terms=Azure%20Storage%20Actions<\/td>\n<\/tr>\n<tr>\n<td>Official documentation hub<\/td>\n<td>Azure Storage documentation<\/td>\n<td>Entry point for storage concepts and related services: https:\/\/learn.microsoft.com\/azure\/storage\/<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Azure Storage pricing<\/td>\n<td>Understand transaction, capacity, and data transfer pricing drivers: https:\/\/azure.microsoft.com\/pricing\/details\/storage\/<\/td>\n<\/tr>\n<tr>\n<td>Official pricing tool<\/td>\n<td>Azure Pricing Calculator<\/td>\n<td>Model end-to-end costs and validate meters: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\n<\/tr>\n<tr>\n<td>Official portal<\/td>\n<td>Azure Portal<\/td>\n<td>Create and manage tasks\/assignments through supported UI: https:\/\/portal.azure.com<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Microsoft Learn search: storage governance \/ blob lifecycle \/ 
tagging<\/td>\n<td>Find architecture patterns that complement Storage Actions: https:\/\/learn.microsoft.com\/search\/?terms=Azure%20blob%20governance%20tagging%20lifecycle<\/td>\n<\/tr>\n<tr>\n<td>Related service docs<\/td>\n<td>Blob lifecycle management<\/td>\n<td>Often paired with Storage Actions for retention\/tiering: https:\/\/learn.microsoft.com\/azure\/storage\/blobs\/lifecycle-management-overview<\/td>\n<\/tr>\n<tr>\n<td>Related service docs<\/td>\n<td>Blob index tags<\/td>\n<td>Learn how tags work and how to query them: https:\/\/learn.microsoft.com\/azure\/storage\/blobs\/storage-manage-find-blobs<\/td>\n<\/tr>\n<tr>\n<td>Monitoring<\/td>\n<td>Azure Monitor documentation<\/td>\n<td>Logs\/metrics\/alerts patterns for managed services: https:\/\/learn.microsoft.com\/azure\/azure-monitor\/<\/td>\n<\/tr>\n<tr>\n<td>Tooling<\/td>\n<td>Azure CLI docs<\/td>\n<td>Commands used for lab validation and storage operations: https:\/\/learn.microsoft.com\/cli\/azure\/storage<\/td>\n<\/tr>\n<tr>\n<td>Updates<\/td>\n<td>Azure Updates<\/td>\n<td>Track GA\/Preview announcements for Storage Actions: https:\/\/azure.microsoft.com\/updates\/<\/td>\n<\/tr>\n<tr>\n<td>Samples<\/td>\n<td>Microsoft official GitHub (search)<\/td>\n<td>Find official samples if published: https:\/\/github.com\/Azure (use repo search for \u201cStorage Actions\u201d)<\/td>\n<\/tr>\n<tr>\n<td>Community<\/td>\n<td>Microsoft Q&amp;A (Azure Storage)<\/td>\n<td>Troubleshoot real-world errors and limitations: https:\/\/learn.microsoft.com\/answers\/topics\/azure-storage.html<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Azure Storage Actions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure Storage fundamentals<\/strong><ul>\n<li>Storage accounts, containers, blobs<\/li>\n<li>Access tiers and redundancy options<\/li>\n<li>Storage security basics (keys vs SAS vs Entra ID)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Azure identity and access<\/strong><ul>\n<li>Microsoft Entra ID concepts<\/li>\n<li>Managed identities<\/li>\n<li>Azure RBAC and data-plane vs control-plane permissions<\/li>\n<\/ul>\n<\/li>\n<li><strong>Basic operations<\/strong><ul>\n<li>Azure CLI fundamentals<\/li>\n<li>Monitoring basics (Azure Monitor, Activity Log)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Azure Storage Actions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blob lifecycle management<\/strong> (to combine tags + lifecycle rules)<\/li>\n<li><strong>Event-driven architecture<\/strong><ul>\n<li>Event Grid + Functions for custom logic<\/li>\n<\/ul>\n<\/li>\n<li><strong>Governance at scale<\/strong><ul>\n<li>Azure Policy, management groups, landing zones<\/li>\n<\/ul>\n<\/li>\n<li><strong>Observability<\/strong><ul>\n<li>Log Analytics, KQL, alerting patterns<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data platform patterns<\/strong><ul>\n<li>ADLS Gen2 concepts, lakehouse patterns, data catalog\/governance tooling<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Engineer \/ Cloud Operations Engineer<\/li>\n<li>Platform Engineer<\/li>\n<li>DevOps Engineer<\/li>\n<li>SRE<\/li>\n<li>Storage Engineer<\/li>\n<li>Security\/Compliance Engineer (for governance automation)<\/li>\n<li>Data Platform Engineer (for data lake hygiene)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Azure)<\/h3>\n\n\n\n<p>Azure Storage Actions is typically covered indirectly through broader Azure certifications rather than as a standalone exam topic. 
Consider:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AZ-900 (Azure Fundamentals)<\/li>\n<li>AZ-104 (Azure Administrator)<\/li>\n<li>AZ-305 (Azure Solutions Architect)<\/li>\n<li>Security-focused certs if your work is governance heavy<\/li>\n<\/ul>\n\n\n\n<p>Always verify current certification outlines on Microsoft Learn.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Tagging governance project:<\/strong> Apply standardized blob tags by prefix and validate queries.<\/li>\n<li><strong>Cost optimization project:<\/strong> Tag data by lifecycle stage and use lifecycle rules for tiering.<\/li>\n<li><strong>Multi-account rollout:<\/strong> Use one identity and one task definition assigned to multiple dev storage accounts.<\/li>\n<li><strong>Operational readiness:<\/strong> Create alerts on task failures and build a runbook.<\/li>\n<li><strong>Security hardening:<\/strong> Validate least privilege RBAC for a tag-only task; remove broad roles.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure Storage Actions:<\/strong> Azure service for defining and running managed actions against Azure Storage data based on task definitions and assignments.<\/li>\n<li><strong>Storage account:<\/strong> The top-level Azure Storage resource that contains services like Blob, Queue, Table, and Files.<\/li>\n<li><strong>Blob container:<\/strong> A grouping of blobs within Blob Storage.<\/li>\n<li><strong>Blob (object):<\/strong> A file-like object stored in Azure Blob Storage.<\/li>\n<li><strong>Blob index tags:<\/strong> Key-value tags stored with blobs for filtering and searching without scanning full metadata.<\/li>\n<li><strong>Access tier:<\/strong> Hot\/Cool\/Archive tiers that affect storage cost and access performance.<\/li>\n<li><strong>Managed identity:<\/strong> An Azure identity used by services\/apps to authenticate without storing credentials.<\/li>\n<li><strong>Azure RBAC:<\/strong> Role-based access control for Azure resources.<\/li>\n<li><strong>Data plane vs control plane:<\/strong> Data plane is operations on data (blobs); control plane is management of resources (ARM).<\/li>\n<li><strong>Assignment:<\/strong> A binding between a task definition and a target scope for execution.<\/li>\n<li><strong>Prefix:<\/strong> A path-like string at the beginning of blob names (e.g., <code>raw\/2026\/04\/<\/code>), commonly used for organization.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Azure Storage Actions is an Azure Storage automation service that helps you <strong>apply consistent actions to storage objects at scale<\/strong> using centrally defined tasks and scoped assignments. 
It matters because storage governance (tagging, hygiene, policy alignment, and cost control) becomes difficult and risky when handled by ad-hoc scripts\u2014especially across many accounts and millions of blobs.<\/p>\n\n\n\n<p>Architecturally, it fits as a managed \u201cgovernance automation layer\u201d between Azure Storage\u2019s native policies (like lifecycle management) and custom orchestration (Functions\/Logic Apps). Cost-wise, the biggest drivers are usually <strong>storage transactions<\/strong> and any large-scale write\/copy activity, plus potential service-side execution meters\u2014so pilot with small scopes and monitor billing. Security-wise, use <strong>managed identities + least privilege RBAC<\/strong>, be cautious with private endpoint\/firewall constraints, and treat large assignments as production changes with approvals and monitoring.<\/p>\n\n\n\n<p>Use Azure Storage Actions when you need <strong>repeatable, auditable, scalable storage operations<\/strong> without owning batch compute. 
Next step: review the official Microsoft Learn documentation (via the search link in Resources), confirm your region\u2019s supported actions, and extend the lab into a controlled dev\u2192prod rollout with monitoring and cost guardrails.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Storage<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,7],"tags":[],"class_list":["post-515","post","type-post","status-publish","format-standard","hentry","category-azure","category-storage"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=515"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/515\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}