Who Deleted a Blob?

It is sometimes useful to know who created/modified/deleted a storage blob. For that information to be recorded in a log the authentication must be done with Azure AD to populate the user information correctly.

There are two sets of logs that can help, Azure Monitor logs and classic Analytics logs

1. Azure monitor storage columns - https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/storagebloblogs
 

Columns of interest

CallerIpAddress - The IP address of the requester, including the port number

OperationName - The type of REST operation that was performed

RequesterObjectId - The OAuth object ID of the requester

RequesterUpn - The User Principal Names of requestor

2. Classic Analytics logs columns - https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-log-format
(version 2.0 format has the columns that record user info)

Columns of interest

operation-type - The type of REST operation performed

requester-ip-address - the IP address of the requester, including the port number

user-object-id - The object ID used for authentication. May be any security principal, including a user, managed identity, or service principal

user-principal-name - User principal name used in bearer authorization

Delete a blob using Azure CLI and AAD authentication

Query Azure Monitor logs for DeleteBlob requests that use OAuth (AAD)

Check classic Analytics log for the DeleteBlob request

Further information
Monitoring Azure Blob Storage

https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

Azure Storage analytics logging

https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging