https://techcommunity.microsoft.com/discussions/microsoftdefendercloud/is-setting-an-index-tag-in-azure-defender-for-cloud-during-file-write-an-atomic-/4436620

Question

https://techcommunity.microsoft.com/discussions/microsoftdefendercloud/is-setting-an-index-tag-in-azure-defender-for-cloud-during-file-write-an-atomic-/4436620

Iacono, Vito 6

Hi, When using Azure Defender for Cloud, is setting an index tag at the same time as writing a file considered an atomic operation? Or is there a propagation delay before the tag becomes fully available and effective for search and policy enforcement? Any insights or official documentation references would be appreciated!

Nandamuri Pranay Teja 4,450 Reputation points Microsoft External Staff Moderator

2025-07-25T13:23:18.57+00:00
Hello Iacono, Vito

Thank you for posting the question!

To investigate further could you please confirm me the below details.

What is your primary use case for blob index tags in Defender for Storage? What types of files are you uploading, and what are their typical sizes?

Are you using any other Azure services that integrate with Azure Defender for Cloud? How do you plan to use tags across these services?

In the meantime, you can refer to the documentation on Manage and find Azure Blob data with blob index tags:

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources

Please be informed that when you set an index tag while writing a file, it is not guaranteed to be an atomic operation. This means that there could be a delay before the tag becomes fully effective for search and policy enforcement. After setting an index tag, there may be a brief period during which the tag is not yet available for search or policy enforcement. This is due to the eventual consistency model that many Azure services use, where changes may take some time to propagate throughout the system.

Let me know if you have any questions or concerns. I'm here to help.

1 answer

Your answer

Nandamuri Pranay Teja 4,450 Reputation points Microsoft External Staff Moderator

2025-07-25T13:23:18.57+00:00

Hello Iacono, Vito

Thank you for posting the question!

To investigate further could you please confirm me the below details.

What is your primary use case for blob index tags in Defender for Storage? What types of files are you uploading, and what are their typical sizes?

Are you using any other Azure services that integrate with Azure Defender for Cloud? How do you plan to use tags across these services?

In the meantime, you can refer to the documentation on Manage and find Azure Blob data with blob index tags:

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources

Please be informed that when you set an index tag while writing a file, it is not guaranteed to be an atomic operation. This means that there could be a delay before the tag becomes fully effective for search and policy enforcement. After setting an index tag, there may be a brief period during which the tag is not yet available for search or policy enforcement. This is due to the eventual consistency model that many Azure services use, where changes may take some time to propagate throughout the system.

Let me know if you have any questions or concerns. I'm here to help.

Answer 1

Iacono, Vito 6

Hi Pranay,

Thanks for your quick response and for sharing the documentation links.

My use case is quite straightforward: I would like to upload a file to Azure Blob Storage with an index tag in a single operation, and then read that file immediately after the upload completes. The files are typical business documents, and their sizes range from a few KB up to several MB.

My main concern is about ABAC policies that evaluate access permissions based on blob index tags. If I attempt to read the file right after upload, but the tag hasn’t propagated yet and the policy checks for the tag, I might encounter an authorization mismatch that doesn’t reflect the intended permissions.

Could you clarify if there is a recommended best practice or workaround to ensure that the index tag is available and effective for policy enforcement before attempting a read operation? Is there any way to programmatically confirm that the tag has been fully propagated?

Thanks again for your assistance!

Best regards, Vito

Nandamuri Pranay Teja 4,450 Reputation points Microsoft External Staff Moderator

2025-07-29T10:42:50.51+00:00
Hello Iacono, Vito

Please be informed that when you upload a blob with index tags, the blob itself is immediately available, but the tags may not be immediately indexed for ABAC policy evaluation. This creates a race condition where your ABAC policy might deny access because it can't see the required tag yet.

Hence you can Implement Retry Logic with Exponential Backoff

// Pseudo-code approach async Task<BlobDownloadInfo> ReadBlobWithRetry(string blobName, TimeSpan maxWait = TimeSpan.FromSeconds(10)) { var retryAttempts = 0; var maxRetries = 5; var baseDelay = TimeSpan.FromMilliseconds(100); while (retryAttempts < maxRetries) { try { return await blobClient.DownloadAsync(); } catch (RequestFailedException ex) when (ex.Status == 403) // Authorization failed { if (retryAttempts == maxRetries - 1) throw; var delay = TimeSpan.FromMilliseconds(baseDelay.TotalMilliseconds * Math.Pow(2, retryAttempts)); await Task.Delay(delay); retryAttempts++; } } }

Post which Structure your ABAC policies to handle the propagation window: Use a composite condition that allows access either by tag OR by being the uploader Include time-based conditions for recently uploaded blobs Use container-level permissions temporarily

Also Verify Tag Propagation Before Reading

async Task<bool> VerifyTagPropagation(BlobClient blobClient, Dictionary<string, string> expectedTags) { try { var response = await blobClient.GetTagsAsync(); return expectedTags.All(expected => response.Value.ContainsKey(expected.Key) && response.Value[expected.Key] == expected.Value); } catch { return false; } }

Note- Always implement retry logic for reads immediately after tagged uploads Design ABAC policies to be resilient during tag propagation windows Consider using ETags alongside tags for immediate consistency check. The tag propagation delay is typically measured in seconds, not minutes, but the exact timing can vary based on load and traffic patterns in your storage account.

Let me know if you have any questions or concerns, I'm here to assist you.
Nandamuri Pranay Teja 4,450 Reputation points Microsoft External Staff Moderator

2025-07-30T09:16:12.0066667+00:00

Hello Iacono, Vito

I wanted to follow-up to see if you had the chance to see the above comment. Let know if you have any questions or concerns in comment, I'm here to assist you.
Nandamuri Pranay Teja 4,450 Reputation points Microsoft External Staff Moderator

2025-07-31T09:46:37.2266667+00:00

Hello Iacono, Vito

just checking to see if you had the chance to see the above comment. Let know if you have any questions or concerns in comment, I'm here to assist you.

Share via

https://techcommunity.microsoft.com/discussions/microsoftdefendercloud/is-setting-an-index-tag-in-azure-defender-for-cloud-during-file-write-an-atomic-/4436620

1 answer

Your answer