Find unused storage account azure ARM


I've reached the hard cap of 250 storage accounts for my subscription. Storage accounts were created using ARM.

I need a way to find unused storage accounts and delete them. Basically I want to find storage accounts with containers that have not been accessed in 90 days and do a clean-up.

Is there a way to check the last accessed time, or a better way to clean up using PowerShell or preferably the Azure CLI?

Thanks

2

There are 2 answers

3
RoadRunner On

What you could do is get the most recent modified container from the LastModified property, then check if this timestamp is less than the current date minus 90 days. We would need to check both the container level and blob level LastModified properties.

# Set current context to subscription
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Compare against a UTC cutoff, since the storage service reports LastModified in UTC
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# Go through every storage account in your subscription
foreach ($storageAccount in Get-AzStorageAccount) {
    $storageAccountName = $storageAccount.StorageAccountName
    $resourceGroupName = $storageAccount.ResourceGroupName

    # Get key1 storage account key
    $storageAccountKey = (Get-AzStorageAccountKey -Name $storageAccountName -ResourceGroupName $resourceGroupName).Value[0]

    # Create storage account context using above key
    $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

    # fetch all containers
    $containers = Get-AzStorageContainer -Context $context

    $deleteStorageAccount = $false
    # Labelled loop so that a break from the blob loop also leaves the container loop
    :containerLoop foreach ($container in $containers) {

        # First check if container has been modified
        if ($container.LastModified.UtcDateTime -lt $cutoff) {
            $deleteStorageAccount = $true
            break
        }

        # Get all blobs from container, including deleted blobs
        $blobs = Get-AzStorageBlob -Container $container.Name -Context $context -IncludeDeleted

        # Then check each blob in container
        foreach ($blob in $blobs) {
            if ($blob.LastModified.UtcDateTime -lt $cutoff) {
                $deleteStorageAccount = $true
                break containerLoop
            }
        }
    }

    # If this flag is set, at least one container or blob in this account was last modified more than 90 days ago
    if ($deleteStorageAccount) {
        Remove-AzStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName -Force -WhatIf
    }
}

Since this action could be extremely harmful, you can run Remove-AzStorageAccount with -WhatIf to see what storage accounts will be deleted before deleting them for real.

1
Scott Taylor On

This is still not very good because it only takes 1 container or blob to be outside the 90 days to delete the whole storage account. You want to go the other way, assume you are going to delete unless you find one within 90 days:

# Set current context to subscription
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Compare against a UTC cutoff, since the storage service reports LastModified in UTC
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# Go through every storage account in your subscription
foreach ($storageAccount in Get-AzStorageAccount) {
    $storageAccountName = $storageAccount.StorageAccountName
    $resourceGroupName = $storageAccount.ResourceGroupName

    # Get key1 storage account key
    $storageAccountKey = (Get-AzStorageAccountKey -Name $storageAccountName -ResourceGroupName $resourceGroupName).Value[0]

    # Create storage account context using above key
    $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

    # fetch all containers
    $containers = Get-AzStorageContainer -Context $context

    # Assume the account is unused until something modified within 90 days is found
    $deleteStorageAccount = $true
    # Labelled loop so that a break from the blob loop also leaves the container loop
    :containerLoop foreach ($container in $containers) {

        # First check if container has been modified
        if ($container.LastModified.UtcDateTime -ge $cutoff) {
            $deleteStorageAccount = $false
            break
        }

        # Get all blobs from container, including deleted blobs
        $blobs = Get-AzStorageBlob -Container $container.Name -Context $context -IncludeDeleted

        # Then check each blob in container
        foreach ($blob in $blobs) {
            if ($blob.LastModified.UtcDateTime -ge $cutoff) {
                $deleteStorageAccount = $false
                break containerLoop
            }
        }
    }

    # If this flag is still set, nothing in this account was modified in the last 90 days
    if ($deleteStorageAccount) {
        Remove-AzStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName -Force -WhatIf
    }
}
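Added example, not code from either answer: a report-first variant of the same check that authenticates with the signed-in identity instead of listing account keys, records the newest write per account, and writes the candidates to a CSV before any Remove-AzStorageAccount call. It assumes the Az.Accounts and Az.Storage modules, an identity holding Reader on the subscription and Storage Blob Data Reader on the accounts, and a placeholder subscription id; the function name and CSV path are my own.

```powershell
# Added example, not from either answer. Assumes Az.Accounts + Az.Storage and a
# signed-in identity holding Reader on the subscription and Storage Blob Data
# Reader on the accounts, so no account keys are listed. Subscription id is a placeholder.
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

function Get-NewestWriteUtc {
    # Newest container/blob LastModified (UTC) in the account; stops early once
    # anything newer than the cutoff is seen, since that alone keeps the account.
    param([string]$AccountName, [datetime]$Cutoff)
    $ctx = New-AzStorageContext -StorageAccountName $AccountName -UseConnectedAccount
    $newest = [datetime]::MinValue
    :containers foreach ($c in Get-AzStorageContainer -Context $ctx) {
        $stamps = @($c.LastModified.UtcDateTime)
        $stamps += @(Get-AzStorageBlob -Container $c.Name -Context $ctx -IncludeDeleted |
            ForEach-Object { $_.LastModified.UtcDateTime })
        foreach ($s in $stamps) {
            if ($s -gt $newest) { $newest = $s }
            if ($newest -ge $Cutoff) { break containers }
        }
    }
    return $newest
}

$report = foreach ($sa in Get-AzStorageAccount) {
    $newest = Get-NewestWriteUtc -AccountName $sa.StorageAccountName -Cutoff $cutoff
    # An account with no containers at all reports no write and is flagged idle,
    # the same outcome as the second answer's loop.
    $stamp = if ($newest -eq [datetime]::MinValue) { $null } else { $newest }
    [pscustomobject]@{
        ResourceGroup  = $sa.ResourceGroupName
        StorageAccount = $sa.StorageAccountName
        NewestWriteUtc = $stamp
        Idle           = ($newest -lt $cutoff)
    }
}

# Write every account to a CSV and show the idle candidates for review.
$report | Export-Csv -Path .\storage-account-idle-report.csv -NoTypeInformation
$report | Where-Object Idle | Format-Table -AutoSize

# Separate removal pass driven by the reviewed CSV; drop -WhatIf only after checking it.
Import-Csv .\storage-account-idle-report.csv | Where-Object { $_.Idle -eq 'True' } | ForEach-Object {
    Remove-AzStorageAccount -Name $_.StorageAccount -ResourceGroupName $_.ResourceGroup -Force -WhatIf
}
```

Like both answers, this keys on LastModified, which records writes; read-only use of a container leaves no trace in that property.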