azcopy sync: Mirror a Directory to Azure Blob
azcopy sync transfers only the differences between a source and an Azure Blob container, and with --delete-destination removes blobs not present at the source.
sync is the incremental, mirror-style transfer for Azure. It skips unchanged blobs and, when told to, deletes stale ones, which fits static-site deploys backed by Blob storage plus a CDN.
What it does
azcopy sync compares source and destination and copies only new or changed files (by last-modified time and size). With --delete-destination=true it deletes destination blobs absent from the source, producing an exact mirror.
Common usage
azcopy sync "./public" \
"https://acct.blob.core.windows.net/www?${SAS_TOKEN}" \
--recursive --delete-destination=true
# preview deletions with a prompt instead of forcing
azcopy sync "./public" "https://acct.blob.core.windows.net/www?${SAS_TOKEN}" \
--delete-destination=promptOptions
| Flag | What it does |
|---|---|
| --delete-destination true|false|prompt | Delete destination items missing from the source |
| --recursive | Recurse into directories (default true for sync) |
| --exclude-path <paths> | Skip semicolon-separated paths |
| --compare-hash MD5 | Compare by hash instead of mtime/size |
| --put-md5 | Store MD5 on uploaded blobs |
In CI
Use --delete-destination=true for static-site deploys so removed assets disappear, then invalidate the CDN separately. sync needs delete permission on the container when purging; a SAS must include the Delete permission or it will 403. Confirm the source-then-destination order to avoid mirroring an empty folder over a live container.
Common errors in CI
"AuthenticationFailed: Server failed to authenticate the request" is a bad or expired SAS. "403 This request is not authorized" with --delete-destination set means the SAS lacks the Delete permission. "AuthorizationPermissionMismatch" means the AAD role is missing Storage Blob Data Contributor. Clock skew between the runner and Azure surfaces as authentication failures; keep NTP synced.