diff --git a/CHANGELOG.md b/CHANGELOG.md
index fce6e5f9b2..491e0df878 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 **BREAKING CHANGES & MIGRATIONS**:
 ENHANCEMENTS:
+* Add 7 day retention on workspace storage accounts. ([#4389](https://github.com/microsoft/AzureTRE/issues/4389))
 BUG FIXES:
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index 55976e1b09..c70b5ff45f 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.0.0
+version: 2.0.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -268,17 +268,17 @@ upgrade:
 - login
 flags:
 service-principal: ""
- username: '${ bundle.credentials.auth_client_id }'
- password: '${ bundle.credentials.auth_client_secret }'
- tenant: '${ bundle.credentials.auth_tenant_id }'
+ username: "${ bundle.credentials.auth_client_id }"
+ password: "${ bundle.credentials.auth_client_secret }"
+ tenant: "${ bundle.credentials.auth_tenant_id }"
 allow-no-subscriptions: ""
 - exec:
 description: "Update workspace app redirect urls"
 command: ./update_redirect_urls.sh
 flags:
- workspace-api-client-id: '${ bundle.parameters.client_id }'
- aad-redirect-uris-b64: '${ bundle.parameters.aad_redirect_uris }'
- register-aad-application: '${ bundle.parameters.register_aad_application }'
+ workspace-api-client-id: "${ bundle.parameters.client_id }"
+ aad-redirect-uris-b64: "${ bundle.parameters.aad_redirect_uris }"
+ register-aad-application: "${ bundle.parameters.register_aad_application }"
 uninstall:
 - terraform:
diff --git a/templates/workspaces/base/terraform/storage.tf b/templates/workspaces/base/terraform/storage.tf
index 7fc6f00a2c..8792f7173f 100644
--- a/templates/workspaces/base/terraform/storage.tf
+++ b/templates/workspaces/base/terraform/storage.tf
@@ -31,6 +31,21 @@ resource "azurerm_storage_account" "stg" {
 infrastructure_encryption_enabled = true
 lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
+
+ blob_properties {
+ delete_retention_policy {
+ days = 7
+ }
+ container_delete_retention_policy {
+ days = 7
+ }
+ }
+
+ share_properties {
+ retention_policy {
+ days = 7
+ }
+ }
 }
 # Using AzAPI as AzureRM uses shared account key for Azure files operations
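Review bot: The three `days = 7` literals added under `blob_properties` and `share_properties` carry no comment explaining the choice. For a workspace that stores research data the window cuts both ways: deleted blobs, containers and file shares stay recoverable for seven days, so data a user deletes is not actually purged until the period lapses. I would add a comment above `blob_properties` such as `# Soft delete: deleted blobs, containers and shares stay recoverable for 7 days and are only purged afterwards.` and hold the period in one local value or input variable (default 7) so the three settings cannot drift apart. Whether seven days fits every workspace's data-handling requirements cannot be judged from this hunk, which is another reason to make it configurable. The `azurerm_storage_account` block opens outside the hunk.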