diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -1,6 +1,6 @@
 use std::collections::{HashMap, HashSet};
 
-use crate::comm_service::{backup, tunnelbroker};
+use crate::comm_service::{backup, blob, tunnelbroker};
 use crate::config::CONFIG;
 use crate::database::{DeviceListUpdate, PlatformDetails};
 use crate::device_list::validation::DeviceListValidator;
@@ -99,14 +99,22 @@
   Ok((user_id, device_id))
 }
 
-fn spawn_delete_tunnelbroker_data_task(device_ids: Vec<String>) {
+fn spawn_delete_devices_services_data_task(
+  blob_client: &BlobServiceClient,
+  device_ids: Vec<String>,
+) {
+  let blob_client = blob_client.clone();
   tokio::spawn(async move {
     debug!(
       "Attempting to delete Tunnelbroker data for devices: {:?}",
       device_ids.as_slice()
     );
-    let result = tunnelbroker::delete_devices_data(&device_ids).await;
-    consume_error(result);
+    let (tunnelbroker_result, blob_result) = tokio::join!(
+      tunnelbroker::delete_devices_data(&device_ids),
+      blob::remove_holders_for_devices(&blob_client, &device_ids)
+    );
+    consume_error(tunnelbroker_result);
+    consume_error(blob_result);
   });
 }
 
@@ -408,7 +416,8 @@
       consume_error(result);
     });
 
-    spawn_delete_tunnelbroker_data_task([device_id].into());
+    let blob_client = self.authenticated_blob_client().await?;
+    spawn_delete_devices_services_data_task(&blob_client, [device_id].into());
 
     let response = Empty {};
     Ok(Response::new(response))
@@ -476,7 +485,8 @@
       .delete_devices_data_for_user(&user_id)
       .await?;
 
-    spawn_delete_tunnelbroker_data_task(device_ids);
+    let blob_client = self.authenticated_blob_client().await?;
+    spawn_delete_devices_services_data_task(&blob_client, device_ids);
 
     let response = Empty {};
     Ok(Response::new(response))
@@ -511,7 +521,8 @@
       .delete_otks_table_rows_for_user_device(&user_id, &device_id)
       .await?;
 
-    spawn_delete_tunnelbroker_data_task([device_id].into());
+    let blob_client = self.authenticated_blob_client().await?;
+    spawn_delete_devices_services_data_task(&blob_client, [device_id].into());
 
     let response = Empty {};
     Ok(Response::new(response))
@@ -537,7 +548,7 @@
       ));
     }
 
-    self.delete_tunnelbroker_and_backup_data(&user_id).await?;
+    self.delete_services_data_for_user(&user_id).await?;
 
     self.db_client.delete_user(user_id.clone()).await?;
 
@@ -616,7 +627,7 @@
       .finish(&message.opaque_login_upload)
       .map_err(protocol_error_to_grpc_status)?;
 
-    self.delete_tunnelbroker_and_backup_data(&user_id).await?;
+    self.delete_services_data_for_user(&user_id).await?;
 
     self.db_client.delete_user(user_id.clone()).await?;
 
@@ -640,7 +651,7 @@
 
     for user_id_to_delete in request.into_inner().user_ids {
       self
-        .delete_tunnelbroker_and_backup_data(&user_id_to_delete)
+        .delete_services_data_for_user(&user_id_to_delete)
         .await?;
       self.db_client.delete_user(user_id_to_delete).await?;
     }
@@ -951,7 +962,7 @@
     Ok(())
   }
 
-  async fn delete_tunnelbroker_and_backup_data(
+  async fn delete_services_data_for_user(
     &self,
     user_id: &str,
   ) -> Result<(), Status> {
@@ -968,13 +979,41 @@
     delete_backup_result?;
 
     debug!(
-      "Attempting to delete Tunnelbroker data for devices: {:?}",
+      "Attempting to delete Blob holders and Tunnelbroker data for devices: {:?}",
       device_ids
     );
-    tunnelbroker::delete_devices_data(&device_ids).await?;
+
+    let (tunnelbroker_result, blob_client_result) = tokio::join!(
+      tunnelbroker::delete_devices_data(&device_ids),
+      self.authenticated_blob_client()
+    );
+    tunnelbroker_result?;
+
+    let blob_client = blob_client_result?;
+    blob::remove_holders_for_devices(&blob_client, &device_ids).await?;
 
     Ok(())
   }
+
+  /// Retrieves [`BlobServiceClient`] authenticated with a service-to-service token
+  async fn authenticated_blob_client(
+    &self,
+  ) -> Result<BlobServiceClient, crate::error::Error> {
+    let s2s_token =
+      self
+        .comm_auth_service
+        .get_services_token()
+        .await
+        .map_err(|err| {
+          tracing::error!(
+            errorType = error_types::HTTP_LOG,
+            "Failed to retrieve service-to-service token: {err:?}",
+          );
+          tonic::Status::aborted(tonic_status_messages::UNEXPECTED_ERROR)
+        })?;
+    let blob_client = self.blob_client.with_authentication(s2s_token.into());
+    Ok(blob_client)
+  }
 }
 
 #[derive(
diff --git a/shared/comm-lib/src/auth/types.rs b/shared/comm-lib/src/auth/types.rs
--- a/shared/comm-lib/src/auth/types.rs
+++ b/shared/comm-lib/src/auth/types.rs
@@ -14,7 +14,7 @@
 ///   Ok(HttpResponse::Ok().finish())
 /// }
 /// ```
-#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[derive(Debug, Clone, From, Serialize, Deserialize, PartialEq)]
 #[serde(untagged)]
 pub enum AuthorizationCredential {
   UserToken(UserIdentity),