Soft delete for Azure Backup
This article describes how to enable and disable the soft delete feature, and permanently delete a data that is in soft-deleted state.
Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect backup data even after deletion.
One such feature is soft delete. With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you.
Soft delete protection is available for these services:
- Soft delete for Azure virtual machines
- Soft delete for SQL server in Azure VM and soft delete for SAP HANA in Azure VM workloads
Lifecycle of a soft-deleted backup item
This flow chart shows the different steps and states of a backup item when Soft Delete is enabled:
Enable and disable soft delete
Soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment).
To disable soft delete on a vault, you must have the Backup Contributor role for that vault (you should have permissions to perform Microsoft.RecoveryServices/Vaults/backupconfig/write on the vault). If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that exists in soft deleted state before disabling this feature, will remain in soft deleted state for the period of 14 days. If you wish to permanently delete these immediately, then you need to undelete and delete them again to get permanently deleted.
It's important to remember that once soft delete is disabled, the feature is disabled for all the types of workloads. For example, it's not possible to disable soft delete only for SQL server or SAP HANA DBs while keeping it enabled for virtual machines in the same vault. You can create separate vaults for granular control.
Tip
To receive alerts/notifications when a user in the organization disables soft-delete for a vault, use Azure Monitor alerts for Azure Backup. As the disable of soft-delete is a potential destructive operation, we recommend you to use alert system for this scenario to monitor all such operations and take actions on any unintended operations.
Note
- You can also use multi-user authorization (MUA) to add an additional layer of protection against disabling soft delete. Learn more.
- MUA for soft delete is currently supported for Recovery Services vaults only.
Always-on soft delete with extended retention
Soft delete is enabled on all newly created vaults by default. Always-on soft delete state is an opt-in feature. Once enabled, it can't be disabled (irreversible).
Additionally, you can extend the retention duration for deleted backup data, ranging from 14 to 180 days. By default, the retention duration is set to 14 days (as per basic soft delete) for the vault, and you can extend it as required. The soft delete doesn't cost you for first 14 days of retention; however, you're charged for the period beyond 14 days. Learn more about pricing.
Disable soft delete
You can disable the soft delete feature by using the following supported clients.
Choose a client:
Follow these steps:
- In the Azure portal, go to your vault, and then go to Settings > Properties.
- In the Properties pane, select Security Settings Update.
- In the Security and soft delete settings pane, clear the required checkboxes to disable soft delete.
Delete soft deleted backup items permanently
The backup data in soft deleted state prior disabling this feature remains in soft-deleted state. To permanently delete these immediately, undelete and delete them again. Use one of the following clients to permanently delete soft deleted data.
Choose a client:
Follow these steps:
In the Azure portal, go to your vault > Backup Items, and choose the soft deleted item.
Select Undelete.
A window appears. Select Undelete.
Choose Delete backup data to permanently delete the backup data.
Type the name of the backup item to confirm deletion of the recovery points.
To delete the backup data for the item, select Delete. A notification message lets you know that the backup data has been deleted.