Unable to create or update an Azure Recovery Vault with the --immutability-state Locked argument and parameter using az backup vault create

Karl D. Binger 25 Reputation points
2023-07-26T13:53:57.2966667+00:00

It appears there is an issue with the az backup vault create cmdlet to create a recovery vault with immutability enabled. When I run the following command it errors out.

*PS /home/karl> az backup vault create --resource-group $resourcegroupname --location "Central US" --name newrvkdb123vault **--immutability-state Locked ***

(UserErrorUnsupportedVaultImmutabilityStateChange) The immutable vault property for this vault is locked, hence, this setting cannot be disabled. The vault has its immutable vault property enabled and locked, and it can no longer be reverted to a non-immutable vault. Refer to the documentation to learn more: https://aka.ms/AB-ImmutableVaults-States

Code: UserErrorUnsupportedVaultImmutabilityStateChange

Message: The immutable vault property for this vault is locked, hence, this setting cannot be disabled. The vault has its immutable vault property enabled and locked, and it can no longer be reverted to a non-immutable vault. Refer to the documentation to learn more: https://aka.ms/AB-ImmutableVaults-States

If I run the command without --immutability-state Locked, the vault will get deployed but then you cannot go back and update it to enable it programmatically. In the following link it says that you use the az backup vault create to create AND update the vault; however, if you re-run the command "az backup vault create --resource-group $resourcegroupname --location "Central US" --name newrvkdb123vault --immutability-state Locked" you get the same error message. If you check the vault properties, immutability is not enabled even though the error message states that it is.

Lastly, there is no "az backup vault update" - if you run the previous command with update instead of create, it fails. See details below:

PS /home/karl> az backup vault update --resource-group $resourcegroupname --location "Central US" --name newrvkdb123vault --immutability-state Locked

'update' is misspelled or not recognized by the system.

https://learn.microsoft.com/en-us/cli/azure/backup/vault?view=azure-cli-latest#az-backup-vault-create

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
1,281 questions
0 comments No comments
{count} votes

Accepted answer
  1. Saurabh Sharma 23,816 Reputation points Microsoft Employee
    2023-07-26T19:19:27.64+00:00

    Hi @Karl D. Binger ,

    Thanks for using Microsoft Q&A!!

    When a recovery vault is created the immutability is disabled and locked by default. In order to make the immutability enabled and make it locked using CLI, please follow the below steps -

    1. Create the Recovery services vault create the vault with immutability-state as Unlocked

    az backup vault create --location westus2 --name sasharRSVault --resource-group sashar-Databases --immutability-state Unlocked User's image

    1. Once the vault is created you can make the immutability property as Enabled and locked using the below cmdlet-

    az backup vault create --location westus2 --name sasharRSVault --resource-group sashar-Databases --immutability-state Locked

    Executing the above cmdlet will result in making the vault Locked- User's image

    Please let me know if you have any questions.

    Thanks Saurabh


    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.