
Last week, I accidentally deleted a VM. How can we prevent this from happening in the future?

mikky 20 Reputation points
2026-03-20T14:05:02.57+00:00

I’m new to Azure, and we have a resource group with multiple resources. Last week, I accidentally deleted a VM. How can we prevent this from happening in the future?

Azure Cost Management

Answer accepted by question author
  1. Naveena Patlolla 9,565 Reputation points Microsoft External Staff Moderator
    2026-03-20T14:11:36.18+00:00

    Hi mikky
    Sorry to hear you lost that VM! The good news is Azure gives you several ways to guard against accidental deletions going forward. Here’s what you can do:
    1. Apply Resource Locks

    • Go to your resource group (or directly to the VM) in the Azure portal, choose “Locks,” and add a “CanNotDelete” lock.

    • This prevents anyone (even subscription owners) from deleting locked resources unless they first remove the lock.

    2. Use Role-Based Access Control (RBAC)

    • Scope deletion rights only to the people who really need them. For example, give most team members the “Virtual Machine Contributor” role (which can’t delete the resource group) instead of “Owner.”

    • Audit or remove any overly permissive custom roles.

    3. Enable Azure Backup with Soft-Delete

    • Create a Recovery Services vault, configure VM backups, and enable soft-delete.

    • Even if someone stops protection and deletes backup data, Azure retains recovery points for 14 days and you can undelete them.

    4. Lock Managed Disks or Snapshots

    • If your VM uses managed disks, you can place a “CanNotDelete” lock directly on the disk resource.

    • Alternatively, schedule incremental snapshots of your disks to give you a restore point.

    5. (Optional) Audit with Azure Policy

    • Use a built-in policy like “Add resource locks to resources” or “Resource group should have a lock” to enforce your company’s guardrails at scale.

    Putting these in place will give you multiple safety nets: you’ll need the right RBAC permissions to delete, you’ll have to consciously remove a lock, and even if something slips through, you’ll still have backups and snapshots to recover from.
    Reference:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

    Please let me know if you face any challenges here; I can help you resolve this issue further.

    Provide your valuable Comments.

    Please do not forget to “Accept the answer” and “upvote it” wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.


1 additional answer

  1. Q&A Assist
    2026-03-20T14:05:19.3333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Use a combination of resource locks, soft delete, and backups so that accidental VM deletion is either blocked or recoverable.

    1. Protect critical resources with locks
      • Apply management locks on the subscription, resource group, or individual VM to prevent accidental deletion.
      • Use the Delete / CanNotDelete lock type on important VMs and related resources (for example, disks, key vaults, storage accounts used for backups):
        • CanNotDelete: Resources can be read and modified but not deleted.
        • ReadOnly: Resources can only be read (no updates or deletes).
      • Locks override user permissions, so even users with high privileges cannot delete locked resources until the lock is removed.
      • For cost and flexibility, lock only the most critical resources instead of entire large resource groups. For example, lock the production VNet or key infrastructure components rather than the whole group.
    2. Plan for recovery with backups and soft delete
      • Ensure Azure Backup is configured for all important VMs so they can be restored if deleted.
      • Azure Backup keeps VM backups according to the backup policy even after the VM is deleted; these backups continue to incur storage charges until removed.
      • When backup data is deleted, Azure Backup’s soft delete retains the data for 14 additional days, allowing recovery of accidentally deleted backups.
      • For VM backups, soft delete is available in all Azure public and national regions.
    3. Understand what happens when a VM is deleted
      • When a VM is deleted, its managed disks (OS and data) are not deleted by default; they remain in the resource group and continue to incur charges until manually removed.
      • If automatic cleanup is configured using the deleteOption property, review it so that disks, NICs, and public IPs are not removed unintentionally when the VM is deleted.
    4. Broader protection against destructive changes
      • As part of a Zero Trust approach, combine resource locks with backup and disaster recovery planning.
      • Limit who can manage or remove locks (using Microsoft Entra roles and just-in-time access) so that only a small set of admins can unlock and delete critical resources.
      • Incorporate lock management into incident response and change management procedures so that lock removal is controlled and audited.
    5. Cost-management angle
      • From a cost perspective, locks and backups help avoid the business cost of data loss and unplanned rebuilds.
      • Regularly review backup retention and delete unneeded backups to control storage costs, while keeping protection for critical workloads.

    By locking critical resources, enabling backups with soft delete, and restricting who can remove locks, accidental VM deletion can be significantly reduced and made recoverable.
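
Added example (not part of either answer above, and not Microsoft's code): both answers depend on locks actually being in effect on VMs and managed disks, and a lock set on a subscription or resource group is inherited by everything beneath it. The Python below reports which VMs and disks have no CanNotDelete or ReadOnly lock covering them, reading only the `id`, `type` and `level` fields that `az resource list` and `az lock list` print as JSON. The subscription ID, resource names and lock names are constructed sample values.

```python
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
# Types the answers above single out: VMs and managed disks.
WATCHED_TYPES = {"microsoft.compute/virtualmachines", "microsoft.compute/disks"}
BLOCKS_DELETE = {"cannotdelete", "readonly"}  # both lock levels refuse deletes

def lock_scope(lock_id):
    """Scope a lock applies to: its resource ID up to the lock suffix, lowercased."""
    lowered = lock_id.lower()
    idx = lowered.rfind(LOCK_SUFFIX)
    if idx == -1:
        raise ValueError(f"not a management lock id: {lock_id}")
    return lowered[:idx]

def covering_locks(resource_id, locks):
    """Locks set on the resource itself or inherited from a parent scope."""
    rid = resource_id.lower()  # Azure resource IDs are case-insensitive
    hits = []
    for lock in locks:
        scope = lock_scope(lock["id"])
        # Match on a path boundary so rg-prod does not also cover rg-prod-old.
        if rid == scope or rid.startswith(scope + "/"):
            hits.append(lock)
    return hits

def unprotected(resources, locks):
    """IDs of watched resources with no delete-blocking lock in effect."""
    missing = []
    for res in resources:
        if res["type"].lower() not in WATCHED_TYPES:
            continue
        levels = {l["level"].lower() for l in covering_locks(res["id"], locks)}
        if not levels & BLOCKS_DELETE:
            missing.append(res["id"])
    return missing

# Constructed sample data (placeholder subscription ID, made-up names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM, DISK = "Microsoft.Compute/virtualMachines", "Microsoft.Compute/disks"
def _res(rg, rtype, name):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}", "type": rtype}
SAMPLE_RESOURCES = [_res("rg-prod", VM, "vm-web"), _res("rg-prod-old", VM, "vm-legacy"),
                    _res("rg-dev", DISK, "disk-data"), _res("rg-dev", VM, "vm-dev")]
SAMPLE_LOCKS = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/no-delete",
     "level": "CanNotDelete"},
    {"id": SAMPLE_RESOURCES[2]["id"] + "/providers/Microsoft.Authorization/locks/keep-disk",
     "level": "CanNotDelete"},
]

if __name__ == "__main__":
    for rid in unprotected(SAMPLE_RESOURCES, SAMPLE_LOCKS):
        print("no delete-blocking lock:", rid)
```

On the sample data this flags `vm-legacy` and `vm-dev`: the resource-group lock on `rg-prod` does not extend to `rg-prod-old`, and the disk-level lock in `rg-dev` protects only that disk.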
