Manage Azure Backup Immutable vault operations (preview)

Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to make it irreversible to prevent any malicious actors from disabling immutability and deleting backups.

In this article, you'll learn how to:

  • Enable Immutable vault
  • Perform operations on Immutable vault
  • Disable immutability

Enable Immutable vault

You can enable immutability for a vault through its properties.

Choose a vault

Follow these steps:

  1. Go to the Recovery Services vault for which you want to enable immutability.

  2. In the vault, go to Properties > Immutable vault, and then select Settings.

    Screenshot showing how to open the Immutable vault settings.

  3. On Immutable vault, select the Enable vault immutability checkbox to enable immutability for the vault.

    At this point, immutability of the vault is reversible, and it can be disabled, if needed.

  4. Once you enable immutability, the option to lock the immutability for the vault appears.

    Once you enable this lock, it makes immutability setting for the vault irreversible. While this helps secure the backup data in the vault, we recommend you make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements and can lock the immutability setting later.

  5. Select Apply to save the changes.

    Screenshot showing how to enable the Immutable vault settings.

Perform operations on Immutable vault

As per the Restricted operations, certain operations are restricted on Immutable vault. However, other operations on the vault or the items it contains remain unaffected.

Perform restricted operations

Restricted operations are disallowed on the vault. Consider the following example when trying to modify a policy to reduce its retention in a vault with immutability enabled. This example shows operation on the Recovery Services vaults; however, similar experiences apply for other operations and operations on the Backup vaults.

Consider a policy with a daily backup point retention of 35 days and weekly backup point retention of two weeks, as shown in the following screenshot.

Screenshot showing how to view a backup policy for modification.

Now, let's try to reduce the retention of daily backup points to 30 days, reducing by 5 days, and save the policy.

You'll see that the operation fails with the information that the vault has immutability enabled, and therefore, any changes that could reduce retention of recovery points are disallowed.

Screenshot showing how to modify backup policy to reduce backup retention.

Now, let's try to increase the retention of daily backup points to 40 days, increasing by 5 days, and save the policy.

This time, the operation successfully passes as no recovery points can be deleted as part of this update.

Screenshot showing how to modify backup policy to increase backup retention.

Disable immutability

You can disable immutability only for vaults that have immutability enabled, but not locked.

Choose a vault

Follow these steps:

  1. Go to the Recovery Services vault for which you want to disable immutability.

  2. In the vault, go to Properties > Immutable vault, and then select Settings.

    Screenshot showing how to open the Immutable vault settings to disable.

  3. In the Immutable vault blade, clear the Enable vault Immutability checkbox.

  4. Select Apply to save the changes.

    Screenshot showing how to disable the Immutable vault settings.

Next steps