Tutorial: Recover soft deleted data and recovery points using enhanced soft delete in Azure Backup

This tutorial describes how to enable enhanced soft delete and recover your data and recover backups, if they're deleted.

Enhanced soft delete provides an improvement to the soft delete capability in Azure Backup that enables you to recover your backup data in case of accidental or malicious deletion. With enhanced soft delete, you get the ability to make soft delete always-on, thus protecting it from being disabled by any malicious actors. So, enhanced soft delete provides better protection for your backups against various threats. This feature also allows you to provide a customizable soft delete retention period for which soft deleted data must be retained.

Piezīme

Once you enable the always-on state for soft delete, you can't disable it for that vault.

Before you start

• Enhanced soft delete is supported for Recovery Services vaults and Backup vaults.
• Enhanced soft delete applies to all vaulted workloads alike in Recovery Services vaults and Backup vaults. However, it currently doesn't support operational tier workloads, such as Azure Files backup, Operational backup for Blobs, and Disk and VM snapshot backups.
• For hybrid backups (using MARS, DPM, or MABS), enabling always-on soft delete will disallow server deregistration and deletion of backups via the Azure portal. If you don't want to retain the backed-up data, we recommend you not to enable the always-on soft-delete for the vault or perform stop protection with delete data before the server is decommissioned.
• There's no retention cost for the default soft delete duration of 14 days for vaulted backup, after which it incurs regular backup cost.

Enable soft delete with always-on state

Soft delete is enabled by default for all new vaults you create. To make enabled settings irreversible, select Enable Always-on Soft Delete.

Choose a vault

Recovery Services vault

Follow these steps:

1. Go to Recovery Services vault > Properties.

2. Under Soft Delete, select Update to modify the soft delete setting.

   

   The soft delete settings for cloud and hybrid workloads are already enabled, unless you've explicitly disabled them earlier.

3. If soft delete settings are disabled for any workload type in the Soft Delete blade, select the respective checkboxes to enable them.

   Piezīme

   Enabling soft delete for hybrid workloads also enables other security settings, such as Multi-factor authentication and alert notification for back up of workloads running in the on-premises servers.

4. Choose the number of days between 14 and 180 to specify the soft delete retention period.

   Piezīme

   • There is no cost for soft delete for 14 days. However, deleted instances in soft delete state are charged if the soft delete retention period is >14 days. Learn about pricing details.
   • Once configured, the soft delete retention period applies to all soft deleted instances of cloud and hybrid workloads in the vault.

5. Select the Enable Always-on Soft delete checkbox to enable soft delete and make it irreversible.

   

   Piezīme

   If you opt for Enable Always-on Soft Delete, select the confirmation checkbox to proceed. Once enabled, you can't disable the settings for this vault.

6. Select Update to save the changes.

Backup vault

Follow these steps:

1. Go to Backup vault > Properties.

2. Under Soft Delete, select Update to modify the soft delete setting.

   

   Soft delete is enabled by default with the checkboxes selected.

3. If you've explicitly disabled soft delete for any workload type in the Soft Delete blade earlier, select the checkboxes to enable them.

4. Choose the number of days between 14 and 180 to specify the soft delete retention period.

   Piezīme

   There is no cost for enabling soft delete for 14 days. However, you're charged for the soft delete instances if soft delete retention period is >14 days. Learn about the pricing details.

5. Select the Enable Always-on Soft Delete checkbox to enable soft delete always-on and make it irreversible.

   

   Piezīme

   If you opt for Enable Always-on Soft Delete, select the confirmation checkbox to proceed. Once enabled, you can't disable the settings for this vault.

6. Select Update to save the changes.

Delete a backup item

You can delete backup items/instances even if the soft delete settings are enabled. However, if the soft delete is enabled, the deleted items don't get permanently deleted immediately and stays in soft deleted state as per configured retention period. Soft delete delays permanent deletion of backup data by retaining deleted data for 14-180 days.

Choose a vault

Recovery Services vault

Follow these steps:

1. Go to the backup item that you want to delete.

2. Select Stop backup.

3. On the Stop Backup page, select Delete Backup Data from the drop-down list to delete all backups for the instance.

4. Provide the applicable information, and then select Stop backup to delete all backups for the instance.

   Once the delete operation completes, the backup item is moved to soft deleted state. In Backup items, the soft deleted item is marked in Red, and the last backup status shows that backups are disabled for the item.

   

   In the item details, the soft deleted item shows no recovery point. Also, a notification appears to mention the state of the item, and the number of days left before the item is permanently deleted. You can select Undelete to recover the soft deleted items.

   

Piezīme

When the item is in soft deleted state, no recovery points are cleaned on their expiry as per the backup policy.

Backup vault

Follow these steps:

1. In the Backup center, go to the backup instance that you want to delete.

2. Select Stop backup.

   

   You can also select Delete in the instance view to delete backups.

3. On the Stop Backup page, select Delete Backup Data from the drop-down list to delete all backups for the instance.

4. Provide the applicable information, and then select Stop backup to initiate the deletion of the backup instance.

   

   Once deletion completes, the instance appears as Soft deleted.

   

Recover a soft-deleted backup item

If a backup item/ instance is soft deleted, you can recover it before it's permanently deleted.

Choose a vault

Recovery Services vault

Follow these steps:

1. Go to the backup item that you want to retrieve from the soft deleted state.

   You can also use the Backup center to go to the item by applying the filter Protection status == Soft deleted in the Backup instances.

2. Select Undelete corresponding to the soft deleted item.

   

3. In the Undelete backup item blade, select Undelete to recover the deleted item.

   All recovery points now appear and the backup item changes to Stop protection with retain data state. However, backups don't resume automatically. To continue taking backups for this item, select Resume backup.

Backup vault

Follow these steps:

1. Go to the deleted backup instance that you want to recover.

   You can also use the Backup center to go to the instance by applying the filter Protection status == Soft deleted in the Backup instances.

2. Select Undelete corresponding to the soft deleted instance.

   

3. In the Undelete backup instance blade, select Undelete to recover the item.

   All recovery points appear and the backup item changes to Stop protection with retain data state. However, backups don't resume automatically. To continue taking backups for this instance, select Resume backup.

Piezīme

Undeleting a soft deleted item reinstates the backup item into Stop backup with retain data state and doesn't automatically restart scheduled backups. You need to explicitly resume backups if you want to continue taking new backups. Resuming backup will also clean up expired recovery points, if any.

• MUA for soft delete is currently supported for Recovery Services vaults only.

Next steps

• Learn more about enhanced soft delete for Azure Backup.
• Learn more about soft delete of recovery points.