Tutorial: Recover soft deleted data and recovery points using enhanced soft delete in Azure Backup
This tutorial describes how to enable enhanced soft delete and recover your data and recover backups, if they're deleted.
Enhanced soft delete provides an improvement to the soft delete capability in Azure Backup that enables you to recover your backup data in case of accidental or malicious deletion. With enhanced soft delete, you get the ability to make soft delete always-on, thus protecting it from being disabled by any malicious actors. So, enhanced soft delete provides better protection for your backups against various threats. This feature also allows you to provide a customizable soft delete retention period for which soft deleted data must be retained.
Note
Once you enable the always-on state for soft delete, you can't disable it for that vault.
Before you start
- Enhanced soft delete is supported for Recovery Services vaults and Backup vaults.
- Enhanced soft delete applies to all vaulted workloads alike in Recovery Services vaults and Backup vaults. However, it currently doesn't support operational tier workloads, such as Azure Files backup, Operational backup for Blobs, and Disk and VM snapshot backups.
- For hybrid backups (using MARS, DPM, or MABS), enabling always-on soft delete will disallow server deregistration and deletion of backups via the Azure portal. If you don't want to retain the backed-up data, we recommend you not to enable the always-on soft-delete for the vault or perform stop protection with delete data before the server is decommissioned.
- There's no retention cost for the default soft delete duration of 14 days for vaulted backup, after which it incurs regular backup cost.
Enable soft delete with always-on state
Soft delete is enabled by default for all new vaults you create. To make enabled settings irreversible, select Enable Always-on Soft Delete.
Choose a vault
Follow these steps:
Go to Recovery Services vault > Properties.
Under Soft Delete, select Update to modify the soft delete setting.
The soft delete settings for cloud and hybrid workloads are already enabled, unless you've explicitly disabled them earlier.
If soft delete settings are disabled for any workload type in the Soft Delete blade, select the respective checkboxes to enable them.
Note
Enabling soft delete for hybrid workloads also enables other security settings, such as Multi-factor authentication and alert notification for back up of workloads running in the on-premises servers.
Choose the number of days between 14 and 180 to specify the soft delete retention period.
Note
- There is no cost for soft delete for 14 days. However, deleted instances in soft delete state are charged if the soft delete retention period is >14 days. Learn about pricing details.
- Once configured, the soft delete retention period applies to all soft deleted instances of cloud and hybrid workloads in the vault.
Select the Enable Always-on Soft delete checkbox to enable soft delete and make it irreversible.
Note
If you opt for Enable Always-on Soft Delete, select the confirmation checkbox to proceed. Once enabled, you can't disable the settings for this vault.
Select Update to save the changes.
Delete a backup item
You can delete backup items/instances even if the soft delete settings are enabled. However, if the soft delete is enabled, the deleted items don't get permanently deleted immediately and stays in soft deleted state as per configured retention period. Soft delete delays permanent deletion of backup data by retaining deleted data for 14-180 days.
Choose a vault
Follow these steps:
Go to the backup item that you want to delete.
Select Stop backup.
On the Stop Backup page, select Delete Backup Data from the drop-down list to delete all backups for the instance.
Provide the applicable information, and then select Stop backup to delete all backups for the instance.
Once the delete operation completes, the backup item is moved to soft deleted state. In Backup items, the soft deleted item is marked in Red, and the last backup status shows that backups are disabled for the item.
In the item details, the soft deleted item shows no recovery point. Also, a notification appears to mention the state of the item, and the number of days left before the item is permanently deleted. You can select Undelete to recover the soft deleted items.
Note
When the item is in soft deleted state, no recovery points are cleaned on their expiry as per the backup policy.
Recover a soft-deleted backup item
If a backup item/ instance is soft deleted, you can recover it before it's permanently deleted.
Choose a vault
Follow these steps:
Go to the backup item that you want to retrieve from the soft deleted state.
You can also use the Backup center to go to the item by applying the filter Protection status == Soft deleted in the Backup instances.
Select Undelete corresponding to the soft deleted item.
In the Undelete backup item blade, select Undelete to recover the deleted item.
All recovery points now appear and the backup item changes to Stop protection with retain data state. However, backups don't resume automatically. To continue taking backups for this item, select Resume backup.
- MUA for soft delete is currently supported for Recovery Services vaults only.
Next steps
- Learn more about enhanced soft delete for Azure Backup.
- Learn more about soft delete of recovery points.