
Azure SQL Blog

🔐 Public Preview: Backup Immutability for Azure SQL Database LTR Backups

Dinakar-Nethi
Microsoft
Sep 30, 2025

The Ransomware Threat Landscape 

Ransomware attacks have become one of the most disruptive cybersecurity threats in recent years. These attacks typically follow a destructive pattern: 

  1. Attackers gain unauthorized access to systems.
  2. They encrypt or delete critical data.
  3. They demand ransom in exchange for restoring access.

Organizations without secure, tamper-proof backups are often left with no choice but to pay the ransom or suffer significant data loss. This is where immutable backups play a critical role in defense. 

🛡 What Is Backup Immutability? 

Backup immutability ensures that once a backup is created, it cannot be modified or deleted for a specified period. This guarantees: 

  • Protection against accidental or malicious deletion. 
  • Assurance that backups remain intact and trustworthy. 
  • Compliance with regulatory requirements for data retention and integrity. 

🚀 Azure SQL Database LTR Backup Immutability (Public Preview) 

Microsoft has introduced backup immutability for Long-Term Retention (LTR) backups in Azure SQL Database, now available in public preview. This feature allows organizations to apply Write Once, Read Many (WORM) policies to LTR backups stored in Azure Blob Storage. 

Key Features: 

  • Time-based immutability: Locks backups for a defined duration (e.g., 30 days). 
  • Legal hold immutability: Retains backups indefinitely until a legal hold is explicitly removed. 
  • Tamper-proof storage: Backups cannot be deleted or altered, even by administrators. 

This ensures that LTR backups remain secure and recoverable, even in the event of a ransomware attack. 

📜 Regulatory Requirements for Backup Immutability 

Many global regulations mandate immutable storage to ensure data integrity and auditability. Here are some key examples: 

| Region | Regulation | Requirement |
|--------|------------|-------------|
| USA | SEC Rule 17a-4(f) | Requires broker-dealers to store records in WORM-compliant systems. |
| | FINRA | Mandates financial records be preserved in a non-rewriteable, non-erasable format. |
| | HIPAA | Requires healthcare organizations to ensure the integrity and availability of electronic health records. |
| EU | GDPR | Emphasizes data integrity and the ability to demonstrate compliance through audit trails. |
| Global | ISO 27001, PCI-DSS | Require secure, tamper-proof data retention for audit and compliance purposes. |

Azure’s immutable storage capabilities help organizations meet these requirements by ensuring that backup data remains unchanged and verifiable. 

🕒 Time-Based vs. Legal Hold Immutability 

Time-Based Immutability 

  • Locks data for a predefined period (e.g., 30 days). 
  • Ideal for routine compliance and operational recovery. 
  • Automatically expires after the retention period. 

📌 Legal Hold Immutability 

  • Retains data indefinitely until the hold is explicitly removed. 
  • Used in legal investigations, audits, or regulatory inquiries. 
  • Overrides time-based policies to ensure data preservation. 

Both types can be applied to Azure SQL LTR backups, offering flexibility and compliance across different scenarios. 

🧩 How Immutability Protects Against Ransomware 

Immutable backups are a critical component of a layered defense strategy: 

  • Tamper-proof: Even if attackers gain access, they cannot delete or encrypt immutable backups. 
  • Reliable recovery: Organizations can restore clean data from immutable backups without paying ransom. 
  • Compliance-ready: Meets regulatory requirements for data retention and integrity. 

By enabling immutability for Azure SQL LTR backups, organizations can significantly reduce the risk of data loss and ensure business continuity. 

Final Thoughts 

The public preview of backup immutability for Azure SQL Database LTR backups is a major step forward in ransomware resilience and regulatory compliance. With support for both time-based and legal hold immutability, Azure empowers organizations to: 

  • Protect critical data from tampering or deletion. 
  • Meet global compliance standards. 
  • Recover quickly and confidently from cyberattacks. 

Immutability is not just a feature—it’s a foundational pillar of modern data protection. 

 

Documentation is available at: Backup Immutability for Long-Term Retention Backups - Azure SQL Database | Microsoft Learn

Updated Sep 30, 2025
Version 2.0