Azure Backup’s Soft Delete protects backup data against deletion, whether accidental, malicious, or carried out in a human-operated ransomware attack. It is enabled by default on newly created vaults. With Soft Delete enabled, deleted backup data is retained for 14 additional days, so it can be recovered with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you. If you need to ensure that Soft Delete cannot be disabled, you can further strengthen your backup security posture by turning on the Always-on setting, which makes it irreversible.
How does it work
Soft Delete states
The following shows the various states of Soft Delete:
Disabling Soft Delete is not recommended
Disabling this feature is not recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault and can't wait the 14 days required before deleting and reprotecting (such as in a test environment). To disable soft delete on a vault, you must have the Backup Contributor role for that vault (you should have permissions to perform Microsoft.RecoveryServices/Vaults/backupconfig/write on the vault). If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that is already in the soft deleted state before you disable this feature will remain in the soft deleted state for the period of 14 days. If you wish to permanently delete these items immediately, you need to undelete them and then delete them again.
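One way to watch for the permission named above being exercised, as an added example that is not code from the original post: it scans Azure Activity Log records for the Microsoft.RecoveryServices/Vaults/backupconfig/write operation and ranks the hits by whether the caller is on an approved list. The sample records, vault names, callers and approved list are constructed, and the field names assume the JSON shape returned by `az monitor activity-log list`.

```python
# Operation named on this page as the permission needed to change soft delete.
BACKUPCONFIG_WRITE = "microsoft.recoveryservices/vaults/backupconfig/write"

_RID = ("/subscriptions/0000/resourceGroups/rg-demo/providers/"
        "Microsoft.RecoveryServices/vaults/%s/backupconfig/vaultconfig")

def _ev(ts, caller, op, status, vault):
    """Build one constructed record with the Activity Log fields used below."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": _RID % vault}

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    _ev("2024-05-01T10:02:11Z", "backup-admin@example.com",
        "Microsoft.RecoveryServices/vaults/backupconfig/write", "Succeeded", "vault-a"),
    _ev("2024-05-02T03:14:40Z", "svc-temp@example.com",
        "MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPCONFIG/WRITE", "Succeeded", "vault-b"),
    _ev("2024-05-02T03:15:05Z", "svc-temp@example.com",
        "Microsoft.RecoveryServices/vaults/backupconfig/write", "Failed", "vault-a"),
    _ev("2024-05-02T09:00:00Z", "reader@example.com",
        "Microsoft.RecoveryServices/vaults/read", "Succeeded", "vault-a"),
]

def vault_of(resource_id):
    """Return the vault name from a resource ID, or the ID itself if absent."""
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    if "vaults" in lowered and lowered.index("vaults") + 1 < len(parts):
        return parts[lowered.index("vaults") + 1]
    return resource_id

def find_backupconfig_writes(events, approved_callers):
    """Return one finding per backupconfig write, unapproved and applied first."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op.lower() != BACKUPCONFIG_WRITE:   # operation names vary in case
            continue
        caller = ev.get("caller") or "<unknown>"
        status = (ev.get("status") or {}).get("value", "")
        findings.append({"time": ev.get("eventTimestamp"),
                         "vault": vault_of(ev.get("resourceId", "")),
                         "caller": caller,
                         "applied": status.lower() == "succeeded",
                         "unapproved": caller.lower() not in approved})
    findings.sort(key=lambda f: (not f["unapproved"], not f["applied"], f["time"] or ""))
    return findings

if __name__ == "__main__":
    for finding in find_backupconfig_writes(SAMPLE_LOG, ["backup-admin@example.com"]):
        print(finding)
```

A hit shows that the vault's backup configuration was written, not which setting changed, so confirm the vault's current soft delete state after each one.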
Soft delete retention period
There is no retention cost for soft delete for the default duration of 14 days. If you choose to increase the retention beyond 14 days, it will incur regular backup charges. The retention period can be set to between 14 and 180 days. Once configured, the soft delete retention period applies to all soft deleted instances of cloud and hybrid workloads in the vault.
For example, suppose you've deleted backups for one of the instances in a vault that has a soft delete retention of 60 days. If you want to recover the soft deleted data 52 days after deletion, the pricing is:
Enabling Always-on soft delete
Soft delete is enabled by default for all new vaults you create. To make the enabled setting irreversible, select Enable Always-on Soft Delete. Always-on soft delete can be enabled only if soft delete is enabled for both cloud and hybrid workloads. When you enable Always-on, the following confirmation is shown as a reminder that this setting is irreversible:
Soft Delete with MUA
If you do not wish to enable Always-on but need an alternative way to restrict disabling soft delete, enable Multi-user authorization (MUA) for Azure Backup. This adds an additional layer of protection to critical operations on your vaults.