Commit 0215ef1

Merge pull request #307911 from naba6327108/naba
Secure by default changes for Backup vault
2 parents dfa15b5 + a8eb1bd commit 0215ef1

3 files changed

Lines changed: 35 additions & 24 deletions

articles/backup/backup-azure-immutable-vault-concept.md

Lines changed: 3 additions & 2 deletions
@@ -18,8 +18,9 @@ Immutable vault can help you protect your backup data by blocking any operations
1818

1919
- Immutability feature in enabled and locked state is generally available in all Azure regions for Recovery Services vaults.
2020
- Use of WORM storage for immutable vaults in locked state is currently in GA for Recovery Services Vaults in the following regions: Australia Central 2, Switzerland West, South Africa West, Korea Central, Germany North, Korea South, Spain Central, Israel Central, India South, India West, Mexico Central, Norway West, Poland Central, Japan East.
21-
- In regions where WORM storage isn't yet generally available, backups with Immutability enabled and locked will automatically transition to WORM-enabled storage once the feature becomes available. This transition requires no user action and involves no data movement.
22-
- Use of WORM storage for immutable vaults in locked state is applicable for the following workloads: Azure Virtual machines, SQL in Azure VM, SAP HANA in Azure VM, Azure Backup Server, Azure Backup Agent, DPM.
21+
- Use of WORM storage for immutable vaults in locked state is currently in preview for Backup vaults in the following regions: South Africa West, Korea Central, India South, India West, Poland Central.
22+
- In regions where WORM storage isn't yet Generally Available, backups with Immutability enabled and locked will automatically transition to WORM-enabled storage once the feature becomes available. This transition requires no user action and involves no data movement.
23+
- Use of WORM storage for immutable vaults in locked state is applicable for the following workloads: Azure Virtual machines, SQL in Azure VM, SAP HANA in Azure VM, Azure Files, Azure Backup Server, Azure Backup Agent, Data Protection Manager (DPM), Azure Kubernetes, PostgreSQL - Flexible Server.
2324

2425
## Before you start
2526
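Review bot: The workloads bullet on new line 23 lists workloads without saying which vault type each one belongs to, and it sits directly under one bullet that says WORM storage is generally available for Recovery Services vaults and another that says it is in preview for Backup vaults in five regions. A reader cannot tell from this list whether WORM protection for a given workload, for example "Azure Kubernetes" or "PostgreSQL - Flexible Server", is GA or preview. Suggest one workload list per vault type. Also, new line 22 capitalizes "Generally Available" while line 19 in the same list uses "generally available"; keep the lowercase form.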

articles/backup/backup-azure-immutable-vault-how-to-manage.md

Lines changed: 2 additions & 1 deletion
@@ -17,7 +17,8 @@ This article describes how to manage Azure Backup Immutable vault operations for
1717
[Immutable vault](backup-azure-immutable-vault-concept.md) can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to enable WORM storage immutability and make it irreversible to prevent any malicious actors from disabling immutability and deleting backups.
1818

1919
> [!NOTE]
20-
> Immutable WORM storage is currently in GA for Recovery Services Vaults in the following regions: Australia Central 2, Switzerland West, South Africa West, Korea Central, Germany North, Korea South, Spain Central, Israel Central, India South, India West, Mexico Central, Norway West, Poland Central, Japan East.
20+
> - Immutable WORM storage is generally available for Recovery Services vaults in the following regions: Australia Central 2, Switzerland West, South Africa West, Korea Central, Germany North, Korea South, Spain Central, Israel Central, India South, India West, Mexico Central, Norway West, Poland Central, Japan East.
21+
> - Immutable WORM storage is currently in preview for Backup vaults in the following regions: South Africa West, Korea Central, India South, India West, Poland Central
2122
2223
## Enable Immutable vault
2324
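Review bot: New line 21 is missing its closing period ("...India West, Poland Central"), unlike the bullet on line 20. Both bullets in this note also repeat the same region lists as backup-azure-immutable-vault-concept.md, changed in this same commit, so the two files will drift the next time a region is added; consider keeping the lists in the concept article and linking to it from here.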

articles/backup/secure-by-default.md

Lines changed: 30 additions & 21 deletions
@@ -23,6 +23,7 @@ Secure by default with soft delete for Azure Backup allows you to recover your b
2323
## Supported scenarios
2424
- Soft delete is now enforced by default, and soft delete state can no longer be modified from the Azure portal. This enforcement ensures reliable recovery from any accidental or malicious deletions.
2525
- Secure by default with soft delete for Recovery Services Vaults is available in public preview in all Azure public regions.
26+
- Secure by default with soft delete for Backup vaults is available in preview in selected regions: Australia East, West Central US, East Asia.
2627
- With secure by default, soft delete is also applied at the vault level. When a vault is deleted, it automatically transitions into a soft-deleted state, enabling recovery if required.
2728

2829
## What's soft delete?
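Review bot: New line 26 says "available in preview in selected regions" while line 25 directly above says "available in public preview"; use one term for the release stage so readers do not infer two different stages. Line 24 still states without qualification that soft delete "is now enforced by default", which for Backup vaults holds only in the three regions named on line 26; consider scoping that sentence by vault type.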
@@ -40,17 +41,17 @@ The key benefits of soft delete are:
4041
- **Secure by Default**: Soft delete is automatically enabled by default for recovery points, backup items, and vaults. It operates in a single, enforced state across all onboarded regions, eliminating the need to disable soft delete under any circumstances. All newly created vaults have soft delete permanently enabled, ensuring enhanced protection and enforcing a **Good** security level by default.
4142

4243
>[!Note]
43-
>You cannot disable soft delete in the regions where secure by default assurance is in public preview for Recovery Services Vaults.
44+
>You can't disable soft delete in the regions where secure by default assurance is in preview for Recovery Services vaults and Backup vaults.
4445
4546
- **Data recoverability**: Azure Backup promises to keep your data recoverable for up to 14 days by default at no extra cost. You don't need to take any action to configure secure by default state for your backup data.
4647

4748
- **Configurable soft delete retention**: You can specify the retention duration for deleted backup data to retain in soft-deleted state, ranging from *14 to 180 days*. By default, the retention duration is set to 14 days for the vault, and you can extend it as required. You won't incur additional costs for *14 days*; however, you're charged for the period beyond 14 days.
4849

4950
- **Soft delete for vaults**: You can move vaults with soft deleted items into a soft delete state. Also, you can recover soft-deleted vaults by undeleting them. When you initiate the deletion of a vault that contains soft-deleted items, the vault automatically moves into a soft-deleted state instead of being permanently removed. You can recover soft-deleted vaults by undeleting them within the configured soft delete retention period.
50-
During this retention period, you can also create a new Recovery Services vault with the same name in the same resource group as the soft-deleted vault. Azure Backup also allows multiple soft-deleted vaults with the same name within a single resource group, as naming constraints are enforced only for active vaults.
51-
This capability is currently in preview across all public regions for Recovery Services vaults.
51+
During this retention period, you can also create a new Recovery Services vault or Backup vault with the same name in the same resource group as the soft-deleted vault. Azure Backup also allows multiple soft-deleted vaults with the same name within a single resource group, as naming constraints are enforced only for active vaults.
52+
This capability is currently in preview across all public regions for Recovery Services vaults and limited regions for Backup vaults.
5253

53-
- **Re-configuration of soft deleted backup items**: You can configure backup for the items in soft deleted state with another vault of your choice.
54+
- **Re-configuration of soft deleted backup items**: You can configure backup for the items in soft deleted state with another vault of your choice. [Learn more.](../business-continuity-center/tutorial-reconfigure-backup-alternate-vault.md)
5455

5556
- **Soft delete and re-registration of backup containers**: You can unregister the backup containers (which you can soft delete) if you've deleted all backup items in the container. You can then register such soft deleted containers to other vaults. This is applicable for supported workloads only, including SQL in Azure VM backup, SAP HANA in Azure VM backup and backup of on-premises servers.
5657
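Review bot: New line 52 says the capability is in preview in "limited regions for Backup vaults" without naming them. The Supported scenarios list in this file names three regions for Backup vaults; repeat them here or link to that section so a reader can tell whether a deleted Backup vault in their region is recoverable. On new line 54, the link text "Learn more." is not descriptive and carries the period inside the link; text such as "Learn how to reconfigure backup to an alternate vault" would read better.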

@@ -63,20 +64,24 @@ The key benefits of soft delete are:
6364

6465
## Soft delete for vaults
6566

66-
With secure by default assurance, when a Recovery Services vault is deleted, it moves into a soft deleted state. To soft delete a vault, you have to stop backup and soft delete all the backup items in the vault before initiating delete on the vault.
67+
With secure by default assurance, when a vault is deleted, it moves into a soft deleted state. To soft delete a vault, you have to stop backup and soft delete all the backup items in the vault before initiating delete on the vault.
6768

68-
When you initiate the deletion of a vault that contains soft-deleted items, the vault automatically moves into a soft-deleted state instead of being permanently removed. You can recover soft-deleted vaults by undeleting them within the configured soft delete retention period.
69-
During this retention period, you can also create a new Recovery Services vault with the same name in the same resource group as the soft-deleted vault. Azure Backup also allows multiple soft-deleted vaults with the same name within a single resource group, as naming constraints are enforced only for active vaults.
69+
When you initiate the deletion of a vault that contains soft-deleted items, the vault automatically moves into a soft-deleted state instead of being permanently removed. You can recover soft-deleted vaults by undeleting them within the configured soft delete retention period.
70+
During this retention period, you can also create a new vault with the same name in the same resource group as the soft-deleted vault. Azure Backup also allows multiple soft-deleted vaults with the same name within a single resource group, as naming constraints are enforced only for active vaults.
7071

71-
Recovery Services Vault deletions using Azure portal moves the vault into a soft deleted state. For Recovery Services Vault, before initiating delete on the vault, follow these steps:
72+
Deletions using Azure portal moves the Recovery Services vault and Backup vault into a soft deleted state.
73+
For Recovery Services Vault, before initiating delete on the vault, follow these steps:
7274
- Stop backups and soft delete all protected items
7375
- Cleanup associations of Servers and Storage Accounts
7476
- Disable Replication for Site Recovery Replicated Items
7577
- Clean up dependencies related to your Site Recovery Replicated Items
7678
- Remove Private Endpoint Connections
7779

80+
For Backup Vault, before initiating delete on the vault, follow these steps:
81+
- Stop backups and soft delete all protected items
82+
7883
>[!Note]
79-
>Azure Backup doesn't allow re-protection of a backup item to the same vault if the backup item is already in soft deleted state. However, you can protect the item to a different vault or undelete and resume backup in the same vault.
84+
>Azure Backup doesn't allow re-configuration of a backup item to the same vault if the backup item is already in soft deleted state. However, you can protect the item to a different vault or undelete and resume backup in the same vault for Recovery Services vaults.
8085
8186
## Soft delete of recovery points
8287
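Review bot: In the note on new line 84, the trailing "for Recovery Services vaults" is ambiguous: it can be read as qualifying only "undelete and resume backup in the same vault" or both options, and either way the sentence no longer says what a Backup vault user can do with a soft-deleted item. Suggest one sentence per vault type. Smaller points: new line 72 should read "Deletions using the Azure portal move ..." (plural subject); new lines 73 and 80 write "Recovery Services Vault" and "Backup Vault" while lines 72 and 84 use lowercase "vault"; and the single-item list under new line 80 would read better as a sentence.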

@@ -92,8 +97,9 @@ This feature helps to retain these recovery points for an additional duration, a
9297
Soft delete retention is the retention period (in days) of a deleted item in soft deleted state. Once the soft delete retention period elapses (from the date of deletion), the item is permanently deleted, and you can't undelete. You can choose the soft delete retention period between *14 and 180 days*. Longer durations allow you to recover data from threats that can take time to identify (for example, Advanced Persistent Threats).
9398

9499
>[!Note]
95-
> Soft delete retention for *14 days* involves no cost. However, regular backup charges apply for additional retention days.<br>
96-
> By default, soft delete retention is set to 14 days, and you can change it any time. However, the *soft delete retention period* that is active at the time of the deletion governs retention of the item in soft deleted state.
100+
> - Soft delete retention for *14 days* involves no cost. However, regular backup charges apply for additional retention days.
101+
> - By default, soft delete retention is set to 14 days, and you can change it any time. However, the *soft delete retention period* that is active at the time of the deletion governs retention of the item in soft deleted state.
102+
> - Soft-deleted operational backups aren't cleaned automatically after the *soft delete retention period* if the associated vault was also soft deleted. You must manually delete these soft-deleted operational backups.
97103
98104
## Pricing
99105
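Review bot: The new bullet on line 102 tells readers they "must manually delete these soft-deleted operational backups" but not how, even though the vault they belong to is itself soft deleted. It should say where the deletion is performed, whether the vault has to be undeleted first, and whether charges keep accruing until then, since the first bullet says backup charges apply beyond 14 days. "Operational backups" is also not defined in the surrounding text; a link or a short definition would help.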

@@ -111,7 +117,10 @@ When you restore a soft-deleted backup item, it becomes active again, and standa
111117

112118
## API Considerations for soft delete
113119

114-
Secure by default with soft delete is now enabled by default with the latest API versions during public preview for Recovery Services Vault. As a result, you can still use older API versions to immediately delete backup items, if required. However, this behavior will be applied uniformly across all API versions once the feature reaches General Availability (GA).
120+
Secure by default with soft delete is now enabled by default with the latest API versions during preview for Recovery Services vault and Backup vault.
121+
122+
>[!Note]
123+
>You can still use older API versions to immediately disable soft delete and delete backup items, if required. However, only the new API version behaviour (similar to Azure Portal) will be allowed once the feature reaches General Availability (GA).
115124
116125
The following section outlines the API behavior across different scenarios:
117126
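Review bot: The new note on line 123 describes a gap in the guarantee this article makes on line 24 (soft delete is "enforced by default" to ensure recovery from "accidental or malicious deletions"), yet it is worded as a convenience ("if required"). State plainly that during preview the enforcement applies only to the portal and the latest API versions, and consider pointing to Immutable vault, which the concept article in this commit describes as blocking operations that could lead to loss of recovery points. Also, "behaviour" should be "behavior" to match line 125, and "Azure Portal" should be "Azure portal".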

@@ -122,9 +131,9 @@ The following table outlines the behavior of the **_Delete Protected Item_** act
122131
| **Client** | **Soft Delete – Enabled / Always On** | **Soft Delete – Disabled** |
123132
|-------------|----------------------------------------|-----------------------------|
124133
| **Azure Portal** | Backup items move to a soft-deleted state. | Backup items move to a soft-deleted state. |
125-
| **PowerShell** | Backup items move to a soft-deleted state. | For PowerShell modules version **7.5.0** or later, backup items move to a soft-deleted state.<br>For earlier versions, backup items are deleted immediately. |
126-
| **CLI** | Backup items move to a soft-deleted state. | For Azure CLI version **2.75.0** or later, backup items move to a soft-deleted state.<br>For earlier versions, backup items are deleted immediately. |
127-
| **REST API** | Backup items move to a soft-deleted state. | For API versions **2024-09-30-preview** or later, backup items move to a soft-deleted state.<br>For earlier API versions, backup items are deleted immediately. |
134+
| **PowerShell** | Backup items move to a soft-deleted state. | For PowerShell modules version **7.5.0** or later, backup items in Recovery Services vault move to a soft-deleted state. For earlier versions, backup items are deleted immediately.<br>Backup vault actions are independent of the module version. |
135+
| **CLI** | Backup items move to a soft-deleted state. | For Azure CLI version **2.75.0** or later, backup items in Recovery Services vault move to a soft-deleted state. For earlier versions, backup items are deleted immediately.<br>Backup vault actions are independent of the module version. |
136+
| **REST API** | Backup items move to a soft-deleted state. | In Recovery Services vault, for API versions **2024-09-30-preview** or later, backup items move to a soft-deleted state. In Backup vault, for API versions **2025-09-01** or later, backup items move to a soft-deleted state.<br>For earlier API versions, backup items are deleted immediately. |
128137

129138
### Delete Vault
130139
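Review bot: In the PowerShell and CLI rows (new lines 134 and 135), "Backup vault actions are independent of the module version" does not say what the outcome is in the soft delete disabled column: are Backup vault items soft deleted or deleted immediately? The REST API row ties the Backup vault outcome to API version 2025-09-01, so state the result for each client explicitly. The CLI row also says "module version" where it means the Azure CLI version.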

@@ -133,9 +142,9 @@ The following table outlines the behavior of the ***Delete Vault*** action acros
133142
| **Client** | **Soft Delete – Disabled / Enabled / Always On** |
134143
|-------------|--------------------------------------------------|
135144
| **Azure Portal** | Soft deletion of the vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers. |
136-
| **PowerShell** | For PowerShell module versions **7.5.0** or later, soft deletion of the vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers.<br>For earlier versions, vault deletion is allowed only when the vault is completely empty. |
137-
| **CLI** | For Azure CLI versions **2.75.0** or later, soft deletion of the vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers.<br>For earlier versions, vault deletion is allowed only when the vault is completely empty. |
138-
| **REST API** | For API versions **2024-09-30-preview** or later, soft deletion of the vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers.<br>For earlier API versions, vault deletion is allowed only when the vault is completely empty. |
145+
| **PowerShell** | For PowerShell module versions **7.5.0** or later, soft deletion of the Recovery Services vault is allowed when it is either empty or contains only soft-deleted backup items or containers. For earlier versions, vault deletion is allowed only when the vault is completely empty.<br>Backup vault actions are independent of the module version. |
146+
| **CLI** | For Azure CLI versions **2.75.0** or later, soft deletion of the Recovery Services vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers. For earlier versions, vault deletion is allowed only when the vault is completely empty.<br>Backup vault actions are independent of the module version. |
147+
| **REST API** | In Recovery Services vault, for API versions **2024-09-30-preview** or later, soft deletion of the vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers. In Backup vault, for API versions **2025-09-01** or later, soft deletion of the vault is allowed when the vault is either empty or contains only soft-deleted backup items or containers.<br>For earlier API versions, vault deletion is allowed only when the vault is completely empty. |
139148

140149
### **Disable Soft Delete for Vault**
141150
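Review bot: New lines 145 and 146 leave the Backup vault case undefined: "independent of the module version" does not say whether a Backup vault containing only soft-deleted items can be soft deleted or must be completely empty. Spell out the behavior, as the REST API row on line 147 does. Wording also diverges between rows ("when it is either empty" on line 145, "when the vault is either empty" on line 146), and line 146 repeats "module version" for the CLI.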

@@ -144,9 +153,9 @@ The following table describes the behavior of the **_Disable Soft Delete_** acti
144153
| **Client** | **Behavior** |
145154
|-------------|--------------|
146155
| **Azure Portal** | Not allowed. |
147-
| **PowerShell** | Not allowed for PowerShell module versions **7.5.0** or later.<br>Allowed for earlier versions. |
148-
| **CLI** | Not allowed for Azure CLI versions **2.75.0** or later.<br>Allowed for earlier versions. |
149-
| **REST API** | Not allowed for API versions **2024-09-30-preview** or later.<br>Allowed for earlier API versions. |
156+
| **PowerShell** | Not allowed for PowerShell module versions **7.5.0** or later in Recovery Services vault. Allowed for earlier versions.<br>Backup vault actions are independent of the module version. |
157+
| **CLI** | Not allowed for Azure CLI versions **2.75.0** or later in Recovery Services vault. Allowed for earlier versions.<br>Backup vault actions are independent of the module version. |
158+
| **REST API** | Not allowed for API versions **2024-09-30-preview** or later in Recovery Services vault. Not allowed for API versions **2025-09-01** or later in Backup vault.<br>Allowed for earlier API versions. |
150159

151160

152161
## Next steps
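Review bot: This table answers whether soft delete can be turned off, and for Backup vaults the PowerShell and CLI rows (new lines 156 and 157) do not answer it; "independent of the module version" could mean always allowed or never allowed. Write "Allowed" or "Not allowed" explicitly for Backup vaults. In the REST API row on line 158, "Allowed for earlier API versions" now follows two different version thresholds; say that it applies to versions earlier than the threshold for the respective vault type.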
