This morning I've been looking at Azure Backup and migrating some Windows VM's from one Recovery Services Vault to another. This is mainly because I've taken a look at some production deployed VM's and found they were aligned to the reference architecture Disaster Recovery and Backup policies. Long story short, 6 VM's needed to be moved to maintain consistency.
Things get interesting in that my previous level of access at a customer has changed and I'm time poor, so I thought I'd use PowerShell to achieve this faster. Official documentation is sparse around the topic of disabling protection for a VM in Azure Backup. I would suggest that's likely because the vendor in this case, Microsoft, would very much like customers to not disable Azure Backup protection (both to the customers and their benefit, $$$).
After some digging into the docs.microsoft.com repo and some Bing and Google searches, here's a rundown of the process that worked very well.
I found the initial first step here to not be able to be executed via PowerShell as there's no cmdlet for that functionality. Recovery Services Vaults have (on by default) a “safety” feature called “Soft Delete”. Soft delete is there to ensure backups of VMs cant be deleted by those with lesser permissions that service owners or administrators. Namely its there to prevent malicious actors from being able to delete backups. So if a backup is stopped and backup data is deleted, a 14 day retention is applied. Within that 14 day retention period, backup data can be recovered at any time.
To disable the “Soft Delete” feature, I just used the Azure Portal which was fast and easy. Navigate to any Recovery Services Fault > Select Properties > Select Update under Security Settings > Set Soft Delete to Disabled.
Now that the soft delete feature is disabled, executing the following PowerShell can be done without any hiccups.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "[Resource group name here]" -Name "[Recovery Services Vault name here]" $Container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered -FriendlyName [VM name here] -VaultId $vault.ID $BackupItem = Get-AzRecoveryServicesBackupItem -Container $Container -WorkloadType AzureVM -VaultId $vault.ID Disable-AzRecoveryServicesBackupProtection -Item $BackupItem -VaultId $vault.ID -RemoveRecoveryPoints -Force # "-RemoveRecoveryPoints" is required to be able to completely remove the VM from the RSV, otherwise a soft delete window of 14 days is applied. # "-Force" is optional. If you don't include this, you will be prompted YES/NO to continue.
If you'd like, you can also get that from my public Azure Github repo.
From here I was able to then add the VM resources in question to another Recovery Services Vault and Azure Backup protection under new policies associated with that new vault.
Follow or start a discussion for this blog (Azure Backup PowerShell removal of backup protection of a Azure VM) on Twitter. If you're after something more in depth, or want to ask me an expanded question: raise an issue in my open GitHub AMA repo.